Re: nm 0.7 on ubuntu ibex



On Tue, 2008-12-02 at 01:12 -0700, Mike Butash wrote:
> Hi all,
> 
> I'd like to start by saying that I just updated my work laptop to ibex
> from gutsy, and it's almost amazing how much nm has improved.  For the
> first time in using ubuntu for about 4 years, it's actually gotten to
> the point it handles all my varied connections of wired/wireless/cdma
> and cisco vpn's without some kind of my own bastard scripts and hacks.
> I consult with customers using just about any kind of config for vpn and
> wireless, and it works pretty darn great so far.  Kudos to the team for
> making my life easier!
> 
> That being said, the more I tinkered with it, the more I found a few
> annoyances I was curious if anyone's fixed or considered dealing with as
> a long-term strategy.  I've been following the list for some time, and
> haven't seen any direct mention of these, so I figured either I'm weird,
> or no one else does what I do (yet), so I figure I'd mention them to see
> if I can offer some recommendations to consider for future
> improvements.  
> 
> 1) I noticed with the VPN import functions that they can handle cisco
> PCF files, but it doesn't fully import them the nice way kvpnc does.  I
> think that it's a conscious choice not to flaunt breaking cisco's weak
> *encryption* on their saved strings, but it would be nice if it did
> nonetheless.  Ibex seems to have broken Cisco's own vpn, leaving me
> stranded to get this working, so I found a blob of c code to decrypt it
> for me, which I could then manually reassemble a profile.  It'd be nice
> to see it natively import it, as simply not all the times do customers
> have (or sometimes remember) the keys outside of the grandfathered .pcf
> file from long ago.

The 0.7 release does decrypt the group passwords if present.

> Along with this hack to decrypt the key, I found some shell and perl
> code to dump a directory of cisco .pcf's to vpnc .conf's, however NM
> doesn't seem to make use of these at all.  It would be nice if it could
> suck the legacy vpnc directory for import into its secure store (I
> believe gnome-keyring..?).

NM-vpnc imports and exports cisco pcf files.

> Otherwise very sweet being able to use NM for vpn purposes to replace
> cisco's lack of decent linux support!
> 
> 2) Gnome keyring doesn't play nice when using fingerprint readers,
> namely thinkfinger libs.  Profiles won't automagically connect on boot,
> and often I have to use my password instead of a swipe.  Annoying only
> due to lack of consistency whereas it normally works without a hitch.
> I've read up on the fact that gnome keyring doesn't use pam, and hence
> cannot use the thinkfinger authentication methods, but it seems there
> should be a more graceful solution.  I'm definitely not the only person
> feeling this pain, but thus far I've not found any constructive ways to
> lessen/fix the issue.
> 
> Since fingerprint readers are becoming more common, it seems it might be
> worth exploring a better way to eliminate the need to always auth
> outside of the login session (or consistently use fingerprints for gnome
> keyring).  I'm positive that I'm over-simplifying the problem, so feel
> free to kick me or ask for more info.  Perhaps I'm barking up the wrong
> tree, and should blame the gnome keyring devs instead, but since you've
> chosen to use it for NM, it stands to reason you might want to look
> at cleaning up an ugly loose-end to an otherwise stellar product.  I'd
> be happy to provide debugging info to assist if needed.

The keyring needs a rethink, yeah, especially in light of smartcards and
biometric methods.  The solution to swiping your finger is to make it a
system connection available to all users though, or to unlock your
keyring when you log in with pam_keyring or the like.  I'm not sure if
Ubuntu ships pam_keyring, but it works OK on Fedora.

> 3) Dialup support is gone now?  Dialup is so 90's now, but unfortunately
> bluetooth DUN is still alive and kicking.  However, I couldn't seem to
> find a way to use this in NM currently, nor could I find any way to
> enable it.  Am I missing something here to enable it, or was it just
> simply (finally) removed and to be considered legacy?  Seems there'd
> still be a lot of people stuck using traditional dialup to abandon them
> entirely...

The "dialup" support in NM was simply a menu shortcut for the distro
native scripts to ifup / ifdown the connection, and was in no way
integrated into NetworkManager itself.  Hence one of *the* most
requested features was for integrated 3G support so that people could
use the NM VPN plugins with mobile broadband.

Integrated mobile broadband was a design target of 0.7, and bluetooth
(DUN and likely PAN) are design targets of the next version of
NetworkManager, which certainly won't take two years to come out.  In
the meantime, connecting the phone via USB is an option, and probably
saves you battery life on the phone too :)

Cheers,
Dan

> I've always written my own scripts/confs for wpa_supplicant for
> connecting to various wifi profiles as NM has never quite worked
> properly for me, but it's nice to see it's really almost there as a good
> solution.  Nice it even worked with my vzw aircard flawlessly!  Thanks
> for the hard work in making NM a large part of linux mainstream
> adoption!
> 
> -mb
> 