Re: NetworkManager-vpnc config help



On Wed, 2008-05-14 at 11:46 -0400, Matthew Saltzman wrote:
> On Tue, 2008-05-13 at 18:23 -0500, Brian Millett wrote:
> > Dan Williams wrote:
> > > On Tue, 2008-05-13 at 15:58 -0500, Brian Millett wrote:
> > >> Fedora 8,
> > >> NetworkManager-devel-0.7.0-0.6.7.svn3370.fc8
> > >> NetworkManager-vpnc-0.7.0-0.6.3.svn3109.fc8
> > >> NetworkManager-glib-0.7.0-0.6.7.svn3370.fc8
> > >> NetworkManager-gnome-0.7.0-0.6.7.svn3370.fc8
> > >> NetworkManager-openvpn-0.7.0-8.svn3302.fc8
> > >> NetworkManager-glib-devel-0.7.0-0.6.7.svn3370.fc8
> > >> NetworkManager-0.7.0-0.6.7.svn3370.fc8
> > >>
> > >> I have a vpnc configuration I need to setup.  It has an "IPSec obfuscated secret" for the 
> > >> group password.
> > >>
> > >> The old vpn connections were defined in the .gconf/system/networking/vpn_connections but 
> > >> where are the connections defined now?
> > > 
> > > They are normal connections in /system/networking/connections just like
> > > wifi, ethernet, cdma, gsm, etc are.
> > 
> > Cool!  Still via configuration editor.
> > 
> > Any way of knowing what number corresponds to which connection?
> > 
> > >> How do I edit the configurations?
> > > 
> > > You can still use the VPN connection editor, available from the applet
> > > menu.
> > 
> > Ok, so how do I enable the ability to edit the connection?  I can see the connections in 
> > the "Edit connections", but the only item available to click is "Delete".
> > 
> > >> Are the conf files in /etc/vpnc referenced?
> > > 
> > > No, because VPN connections are currently per-user, though with the
> > > keyfile system settings plugin there's no reason they couldn't be
> > > system-wide as well.
> > > 
> 
> A couple related questions:
> 
> (1) If I want to add
> 
>         DPD idle timeout (our side) 0
> 
> what do I need to name the key in gconf?  The gconf editor complains
> about the parentheses.

The name of the item in GConf is the exact string passed to vpnc as a
configuration option.  You'll need to GConf-escape the parentheses.
GConf uses the @ symbol as the escape, so you want to convert the
characters to be escaped to decimal, then put that number between two @
symbols, like so:

My Option -->>>  My@32@Option

> (2) Can the obfuscated secret be stored in the keyring?  If so, how?  If
> not, how can I get it to be used instead of the group password in the
> keyring?

At least vpnc can decrypt the obfuscated group secret these days.  But
since it's not really the password, we should store it in the keyring
differently than we store the group password.

We do have a number of different issues here with the group password:

1) You're given the cleartext group password
2) You're given a pcf file with obfuscated group password
3) You're using OTP for the group password with tokens or whatever

The first two need to get saved in the keyring.  The third doesn't get
saved in the keyring and gets asked for every time.  I don't see a big
problem with adding support to the vpnc connector to accept the
obfuscated secret, but the big issue is going to be that it's going to
add yet another edit box somewhere.  That's not really helpful, I don't
think.  Do you have any idea if the obfuscated secrets are all the same
length so perhaps we could auto-detect based on string length?  Any good
hash algorithm is going to generate stable-length results.

> (3) Will the ability to set these features be added to the Edit
> Connections dialog in NM?  If I set them by hand, are they recognized and
> passed to vpnc by NM-vpnc?

We're going to fold the vpn properties into the connection editor, yes.
But options are still gated by the VPN service helpers, so it takes more
than just stuffing the value into GConf for it to get to vpnc.  And
while that's a pain for people needing options that the vpnc connector
doesn't yet support, it's a good thing to gate them because being able
to pass just anything to the vpnc daemon (which runs as root) is wrong.

Dan

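An added example (not code from this thread, from NetworkManager or from GConf) that models two things Dan's reply describes: escaping a vpnc option name into a GConf key element as @<decimal>@ tokens, and gating what reaches the root vpnc daemon through an allowlist of known options instead of forwarding arbitrary GConf keys. The set of characters left unescaped, the option allowlist, the value validators and the sample entries are assumptions made for illustration; the option names themselves are vpnc.conf keywords, but the selection is not NetworkManager-vpnc's list.

```python
"""Added example: a model of the GConf key-escaping scheme described above,
plus the kind of allowlist gate a VPN service helper puts between GConf and
a root daemon.  Illustrative code, not NetworkManager or GConf code."""

import re

# Assumption: characters kept verbatim when a vpnc option name becomes a GConf
# key element.  Everything else, including space, parentheses, '/' (the GConf
# path separator) and '@' itself, is written as @<decimal byte value>@.
_SAFE = set("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_")
_ESC = re.compile(r"@(\d{1,3})@")


def gconf_escape_key(text: str) -> str:
    """Escape an arbitrary option name into a single GConf key element."""
    return "".join(chr(b) if chr(b) in _SAFE else f"@{b}@" for b in text.encode("utf-8"))


def gconf_unescape_key(key: str) -> str:
    """Reverse gconf_escape_key, refusing anything that is not a well-formed
    escaped key.  A lenient decoder that skipped a stray '@' or let an
    unescaped byte through could map two different GConf keys onto the same
    vpnc option name, so malformed input is an error, not a best guess."""
    out = bytearray()
    pos = 0
    while pos < len(key):
        if key[pos] == "@":
            m = _ESC.match(key, pos)
            if m is None or int(m.group(1)) > 255:
                raise ValueError(f"malformed escape at offset {pos} in {key!r}")
            out.append(int(m.group(1)))
            pos = m.end()
        elif key[pos] in _SAFE:
            out.append(ord(key[pos]))
            pos += 1
        else:
            raise ValueError(f"unescaped character {key[pos]!r} at offset {pos}")
    return out.decode("utf-8")


def _seconds(v: str) -> bool:
    return re.fullmatch(r"[0-9]{1,6}", v) is not None


def _hostname(v: str) -> bool:
    return re.fullmatch(r"[A-Za-z0-9.-]{1,253}", v) is not None


def _token(v: str) -> bool:
    return re.fullmatch(r"\S{1,128}", v) is not None


# Assumption: the options this gate forwards and how their values are checked.
# Anything not listed is refused, whatever vpnc itself would accept.
ALLOWED_VPNC_OPTIONS = {
    "IPSec gateway": _hostname,
    "IPSec ID": _token,
    "Xauth username": _token,
    "NAT Traversal Mode": lambda v: v in {"natt", "cisco-udp", "force-natt", "none"},
    "DPD idle timeout (our side)": _seconds,
}


def build_vpnc_config(gconf_entries: dict) -> str:
    """Turn escaped GConf keys and their values into vpnc.conf lines, forwarding
    only allowlisted options whose values pass their check.  vpnc reads one
    option per line, so a value carrying a line break would smuggle in a second
    option and is rejected outright."""
    lines = []
    for key, value in gconf_entries.items():
        name = gconf_unescape_key(key)
        check = ALLOWED_VPNC_OPTIONS.get(name)
        if check is None:
            raise ValueError(f"option not permitted by the gate: {name!r}")
        if "\n" in value or "\r" in value or not check(value):
            raise ValueError(f"rejected value for {name!r}: {value!r}")
        lines.append(f"{name} {value}")
    return "\n".join(lines) + "\n"


def rejects(fn, *args) -> bool:
    """True if fn(*args) raises ValueError; used to exercise the negative cases."""
    try:
        fn(*args)
    except ValueError:
        return True
    return False


# Constructed sample: the two options from the thread as they would be keyed.
SAMPLE_GCONF = {
    gconf_escape_key("IPSec gateway"): "vpn.example.com",
    gconf_escape_key("DPD idle timeout (our side)"): "0",
}

if __name__ == "__main__":
    for k in SAMPLE_GCONF:
        print(k)
    print(build_vpnc_config(SAMPLE_GCONF), end="")
```

Running it prints the escaped key for the DPD option, `DPD@32@idle@32@timeout@32@@40@our@32@side@41@`, and the two vpnc.conf lines the gate lets through; a key with a bare `@`, a key with an unescaped space, an option outside the allowlist, or a value containing a newline all raise instead of reaching the daemon.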