Re: NetworkManager-vpnc config help



Dan Williams wrote:
On Wed, 2008-05-14 at 12:19 -0500, Brian Millett wrote:
Dan Williams wrote:
On Wed, 2008-05-14 at 11:46 -0400, Matthew Saltzman wrote:
On Tue, 2008-05-13 at 18:23 -0500, Brian Millett wrote:
Dan Williams wrote:
On Tue, 2008-05-13 at 15:58 -0500, Brian Millett wrote:
Fedora 8,
NetworkManager-devel-0.7.0-0.6.7.svn3370.fc8
NetworkManager-vpnc-0.7.0-0.6.3.svn3109.fc8
NetworkManager-glib-0.7.0-0.6.7.svn3370.fc8
NetworkManager-gnome-0.7.0-0.6.7.svn3370.fc8
NetworkManager-openvpn-0.7.0-8.svn3302.fc8
NetworkManager-glib-devel-0.7.0-0.6.7.svn3370.fc8
NetworkManager-0.7.0-0.6.7.svn3370.fc8

I have a vpnc configuration I need to set up. It has an "IPSec obfuscated secret" for the group password.

The old vpn connections were defined in the .gconf/system/networking/vpn_connections but where are the connections defined now?
They are normal connections in /system/networking/connections just like
wifi, ethernet, cdma, gsm, etc are.
Cool!  Still via configuration editor.

Any way of knowing what number corresponds to which connection?

How do I edit the configurations?
You can still use the VPN connection editor, available from the applet
menu.
Ok, so how do I enable the ability to edit the connection? I can see the connections in the "Edit connections", but the only item available to click is "Delete".

Are the conf files in /etc/vpnc referenced?
No, because VPN connections are currently per-user, though with the
keyfile system settings plugin there's no reason they couldn't be
system-wide as well.

A couple related questions:

(1) If I want to add

        DPD idle timeout (our side) 0

what do I need to name the key in gconf?  The gconf editor complains
about the parentheses.
The name of the item in GConf is the exact string passed to vpnc as a
configuration option.  You'll need to GConf-escape the parentheses.
GConf uses the @ symbol as the escape, so you want to convert the
characters to be escaped to decimal, then put that number between two @
symbols, like so:

My Option -->>>  My 32@Option

(2) Can the obfuscated secret be stored in the keyring?  If so, how?  If
not, how can I get it to be used instead of the group password in the
keyring?
At least vpnc can decrypt the obfuscated group secret these days.  But
since it's not really the password, we should store it differently in
the keyring than the password we store the group password.

We do have a number of different issues here with the group password:

1) You're given the cleartext group password
2) You're given a pcf file with obfuscated group password
3) You're using OTP for the group password with tokens or whatever

The first two need to get saved in the keyring.  The third doesn't get
saved in the keyring and gets asked for every time.  I don't see a big
problem with adding support to the vpnc connector to accept the
obfuscated secret, but the big issue is going to be that it's going to
add yet another edit box somewhere.  That's not really helpful, I don't
think.  Do you have any idea if the obfuscated secrets are all the same
length so perhaps we could auto-detect based on string length?  Any good
hash algorithm is going to generate stable-length results.
Ok, so I was given a pcf file with the obfuscated group secret in it. I need to add it to the gnome keyring or the gpg keyring? Or do I just put in the long obfuscated secret in the group password field and check that it be saved in the keyring?

I also added to the %gconf.xml for the vpn-properties of that connection:

<entry name="IPSec 32@obfuscated 32@secret" mtime="1210720857" type="string"> <stringvalue>9B5EA67-(cut)-F48CEF</stringvalue>
</entry>

Well, currently the obfuscated password isn't supported because that
config option is not allowed through to the VPN daemon.  You could for
the time being decrypt the obfuscated secret.


http://svn.unix-ag.uni-kl.de/vpnc/trunk/cisco-decrypt.c

for example should be included in the vpnc sources and built with vpnc,
and will decrypt it for you.


SWEET!!!!

Thanks. With that, I decrypted the password and can now connect!

Many thanks.

--
Brian Millett - [ Babylon Control and Delenn, "Babylon Squared"]
"Are you sure you don't require a pilot, Ambassador?"
'Quite sure. Some things one must do alone.'
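
The @-escaping rule described in the thread (the character's decimal code placed between two @ symbols), as an added example that is not part of the original messages and is not GConf's own code. The function names are hypothetical, and the set of characters left unescaped (ASCII letters, digits, '-' and '_') is a conservative assumption rather than GConf's exact list.

```python
import string

# Assumption: only these characters are kept literally; every other byte is escaped.
SAFE = set(string.ascii_letters + string.digits + "-_")


def gconf_escape(name: str) -> str:
    """Escape a vpnc option name for use as a GConf key name."""
    out = []
    for byte in name.encode("utf-8"):
        ch = chr(byte)
        # Escaped bytes become @<decimal>@, e.g. a space (32) becomes @32@.
        out.append(ch if ch in SAFE else "@%d@" % byte)
    return "".join(out)


def gconf_unescape(key: str) -> str:
    """Reverse gconf_escape(); raise ValueError on a malformed escape."""
    out = bytearray()
    pos = 0
    while pos < len(key):
        if key[pos] != "@":
            if ord(key[pos]) > 127:
                raise ValueError("unescaped non-ASCII character at offset %d" % pos)
            out.append(ord(key[pos]))
            pos += 1
            continue
        # An escape must be '@', one or more ASCII digits (0-255), then '@'.
        end = key.find("@", pos + 1)
        digits = key[pos + 1:end] if end != -1 else ""
        if not (digits.isascii() and digits.isdigit()) or int(digits) > 255:
            raise ValueError("malformed escape at offset %d" % pos)
        out.append(int(digits))
        pos = end + 1
    return out.decode("utf-8")


if __name__ == "__main__":
    # Option names taken from the thread; the round trip must be lossless.
    for option in ("DPD idle timeout (our side)", "IPSec obfuscated secret"):
        key = gconf_escape(option)
        assert gconf_unescape(key) == option
        print(option, "->", key)
```
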
