Dan,

I finally got something together, following some of the ideas you pointed out. I've also done a slight change to the auth dialog to not show the passwords that are already known in the keyring, unless it's in a "reprompt" situation (although I haven't been able to test it without manually calling nm-vpnc-auth-dialog...), and to always prompt for a password that is marked as "otp" although it may already be saved in the keyring.

It's a pretty crude patch, I realize it will need some rework, but if someone could test it out and let me know what parts to look at.. :) Right now, I really don't think the "unused" cases work properly, but I'm still looking into it -- I just don't have an easy way to test that case.

Patch is attached, one gzipped file and one .patch:
01-password-types.patch.gz
01-vpnc-auth-password-types.patch

/ Matt

On Sun, Oct 12, 2008 at 10:04 PM, Dan Williams <dcbw redhat com> wrote:
> On Sat, 2008-10-11 at 11:22 -0400, Mathieu Trudel-Lapierre wrote:
>> Dan,
>>
>> Actually one other little question. How much use do you think there is
>> for this kind of feature? Do you regularly hear about this, or is it
>> more a user here and there?
>
> There are open bug reports for both of these and I've heard about
> interactive auth mode and hybrid auth support from a number of people.
> It was certainly on my list to do when I had the time. But hey, if
> patches show up first... :)
>
> Dan
>
>> / Matt
>>
>> On Thu, Oct 9, 2008 at 12:05 PM, Dan Williams <dcbw redhat com> wrote:
>> > On Thu, 2008-10-09 at 09:15 -0400, Mathieu Trudel-Lapierre wrote:
>> >> Hi,
>> >>
>> >> First, my apologies for pushing for this, since I believe the
>> >> interested parties are probably already notified through bugzilla on
>> >> this...
>> >
>> > So the reason this didn't get merged in the first place is that when
>> > this is used, the auth dialog looks like ass. Having _3_ buttons there
>> > has confused every user I've ever seen, and makes me read things a few
>> > times whenever I get the dialog. It's just bad UI. Plus, it's not
>> > something you can change in the connection editor out-of-band from
>> > authentication. That's not to say it doesn't fill a need and fix the
>> > bug, but the solution is not one I'd like to have upstream.
>> >
>> > Instead, we need a better solution. We have two passwords, the user
>> > password and the group password. Each password has 3 different types:
>> >
>> >                     u s e r
>> >          | static   | unused   | OTP
>> >    ------|----------|----------|------
>> >  g static|    Y     |    Y     |  Y
>> >  r ------|----------|----------|------
>> >  o unused|    Y     |    X     |  ?
>> >  u ------|----------|----------|------
>> >  p OTP   |    Y     |    Y     |  ?
>> >    ------|----------|----------|------
>> >
>> > Legend:
>> > Y = I've heard of it being used
>> > X = Pointless
>> > ? = I don't know if this is used by anyone
>> >
>> > The cases where you don't want to save passwords in the keyring are the
>> > OTP/RSA and the "unused" cases.
>> >
>> > Here's my solution: for each of the group and user password entries,
>> > have a small popup menu behind each one in the main config dialog like
>> > so:
>> >
>> >                   .------------------------.  .------------.
>> > User Password:    | i4mvrl1337&^%          |  | Default |V|
>> >                   `------------------------'  `------------'
>> >                   .------------------------.  .------------.
>> > Group Password:   | my-GrOuP-PassWORD      |  | Default |V|
>> >                   `------------------------'  `------------'
>> >
>> > Where the combo box has the following items:
>> >
>> > Default (ie, static password that rarely changes)
>> > Interactive (ie, RSA dongles)
>> > Unused (ie, no password required and nothing saved to keyring)
>> >
>> > It always defaults to "Default" (ie, static) so most people's configs
>> > will work, but you have the option to change it for your config.
>> >
>> > Note that Interactive authentication can't be used yet anyway because we
>> > don't support challenge-based authentication that it requires, which
>> > will come after 0.7 when I can rework the VPN cleanup patch I've talked
>> > about before, and will require
>> >
>> > If somebody came up with the UI patch to do this, that would be awesome
>> > and I'd commit it. It would additionally mean adding two keys to the
>> > vpnc plugin's GConf data (user-password-type and group-password-type)
>> > which would then have to be added to the nm-vpnc-service's validation
>> > code and used internally if required, but that's pretty easy. These
>> > keys would store the password type (as a string) so that the auth dialog
>> > would know when to save which passwords and which password entry widgets
>> > to disable/desensitize when the user had selected "unused".
>> >
>> > Thoughts?
>> >
>> > Next, we get to add authentication types to the client to support Hybrid
>> > Auth mode. Not sure if you can use all the normal Xauth stuff (like
>> > interactive) with the hybrid auth mode as well, but I have to assume you
>> > can.
>> >
>> > Dan
>> >
>>
>

--
Mathieu Trudel
mathieu tl gmail com
Attachment:
01-password-types.patch.gz
Description: GNU Zip compressed data
Index: network-manager-applet-0.7~~svn20081020t000444/src/vpn-password-dialog.c =================================================================== --- network-manager-applet-0.7~~svn20081020t000444.orig/src/vpn-password-dialog.c 2008-10-21 20:35:47.000000000 -0400 +++ network-manager-applet-0.7~~svn20081020t000444/src/vpn-password-dialog.c 2008-10-21 20:36:45.000000000 -0400 @@ -164,6 +164,8 @@ "-u", NULL /*"2a5d52b5-95b4-4431-b96e-3dd46128f9a7"*/, "-n", NULL /*"davidznet42"*/, "-s", NULL /*"org.freedesktop.vpnc"*/, + "-p", NULL /*"otp"*/, + "-g", NULL /*"unused"*/, "-r", NULL }; @@ -180,6 +182,8 @@ gboolean success = FALSE; GError *error = NULL; NMConnection *connection; + char *upw_type = NULL; + char *gpw_type = NULL; g_return_val_if_fail (NM_IS_EXPORTED_CONNECTION (exported), FALSE); @@ -203,13 +207,18 @@ goto out; } + upw_type = g_hash_table_lookup (s_vpn->data, NM_VPNC_KEY_UPW_TYPE); + gpw_type = g_hash_table_lookup (s_vpn->data, NM_VPNC_KEY_GPW_TYPE); + /* Fix up parameters with what we got */ argv[0] = auth_dialog_binary; argv[2] = s_con->uuid; argv[4] = s_con->id; argv[6] = s_vpn->service_type; + argv[8] = upw_type; + argv[10] = gpw_type; if (!retry) - argv[7] = NULL; + argv[11] = NULL; child_status = -1; Index: network-manager-applet-0.7~~svn20081020t000444/src/vpn-password-dialog.h =================================================================== --- network-manager-applet-0.7~~svn20081020t000444.orig/src/vpn-password-dialog.h 2008-10-21 20:31:53.000000000 -0400 +++ network-manager-applet-0.7~~svn20081020t000444/src/vpn-password-dialog.h 2008-10-21 20:35:47.000000000 -0400 @@ -22,6 +22,9 @@ #ifndef VPN_PASSWORD_DIALOG_H #define VPN_PASSWORD_DIALOG_H +#define NM_VPNC_KEY_UPW_TYPE "user-password-mode" +#define NM_VPNC_KEY_GPW_TYPE "group-password-mode" + #include <glib.h> #include <dbus/dbus-glib.h> #include <nm-settings.h>
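Review bot: the "-p"/"-g" entries added in the @@ -164,6 +164,8 @@ hunk of src/vpn-password-dialog.c land in the argv that this generic launcher hands to whatever auth_dialog_binary is chosen for s_vpn->service_type, so every VPN plugin's auth dialog now receives them, and an auth dialog that does not know these two options will fail option parsing before it ever prompts. Either append "-p"/"-g" only when the connection data actually carries the vpnc keys, or make each auth dialog accept and ignore them. The /*"otp"*/ and /*"unused"*/ placeholders also only document two of the three values; the static/default value's spelling belongs here as well so the accepted set is visible in one place.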
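Review bot: in the @@ -180,6 +182,8 @@ hunk, upw_type and gpw_type only ever point into s_vpn->data, which the hash table owns, so they should be declared `const char *` rather than `char *` to make clear that nobody frees them; if argv is declared with non-const elements, cast at the single assignment site instead of dropping the const on the variables.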
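Review bot: in the @@ -203,13 +207,18 @@ hunk a NULL result from either g_hash_table_lookup (which is exactly what every existing connection without the new keys returns) is written straight into argv[8] or argv[10], and since argv is NULL-terminated that truncates the command line: "-p" goes out with no value, and "-g" and "-r" are never seen by the auth dialog, so the retry flag is lost as well. Substitute the static/default type string when the lookup returns NULL before filling argv, and add a comment tying `argv[11] = NULL` to the "-r" slot (or compute the index from the array), since the hard-coded 11 will silently break the next time an option is inserted above it.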
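Review bot: the @@ -22,6 +22,9 @@ hunk in src/vpn-password-dialog.h defines NM_VPNC_KEY_UPW_TYPE/NM_VPNC_KEY_GPW_TYPE as "user-password-mode"/"group-password-mode", which puts vpnc-specific key names in the applet's shared dialog header and differs from the user-password-type/group-password-type names proposed earlier in the thread. The string has to match byte for byte what the vpnc properties dialog writes and what nm-vpnc-service validates, otherwise the lookups in vpn-password-dialog.c return NULL and the type is silently ignored, which for an OTP entry means whatever the fallback path does with it rather than the "never save" behaviour the user chose. Settle on one name, keep the define with the vpnc plugin (or document it as the contract), and put it after the #include lines rather than before them.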
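The prompt/save policy Matt describes for one password entry (hide a password already in the keyring unless reprompting, always prompt for "otp", never prompt or store for "unused"), written out as an added C example that is not part of the posted patch or of nm-applet; the type strings "default", "otp" and "unused", the function names and the decision to reject unknown type strings are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Assumed type strings: "default" (static), "otp" (interactive), "unused". */
typedef enum { PW_STATIC, PW_OTP, PW_UNUSED, PW_INVALID } pw_type_t;

typedef struct {
    bool ask;        /* show an entry and wait for the user to type something */
    bool prefill;    /* pre-populate that entry with the keyring value */
    bool save;       /* write the entered value back to the keyring */
    bool sensitive;  /* whether the entry widget is enabled at all */
} pw_policy_t;

/* A missing key means a pre-existing connection, so it counts as static;
 * any other unknown string is rejected, since the value decides what gets stored. */
pw_type_t pw_type_parse(const char *s)
{
    if (s == NULL || *s == '\0' || strcmp(s, "default") == 0)
        return PW_STATIC;
    if (strcmp(s, "otp") == 0)
        return PW_OTP;
    if (strcmp(s, "unused") == 0)
        return PW_UNUSED;
    return PW_INVALID;
}

/* have_saved: the keyring already holds a value for this password.
 * retry: the previous attempt was rejected (the -r "reprompt" case). */
pw_policy_t pw_policy(pw_type_t type, bool have_saved, bool retry)
{
    pw_policy_t p = { false, false, false, true };
    switch (type) {
    case PW_UNUSED:                 /* nothing asked, nothing stored */
        p.sensitive = false;
        break;
    case PW_STATIC:
        if (have_saved && !retry)   /* known and not rejected: use it silently */
            break;
        p.ask = true;
        p.prefill = have_saved;     /* a saved value here means we are reprompting */
        p.save = true;
        break;
    default:                        /* otp, or an unknown type: ask, store nothing */
        p.ask = true;
        break;
    }
    return p;
}
```

The dialog itself is only needed when the user or the group policy has ask set; an "unused" entry is desensitized rather than hidden so the user can see why it is empty.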