Re: network-manager-openvpn

From: Matt Wilks <matt madhaus cns utoronto ca>
To: Dan Williams <dcbw redhat com>
Cc: networkmanager-list gnome org
Subject: Re: network-manager-openvpn
Date: Wed, 16 Dec 2009 14:33:10 -0500

On Wed, 2009-12-16 at 12:43 PM, Dan Williams wrote:

On Tue, 2009-12-15 at 11:08 -0500, Matt Wilks wrote:
What prompted my initial query was the lack of support for<ca>,<cert>
and<key>  directives (supported in OpenVPN since 2.1-beta7, Nov
2005).  They allow you to specify the key files directly in the
configuration file, making it a self-contained configuration for a
connection using keys to authenticate.  NetworkManager also seemed to
miss the fact that my config required both keys and a password; not
hard to manually set but it wasn't caught by the import.


I do believe those have been in the NM openvpn configuration for a
long time.  What specific version of NM-openvpn are you using?  I'm
certainly using a CA certificate right now to write this mail.  If you
pick "Certificates (TLS)" or "Passwords with Certificates" from the
dropdown you should be able to use the certificates and keys of your
choice.  This has been the case for at least a year and a half, since
before NM 0.7.x was released.


Keys are supported, but you have to specify them in the NetworkManager
config through a file browser dialog.  The <ca>, etc directives I'm
talking about go in the config file and you include the actual text of
the key, something like:

<ca>
-----BEGIN CERTIFICATE-----
asdlgkyladkhajf;lkawur;iolw789uafjdslkafjsd;fkj
dflkajsdlfkaylkxcjfasmjelasjruklasfdjflkasdjrlk
fasdlfka;wo347;afalk4nasdlfksaydlkaihf3a94rsldj
-----END CERTIFICATE-----
</ca>

and so on with <cert> and <key>.  I have NM (and NM-openvpn) version 0.8
on Ubuntu Karmic and it didn't work for me.

The whitelisting is for security.  As a user, if you download a
configuration file and want to use it, what's to say it doesn't include
some options that make things less-secure or are malicious?  Depending
on the plugin you could send a config option for "run this script after
connection" and since the VPN plugins currently run as root, that script
gets run as root.  The configuration data cannot /necessarily/ be
trusted especially if it comes from the user session.  At the same time,
you don't want to /necessarily/ lock users out completely (that's the
discretion of the sysadmin if there is one).


Ah, this security concern settles it for me.  The reason that other
clients can offer the config file management paradigm is that you must
have admin privileges to run the program in the first place.  Not so
with NM.

Thanks again for your time.  Much appreciated.

--
Matt Wilks                   Colossians 2:6-7
University of Toronto        Information Security, I+TS
(416) 978-3328               matt madhaus cns utoronto ca
4 Bancroft Ave., Rm. 102     Toronto, ON  M5S 1C1

Follow-Ups:
- Re: network-manager-openvpn
  - From: Dan Williams

References:
- Re: network-manager-openvpn
  - From: Matt Wilks
- Re: network-manager-openvpn
  - From: Dan Williams
- Re: network-manager-openvpn
  - From: Matt Wilks
- Re: network-manager-openvpn
  - From: Dan Williams

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]