Re: network-manager-openvpn

On Wed, 2009-12-16 at 14:33 -0500, Matt Wilks wrote:
> > On Wed, 2009-12-16 at 12:43 PM, Dan Williams wrote:
> >> On Tue, 2009-12-15 at 11:08 -0500, Matt Wilks wrote:
> >> What prompted my initial query was the lack of support for<ca>,<cert>
> >> and<key>  directives (supported in OpenVPN since 2.1-beta7, Nov
> >> 2005).  They allow you to specify the key files directly in the
> >> configuration file, making it a self-contained configuration for a
> >> connection using keys to authenticate.  NetworkManager also seemed to
> >> miss the fact that my config required both keys and a password; not
> >> hard to manually set but it wasn't caught by the import.
> >
> > I do believe those have been in the NM openvpn configuration for a
> > long time.  What specific version of NM-openvpn are you using?  I'm
> > certainly using a CA certificate right now to write this mail.  If you
> > pick "Certificates (TLS)" or "Passwords with Certificates" from the
> > dropdown you should be able to use the certificates and keys of your
> > choice.  This has been the case for at least a year and a half, since
> > before NM 0.7.x was released.
> Keys are supported, but you have to specify them in the NetworkManager
> config through a file browser dialog.  The <ca>, etc directives I'm
> talking about go in the config file and you include the actual text of
> the key, something like:
> <ca>
> asdlgkyladkhajf;lkawur;iolw789uafjdslkafjsd;fkj
> dflkajsdlfkaylkxcjfasmjelasjruklasfdjflkasdjrlk
> fasdlfka;wo347;afalk4nasdlfksaydlkaihf3a94rsldj
> </ca>
> and so on with <cert> and <key>.  I have NM (and NM-openvpn) version 0.8
> on Ubuntu Karmic and it didn't work for me.

Aha, yes that is not yet supported; it wouldn't be too hard to grab the
data out of there and stuff it into its own file in ~/.pki or such; you
don't really want to be storing certificate data in GConf or elsewhere.

In the end, we need a certificate store like Windows or Mac OS X has,
but for now we'll need to use files I guess.

One caveat is to ensure that the user's private key is written out in
encrypted form if it's not already encrypted in the config.


> > The whitelisting is for security.  As a user, if you download a
> > configuration file and want to use it, what's to say it doesn't include
> > some options that make things less-secure or are malicious?  Depending
> > on the plugin you could send a config option for "run this script after
> > connection" and since the VPN plugins currently run as root, that script
> > gets run as root.  The configuration data cannot /necessarily/ be
> > trusted especially if it comes from the user session.  At the same time,
> > you don't want to /necessarily/ lock users out completely (that's the
> > discretion of the sysadmin if there is one).
> Ah, this security concern settles it for me.  The reason that other
> clients can offer the config file management paradigm is that you must
> have admin privileges to run the program in the first place.  Not so
> with NM.
> Thanks again for your time.  Much appreciated.

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]