Re: network-manager-openvpn
- From: Dan Williams <dcbw redhat com>
- To: Matt Wilks <matt madhaus cns utoronto ca>
- Cc: networkmanager-list gnome org
- Subject: Re: network-manager-openvpn
- Date: Wed, 16 Dec 2009 11:53:55 -0800
On Wed, 2009-12-16 at 14:33 -0500, Matt Wilks wrote:
> On Wed, 2009-12-16 at 12:43 PM, Dan Williams wrote:
> > On Tue, 2009-12-15 at 11:08 -0500, Matt Wilks wrote:
> > > What prompted my initial query was the lack of support for <ca>, <cert>
> > > and <key> directives (supported in OpenVPN since 2.1-beta7, Nov
> > > 2005). They allow you to specify the key files directly in the
> > > configuration file, making it a self-contained configuration for a
> > > connection using keys to authenticate. NetworkManager also seemed to
> > > miss the fact that my config required both keys and a password; not
> > > hard to manually set but it wasn't caught by the import.
> >
> > I do believe those have been in the NM openvpn configuration for a
> > long time. What specific version of NM-openvpn are you using? I'm
> > certainly using a CA certificate right now to write this mail. If you
> > pick "Certificates (TLS)" or "Passwords with Certificates" from the
> > dropdown you should be able to use the certificates and keys of your
> > choice. This has been the case for at least a year and a half, since
> > before NM 0.7.x was released.
>
> Keys are supported, but you have to specify them in the NetworkManager
> config through a file browser dialog. The <ca>, etc directives I'm
> talking about go in the config file and you include the actual text of
> the key, something like:
>
> <ca>
> -----BEGIN CERTIFICATE-----
> asdlgkyladkhajf;lkawur;iolw789uafjdslkafjsd;fkj
> dflkajsdlfkaylkxcjfasmjelasjruklasfdjflkasdjrlk
> fasdlfka;wo347;afalk4nasdlfksaydlkaihf3a94rsldj
> -----END CERTIFICATE-----
> </ca>
>
> and so on with <cert> and <key>. I have NM (and NM-openvpn) version 0.8
> on Ubuntu Karmic and it didn't work for me.
Aha, yes that is not yet supported; it wouldn't be too hard to grab the
data out of there and stuff it into its own file in ~/.pki or such; you
don't really want to be storing certificate data in GConf or elsewhere.
In the end, we need a certificate store like Windows or Mac OS X has,
but for now we'll need to use files I guess.
One caveat is to ensure that the user's private key is written out in
encrypted form if it's not already encrypted in the config.
Dan
> > The whitelisting is for security. As a user, if you download a
> > configuration file and want to use it, what's to say it doesn't include
> > some options that make things less-secure or are malicious? Depending
> > on the plugin you could send a config option for "run this script after
> > connection" and since the VPN plugins currently run as root, that script
> > gets run as root. The configuration data cannot /necessarily/ be
> > trusted especially if it comes from the user session. At the same time,
> > you don't want to /necessarily/ lock users out completely (that's the
> > discretion of the sysadmin if there is one).
>
> Ah, this security concern settles it for me. The reason that other
> clients can offer the config file management paradigm is that you must
> have admin privileges to run the program in the first place. Not so
> with NM.
>
> Thanks again for your time. Much appreciated.
>