Re: vpnc System-wide settings



I made a small patch against network-manager-vpnc to look up the group password in gconf during the auth phase. With this patch I'm able to provide a shared configuration for the VPN (including the group password); the user just needs to provide his own password.

Laurent Goujon
----- Original Message -----
From: "Dan Williams" <dcbw redhat com>
To: "Laurent Goujon" <laurent goujon online fr>
Cc: networkmanager-list gnome org
Sent: Monday 13 July 2009 20:17:22 GMT +01:00 Amsterdam / Berlin / Bern / Rome / Stockholm / Vienna
Subject: Re: vpnc System-wide settings

On Mon, 2009-07-13 at 11:27 +0200, Laurent Goujon wrote:
> Ok, I think I have the overall idea... the nm applet wraps user connections in order to intercept activation and provides username and password. I'm tempted to do something similar to system connections. Good idea?

So system settings are interesting WRT VPNs.  The point of system
settings is to be available *before* login and across
fast-user-switches.  As such, they aren't a great fit for user-specific
VPNs.  They would be for say certificate-based OpenVPN connections or
point-to-point VPNs between two servers, say.

It seems like what you really want to do is to add some GConf
"mandatory" settings that contain the connection details.  I can't think
of anything that would be user-specific, so you'd add them once in your
initial login sequence for the user.

These wouldn't be able to be changed by the user (since they are
mandatory, only root can change them), but the user would still be asked
for the password when they logged in.  Since you're using tokens, you'll
want to set the "Always Ask" option for the user password.

Dan

> Laurent
> ----- Original Message -----
> From: "Laurent Goujon" <laurent goujon online fr>
> To: networkmanager-list gnome org
> Sent: Friday 10 July 2009 18:03:03 GMT +01:00 Amsterdam / Berlin / Bern / Rome / Stockholm / Vienna
> Subject: vpnc System-wide settings
> 
> Hi,
> 
> I'm trying to put in place system-wide settings for vpn(c). The idea is that a user has nothing to configure, he just has to check under VPN connections and click on one of the available connections. The user should just be prompted for (possibly) his username and his password.
> 
> So far, I managed to create configuration files and, by placing them under /etc/NetworkManager/system-connections/, to make them appear. Unfortunately I'm unable to make them work. If I don't put Xauth username = <username> into the config file, NetworkManager/vpnc manager complains that this config setting is lacking (and after some debugging it appears that the default username is simply NULL), and if I force this setting, it is the Xauth password which is missing (although I set in the config file that the user should be asked for it). That becomes problematic since I use RSA tokens (so the password is different each time).
> 
> I suspect that since these are system-wide connections, they shouldn't depend on user information, am I right? Any way to extend system configuration to support user interaction? Or a way to quickly import vpn configuration into the user profile?
> 
> Thanks in advance,
> 
> Laurent Goujon
> 
> System config:
> NetworkManager 0.7.0.99 on RHEL5
> _______________________________________________
> NetworkManager-list mailing list
> NetworkManager-list gnome org
> http://mail.gnome.org/mailman/listinfo/networkmanager-list

--- NetworkManager-vpnc-0.7.1/auth-dialog/main.c.orig	2009-07-14 15:38:11.000000000 +0200
+++ NetworkManager-vpnc-0.7.1/auth-dialog/main.c	2009-07-14 15:39:40.000000000 +0200
@@ -41,6 +41,7 @@
 #define KEYRING_UUID_TAG "connection-uuid"
 #define KEYRING_SN_TAG "setting-name"
 #define KEYRING_SK_TAG "setting-key"
+#define VPN_SECRETS_SETTING_NAME "vpn-secrets"
 
 static char *
 find_connection_path (const char *vpn_uuid)
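Review bot: the new VPN_SECRETS_SETTING_NAME define carries no comment saying what it names. It is used further down as a GConf path component under the connection path, so a one-line comment stating that, and that the value has to match whatever writes the shared configuration, would save the next reader a search.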
@@ -240,11 +241,11 @@
 get_connection_info (const char *vpn_uuid,
                      char **out_name,
                      char **out_upw_type,
+                     char **out_gpw,
                      char **out_gpw_type)
 {
 	char *key, *str;
 	char *connection_path = NULL;
-	char *upw_type = NULL, *gpw_type = NULL;
 	GConfClient *gconf_client;
 
 	connection_path = find_connection_path (vpn_uuid);
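Review bot: get_connection_info() gains out_gpw in the middle of its parameter list with no statement of ownership. Because it hands back a secret, a comment above the function should say that the caller owns the string, must clear it and must release it with g_free(). If it is not already done, set *out_gpw = NULL on entry so every early return leaves it defined.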
@@ -263,12 +264,24 @@
 	                       NM_VPNC_KEY_XAUTH_PASSWORD_TYPE);
 	*out_upw_type = gconf_client_get_string (gconf_client, key, NULL);
 	g_free (key);
-
+    
+	str = gconf_escape_key(NM_VPNC_KEY_SECRET, -1);
 	key = g_strdup_printf ("%s/%s/%s", connection_path,
-	                       NM_SETTING_VPN_SETTING_NAME,
-	                       NM_VPNC_KEY_SECRET_TYPE);
-	*out_gpw_type = gconf_client_get_string (gconf_client, key, NULL);
+	                       VPN_SECRETS_SETTING_NAME,
+	                       str);
+	g_free(str);
+	*out_gpw = gconf_client_get_string (gconf_client, key, NULL);
 	g_free (key);
+
+	if (*out_gpw)
+        *out_gpw_type = g_strdup (NM_VPNC_PW_TYPE_UNUSED);
+	else { 
+		key = g_strdup_printf ("%s/%s/%s", connection_path,
+	                           NM_SETTING_VPN_SETTING_NAME,
+	                           NM_VPNC_KEY_SECRET_TYPE);
+		*out_gpw_type = gconf_client_get_string (gconf_client, key, NULL);
+		g_free (key);
+	}
 	
 	g_free (connection_path);
 	g_object_unref (gconf_client);
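Review bot: the test "if (*out_gpw)" treats an empty string as a configured group password, so a key that exists but is empty switches the type to NM_VPNC_PW_TYPE_UNUSED and an empty secret is later handed to the service. Check for a non-empty value (*out_gpw && **out_gpw) and free and NULL the string otherwise. The lookup also passes NULL for the GError, so a wrong-typed or unreadable key looks the same as an absent one; a warning on error would make misconfiguration visible. Since the group password now comes from GConf instead of the keyring, it is held in clear text in whichever GConf source supplies it, and the commit message should say how that source is expected to be protected. Minor: the line replacing the blank line is whitespace-only, and the g_strdup line is indented with spaces where the file uses tabs.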
@@ -281,7 +294,7 @@
 	gboolean retry = FALSE;
 	char *vpn_name = NULL, *vpn_uuid = NULL, *vpn_service = NULL;
 	char *ignored;
-	char *password = NULL, *group_password = NULL;
+	char *password = NULL, *group_password = NULL, *group_password_gconf = NULL;
 	char *upw_type = NULL, *gpw_type = NULL;
 	char buf[1];
 	int ret;
@@ -321,8 +334,9 @@
 		return 1;
 	}
 
-	if (!get_connection_info (vpn_uuid, &vpn_name, &upw_type, &gpw_type)) {
+	if (!get_connection_info (vpn_uuid, &vpn_name, &upw_type, &group_password_gconf, &gpw_type)) {
 		g_free (upw_type);
+		g_free (group_password_gconf);
 		g_free (gpw_type);
 		fprintf (stderr, "This VPN connection '%s' (%s) could not be found in GConf.",
 		         vpn_name ? vpn_name : "(unknown)", vpn_uuid);
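Review bot: on this failure path group_password_gconf is released with a bare g_free(), unlike the end of main() where it is zeroed first. If get_connection_info() can return FALSE after filling out_gpw, clear it here as well, ideally through one small helper shared by both sites.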
@@ -340,7 +354,9 @@
 	/* dump the passwords to stdout */
 	if (password)
 		printf ("%s\n%s\n", NM_VPNC_KEY_XAUTH_PASSWORD, password);
-	if (group_password)
+    if (group_password_gconf)
+		printf ("%s\n%s\n", NM_VPNC_KEY_SECRET, group_password_gconf);
+	else if (group_password)
 		printf ("%s\n%s\n", NM_VPNC_KEY_SECRET, group_password);
 	printf ("\n\n");
 
@@ -352,6 +368,10 @@
 		memset (group_password, 0, strlen (group_password));
 		gnome_keyring_memory_free (group_password);
 	}
+	if (group_password_gconf) {
+		memset (group_password_gconf, 0, strlen (group_password_gconf));
+		g_free (group_password_gconf);
+	}
 
 	/* for good measure, flush stdout since Kansas is going Bye-Bye */
 	fflush (stdout);
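Review bot: the memset() immediately before g_free() on group_password_gconf is a dead store that an optimizing compiler is allowed to remove, so the clear may not happen; the existing group_password block above it has the same pattern, and both would be better served by a clearing routine the compiler cannot elide. This copy also lives in ordinary heap memory released with g_free(), not in the gnome-keyring allocator used for group_password, so it does not get that allocator's protection against being paged out.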

