Re: vpnc System-wide settings



I'm aware of this, that's why I only did that for the group password. For me the group password is part of the configuration since it's a shared secret amongst all VPN users, and is chosen and updated by the admin, unlike the user password. On most systems this password is accessible to all users.
On the other hand, gnome-keyring doesn't seem to provide (yet) simple utilities to populate/update the user keyring, and it means at each login: connect to the keyring, check/update the keyring...

Maybe this patch is only useful for my particular case, but it's not that bad: I took pleasure hacking network-manager :)

Laurent
----- Original Message -----
From: "Dan Williams" <dcbw redhat com>
To: "Laurent Goujon" <laurent goujon online fr>
Cc: networkmanager-list gnome org
Sent: Tuesday 14 July 2009 21:17:02 GMT +01:00 Amsterdam / Berlin / Bern / Rome / Stockholm / Vienna
Subject: Re: vpnc System-wide settings

On Tue, 2009-07-14 at 16:09 +0200, Laurent Goujon wrote:
> I made a small patch against network-manager-vpnc to look up the group password in GConf during the auth phase. With this patch I'm able to provide a shared configuration for the VPN (including the group password); the user just needs to provide their own password.

The problem with that though is that you've just bypassed the keyring
which stores secrets securely.  If you store it in GConf, they are in
the clear and accessible to any program running as the user.  Which is
why secrets don't get stored in GConf in the first place.  TBH the best
mechanism is to run a script on login to install the secret into the
users' keyrings.

Dan

> Laurent Goujon
> ----- Original Message -----
> From: "Dan Williams" <dcbw redhat com>
> To: "Laurent Goujon" <laurent goujon online fr>
> Cc: networkmanager-list gnome org
> Sent: Monday 13 July 2009 20:17:22 GMT +01:00 Amsterdam / Berlin / Bern / Rome / Stockholm / Vienna
> Subject: Re: vpnc System-wide settings
> 
> On Mon, 2009-07-13 at 11:27 +0200, Laurent Goujon wrote:
> > Ok, I think I have the overall idea... the nm applet wraps user connections in order to intercept activation and provides username and password. I'm tempted to do something similar to system connections. Good idea?
> 
> So system settings are interesting WRT VPNs.  The point of system
> settings is to be available *before* login and across
> fast-user-switches.  As such, they aren't a great fit for user-specific
> VPNs.  They would be for say certificate-based OpenVPN connections or
> point-to-point VPNs between two servers, say.
> 
> It seems like what you really want to do is to add some GConf
> "mandatory" settings that contain the connection details.  I can't think
> of anything that would be user-specific, so you'd add them once in your
> initial login sequence for the user.
> 
> These wouldn't be able to be changed by the user (since they are
> mandatory, only root can change them), but the user would still be asked
> for the password when they logged in.  Since you're using tokens, you'll
> want to set the "Always Ask" option for the user password.
> 
> Dan
> 
> > Laurent
> > ----- Original Message -----
> > From: "Laurent Goujon" <laurent goujon online fr>
> > To: networkmanager-list gnome org
> > Sent: Friday 10 July 2009 18:03:03 GMT +01:00 Amsterdam / Berlin / Bern / Rome / Stockholm / Vienna
> > Subject: vpnc System-wide settings
> > 
> > Hi,
> > 
> > I'm trying to put in place system-wide settings for vpn(c). The idea is that a user has nothing to configure; he just has to check under VPN connections and click on one of the available connections. The user should just be prompted for (possibly) his username and his password.
> > 
> > So far, I managed to create configuration files and, by placing them under /etc/NetworkManager/system-connections/, to make them appear. Unfortunately I'm unable to make them work. If I don't put Xauth username = <username> into the config file, NetworkManager/vpnc manager complains that this config setting is lacking (and after some debugging it appears that the default username is simply NULL), and if I force this setting, it is Xauth password which is missing (although I set in the config file that the user should be asked for it). That becomes problematic since I use RSA tokens (so the password is different each time).
> > 
> > I suspect that since these are system-wide connections, they shouldn't depend on user information, am I right? Is there any way to extend the system configuration to support user interaction? Or a way to quickly import a VPN configuration into a user profile?
> > 
> > Thanks in advance,
> > 
> > Laurent Goujon
> > 
> > System config:
> > NetworkManager 0.7.0.99 on RHEL5
> > _______________________________________________
> > NetworkManager-list mailing list
> > NetworkManager-list gnome org
> > http://mail.gnome.org/mailman/listinfo/networkmanager-list
> 

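Added example, not part of the original thread and not NetworkManager code: an audit sketch for the concern raised above, that secrets placed in GConf sit in the clear. It walks a GConf XML backend tree and reports non-empty string entries whose key name looks like a secret; the `%gconf.xml` entry layout, the directory path, and the `group_password` key are assumptions made for this constructed sample.

```python
import os
import stat
import tempfile
import xml.etree.ElementTree as ET

SECRET_HINTS = ("secret", "password")  # assumed name fragments; adjust to your keys

def find_cleartext_secrets(gconf_root):
    """Return one finding per non-empty string entry whose key name looks like a secret."""
    findings = []
    for dirpath, _dirs, files in os.walk(gconf_root):
        if "%gconf.xml" not in files:
            continue
        path = os.path.join(dirpath, "%gconf.xml")
        try:
            root = ET.parse(path).getroot()
        except ET.ParseError:
            continue  # malformed file: skip it rather than abort the audit
        mode = stat.S_IMODE(os.stat(path).st_mode)
        for entry in root.iter("entry"):
            name = entry.get("name", "")
            value = (entry.findtext("stringvalue") or "").strip()
            if value and any(h in name.lower() for h in SECRET_HINTS):
                findings.append({
                    "file": path,
                    "key": name,
                    "length": len(value),  # report size only, never the secret
                    "world_readable": bool(mode & stat.S_IROTH),
                })
    return findings

def build_sample_tree(base):
    """Constructed sample: one VPN directory with a hypothetical group_password key."""
    vpn_dir = os.path.join(base, "system", "networking", "connections", "1", "vpn")
    os.makedirs(vpn_dir)
    path = os.path.join(vpn_dir, "%gconf.xml")
    with open(path, "w", encoding="utf-8") as fh:
        fh.write('<?xml version="1.0"?>\n<gconf>\n'
                 '<entry name="Xauth username" mtime="0" type="string">'
                 '<stringvalue>alice</stringvalue></entry>\n'
                 '<entry name="Xauth password" mtime="0" type="string">'
                 '<stringvalue></stringvalue></entry>\n'
                 '<entry name="group_password" mtime="0" type="string">'
                 '<stringvalue>constructed-shared-secret</stringvalue></entry>\n'
                 '</gconf>\n')
    os.chmod(path, 0o644)  # fixed mode so the sample result does not depend on umask
    return path

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for finding in find_cleartext_secrets(tmp):
            print(finding)
```

The empty `Xauth password` entry is not reported, which matches a connection where the user password is always asked for rather than stored.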

