Re: networkmanager need old password for keyring



On Sat, 2010-05-15 at 20:09 +0200, Frederik Nnaji wrote:
> On Fri, May 14, 2010 at 08:39, Dan Williams <dcbw redhat com> wrote:
>         Hmm, sounds like a bug.  I can try to check and make sure that
>         the PIN gets updated in the keyring.
> 
> 
> so what you are saying is essentially that nm won't prompt me for a
> new PIN if i insert a SIM with a different password into the same UMTS
> stick?

At this time, that's correct.  You'll want to update the PIN in the
connection editor for that connection.  We'll certainly need to do
better than this in the future and most of the infrastructure is there
in ModemManager.  What's missing is some bits in NM when the PIN is
wrong.

There are really two problems here:

1) when the PIN is wrong and the modem fails CPIN, NM should ask the
user for the PIN.  It would be nice to show the # of tries remaining,
but most modems don't give us that information.

2) Most of the time you can't get the SIM's serial # (IMSI) before
you've sent the PIN, so we don't have a good way of tying the PIN to the
specific SIM the PIN is for.  Most modems won't respond to much of
anything (including getting the SIM's IMSI) before you've sent the pin,
so it's a chicken-and-egg problem.

> 
>         > in Mobile Broadband we might want to identify the SIM card on a
>         > hardware level.
>         > it doesn't make sense to believe that same ISP means same PIN code.
>         
>         
>         Yes, we should tie the PIN to the SIM.  The big problem here is that
>         for many devices (a lot of them actually) you can't get the IMSI
>         until *after* you unlock the SIM.  Which means we can't use the IMSI
>         to look up the PIN for a lot of devices like you really want.
>         
>         Dan
> 
> let's go about this differently then.
> i suggest, let it be handled like banking cards or most other pin
> codes:
> we have 3 attempts. the first two might fail, the third one can not.

Right, that's the right way to go about it.

However, note that current nm-applet and modem-manager will ask you to
enter the PIN when the card is inserted or found; this happens
immediately before you make any connection, and at this point you can't
save the PIN in that dialog.  This is because often you'll want to see
the registration status, signal strength, roaming, etc even when you're
not connected, and that's not something specific to the data connection,
but to the device before the data connection.  I've got a few ideas
about how to make this better (don't ask until the user enables the
device from the menu, try to tie the saved PIN to the IMSI if we can,
etc).

But the end result is that if your modem sucks, you'll either (a) have
to enter it every time because we can't get the IMSI before sending the
PIN, or (b) if the PIN was saved it might get entered wrong.

> 
> probe for password failure and notify about it.
> right now there's no way in userland to know if the keyring tried a
> wrong password, or how many attempts it has made with the wrong
> password.

NM should only ever make one attempt to send the PIN before failing the
connection.  There are improvements to be made to the applet bits to ask
for the PIN again here too, though you should see the "enter your PIN"
dialog when the actual connection fails.

> how about handling that first, then we could spare ourselves the IMSI
> stuff..

Yeah, though there are two places where the PIN could be entered.
First, when the device is powered up (enabled) so that you can see
signal strength and registration status.  And second, if you cancel that
PIN request, when the actual connection is made.  The proposal you have
here only covers #2 because that's the only place that currently makes
use of saved PINs.

Room for improvement all around, of course.

Dan
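
The policy discussed in this message (tie the saved PIN to the IMSI where the modem exposes it before unlock, prompt otherwise, and send only one PIN per attempt), as an added example that is not NetworkManager or ModemManager code. `SimModem`, `unlock`, the IMSI values and the retry count of 3 are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass
class SimModem:
    """Constructed stand-in for a modem plus SIM (hypothetical, for illustration)."""
    imsi: str
    pin: str
    imsi_readable_locked: bool  # False models modems that hide the IMSI until unlock
    retries: int = 3            # assumed SIM PIN retry counter
    unlocked: bool = False

    def read_imsi(self) -> Optional[str]:
        if self.unlocked or self.imsi_readable_locked:
            return self.imsi
        return None

    def send_pin(self, pin: str) -> bool:
        if self.retries == 0:
            raise RuntimeError("SIM blocked")
        if pin == self.pin:
            self.unlocked, self.retries = True, 3
            return True
        self.retries -= 1
        return False

def unlock(modem, saved, prompt) -> Tuple[bool, str]:
    """Send exactly one PIN. `saved` maps IMSI -> PIN; `prompt` asks the user."""
    imsi = modem.read_imsi()
    if imsi is not None and imsi in saved:
        pin, source = saved[imsi], "saved"
    else:
        # IMSI unknown or no PIN stored for this SIM: never guess, ask the user.
        pin, source = prompt(), "prompt"
        if pin is None:
            return False, "cancelled"
    if modem.send_pin(pin):
        saved[modem.read_imsi()] = pin  # IMSI is readable once unlocked
        return True, source
    if source == "saved":
        del saved[imsi]  # stale entry: drop it so it cannot burn another try
    return False, source  # fail here; the caller decides whether to ask again
```

With a modem that hides the IMSI while locked, this always falls through to the prompt, which is case (a) above: the user enters the PIN every time, but a PIN saved for a different SIM is never sent.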



