Re: Wireless Keys stored unencrypted?



On Tue, Jun 21, 2011 at 8:03 PM, Darren Albers <dalbers gmail com> wrote:
> On Tue, Jun 21, 2011 at 7:24 PM, Darren Albers <dalbers gmail com> wrote:
>> On Tue, Jun 21, 2011 at 12:27 PM, Jirka Klimes <jklimes redhat com> wrote:
>>> On Tuesday 21 of June 2011 14:04:58 Darren Albers wrote:
>>>> On Tue, Jun 21, 2011 at 1:08 AM, Dan Williams <dcbw redhat com> wrote:
>>>> > On Mon, 2011-06-20 at 17:18 +0530, Ritesh Khadgaray wrote:
>>>> >> Hi
>>>> >>
>>>> >> On Sat, Jun 18, 2011 at 7:57 AM, Darren Albers <dalbers gmail com> wrote:
>>>> >> > While doing some research I noticed that wireless keys are located
>>>> >> > unencrypted in /etc/sysconfig/network-scripts  It even does this when
>>>> >> > I set the wireless to not be a system-connection.   It used to be that
>>>> >> > wireless keys were stored in the keyring which seems much safer to me
>>>> >> > than storing them locally unencrypted.
>>>> >>
>>>> >> interesting, I am not an nm developer but this seems to stem from
>>>> >> keyfile plugin and relies on file selinux label/permission for
>>>> >> protection.
>>>> >>
>>>> >> I also do not  see an option to not save the password.
>>>> >
>>>> > Correct, the passwords are not encrypted because there is no user
>>>> > available to provide passwords.  The passwords are, however, only
>>>> > visible too 'root' and thus should be protected; if your root user is
>>>> > compromised you're hosed.  This is also how existing system have worked
>>>> > for years, so NM certainly isn't a regression here.
>>>> >
>>>> > You can also opt to keep your secrets in the user keyring, which is
>>>> > accomplished by "secret flags".  For example, if you set 'psk-flags=0x1'
>>>> > in the keyfile for a WPA-PSK connection, then NM will ask a user agent
>>>> > (like nm-applet) for the password instead of keeping it in /etc.  This
>>>> > option is only exposed for 802.1x and LEAP passwords though (via the
>>>> > "Always ask for this password" checkbox) because only those password
>>>> > types are really personal passwords; a WPA-PSK or WEP key really isn't
>>>> > personal.
>>>> >
>>>> > VPN connections also default to having secrets owned by the user's
>>>> > session in a keyring.
>>>> >
>>>> > Dan
>>>>
>>>> Thank you Dan!   It sounds like I am incorrect but I used to recall
>>>> that if a connection was not a system connection that the key would be
>>>> stored in the keyring and that was the default.  Is that not the case
>>>> any longer?
>>>>
>>>
>>> With NM 0.9 we get rid of user connections, so we have just system connections
>>> (stored and managed by NM itself). And connection visibility only for some
>>> users is obtained via permissions in every connection (see USERS= in ifcfg
>>> files).
>>> As far as secrets are concerned, there are now "Secret Propery Flags" flags
>>> saying where the password is stored; see
>>> http://projects.gnome.org/NetworkManager/developers/migrating-to-09/secrets-
>>> flags.html
>>> By default, secrets are stored by NM (flag 0x00). But, as Dan said, for certain
>>> connection types (like VPN), the password is rather stored by the client (in a
>>> keyring) by default.
>>>
>>> Jirka
>>>
>>
>> Jirka,
>>
>> Thank you for the detailed reply, so if I want to tell NM to store my
>> password as Agent-Owned for my wpa-psk connection how would I do that?
>>  I tried playing with the various ifcfg settings for my wireless and
>> nothing I did seemed to force it to use the option 0x1 to ask the
>> agent.   Should this setting be placed in the keyfile or in ifcfg?
>> The link you sent indicates the dbus commands to send which don't seem
>> to match up with the options in either the keyfile or ifcfg so I even
>> tried psk_flags and psk-flags and similar variations.   The
>> documentation has this:
>> psk-flags  uint32  0    Flags indicating how to handle the WPA PSK key.
>> (see the section called “Secret flag types” for flag values)
>>
>> I assume that is the correct attribute to set?
>>
>> Thank you!
>>
>
> Ok I think I figured out the keyfile format via a bit of trial and
> error.   Sorry for the noise!
>

So I was able to configure it to prompt for a wireless password each
time but I haven't had much luck with telling it to store it in the
keyring.   Can someone look this over and let me know if I have done
something wrong?

Thanks!



[connection]
id=XXXXXXX
uuid=365b23ac-1f43-4850-8074-e7407ecdbb6b
type=802-11-wireless
permissions=user:username:;

[802-11-wireless]
ssid=XXXXXXX
security=802-11-wireless-security

[802-11-wireless-security]
key-mgmt=wpa-psk
psk-flags=1

[ipv4]
method=auto


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]