Re: Wireless Keys stored unencrypted?



On Mon, 2011-06-20 at 17:18 +0530, Ritesh Khadgaray wrote:
> Hi
> 
> 
> On Sat, Jun 18, 2011 at 7:57 AM, Darren Albers <dalbers gmail com> wrote:
> > While doing some research I noticed that wireless keys are located
> > unencrypted in /etc/sysconfig/network-scripts. It even does this when
> > I set the wireless to not be a system-connection. It used to be that
> > wireless keys were stored in the keyring which seems much safer to me
> > than storing them locally unencrypted.
> 
> Interesting, I am not an NM developer but this seems to stem from the keyfile plugin
> and relies on file SELinux label/permission for protection.
> 
> I also do not see an option to not save the password.

Correct, the passwords are not encrypted because there is no user
available to provide passwords.  The passwords are, however, only
visible to 'root' and thus should be protected; if your root user is
compromised you're hosed.  This is also how existing systems have worked
for years, so NM certainly isn't a regression here.

You can also opt to keep your secrets in the user keyring, which is
accomplished by "secret flags".  For example, if you set 'psk-flags=0x1'
in the keyfile for a WPA-PSK connection, then NM will ask a user agent
(like nm-applet) for the password instead of keeping it in /etc.  This
option is only exposed for 802.1x and LEAP passwords though (via the
"Always ask for this password" checkbox) because only those password
types are really personal passwords; a WPA-PSK or WEP key really isn't
personal.

VPN connections also default to having secrets owned by the user's
session in a keyring.

Dan
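
An added example, not part of the original thread and not NetworkManager code: a small audit that reports which secrets a keyfile-format profile keeps on disk and whether the file is readable by anyone other than root. It assumes the INI-style keyfile layout; the property names other than `psk-flags` and the sample profile are assumptions or constructed values.

```python
import configparser
import os
import stat
import tempfile

# Secret property -> its companion flags property in a keyfile profile.
SECRETS = {"psk": "psk-flags", "wep-key0": "wep-key-flags",
           "leap-password": "leap-password-flags", "password": "password-flags"}
AGENT_OWNED = 0x1  # the 'psk-flags=0x1' case from the message above

# Constructed sample profile; the passphrase is made up.
SAMPLE = """[wifi-security]
key-mgmt=wpa-psk
psk=constructed-passphrase
"""

def audit_keyfile(path):
    """Return findings about secrets and permissions for one keyfile profile."""
    findings = []
    st = os.stat(path)
    if st.st_uid != 0:
        findings.append(f"owner uid {st.st_uid} is not root")
    if stat.S_IMODE(st.st_mode) & 0o077:
        findings.append(f"mode {stat.S_IMODE(st.st_mode):04o} is open to group/other")
    cp = configparser.RawConfigParser(strict=False)
    cp.optionxform = str  # keep key names case-sensitive
    try:
        cp.read(path)
    except configparser.Error as exc:
        return findings + [f"unparseable keyfile: {exc.__class__.__name__}"]
    for section in cp.sections():
        for key, flags_key in SECRETS.items():
            if not cp.has_option(section, key):
                continue
            flags = int(cp.get(section, flags_key, fallback="0"), 0)
            where = "despite agent-owned flag" if flags & AGENT_OWNED else "system-owned"
            findings.append(f"[{section}] {key} stored on disk ({where})")
    return findings

def demo():
    """Audit the constructed SAMPLE, written to a temp file with mode 0644."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "example-wifi")
        with open(path, "w") as fh:
            fh.write(SAMPLE)
        os.chmod(path, 0o644)
        return audit_keyfile(path)

if __name__ == "__main__":
    print("\n".join(demo()))
```

A profile that sets `psk-flags=0x1` and carries no `psk` line produces no secret findings, which is the agent-owned setup described in the message.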