Re: Wireless Keys stored unencrypted?

On Tue, Jun 21, 2011 at 8:04 AM, Darren Albers <dalbers gmail com> wrote:
> On Tue, Jun 21, 2011 at 1:08 AM, Dan Williams <dcbw redhat com> wrote:
>> On Mon, 2011-06-20 at 17:18 +0530, Ritesh Khadgaray wrote:
>>> Hi
>>> On Sat, Jun 18, 2011 at 7:57 AM, Darren Albers <dalbers gmail com> wrote:
>>> > While doing some research I noticed that wireless keys are located
>>> > unencrypted in /etc/sysconfig/network-scripts  It even does this when
>>> > I set the wireless to not be a system-connection.   It used to be that
>>> > wireless keys were stored in the keyring which seems much safer to me
>>> > than storing them locally unencrypted.
>>> interesting, I am not an nm developer but this seems to stem from keyfile plugin
>>> and relies on file selinux label/permission for protection.
>>> I also do not  see an option to not save the password.
>> Correct, the passwords are not encrypted because there is no user
>> available to provide passwords.  The passwords are, however, only
>> visible too 'root' and thus should be protected; if your root user is
>> compromised you're hosed.  This is also how existing system have worked
>> for years, so NM certainly isn't a regression here.
>> You can also opt to keep your secrets in the user keyring, which is
>> accomplished by "secret flags".  For example, if you set 'psk-flags=0x1'
>> in the keyfile for a WPA-PSK connection, then NM will ask a user agent
>> (like nm-applet) for the password instead of keeping it in /etc.  This
>> option is only exposed for 802.1x and LEAP passwords though (via the
>> "Always ask for this password" checkbox) because only those password
>> types are really personal passwords; a WPA-PSK or WEP key really isn't
>> personal.
>> VPN connections also default to having secrets owned by the user's
>> session in a keyring.
>> Dan
> Thank you Dan!   It sounds like I am incorrect but I used to recall
> that if a connection was not a system connection that the key would be
> stored in the keyring and that was the default.  Is that not the case
> any longer?
> Thank you!


Sorry to add more questions but adding that to either the keyfile or
the ifcfg did not seem to help.   Is there a specific syntax I should
be using or possibly a man page I can look at?   I didn't see much
detail in man NetworkManager or man NetworkManager.conf

Thank you!

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]