Re: Wireless Keys stored unencrypted?
- From: Darren Albers <dalbers gmail com>
- To: Dan Williams <dcbw redhat com>
- Cc: network manager <networkmanager-list gnome org>
- Subject: Re: Wireless Keys stored unencrypted?
- Date: Tue, 21 Jun 2011 10:37:44 -0400
On Tue, Jun 21, 2011 at 8:04 AM, Darren Albers <dalbers gmail com> wrote:
> On Tue, Jun 21, 2011 at 1:08 AM, Dan Williams <dcbw redhat com> wrote:
>> On Mon, 2011-06-20 at 17:18 +0530, Ritesh Khadgaray wrote:
>>> Hi
>>>
>>>
>>> On Sat, Jun 18, 2011 at 7:57 AM, Darren Albers <dalbers gmail com> wrote:
>>> > While doing some research I noticed that wireless keys are located
>>> > unencrypted in /etc/sysconfig/network-scripts. It even does this when
>>> > I set the wireless to not be a system-connection. It used to be that
>>> > wireless keys were stored in the keyring which seems much safer to me
>>> > than storing them locally unencrypted.
>>>
>>> Interesting, I am not an NM developer, but this seems to stem from the keyfile plugin
>>> and relies on file SELinux label/permission for protection.
>>>
>>> I also do not see an option to not save the password.
>>
>> Correct, the passwords are not encrypted because there is no user
>> available to provide passwords. The passwords are, however, only
>> visible to 'root' and thus should be protected; if your root user is
>> compromised you're hosed. This is also how existing systems have worked
>> for years, so NM certainly isn't a regression here.
>>
>> You can also opt to keep your secrets in the user keyring, which is
>> accomplished by "secret flags". For example, if you set 'psk-flags=0x1'
>> in the keyfile for a WPA-PSK connection, then NM will ask a user agent
>> (like nm-applet) for the password instead of keeping it in /etc. This
>> option is only exposed for 802.1x and LEAP passwords though (via the
>> "Always ask for this password" checkbox) because only those password
>> types are really personal passwords; a WPA-PSK or WEP key really isn't
>> personal.
>>
>> VPN connections also default to having secrets owned by the user's
>> session in a keyring.
>>
>> Dan
>>
>>
>
> Thank you Dan! It sounds like I am incorrect but I used to recall
> that if a connection was not a system connection that the key would be
> stored in the keyring and that was the default. Is that not the case
> any longer?
>
> Thank you!
>
Dan,
Sorry to add more questions but adding that to either the keyfile or
the ifcfg did not seem to help. Is there a specific syntax I should
be using or possibly a man page I can look at? I didn't see much
detail in man NetworkManager or man NetworkManager.conf.
Thank you!
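
An added example, not part of the original thread and not NetworkManager code: a small audit that reads a keyfile's contents and reports which secrets are written in the file and whether a secret flag such as the 'psk-flags=0x1' mentioned above is set. The section name, the subset of keys in SECRET_FLAGS and the sample keyfiles are assumptions made for illustration; 0x1 (agent-owned) and 0x2 (not saved) are NetworkManager's secret flag values.

```python
import configparser

# Secret properties mapped to the flags key that governs each of them.
# Assumption: an illustrative subset, not the full list NM supports.
SECRET_FLAGS = {
    "psk": "psk-flags",
    "leap-password": "leap-password-flags",
    "wep-key0": "wep-key-flags",
    "password": "password-flags",
}
AGENT_OWNED, NOT_SAVED = 0x1, 0x2

def audit_keyfile(text):
    """Return (section, key, finding) tuples for one keyfile's contents."""
    cp = configparser.RawConfigParser(delimiters=("=",), strict=False)
    cp.optionxform = str  # keep key names exactly as written
    cp.read_string(text)
    findings = []
    for section in cp.sections():
        for secret, flags_key in SECRET_FLAGS.items():
            if not cp.has_option(section, secret):
                continue
            # int(..., 0) accepts both "1" and "0x1"
            flags = int(cp.get(section, flags_key, fallback="0"), 0)
            if flags & (AGENT_OWNED | NOT_SAVED):
                findings.append((section, secret, "stored despite flags"))
            else:
                findings.append((section, secret, "stored in plaintext"))
    return findings

# Constructed sample keyfiles (connection names and keys are made up).
SYSTEM_STORED = """[connection]
id=office
[802-11-wireless-security]
key-mgmt=wpa-psk
psk=constructed-example-passphrase
"""
AGENT_STORED = """[connection]
id=home
[802-11-wireless-security]
key-mgmt=wpa-psk
psk-flags=0x1
"""

if __name__ == "__main__":
    for name, text in (("office", SYSTEM_STORED), ("home", AGENT_STORED)):
        print(name, audit_keyfile(text))
```

A "stored despite flags" finding means the flag was set but an old copy of the secret is still in the file and should be removed.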