Re: Wireless Keys stored unencrypted?
- From: Jirka Klimes <jklimes redhat com>
- To: networkmanager-list gnome org
- Subject: Re: Wireless Keys stored unencrypted?
- Date: Tue, 21 Jun 2011 18:52:50 +0200
On Tuesday 21 of June 2011 16:37:44 Darren Albers wrote:
> On Tue, Jun 21, 2011 at 8:04 AM, Darren Albers <dalbers gmail com> wrote:
> > On Tue, Jun 21, 2011 at 1:08 AM, Dan Williams <dcbw redhat com> wrote:
> >> On Mon, 2011-06-20 at 17:18 +0530, Ritesh Khadgaray wrote:
> >>> Hi
> >>>
> >>> On Sat, Jun 18, 2011 at 7:57 AM, Darren Albers <dalbers gmail com> wrote:
> >>> > While doing some research I noticed that wireless keys are located
> >>> > unencrypted in /etc/sysconfig/network-scripts It even does this when
> >>> > I set the wireless to not be a system-connection. It used to be
> >>> > that wireless keys were stored in the keyring which seems much safer
> >>> > to me than storing them locally unencrypted.
> >>>
> >>> interesting, I am not an nm developer but this seems to stem from
> >>> keyfile plugin and relies on file selinux label/permission for
> >>> protection.
> >>>
> >>> I also do not see an option to not save the password.
> >>
> >> Correct, the passwords are not encrypted because there is no user
> >> available to provide passwords. The passwords are, however, only
> >> visible to 'root' and thus should be protected; if your root user is
> >> compromised you're hosed. This is also how existing systems have worked
> >> for years, so NM certainly isn't a regression here.
> >>
> >> You can also opt to keep your secrets in the user keyring, which is
> >> accomplished by "secret flags". For example, if you set 'psk-flags=0x1'
> >> in the keyfile for a WPA-PSK connection, then NM will ask a user agent
> >> (like nm-applet) for the password instead of keeping it in /etc. This
> >> option is only exposed for 802.1x and LEAP passwords though (via the
> >> "Always ask for this password" checkbox) because only those password
> >> types are really personal passwords; a WPA-PSK or WEP key really isn't
> >> personal.
> >>
> >> VPN connections also default to having secrets owned by the user's
> >> session in a keyring.
> >>
> >> Dan
> >
> > Thank you Dan! It sounds like I am incorrect but I used to recall
> > that if a connection was not a system connection that the key would be
> > stored in the keyring and that was the default. Is that not the case
> > any longer?
> >
> > Thank you!
>
> Dan,
>
> Sorry to add more questions but adding that to either the keyfile or
> the ifcfg did not seem to help. Is there a specific syntax I should
> be using or possibly a man page I can look at? I didn't see much
> detail in man NetworkManager or man NetworkManager.conf
>
The exact format depends on the plugin that stores the connection (ifcfg-rh,
keyfile, ifupdown, ...)
keyfile plugin stores the whole connection in a single file in
/etc/NetworkManager/system-connections/, including passwords.
The format matches the connection settings. See
http://live.gnome.org/NetworkManager/SystemSettings and
http://live.gnome.org/NetworkManagerConfiguration and
http://projects.gnome.org/NetworkManager/developers/migrating-to-09/ref-settings.html
ifcfg-rh plugin uses a few files:
* ifcfg-<name> is the base file
* keys-<name> is the file for passwords
* route-<name> is the file for static routes
...
ifcfg-rh plugin is basically compatible with the initscripts format:
/usr/share/doc/initscripts-<version>/sysconfig.txt
For personal WPA the key is e.g. WPA_PSK="helloworld",
for enterprise WPA it is e.g. IEEE_8021X_PASSWORD=blahblah,
and for WEP it is KEY1 (KEY2 - KEY4), e.g. KEY1=s:hello or KEY1=0102030405
Jirka
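A small audit script, added here and not part of the thread or of NetworkManager, that checks the two storage formats described above for secrets kept on disk: the keyfile plugin's psk and psk-flags (0x1 = agent-owned, the flag Dan mentions) and the ifcfg-rh keys-<name> variables (WPA_PSK, IEEE_8021X_PASSWORD, KEY1..KEY4). The file contents below are constructed samples, and root_only is an assumed helper for the root-only permission check Dan's message relies on.

```python
import configparser
import re
import stat

# Secret-bearing ifcfg-rh variables named in the thread.
IFCFG_SECRET_KEYS = {"WPA_PSK", "IEEE_8021X_PASSWORD", "KEY1", "KEY2", "KEY3", "KEY4"}
AGENT_OWNED = 0x1  # psk-flags bit: NM asks a user agent (nm-applet) instead of storing the psk

# Constructed sample of a keyfile-plugin connection (not taken from a real host).
KEYFILE_SAMPLE = """[connection]
id=office-wifi
type=802-11-wireless

[802-11-wireless-security]
key-mgmt=wpa-psk
psk=helloworld
psk-flags=0
"""
# Constructed sample of an ifcfg-rh keys-<name> file.
IFCFG_KEYS_SAMPLE = 'WPA_PSK="helloworld"\nKEY1=s:hello\nESSID=office\n'

def audit_keyfile(text):
    """Findings for one keyfile connection: psk on disk, or flags that keep it there."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    sec = "802-11-wireless-security"
    if not cp.has_section(sec):
        return []
    found = []
    if cp.has_option(sec, "psk"):
        found.append("psk stored on disk")
    flags = int(cp.get(sec, "psk-flags", fallback="0"), 0)  # accepts "1" or "0x1"
    if cp.get(sec, "key-mgmt", fallback="") == "wpa-psk" and not flags & AGENT_OWNED:
        found.append("psk-flags lacks 0x1 (agent-owned)")
    return found

def audit_ifcfg_keys(text):
    """Findings for one keys-<name> file: every secret-bearing variable present."""
    names = re.findall(r"^\s*([A-Z0-9_]+)=", text, re.M)
    return [f"{n} stored on disk" for n in names if n in IFCFG_SECRET_KEYS]

def root_only(mode, uid):
    """True when a file is root-owned with no group/other bits (e.g. mode 0600)."""
    return uid == 0 and not mode & (stat.S_IRWXG | stat.S_IRWXO)
```

Feed the two functions the contents of files under /etc/NetworkManager/system-connections/ and /etc/sysconfig/network-scripts/keys-*, and pass each file's st_mode and st_uid from os.stat() to root_only.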