Re: Wireless Keys stored unencrypted?

On Tuesday 21 of June 2011 16:37:44 Darren Albers wrote:
> On Tue, Jun 21, 2011 at 8:04 AM, Darren Albers <dalbers gmail com> wrote:
> > On Tue, Jun 21, 2011 at 1:08 AM, Dan Williams <dcbw redhat com> wrote:
> >> On Mon, 2011-06-20 at 17:18 +0530, Ritesh Khadgaray wrote:
> >>> Hi
> >>> 
> >>> On Sat, Jun 18, 2011 at 7:57 AM, Darren Albers <dalbers gmail com> 
> >>> > While doing some research I noticed that wireless keys are located
> >>> > unencrypted in /etc/sysconfig/network-scripts  It even does this when
> >>> > I set the wireless to not be a system-connection.   It used to be
> >>> > that wireless keys were stored in the keyring which seems much safer
> >>> > to me than storing them locally unencrypted.
> >>> 
> >>> interesting, I am not an nm developer but this seems to stem from
> >>> keyfile plugin and relies on file selinux label/permission for
> >>> protection.
> >>> 
> >>> I also do not  see an option to not save the password.
> >> 
> >> Correct, the passwords are not encrypted because there is no user
> >> available to provide passwords.  The passwords are, however, only
> >> visible too 'root' and thus should be protected; if your root user is
> >> compromised you're hosed.  This is also how existing system have worked
> >> for years, so NM certainly isn't a regression here.
> >> 
> >> You can also opt to keep your secrets in the user keyring, which is
> >> accomplished by "secret flags".  For example, if you set 'psk-flags=0x1'
> >> in the keyfile for a WPA-PSK connection, then NM will ask a user agent
> >> (like nm-applet) for the password instead of keeping it in /etc.  This
> >> option is only exposed for 802.1x and LEAP passwords though (via the
> >> "Always ask for this password" checkbox) because only those password
> >> types are really personal passwords; a WPA-PSK or WEP key really isn't
> >> personal.
> >> 
> >> VPN connections also default to having secrets owned by the user's
> >> session in a keyring.
> >> 
> >> Dan
> > 
> > Thank you Dan!   It sounds like I am incorrect but I used to recall
> > that if a connection was not a system connection that the key would be
> > stored in the keyring and that was the default.  Is that not the case
> > any longer?
> > 
> > Thank you!
> Dan,
> Sorry to add more questions but adding that to either the keyfile or
> the ifcfg did not seem to help.   Is there a specific syntax I should
> be using or possibly a man page I can look at?   I didn't see much
> detail in man NetworkManager or man NetworkManager.conf

The exact format depends on the plugin that stores the conection (ifcfg-rh, 
keyfile, ifupdown, ...)

keyfile plugin stores the whole connection in a single file in 
/etc/NetworkManager/system-connections/, including passwords.
The format matches the connection settings. See and and

ifcfg-rh plugin uses a few files:
* ifcfg-<name> is the base file
* keys-<name> is the file for passwords
* route-<name> is the file for static routes
ifcfg-rh plugin is basically compatible with initscrips format: 

For personal WPA the key use e.g. WPA_PSK="helloworld",
for enterprise WPA it is e.g. IEEE_8021X_PASSWORD=blahblah
for WEP it is KEY1 (KEY2 - KEY4), e.g. KEY1=s:hello or KEY1=0102030405


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]