Re: vpn password stored in plain text

On Mon, 2015-09-28 at 17:57 +0200, Olaf Hering wrote:
Am 28.09.2015 um 17:00 schrieb Dan Williams:
On Mon, 2015-09-28 at 09:32 +0200, Olaf Hering wrote:
Why is the VPN password stored in plain text in
/etc/NetworkManager/system-connections? Is there a way to let the GUI
ask for it every time?

Note that the file is read-only by root.  If somebody has root on your
machine, they can do a lot more than read your password.

If the disk gets stolen the password is accessible. Thanks for your
other suggestions, will work through them.

Yes, that is correct.  Although best practices suggest full-disk
encryption on anything that can walk away, plus two-factor "something
you know and something you have" for VPNs.  But yes, setting the flags
in the file and removing the password should ensure that the password is
not stored on-disk.  You can also set the flags to '1' (agent-owned) and
the common agents like GNOME and KDE will store the password in their
respective keyrings/wallets that is protected by another password.


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]