Re: Retries after secrets reject in 4-way handshake



On Fri, 2019-09-13 at 09:47 +0200, Alfonso Sanchez-Beato via networkmanager-list wrote:
Hi,

We have found a problem by which a buggy access point rejects a valid
passphrase in the 4-Way Handshake phase. This happens just after the
AP has rebooted - a few seconds later the AP accepts the passphrase
again.

The problem is that NetworkManager drops the passphrase after the
failure to connect (see
https://github.com/NetworkManager/NetworkManager/blob/master/src/devices/wifi/nm-device-wifi.c#L1969
), and then it tries to call an agent to get another passphrase. In
this set-up, we do not have that agent, and then the connection stays
there and there are no more connection retries.

It does not look like NM currently has a way to force retries in this
case, although I would be happy to be proven wrong.

What you describe is a problem, with nasty effects.

- the user gets repeatedly prompted for a password, although the password
is right.

- if no agent is available, the connection gets blocked from
autoconnect. That's especially problematic if the user is not
available to manually re-trigger an authentication.


So, I have thought of some possible ways to solve this and would
appreciate your feedback on what would be the best approach and what
would be acceptable to be merged:

1. Do some retries before calling the agent

Does that solve the problem? Also, I don't think this should be done by
default, because the user might get blocked. Also, doing this
unconditionally adds quite a delay in the common case where the
password is indeed wrong.

2. Do not drop the secret if there is no agent registered

Not "dropping" the secret does not seem to be a solution. It's merely
part of a possible solution.

3. Have a new property for the connection that forbids dropping
secrets

While it's ugly to do this, I think it's the only solution. We could
add a connection property to the connection profile that says "assume-
the-secret-is-correct-for-n-times". The current behavior is like "1".
"0" means forever (with some ratelimiting).


best,
Thomas
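The retry semantics Thomas sketches above (a per-profile count of how many times the secret is assumed correct, where 1 is today's behaviour and 0 means keep retrying with rate limiting) can be modelled as a small state machine. The following is an added illustration written for this thread, not NetworkManager code, and the property name, the back-off constants and the simulated access point are all assumptions made here to show how the three outcomes (connected, agent prompted, blocked without agent) fall out of the chosen value.

```python
"""Model of the proposed "assume-the-secret-is-correct-for-n-times" policy.

Added example for this thread; not NetworkManager's implementation.
The property name, delays and the simulated AP are assumptions.
"""
from dataclasses import dataclass


@dataclass
class SecretRetryPolicy:
    # n == 1: current behaviour (drop the secret after the first rejection)
    # n == 0: never drop the secret, but rate-limit the retries
    # n  > 1: tolerate n-1 rejections before dropping the secret
    assume_correct_times: int = 1
    base_delay: float = 1.0     # assumed rate-limit seed for n == 0
    max_delay: float = 60.0     # assumed cap on the back-off for n == 0
    rejections: int = 0

    def on_handshake_rejected(self) -> str:
        """Called when the AP rejects the passphrase in the 4-way handshake.

        Returns "retry" (keep the stored secret and try again) or
        "drop" (discard the secret and ask a secrets agent).
        """
        self.rejections += 1
        if self.assume_correct_times == 0:
            return "retry"  # caller must honour retry_delay()
        if self.rejections < self.assume_correct_times:
            return "retry"
        return "drop"

    def retry_delay(self) -> float:
        """Seconds to wait before the next attempt; only non-zero for n == 0."""
        if self.assume_correct_times != 0:
            return 0.0
        # Exponential back-off so a permanently wrong secret does not
        # hammer the AP; the constants are assumed values.
        return min(self.base_delay * 2 ** (self.rejections - 1), self.max_delay)

    def on_connected(self) -> None:
        """A successful association resets the rejection counter."""
        self.rejections = 0


def simulate(n: int, transient_rejections: int, agent_available: bool,
             max_attempts: int = 20):
    """Drive the policy against a constructed AP that rejects the (correct)
    passphrase for its first `transient_rejections` attempts, as the
    freshly rebooted AP in the report does, then accepts it.

    Returns (outcome, seconds_spent_waiting).
    """
    policy = SecretRetryPolicy(assume_correct_times=n)
    elapsed = 0.0
    for attempt in range(1, max_attempts + 1):
        if attempt > transient_rejections:
            policy.on_connected()
            return ("connected", elapsed)
        if policy.on_handshake_rejected() == "drop":
            # Secret is gone: with an agent the user gets prompted for a
            # password that was right; without one the profile is stuck.
            outcome = "agent-prompted" if agent_available else "blocked-no-agent"
            return (outcome, elapsed)
        elapsed += policy.retry_delay()
    return ("gave-up", elapsed)


if __name__ == "__main__":
    for n in (1, 3, 0):
        for agent in (True, False):
            print(f"n={n} agent={agent}: {simulate(n, 2, agent)}")
```

Running the script shows the trade-off from the discussion: with the default (n=1) a two-second AP hiccup either prompts the user or, headless, blocks autoconnect; with n=3 the secret survives the transient rejections at no cost; with n=0 it survives as well but a genuinely wrong passphrase now keeps retrying, which is why the rate limiting is part of that variant.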
