Hi Tobias,
On 8/16/19 3:43 PM, Tobias Brunner wrote:
> Hi Harald,
>
>> hopefully it's OK to drop some complaints about the PSK
>> authentication option in the network manager applet (1.4.5)
>> here?
>
> Sure, but note that we don't recommend using PSKs for remote access.
> Using a server certificate together with EAP is a much safer (and not
> much more complex) alternative. That option only exists in the NM
> plugin because of a customer.

I am not using PSKs for road warriors, either, but I am pretty sure
that there is a "grey area" here.

>> Certificate is (None), but this option is not greyed out for
>> PSK, as one would expect. Do I still have to select a certificate?
>
> You might, if the server is authenticated with a certificate (IKEv2
> allows asymmetric authentication). But be aware that the password hash
> is sent before the server certificate is received/verified (compared to
> EAP, where the server is validated first, which is, thus, not vulnerable
> to active attackers).
>
>> I would guess the "Name" entry is actually the local identifier,
>> is it?
>
> Correct.

Do you think it would be possible to dynamically change the input
form, depending upon whether it's x509, PSK, smartcard or eap? The
current static design is the confusing part.

>> The "Password" entry has to be manually set to one of the "Store
>> the password" options, which are *extremely* hard to find. Without
>> this you simply cannot enter the pre-shared key. This is highly
>> frustrating.
>
> It's a standard UI element for password fields provided by libnma. It
> works exactly the same for EAP passwords (it's the same field after
> all), which is why the default is probably to prompt the user for it
> when the connection is initiated. The icon/button to change it is right
> there in the text field, so I don't see how it is *extremely* hard to find.

Maybe it's just me (I am no GUI user), but it's quite confusing to
first select "PSK" on top, and then you cannot enter the PSK (even
though it's not greyed out). Without recognizing the tiny question mark
icon in the password box the GUI appears to be broken.

>> Apparently there seems to be a requirement to enter at least
>> 20 chars for the pre-shared key, or you cannot save. Frustrating
>> again. Maybe I am too blind to see, but I haven't seen this
>> documented anywhere. Maybe the PSK bubble could say? How is the
>> peer admin supposed to know on defining the PSK?
>
> The tooltip for the password field does mention that limit. As I said,
> we don't think PSK authentication is a good choice for remote access at
> all. At least with the limit strong passwords will be used. While the
> 20 character limit is arbitrary, I don't think we are going to lower it.

I am not asking you to lower it. But the admin managing the PSKs
on his high-end VPN gateway on the peer doesn't know about this
restriction in strongswan. How would you like to address this?

Surely I understand that PSKs should be avoided in favor of server
certificate and EAP, but it's hard for me to close a valid Debian bug
report about n-m-s, telling the user to drop PSKs and to try EAP
instead. Maybe it would help to officially set the PSK feature in
n-m-s to "deprecated"?

Regards
Harri