On Thu, 2007-03-15 at 09:52 -0400, Dan Williams wrote: > On Thu, 2007-03-15 at 08:46 -0400, Jon Nettleton wrote: > > On Thu, 2007-03-15 at 08:11 -0400, Dan Williams wrote: > > > On Wed, 2007-03-14 at 23:29 -0700, Cindy wrote: > > > > I'm sure this has been asked before. Are there any plans to make > > > > Network Manager's use of the keyring optional? I understand the > > > > security issues, and certainly NM should default to using the keyring. > > > > But an option to turn it off would, I'm sure, be appreciated by many. > > > > > > Nope! As you say, that's a security issue. Instead you'll be able to > > > "publish" a configuration to system settings so that it's available to > > > everyone on the system (or just you if it's single-user) and therefore > > > available for NetworkManager to use when the computer boots up, not just > > > when you log in. > > > > Random curiosity. Waht is the planned mechanism for storing the > > published WEP/WPA keys? I haven't found any documentation online, other > > than the preferences are getting published in the main gconf repo. > > Well, given the fact that the keys have to be available to the system > when there is no possibility of user-interaction for a > password/passphrase, any necessary authentication information (keys, > certificate passphrases, VPN passwords, etc) will be stored unencrypted > in files owned by and r/w only by root, at least in the stock > implementation. That's about as good as you can get, since if somebody > has root on your box you're pretty much screwed anyway. That's the > price you pay not sitting in front of the box when you want the network > to come up.
I find it somewhat amusing that with all the badmouthing of the ifup scripts storing the encryption keys unencrypted on the filesystem, we are right back to the same place. But like you said above, that is just how it has got to be. Will this mean that NetworkManager will be accepting patches to extend compatibility with existing network profile storage systems? I have had a "Configuration" daemon and patches I have been using for months now, that I didn't release because everyone seemed so down on the ideas. > > Technically the info-daemon for whatever desktop you're using will be > able to store the keys as it sees fit. I would hope that we could move to a point where a system smart card could be used to unlock an encrypted storage system. It isn't perfect, but you know that if you ditch a hard-drive or old computer your stuff your secrets will be a little more secure. Jon > > Dan > > _______________________________________________ NetworkManager-list mailing list [email protected] http://mail.gnome.org/mailman/listinfo/networkmanager-list
