On Wed, 2008-05-14 at 12:19 -0500, Brian Millett wrote:
> Dan Williams wrote:
> > On Wed, 2008-05-14 at 11:46 -0400, Matthew Saltzman wrote:
> >> On Tue, 2008-05-13 at 18:23 -0500, Brian Millett wrote:
> >>> Dan Williams wrote:
> >>>> On Tue, 2008-05-13 at 15:58 -0500, Brian Millett wrote:
> >>>>> Fedora 8,
> >>>>> NetworkManager-devel-0.7.0-0.6.7.svn3370.fc8
> >>>>> NetworkManager-vpnc-0.7.0-0.6.3.svn3109.fc8
> >>>>> NetworkManager-glib-0.7.0-0.6.7.svn3370.fc8
> >>>>> NetworkManager-gnome-0.7.0-0.6.7.svn3370.fc8
> >>>>> NetworkManager-openvpn-0.7.0-8.svn3302.fc8
> >>>>> NetworkManager-glib-devel-0.7.0-0.6.7.svn3370.fc8
> >>>>> NetworkManager-0.7.0-0.6.7.svn3370.fc8
> >>>>>
> >>>>> I have a vpnc configuration I need to set up. It has an "IPSec
> >>>>> obfuscated secret" for the group password.
> >>>>>
> >>>>> The old VPN connections were defined in
> >>>>> .gconf/system/networking/vpn_connections, but
> >>>>> where are the connections defined now?
> >>>> They are normal connections in /system/networking/connections just like
> >>>> wifi, ethernet, cdma, gsm, etc are.
> >>> Cool! Still via configuration editor.
> >>>
> >>> Any way of knowing what number corresponds to which connection?
> >>>
> >>>>> How do I edit the configurations?
> >>>> You can still use the VPN connection editor, available from the applet
> >>>> menu.
> >>> Ok, so how do I enable the ability to edit the connection? I can see the
> >>> connections in the "Edit connections", but the only item available to
> >>> click is "Delete".
> >>>
> >>>>> Are the conf files in /etc/vpnc referenced?
> >>>> No, because VPN connections are currently per-user, though with the
> >>>> keyfile system settings plugin there's no reason they couldn't be
> >>>> system-wide as well.
> >>>>
> >> A couple related questions:
> >>
> >> (1) If I want to add
> >>
> >> DPD idle timeout (our side) 0
> >>
> >> what do I need to name the key in gconf? The gconf editor complains
> >> about the parentheses.
> >
> > The name of the item in GConf is the exact string passed to vpnc as a
> > configuration option. You'll need to GConf-escape the parentheses.
> > GConf uses the @ symbol as the escape, so you want to convert the
> > characters to be escaped to decimal, then put that number between two @
> > symbols, like so:
> >
> > My Option -->>> [EMAIL PROTECTED]@Option
> >
> >> (2) Can the obfuscated secret be stored in the keyring? If so, how? If
> >> not, how can I get it to be used instead of the group password in the
> >> keyring?
> >
> > At least vpnc can decrypt the obfuscated group secret these days. But
> > since it's not really the password, we should store it differently in
> > the keyring than the password we store the group password.
> >
> > We do have a number of different issues here with the group password:
> >
> > 1) You're given the cleartext group password
> > 2) You're given a pcf file with obfuscated group password
> > 3) You're using OTP for the group password with tokens or whatever
> >
> > The first two need to get saved in the keyring. The third doesn't get
> > saved in the keyring and gets asked for every time. I don't see a big
> > problem with adding support to the vpnc connector to accept the
> > obfuscated secret, but the big issue is going to be that it's going to
> > add yet another edit box somewhere. That's not really helpful, I don't
> > think. Do you have any idea if the obfuscated secrets are all the same
> > length so perhaps we could auto-detect based on string length? Any good
> > hash algorithm is going to generate stable-length results.
>
> Ok, so I was given a pcf file with the obfuscated group secret in it. I need
> to add it to the gnome keyring or the gpg keyring? Or do I just put in the
> long obfuscated secret in the group password field and check that it be
> saved in the keyring?
>
> I also added to the %gconf.xml for the vpn-properties of that connection:
>
> <entry name="[EMAIL PROTECTED]@[EMAIL PROTECTED]@secret" mtime="1210720857" type="string">
>   <stringvalue>9B5EA67-(cut)-F48CEF</stringvalue>
> </entry>

Well, currently the obfuscated password isn't supported because that
config option is not allowed through to the VPN daemon. You could for
the time being decrypt the obfuscated secret.

http://svn.unix-ag.uni-kl.de/vpnc/trunk/cisco-decrypt.c

for example should be included in the vpnc sources and built with vpnc,
and will decrypt it for you.

Dan
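
Added example, not part of the original message and not GConf or NetworkManager code: the key-name escaping rule described in the quoted reply (each character to be escaped becomes its decimal value between two @ symbols), applied to the "DPD idle timeout (our side)" option asked about. The function names and the set of characters treated as safe are assumptions made for illustration.

```python
import re

# Assumption: only ASCII letters, digits, '-' and '_' pass through unchanged.
# Escaping more bytes than strictly necessary is harmless as long as the
# reader unescapes, because the decoded string is identical.
_SAFE = frozenset(
    b"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_"
)
_ESCAPE = re.compile(rb"@(\d{1,3})@")


def escape_key(text: str) -> str:
    """Escape every unsafe byte as '@' + decimal byte value + '@'."""
    parts = []
    for byte in text.encode("utf-8"):
        parts.append(chr(byte) if byte in _SAFE else "@%d@" % byte)
    return "".join(parts)


def unescape_key(escaped: str) -> str:
    """Reverse escape_key(); reject a stray '@' or a value above 255."""
    raw = escaped.encode("ascii")
    out = bytearray()
    pos = 0
    while pos < len(raw):
        if raw[pos:pos + 1] != b"@":
            out.append(raw[pos])
            pos += 1
            continue
        match = _ESCAPE.match(raw, pos)
        if match is None or int(match.group(1)) > 255:
            raise ValueError("malformed escape at offset %d" % pos)
        out.append(int(match.group(1)))
        pos = match.end()
    return out.decode("utf-8")


if __name__ == "__main__":
    option = "DPD idle timeout (our side)"  # option name from the thread
    key = escape_key(option)
    print(key)
    print(unescape_key(key) == option)
```

Because '@' itself is escaped (as @64@), a literal '@' in an option name cannot be mistaken for the start of an escape sequence when the key is decoded.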
