On Wed, 2009-12-16 at 14:33 -0500, Matt Wilks wrote:
> On Wed, 2009-12-16 at 12:43 PM, Dan Williams wrote:
> > On Tue, 2009-12-15 at 11:08 -0500, Matt Wilks wrote:
> > > What prompted my initial query was the lack of support for <ca>, <cert>
> > > and <key> directives (supported in OpenVPN since 2.1-beta7, Nov
> > > 2005). They allow you to specify the key files directly in the
> > > configuration file, making it a self-contained configuration for a
> > > connection using keys to authenticate. NetworkManager also seemed to
> > > miss the fact that my config required both keys and a password; not
> > > hard to manually set but it wasn't caught by the import.
> >
> > I do believe those have been in the NM openvpn configuration for a
> > long time. What specific version of NM-openvpn are you using? I'm
> > certainly using a CA certificate right now to write this mail. If you
> > pick "Certificates (TLS)" or "Passwords with Certificates" from the
> > dropdown you should be able to use the certificates and keys of your
> > choice. This has been the case for at least a year and a half, since
> > before NM 0.7.x was released.
>
> Keys are supported, but you have to specify them in the NetworkManager
> config through a file browser dialog. The <ca>, etc. directives I'm
> talking about go in the config file and you include the actual text of
> the key, something like:
>
> <ca>
> -----BEGIN CERTIFICATE-----
> asdlgkyladkhajf;lkawur;iolw789uafjdslkafjsd;fkj
> dflkajsdlfkaylkxcjfasmjelasjruklasfdjflkasdjrlk
> fasdlfka;wo347;afalk4nasdlfksaydlkaihf3a94rsldj
> -----END CERTIFICATE-----
> </ca>
>
> and so on with <cert> and <key>. I have NM (and NM-openvpn) version 0.8
> on Ubuntu Karmic and it didn't work for me.
Aha, yes that is not yet supported; it wouldn't be too hard to grab the
data out of there and stuff it into its own file in ~/.pki or such; you
don't really want to be storing certificate data in GConf or elsewhere.
In the end, we need a certificate store like Windows or Mac OS X has, but
for now we'll need to use files I guess. One caveat is to ensure that the
user's private key is written out in encrypted form if it's not already
encrypted in the config.

Dan

> > The whitelisting is for security. As a user, if you download a
> > configuration file and want to use it, what's to say it doesn't include
> > some options that make things less-secure or are malicious? Depending
> > on the plugin you could send a config option for "run this script after
> > connection" and since the VPN plugins currently run as root, that script
> > gets run as root. The configuration data cannot /necessarily/ be
> > trusted especially if it comes from the user session. At the same time,
> > you don't want to /necessarily/ lock users out completely (that's the
> > discretion of the sysadmin if there is one).
>
> Ah, this security concern settles it for me. The reason that other
> clients can offer the config file management paradigm is that you must
> have admin privileges to run the program in the first place. Not so
> with NM.
>
> Thanks again for your time. Much appreciated.
>
> _______________________________________________
> NetworkManager-list mailing list
> [email protected]
> http://mail.gnome.org/mailman/listinfo/networkmanager-list
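An added example, not code from this thread or from NetworkManager, of the import step Dan sketches: pull the inline <ca>/<cert>/<key> blocks out of an OpenVPN config into per-user files created with mode 0600, report whether the private key is already encrypted (so the importer knows it must encrypt it before writing it out), and flag directives that make OpenVPN execute scripts, which a root-running plugin should not accept from a downloaded file unchecked. The sample config, the file names and the function names are all constructed for this example; the directive list is only a starting point, not NM's whitelist.

```python
import os, re, tempfile
from pathlib import Path

# Directives that make OpenVPN run external programs; NM's VPN plugins run as
# root, so an importer should flag these rather than copy them in unchecked.
SCRIPT_DIRECTIVES = {"up", "down", "route-up", "ipchange", "client-connect",
                     "client-disconnect", "learn-address", "script-security"}

# Constructed sample in the inline form the thread discusses (not real keys).
SAMPLE_CONFIG = """remote vpn.example.test 1194
up /tmp/after-connect.sh
<ca>
-----BEGIN CERTIFICATE-----
MIIBsampleCAcertificateDATAnotREAL
-----END CERTIFICATE-----
</ca>
<key>
-----BEGIN PRIVATE KEY-----
MIIEsamplePRIVATEkeyDATAnotREAL
-----END PRIVATE KEY-----
</key>
"""

def extract_inline_blocks(config_text):
    """Return {tag: pem} for each <ca>, <cert>, <key> inline block present."""
    pattern = r"^<(ca|cert|key)>[ \t]*\n(.*?)^</\1>"
    return {m.group(1): m.group(2) for m in re.finditer(pattern, config_text, re.S | re.M)}

def key_is_encrypted(pem):
    """True if the private key is already password-protected (PKCS#8 or legacy PEM)."""
    return "ENCRYPTED PRIVATE KEY" in pem or "Proc-Type: 4,ENCRYPTED" in pem

def find_script_directives(config_text):
    """Directives in the config that would make OpenVPN execute a script."""
    lines = [l.strip() for l in config_text.splitlines() if l.strip()]
    return [l.split()[0] for l in lines if l[0] not in "#;" and l.split()[0] in SCRIPT_DIRECTIVES]

def import_config(config_text, dest_dir=None):
    """Write each inline block to its own 0600 file and report what was found."""
    dest = Path(dest_dir or tempfile.mkdtemp(prefix="ovpn-import-"))
    blocks, paths, modes = extract_inline_blocks(config_text), {}, {}
    for tag, pem in blocks.items():
        path = dest / f"{tag}.pem"
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
        with os.fdopen(fd, "w") as fh:
            fh.write(pem)
        paths[tag], modes[tag] = str(path), os.stat(path).st_mode & 0o777
    return {"paths": paths, "modes": modes,
            "key_encrypted": key_is_encrypted(blocks["key"]) if "key" in blocks else None,
            "script_directives": find_script_directives(config_text)}
```

For the sample above the report shows an unencrypted key (the caveat Dan raises) and the `up` directive that a root-running plugin should not honour blindly; a real importer would encrypt the key before writing it and leave the decision about script directives to the sysadmin's whitelist.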
