On Tuesday 21 of June 2011 16:37:44 Darren Albers wrote:
> On Tue, Jun 21, 2011 at 8:04 AM, Darren Albers <[email protected]> wrote:
> > On Tue, Jun 21, 2011 at 1:08 AM, Dan Williams <[email protected]> wrote:
> >> On Mon, 2011-06-20 at 17:18 +0530, Ritesh Khadgaray wrote:
> >>> Hi
> >>>
> >>> On Sat, Jun 18, 2011 at 7:57 AM, Darren Albers <[email protected]> wrote:
> >>> > While doing some research I noticed that wireless keys are located
> >>> > unencrypted in /etc/sysconfig/network-scripts. It even does this when
> >>> > I set the wireless to not be a system-connection. It used to be
> >>> > that wireless keys were stored in the keyring which seems much safer
> >>> > to me than storing them locally unencrypted.
> >>>
> >>> interesting, I am not an nm developer but this seems to stem from
> >>> keyfile plugin and relies on file selinux label/permission for
> >>> protection.
> >>>
> >>> I also do not see an option to not save the password.
> >>
> >> Correct, the passwords are not encrypted because there is no user
> >> available to provide passwords. The passwords are, however, only
> >> visible to 'root' and thus should be protected; if your root user is
> >> compromised you're hosed. This is also how existing systems have worked
> >> for years, so NM certainly isn't a regression here.
> >>
> >> You can also opt to keep your secrets in the user keyring, which is
> >> accomplished by "secret flags". For example, if you set 'psk-flags=0x1'
> >> in the keyfile for a WPA-PSK connection, then NM will ask a user agent
> >> (like nm-applet) for the password instead of keeping it in /etc. This
> >> option is only exposed for 802.1x and LEAP passwords though (via the
> >> "Always ask for this password" checkbox) because only those password
> >> types are really personal passwords; a WPA-PSK or WEP key really isn't
> >> personal.
> >>
> >> VPN connections also default to having secrets owned by the user's
> >> session in a keyring.
> >>
> >> Dan
> >
> > Thank you Dan! It sounds like I am incorrect but I used to recall
> > that if a connection was not a system connection that the key would be
> > stored in the keyring and that was the default. Is that not the case
> > any longer?
> >
> > Thank you!
>
> Dan,
>
> Sorry to add more questions but adding that to either the keyfile or
> the ifcfg did not seem to help. Is there a specific syntax I should
> be using or possibly a man page I can look at? I didn't see much
> detail in man NetworkManager or man NetworkManager.conf
>
The exact format depends on the plugin that stores the connection (ifcfg-rh,
keyfile, ifupdown, ...)

keyfile plugin stores the whole connection in a single file in
/etc/NetworkManager/system-connections/, including passwords. The format
matches the connection settings. See
http://live.gnome.org/NetworkManager/SystemSettings and
http://live.gnome.org/NetworkManagerConfiguration and
http://projects.gnome.org/NetworkManager/developers/migrating-to-09/ref-settings.html

ifcfg-rh plugin uses a few files:
* ifcfg-<name> is the base file
* keys-<name> is the file for passwords
* route-<name> is the file for static routes
...

ifcfg-rh plugin is basically compatible with initscripts format:
/usr/share/doc/initscripts-<version>/sysconfig.txt
For personal WPA the key use e.g. WPA_PSK="helloworld",
for enterprise WPA it is e.g. IEEE_8021X_PASSWORD=blahblah
for WEP it is KEY1 (KEY2 - KEY4), e.g. KEY1=s:hello or KEY1=0102030405

Jirka
_______________________________________________
networkmanager-list mailing list
[email protected]
http://mail.gnome.org/mailman/listinfo/networkmanager-list
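
An added example, not part of the original thread or of NetworkManager's own code: a small audit of keyfile-format connection text that reports which secrets sit in the file itself and what their `<secret>-flags` value is (absent means 0, i.e. stored by NM, versus the `psk-flags=0x1` case discussed above), plus a check that the file is not readable beyond its owner. The section and property names are taken from NM's settings reference as an assumption, and the sample connections are constructed.

```python
import configparser
import os
import stat

# Assumed secret property names from NM's settings reference.
WIFI = ["psk", "wep-key0", "wep-key1", "wep-key2", "wep-key3", "leap-password"]
# Section names: the NM 0.9-era name and the later alias for the same setting.
SECRETS = {"802-11-wireless-security": WIFI, "wifi-security": WIFI,
           "802-1x": ["password", "private-key-password"]}

def audit_keyfile_text(text):
    """Return [(section, key, flags)] for every secret present in the file."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   delimiters=("=",))
    cp.optionxform = str  # keyfile keys are case-sensitive
    cp.read_string(text)
    findings = []
    for section, keys in SECRETS.items():
        if not cp.has_section(section):
            continue
        for key in keys:
            if cp.has_option(section, key):
                # "0x1" and "1" are both accepted; a missing flags key means 0.
                flags = int(cp.get(section, key + "-flags", fallback="0"), 0)
                findings.append((section, key, flags))
    return findings

def mode_too_open(path):
    """True if group or other have any access to the connection file."""
    return bool(stat.S_IMODE(os.stat(path).st_mode) & 0o077)

# Constructed sample: PSK stored in the file, no flags set.
SAMPLE_STORED = """[connection]
id=example-wifi
type=802-11-wireless

[802-11-wireless-security]
key-mgmt=wpa-psk
psk=constructed-passphrase
"""
# Constructed sample: agent-owned secret, nothing stored in the file.
SAMPLE_AGENT = """[802-11-wireless-security]
key-mgmt=wpa-psk
psk-flags=0x1
"""

if __name__ == "__main__":
    for name, text in (("stored", SAMPLE_STORED), ("agent", SAMPLE_AGENT)):
        print(name, audit_keyfile_text(text))
```

A finding with flags 1 means the file still carries a value even though the connection is marked agent-owned, which is worth cleaning up by hand.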
