On Tue, Jun 21, 2011 at 7:24 PM, Darren Albers <[email protected]> wrote:
> On Tue, Jun 21, 2011 at 12:27 PM, Jirka Klimes <[email protected]> wrote:
>> On Tuesday 21 of June 2011 14:04:58 Darren Albers wrote:
>>> On Tue, Jun 21, 2011 at 1:08 AM, Dan Williams <[email protected]> wrote:
>>> > On Mon, 2011-06-20 at 17:18 +0530, Ritesh Khadgaray wrote:
>>> >> Hi
>>> >>
>>> >> On Sat, Jun 18, 2011 at 7:57 AM, Darren Albers <[email protected]> wrote:
>>> >> > While doing some research I noticed that wireless keys are located
>>> >> > unencrypted in /etc/sysconfig/network-scripts. It even does this when
>>> >> > I set the wireless to not be a system-connection. It used to be that
>>> >> > wireless keys were stored in the keyring which seems much safer to me
>>> >> > than storing them locally unencrypted.
>>> >>
>>> >> Interesting, I am not an nm developer but this seems to stem from
>>> >> keyfile plugin and relies on file selinux label/permission for
>>> >> protection.
>>> >>
>>> >> I also do not see an option to not save the password.
>>> >
>>> > Correct, the passwords are not encrypted because there is no user
>>> > available to provide passwords. The passwords are, however, only
>>> > visible to 'root' and thus should be protected; if your root user is
>>> > compromised you're hosed. This is also how existing systems have worked
>>> > for years, so NM certainly isn't a regression here.
>>> >
>>> > You can also opt to keep your secrets in the user keyring, which is
>>> > accomplished by "secret flags". For example, if you set 'psk-flags=0x1'
>>> > in the keyfile for a WPA-PSK connection, then NM will ask a user agent
>>> > (like nm-applet) for the password instead of keeping it in /etc. This
>>> > option is only exposed for 802.1x and LEAP passwords though (via the
>>> > "Always ask for this password" checkbox) because only those password
>>> > types are really personal passwords; a WPA-PSK or WEP key really isn't
>>> > personal.
>>> >
>>> > VPN connections also default to having secrets owned by the user's
>>> > session in a keyring.
>>> >
>>> > Dan
>>>
>>> Thank you Dan! It sounds like I am incorrect but I used to recall
>>> that if a connection was not a system connection that the key would be
>>> stored in the keyring and that was the default. Is that not the case
>>> any longer?
>>>
>>
>> With NM 0.9 we get rid of user connections, so we have just system
>> connections (stored and managed by NM itself). And connection visibility
>> only for some users is obtained via permissions in every connection
>> (see USERS= in ifcfg files).
>> As far as secrets are concerned, there are now "Secret Property Flags" flags
>> saying where the password is stored; see
>> http://projects.gnome.org/NetworkManager/developers/migrating-to-09/secrets-flags.html
>> By default, secrets are stored by NM (flag 0x00). But, as Dan said, for
>> certain connection types (like VPN), the password is rather stored by the
>> client (in a keyring) by default.
>>
>> Jirka
>>
>
> Jirka,
>
> Thank you for the detailed reply, so if I want to tell NM to store my
> password as Agent-Owned for my wpa-psk connection how would I do that?
> I tried playing with the various ifcfg settings for my wireless and
> nothing I did seemed to force it to use the option 0x1 to ask the
> agent. Should this setting be placed in the keyfile or in ifcfg?
> The link you sent indicates the dbus commands to send which don't seem
> to match up with the options in either the keyfile or ifcfg so I even
> tried psk_flags and psk-flags and similar variations. The
> documentation has this:
> psk-flags uint32 0 Flags indicating how to handle the WPA PSK key.
> (see the section called “Secret flag types” for flag values)
>
> I assume that is the correct attribute to set?
>
> Thank you!
>
Ok I think I figured out the keyfile format via a bit of trial and error. Sorry for the noise!
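
Added example, not part of the original thread and not NetworkManager's own code: a small Python audit of keyfile text that reports, for each secret property, whether NM holds it in plaintext (flag 0x0), whether it is agent-owned (psk-flags=0x1) with nothing on disk, or whether a copy is still on disk despite its flags. The [802-11-wireless-security] section name, the 0x2 flag value, the SECRET_KEYS subset and the sample keyfiles are assumptions not taken from the thread; the samples are constructed.

```python
import configparser
import stat

# Secret flag values from the NetworkManager documentation; the thread
# discusses 0x0 (stored by NM) and 0x1 (agent-owned). 0x2 is an assumption here.
AGENT_OWNED, NOT_SAVED = 0x1, 0x2
# Secret property names to look for (a subset assumed for this example).
SECRET_KEYS = ("psk", "wep-key0", "leap-password", "password")

def audit_keyfile(text):
    """Return (section, key, status) for every secret property found."""
    cp = configparser.RawConfigParser(strict=False, delimiters=("=",))
    cp.optionxform = str  # keep key names exactly as written
    cp.read_string(text)
    findings = []
    for section in cp.sections():
        for key in SECRET_KEYS:
            on_disk = cp.has_option(section, key)
            flags = int(cp.get(section, key + "-flags", fallback="0"), 0)
            if on_disk and flags & (AGENT_OWNED | NOT_SAVED):
                # Flags say NM should not hold it, yet a copy is in the file.
                findings.append((section, key, "stale-plaintext"))
            elif on_disk:
                findings.append((section, key, "nm-owned-plaintext"))
            elif flags & AGENT_OWNED:
                findings.append((section, key, "agent-owned"))
    return findings

def readable_by_non_owner(mode):
    """True if group or other permission bits are set on the file mode."""
    return bool(stat.S_IMODE(mode) & 0o077)

# Constructed sample keyfiles (hypothetical, not taken from the thread).
NM_OWNED_SAMPLE = """\
[connection]
id=example-wifi
type=802-11-wireless

[802-11-wireless-security]
key-mgmt=wpa-psk
psk=constructed-example-passphrase
"""
AGENT_OWNED_SAMPLE = NM_OWNED_SAMPLE.replace(
    "psk=constructed-example-passphrase", "psk-flags=1")

if __name__ == "__main__":
    print("nm-owned:   ", audit_keyfile(NM_OWNED_SAMPLE))
    print("agent-owned:", audit_keyfile(AGENT_OWNED_SAMPLE))
```

A "stale-plaintext" result means the flags were edited by hand but the old secret line was left in the file, so the key is still readable by anyone who can read that file.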
