On Tue, Jun 21, 2011 at 8:03 PM, Darren Albers <[email protected]> wrote:
> On Tue, Jun 21, 2011 at 7:24 PM, Darren Albers <[email protected]> wrote:
>> On Tue, Jun 21, 2011 at 12:27 PM, Jirka Klimes <[email protected]> wrote:
>>> On Tuesday 21 of June 2011 14:04:58 Darren Albers wrote:
>>>> On Tue, Jun 21, 2011 at 1:08 AM, Dan Williams <[email protected]> wrote:
>>>> > On Mon, 2011-06-20 at 17:18 +0530, Ritesh Khadgaray wrote:
>>>> >> Hi
>>>> >>
>>>> >> On Sat, Jun 18, 2011 at 7:57 AM, Darren Albers <[email protected]>
>>>> >> wrote:
>>>> >> > While doing some research I noticed that wireless keys are located
>>>> >> > unencrypted in /etc/sysconfig/network-scripts It even does this when
>>>> >> > I set the wireless to not be a system-connection. It used to be that
>>>> >> > wireless keys were stored in the keyring which seems much safer to me
>>>> >> > than storing them locally unencrypted.
>>>> >>
>>>> >> interesting, I am not an nm developer but this seems to stem from
>>>> >> keyfile plugin and relies on file selinux label/permission for
>>>> >> protection.
>>>> >>
>>>> >> I also do not see an option to not save the password.
>>>> >
>>>> > Correct, the passwords are not encrypted because there is no user
>>>> > available to provide passwords. The passwords are, however, only
>>>> > visible to 'root' and thus should be protected; if your root user is
>>>> > compromised you're hosed. This is also how existing systems have worked
>>>> > for years, so NM certainly isn't a regression here.
>>>> >
>>>> > You can also opt to keep your secrets in the user keyring, which is
>>>> > accomplished by "secret flags". For example, if you set 'psk-flags=0x1'
>>>> > in the keyfile for a WPA-PSK connection, then NM will ask a user agent
>>>> > (like nm-applet) for the password instead of keeping it in /etc. This
>>>> > option is only exposed for 802.1x and LEAP passwords though (via the
>>>> > "Always ask for this password" checkbox) because only those password
>>>> > types are really personal passwords; a WPA-PSK or WEP key really isn't
>>>> > personal.
>>>> >
>>>> > VPN connections also default to having secrets owned by the user's
>>>> > session in a keyring.
>>>> >
>>>> > Dan
>>>>
>>>> Thank you Dan! It sounds like I am incorrect but I used to recall
>>>> that if a connection was not a system connection that the key would be
>>>> stored in the keyring and that was the default. Is that not the case
>>>> any longer?
>>>>
>>>
>>> With NM 0.9 we get rid of user connections, so we have just system
>>> connections (stored and managed by NM itself). And connection visibility
>>> only for some users is obtained via permissions in every connection (see
>>> USERS= in ifcfg files).
>>> As far as secrets are concerned, there are now "Secret Property Flags" flags
>>> saying where the password is stored; see
>>> http://projects.gnome.org/NetworkManager/developers/migrating-to-09/secrets-flags.html
>>> By default, secrets are stored by NM (flag 0x00). But, as Dan said, for
>>> certain connection types (like VPN), the password is rather stored by the
>>> client (in a keyring) by default.
>>>
>>> Jirka
>>>
>>
>> Jirka,
>>
>> Thank you for the detailed reply, so if I want to tell NM to store my
>> password as Agent-Owned for my wpa-psk connection how would I do that?
>> I tried playing with the various ifcfg settings for my wireless and
>> nothing I did seemed to force it to use the option 0x1 to ask the
>> agent. Should this setting be placed in the keyfile or in ifcfg?
>> The link you sent indicates the dbus commands to send which don't seem
>> to match up with the options in either the keyfile or ifcfg so I even
>> tried psk_flags and psk-flags and similar variations. The
>> documentation has this:
>> psk-flags uint32 0 Flags indicating how to handle the WPA PSK key.
>> (see the section called “Secret flag types” for flag values)
>>
>> I assume that is the correct attribute to set?
>>
>> Thank you!
>>
>
> Ok I think I figured out the keyfile format via a bit of trial and
> error. Sorry for the noise!
>

So I was able to configure it to prompt for a wireless password each
time but I haven't had much luck with telling it to store it in the
keyring. Can someone look this over and let me know if I have done
something wrong?

Thanks!

[connection]
id=XXXXXXX
uuid=365b23ac-1f43-4850-8074-e7407ecdbb6b
type=802-11-wireless
permissions=user:username:;

[802-11-wireless]
ssid=XXXXXXX
security=802-11-wireless-security

[802-11-wireless-security]
key-mgmt=wpa-psk
psk-flags=1

[ipv4]
method=auto
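
Added example, not part of any message in this thread and not NetworkManager code: a small audit of keyfile text that reports where a secret sits in the file in plaintext, using the flag semantics described above (0x0 stored by NM, 0x1 owned by an agent), plus the root-only permission check that the stored case depends on. The function names, finding labels and sample keyfiles are constructed for illustration, and SECRET_KEYS covers only a subset of NM's secret properties.

```python
import configparser
import stat

# Secret flag value from the thread: 0x0 = NM stores the secret itself.
# Any non-zero value (0x1 = agent-owned) means the file should not hold it.
SYSTEM_OWNED = 0x0

# Secret key -> its flags key (a subset of NetworkManager's secret properties).
SECRET_KEYS = {
    "psk": "psk-flags",
    "leap-password": "leap-password-flags",
    "wep-key0": "wep-key-flags",
    "password": "password-flags",
}

# Constructed sample keyfile fragments (not real credentials).
SAMPLE_SYSTEM = "[802-11-wireless-security]\nkey-mgmt=wpa-psk\npsk=constructed-passphrase\n"
SAMPLE_AGENT = "[802-11-wireless-security]\nkey-mgmt=wpa-psk\npsk-flags=1\n"
SAMPLE_LEFTOVER = "[802-11-wireless-security]\npsk-flags=0x1\npsk=constructed-passphrase\n"


def audit_keyfile(text):
    """Return (section, key, finding) for every secret value present in the text."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",), strict=False)
    cp.read_string(text)
    findings = []
    for section in cp.sections():
        for key, flags_key in SECRET_KEYS.items():
            if not cp.has_option(section, key):
                continue  # no secret value written in this section
            # Flags may be written as decimal ("1") or hex ("0x1").
            flags = int(cp.get(section, flags_key, fallback="0"), 0)
            if flags == SYSTEM_OWNED:
                # Default case: protection rests entirely on file permissions.
                findings.append((section, key, "plaintext-system-owned"))
            else:
                # Flags say the secret lives elsewhere, yet a copy is in the file.
                findings.append((section, key, "plaintext-despite-flags"))
    return findings


def mode_is_root_only(st_mode, st_uid):
    """True when the file is owned by root and group/other have no access."""
    return st_uid == 0 and (stat.S_IMODE(st_mode) & 0o077) == 0
```

Feed mode_is_root_only the st_mode and st_uid fields from os.stat() on the file being audited.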
