Hi Eric,

Thank you for your reply. That was really informative!

Peter

On Thu, Apr 25, 2013 at 3:52 PM, Eric H. Christensen <[email protected]> wrote:

> On Thu, Apr 25, 2013 at 12:11:25AM +0200, Péter Sólyom-Nagy wrote:
> > Please tell me, what happens if I import a PCF file on the Network Manager UI?
>
> I'm not sure we have any specific data on NetworkManager, here. It would
> be best to contact the developer and discuss your concerns with them. That
> said, I'll try to address some of your concerns below.
>
> > My PCF file refers to a Cisco VPN using group password.
> > - Is the group password accessible during the import (of course it is
> > otherwise it's useless...)
>
> Yes, it would need to be accessible to the software in order for the
> circuit to be established.
>
> > - How is it decrypted?
>
> The password (any password) isn't encrypted but rather obfuscated. I
> don't know exactly what the protocol is but it would be whatever Cisco
> designed.
>
> > - Which programs are involved? (Is any of them so called unsafe?)
>
> I believe NetworkManager has a plugin that it uses for VPN connectivity.
> I'm not aware of it being "unsafe" but I guess that depends on your
> definition of "unsafe".
>
> > - Where're the passwords stored? (Probably in KWallet)
>
> I'm not sure as they can be stored in several locations depending on how
> your system is set up. I believe KWallet is default in KDE but that isn't
> necessarily where the information will be stored. You could create a dummy
> account in your VPN software and go in search of the credentials in KWallet
> and see if they are there.
>
> > - Are the VPN passwords "clear-text" accessible somewhere?
>
> That would depend on how the password is stored (see above).
>
> > I need to prove that using this PCF file is secure on F18 too. The PCF file
> > is originating from a Windows environment. The publishing company uses
> > the official Cisco client.
>
> Well, you can't prove a negative. Is it safer than using the "official"
> Cisco client? Probably. It would appear that the official software
> doesn't have a perfect track record when it comes to security:
> https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=cisco+vpn+client.
>
> > I know that there are tons of sites and apps to decrypt the password, but I
> > need to prove that the basic Fedora installation is secure.
>
> Secure against what? Yes, Cisco didn't do a great job securing their
> "group password" as, like you say, there are many websites out there that
> can decrypt it for you. The Fedora software must do the same thing, just
> as the Cisco software does, to build the VPN circuit. Again, you won't be
> able to prove that an installation is secure but you can look to see if it
> is secure against listed attacks or whatnot.
>
> Is the NetworkManager implementation of the Cisco VPN client as secure as
> the Cisco VPN client? Probably. Is it more secure than the Cisco VPN
> client? Probably. You can look at all the code used in Fedora's
> implementation of the VPN client but you can't do that for Cisco's client
> so you don't know what might be hiding in their code.
>
> Hope that helps.
>
> --Eric

--
*Sólyom-Nagy Péter*
[email protected]
--
security mailing list
[email protected]
https://admin.fedoraproject.org/mailman/listinfo/security
