Re: vpn password stored in plain text

2015-09-28 Thread Olaf Hering
On 28.09.2015 at 18:09, Dan Williams wrote:
> Yes, that is correct.  Although best practices suggest full-disk
> encryption on anything that can walk away, plus two-factor "something
> you know and something you have" for VPNs.  But yes, setting the flags
> in the file and removing the password should ensure that the password is
> not stored on-disk.  You can also set the flags to '1' (agent-owned) and
> the common agents like GNOME and KDE will store the password in their
> respective keyrings/wallets that are protected by another password.

I poked around in nm-connection-editor and realized that the icon on the
right side of the password fields is actually a mode selector. Now the
setting is "ask always", which wipes the password string from /etc.

Thanks again!

Olaf
___
networkmanager-list mailing list
networkmanager-list@gnome.org
https://mail.gnome.org/mailman/listinfo/networkmanager-list


Re: vpn password stored in plain text

2015-09-28 Thread Dan Williams
On Mon, 2015-09-28 at 09:32 +0200, Olaf Hering wrote:
> Why is the VPN password stored in plain text in
> /etc/NetworkManager/system-connections? Is there a way to let the GUI
> ask for it every time?

Note that the file is read-only by root.  If somebody has root on your
machine, they can do a lot more than read your password.  It's stored
there because no "password flags" have been set for the password that
tell NM where to get it from.

If you set the "agent-owned" flag and the "always ask" flags on the
password, either through the GUI or by editing the file in /etc, then NM
will ask an agent for the password every time.  Most desktop
environments have an agent (e.g., GNOME and KDE have their own) and
there's also nm-applet.

For vpnc for example, the user password is "xauthpassword" and the
corresponding item to ask for it every time would be
"xauthpassword-flags=3".  For OpenVPN the user password is "password"
and the corresponding item to ask for it every time is
"password-flags=3".

See also 'man nm-settings' and look for the "Secret flag types" section
near the bottom.

Dan
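
The check described in the message above, as an added example that is not part of the original thread and not NetworkManager's own code: it reads a keyfile, decodes each `*-flags` value using the bits from the "Secret flag types" section of `man nm-settings`, and lists secrets still written in the file. The sample keyfiles are constructed, and the layout (flags in `[vpn]`, stored values in `[vpn-secrets]`) is an assumption about the keyfile format.

```python
import configparser

# Secret flag bits from the "Secret flag types" section of nm-settings.
FLAG_BITS = {1: "agent-owned", 2: "not-saved", 4: "not-required"}

# Constructed sample keyfiles (not real credentials): before and after.
WEAK_KEYFILE = """\
[connection]
id=example-vpn
type=vpn

[vpn]
service-type=org.freedesktop.NetworkManager.openvpn
username=alice
password-flags=0

[vpn-secrets]
password=constructed-sample-secret
"""
HARDENED_KEYFILE = WEAK_KEYFILE.replace("password-flags=0", "password-flags=3") \
    .split("[vpn-secrets]")[0]

def parse_keyfile(text):
    """Parse an INI-style NM keyfile, keeping key case and '=' as the only delimiter."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = str
    cp.read_string(text)
    return cp

def secret_flags(text):
    """Map each secret name to its decoded flags, e.g. {'password': 'agent-owned+not-saved'}."""
    cp = parse_keyfile(text)
    vpn = cp["vpn"] if cp.has_section("vpn") else {}
    out = {}
    for key in vpn:
        if key.endswith("-flags"):
            value = int(vpn[key])
            names = [n for bit, n in FLAG_BITS.items() if value & bit]
            out[key[:-len("-flags")]] = "+".join(names) or "none (NM stores it)"
    return out

def stored_secrets(text):
    """Names of secrets whose value is still written in the file's [vpn-secrets] section."""
    cp = parse_keyfile(text)
    return list(cp["vpn-secrets"]) if cp.has_section("vpn-secrets") else []

if __name__ == "__main__":
    for label, text in (("weak", WEAK_KEYFILE), ("hardened", HARDENED_KEYFILE)):
        print(label, secret_flags(text), "on disk:", stored_secrets(text))
```

A file that has `password-flags=3` but still lists `password` under `[vpn-secrets]` is reported by `stored_secrets`, which is the case where the flag was set but the old value was not removed.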



Re: vpn password stored in plain text

2015-09-28 Thread Dan Williams
On Mon, 2015-09-28 at 17:57 +0200, Olaf Hering wrote:
> On 28.09.2015 at 17:00, Dan Williams wrote:
> > On Mon, 2015-09-28 at 09:32 +0200, Olaf Hering wrote:
> >> Why is the VPN password stored in plain text in
> >> /etc/NetworkManager/system-connections? Is there a way to let the GUI
> >> ask for it every time?
> > 
> > Note that the file is read-only by root.  If somebody has root on your
> > machine, they can do a lot more than read your password.
> 
> If the disk gets stolen the password is accessible. Thanks for your
> other suggestions, will work through them.

Yes, that is correct.  Although best practices suggest full-disk
encryption on anything that can walk away, plus two-factor "something
you know and something you have" for VPNs.  But yes, setting the flags
in the file and removing the password should ensure that the password is
not stored on-disk.  You can also set the flags to '1' (agent-owned) and
the common agents like GNOME and KDE will store the password in their
respective keyrings/wallets that are protected by another password.

Dan



Re: vpn password stored in plain text

2015-09-28 Thread Olaf Hering
On 28.09.2015 at 17:00, Dan Williams wrote:
> On Mon, 2015-09-28 at 09:32 +0200, Olaf Hering wrote:
>> Why is the VPN password stored in plain text in
>> /etc/NetworkManager/system-connections? Is there a way to let the GUI
>> ask for it every time?
> 
> Note that the file is read-only by root.  If somebody has root on your
> machine, they can do a lot more than read your password.

If the disk gets stolen the password is accessible. Thanks for your
other suggestions, will work through them.

Olaf



vpn password stored in plain text

2015-09-28 Thread Olaf Hering

Why is the VPN password stored in plain text in
/etc/NetworkManager/system-connections? Is there a way to let the GUI
ask for it every time?

Olaf