Red Hat Bugzilla – Bug 177308
Would like to store group password, but not my Password.
Last modified: 2007-11-30 17:11:20 EST
Description of problem:
Not crazy about storing my Kerberos password in the keyring, but hate having to
enter the group password every time. So could you separate them so I could have
one or both stored in the keyring?
The gnome-keyring should be secure enough to store your password, otherwise we
need to fix gnome-keyring. Btw, your VPN provider need not to use your kerberos
password - suggest to complain to them (the fact that vpnc is rather insecure in
it's current incarnation is another matter that speaks for this case).
Reassigning to NetworkManager maintainer.
This is not necessarily about trusting the gnome keyring or not. The group
password is not really a password in the classic sense, more something like a
preshared key between the ipsec server and the client. Most people using a vpn
client do not know it, since it is contained in the distributed .pcf files
(albeit obfuscated). So this may be more a case of "I do not want the tool to
remember my password" (for policy reasons or personal paranoia or whatever
reason). This is currently not possible, since it requires knowledge of the
As it happens I have some code to import the group password from .pcf files (and
deobfuscating it), but I am unsure how to add this to NM-vpnc, since I can not
just add the group password into the keyring at import time. If I read the code
right NM-vpnc expects to read the user password and the group password from the
keyring, or nothing at all.
I agree with the idea. In my case, the main password is a use-once password
provided by a cardkey, so storing it doesn't make much sense. The group
password, otoh, can be saved. I'll try to come up with a patch.
Wrote a patch for this, will test and release soon. Patch reported upstream at
Looks like this is working with Fedora Core 6 NetworkManager-vpnc but it is
missing the dependency of lzo package. Noticed that storing the group password
tick box came into VPN login gui after I installed lzo package.
Nice work in making the vpn work this way though.
Jukka, I'm not seeing this dependency on my end. NetworkManager-vpnc works fine
without the lzo package, as far as i tell. This might have been some timing
issue here. The VPN login gui is actually a seperate executable
It works great otherwise, but the ability to store the group password is not
available on fc6 unless you have lzo installed.
Jukka, can you investigate further ? I can't reproduce your scenario. I don't
have lzo installed, and the group password store works just fine for me (as a
matter of fact, I'm connected on my work vpn now)... (that's on fc6).
Released for FC-6 and 7.
Curious, now it's there even without lzo.
On a fresh install though I didn't have it there until I installed lzo.
Must have been something else. :)