Bug 177308 - Would like to store group password, but not my Password.
Status: CLOSED NEXTRELEASE
Product: Fedora
Classification: Fedora
Component: NetworkManager-vpnc
Version: rawhide
Hardware: All Linux
Priority: medium Severity: medium
Assigned To: Denis Leroy
QA Contact: Fedora Extras Quality Assurance
Keywords: FutureFeature
Reported: 2006-01-09 09:26 EST by Daniel Walsh
Modified: 2007-11-30 17:11 EST

Doc Type: Enhancement
Last Closed: 2006-11-08 09:39:19 EST
Description Daniel Walsh 2006-01-09 09:26:01 EST
Description of problem:

Not crazy about storing my Kerberos password in the keyring, but hate having to
enter the group password every time.  So could you separate them so I could have
one or both stored in the keyring?

Dan
Comment 1 David Zeuthen 2006-01-09 10:16:12 EST
The gnome-keyring should be secure enough to store your password, otherwise we
need to fix gnome-keyring. Btw, your VPN provider need not use your Kerberos
password - suggest to complain to them (the fact that vpnc is rather insecure in
its current incarnation is another matter that speaks for this case).

Reassigning to NetworkManager maintainer.
Comment 2 Ralf Ertzinger 2006-03-26 11:00:11 EST
This is not necessarily about trusting the gnome keyring or not. The group
password is not really a password in the classic sense, more something like a
preshared key between the ipsec server and the client. Most people using a vpn
client do not know it, since it is contained in the distributed .pcf files
(albeit obfuscated). So this may be more a case of "I do not want the tool to
remember my password" (for policy reasons or personal paranoia or whatever
reason). This is currently not possible, since it requires knowledge of the
group password.
As it happens I have some code to import the group password from .pcf files (and
deobfuscating it), but I am unsure how to add this to NM-vpnc, since I can not
just add the group password into the keyring at import time. If I read the code
right NM-vpnc expects to read the user password and the group password from the
keyring, or nothing at all.
Comment 3 Denis Leroy 2006-09-28 19:37:44 EDT
Taking ownership.
Comment 4 Denis Leroy 2006-10-19 17:17:59 EDT
I agree with the idea. In my case, the main password is a use-once password
provided by a cardkey, so storing it doesn't make much sense. The group
password, otoh, can be saved. I'll try to come up with a patch.
Comment 5 Denis Leroy 2006-10-21 09:22:53 EDT
Wrote a patch for this, will test and release soon. Patch reported upstream at

http://bugzilla.gnome.org/show_bug.cgi?id=363918
Comment 6 Jukka Palko 2006-11-06 02:03:43 EST
Looks like this is working with Fedora Core 6 NetworkManager-vpnc but it is
missing the dependency of lzo package. Noticed that storing the group password
tick box came into VPN login gui after I installed lzo package.

Nice work in making the vpn work this way though.
Comment 7 Denis Leroy 2006-11-06 06:17:44 EST
Jukka, I'm not seeing this dependency on my end. NetworkManager-vpnc works fine
without the lzo package, as far as I can tell. This might have been some timing
issue here. The VPN login gui is actually a separate executable
(/usr/libexec/nm-vpnc-auth-dialog).
Comment 8 Jukka Palko 2006-11-06 06:39:38 EST
It works great otherwise, but the ability to store the group password is not
available on fc6 unless you have lzo installed.
Comment 9 Denis Leroy 2006-11-06 15:04:00 EST
Jukka, can you investigate further? I can't reproduce your scenario. I don't
have lzo installed, and the group password store works just fine for me (as a
matter of fact, I'm connected on my work vpn now)... (that's on fc6).
Comment 10 Denis Leroy 2006-11-08 09:39:19 EST
Released for FC-6 and 7.
Comment 11 Jukka Palko 2006-11-08 10:51:35 EST
Curious, now it's there even without lzo.

On a fresh install though I didn't have it there until I installed lzo.

Must have been something else. :)
