Bug 177308 - Would like to store group password, but not my Password.
Summary: Would like to store group password, but not my Password.
Status: CLOSED NEXTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: NetworkManager-vpnc
Version: rawhide
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Denis Leroy
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Keywords: FutureFeature
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2006-01-09 14:26 UTC by Daniel Walsh
Modified: 2007-11-30 22:11 UTC (History)
4 users (show)

(edit)
Clone Of:
(edit)
Last Closed: 2006-11-08 14:39:19 UTC


Attachments (Terms of Use)

Description Daniel Walsh 2006-01-09 14:26:01 UTC
Description of problem:

Not crazy about storing my Kerberos password in the keyring, but hate having to
enter the group password every time.  So could you separate them so I could have
one or both stored in the keyring?

Dan

Comment 1 David Zeuthen 2006-01-09 15:16:12 UTC
The gnome-keyring should be secure enough to store your password, otherwise we
need to fix gnome-keyring. Btw, your VPN provider need not to use your kerberos
password - suggest to complain to them (the fact that vpnc is rather insecure in
it's current incarnation is another matter that speaks for this case).

Reassigning to NetworkManager maintainer.

Comment 2 Ralf Ertzinger 2006-03-26 16:00:11 UTC
This is not necessarily about trusting the gnome keyring or not. The group
password is not really a password in the classic sense, more something like a
preshared key between the ipsec server and the client. Most people using a vpn
client do not know it, since it is contained in the distributed .pcf files
(albeit obfuscated). So this may be more a case of "I do not want the tool to
remember my password" (for policy reasons or personal paranoia or whatever
reason). This is currently not possible, since it requires knowledge of the
group password.
As it happens I have some code to import the group password from .pcf files (and
deobfuscating it), but I am unsure how to add this to NM-vpnc, since I can not
just add the group password into the keyring at import time. If I read the code
right NM-vpnc expects to read the user password and the group password from the
keyring, or nothing at all.

Comment 3 Denis Leroy 2006-09-28 23:37:44 UTC
Taking ownership.


Comment 4 Denis Leroy 2006-10-19 21:17:59 UTC
I agree with the idea. In my case, the main password is a use-once password
provided by a cardkey, so storing it doesn't make much sense. The group
password, otoh, can be saved. I'll try to come up with a patch.


Comment 5 Denis Leroy 2006-10-21 13:22:53 UTC
Wrote a patch for this, will test and release soon. Patch reported upstream at

http://bugzilla.gnome.org/show_bug.cgi?id=363918


Comment 6 Jukka Palko 2006-11-06 07:03:43 UTC
Looks like this is working with Fedora Core 6 NetworkManager-vpnc but it is
missing the dependency of lzo package. Noticed that storing the group password
tick box came into VPN login gui after I installed lzo package.

Nice work in making the vpn work this way though.

Comment 7 Denis Leroy 2006-11-06 11:17:44 UTC
Jukka, I'm not seeing this dependency on my end. NetworkManager-vpnc works fine
without the lzo package, as far as i tell. This might have been some timing
issue here. The VPN login gui is actually a seperate executable
(/usr/libexec/nm-vpnc-auth-dialog)

Comment 8 Jukka Palko 2006-11-06 11:39:38 UTC
It works great otherwise, but the ability to store the group password is not
available on fc6 unless you have lzo installed.

Comment 9 Denis Leroy 2006-11-06 20:04:00 UTC
Jukka, can you investigate further ? I can't reproduce your scenario. I don't
have lzo installed, and the group password store works just fine for me (as a
matter of fact, I'm connected on my work vpn now)... (that's on fc6).


Comment 10 Denis Leroy 2006-11-08 14:39:19 UTC
Released for FC-6 and 7.


Comment 11 Jukka Palko 2006-11-08 15:51:35 UTC
Curious, now it's there even without lzo.

On a fresh install though I didn't have it there until I installed lzo.

Must have been something else. :)


Note You need to log in before you can comment on or make changes to this bug.