Bug 332821 - remembers passphrase even when you tell it not to
Alias: None
Product: Fedora
Classification: Fedora
Component: NetworkManager
Version: 10
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Dan Williams
QA Contact: Fedora Extras Quality Assurance
Whiteboard: bzcl34nup
Duplicates: 397691
Depends On:
Reported: 2007-10-15 16:50 UTC by Bill Nottingham
Modified: 2014-03-17 03:09 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2009-02-05 15:41:11 UTC
Type: ---


Description Bill Nottingham 2007-10-15 16:50:53 UTC
Description of problem:

NM remembers VPNC passphrases (in memory) no matter whether or not the box is
checked in the dialog.

Furthermore, it remembers them (and keeps using them without interaction) even
if they're wrong and the login fails.

Version-Release number of selected component (if applicable):


Comment 1 Denis Leroy 2007-10-15 18:46:11 UTC
Related to


I need to rewrite the patch to store the actual password storing preference in
GConf. Right now, it will set the preference based on whether it finds the keys
in the gnome keyring. The workaround is to open the gnome keyring editor and
delete the keys manually.

Comment 2 Bill Nottingham 2007-10-16 17:04:44 UTC
In this case, the keys weren't in the keyring.

Comment 3 Denis Leroy 2007-11-21 20:43:36 UTC
I just spent some time on this, and it's more complicated than I had hoped.

The keys are indeed kept in memory, by the call to
nm_connection_update_secrets(). So when the vpnc plugin need_secrets()
implementation (in nm-vpnc-service) is called a 2nd time, it finds the secret in
the VPNProperties hash table and answers "no secrets needed!". In a way, this is
redundant with the authorization dialog's own password storing mechanism (in the
gnome keyring), except of course this will always fail if the passwords are
wrong or if you use one-time passwords.

If I patch nm-vpnc-service to always return false in need_secrets(), any
subsequent reconnects will indeed show the authorization dialog as it should.
Unfortunately the connection still fails a couple of seconds later with

NetworkManager: <WARN>  connection_state_changed(): Could not process the
request because no VPN connection was active.

and the quit signal is sent to nm-vpnc-service even before you have a chance to
type anything into the authorization dialog.

This sounds to me more like a NM state machine issue, so maybe this should be
refiled under NM.
Dan, any comments ?

Comment 4 Denis Leroy 2007-11-24 14:14:50 UTC
*** Bug 397691 has been marked as a duplicate of this bug. ***

Comment 5 Denis Leroy 2007-12-03 11:11:18 UTC
Dan, ping ?

Comment 6 Dan Williams 2007-12-03 18:08:48 UTC
Something in NM that doesn't happen (but should) is that NM should clear the
connection secrets on the internal connection after it has successfully
connected, which would make NM always ask the applet for the secrets when
needed.  Pretty trivial to fix upstream, just hadn't gotten there yet.
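
The caching behaviour described in Comment 3 and the clearing proposed in Comment 6, modelled as an added example that is not NetworkManager's code and not part of the original thread. The struct, the function names other than need_secrets, and the sample passphrases are hypothetical; the secret is wiped after every attempt, which also covers the failed-login case from the original report.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for a connection's in-memory secret; not NM's types. */
struct vpn_conn { char secret[64]; bool has_secret; int prompts; };

/* Zero through a volatile pointer so the store is not optimised away. */
static void clear_secrets(struct vpn_conn *c) {
    volatile unsigned char *v = (volatile unsigned char *)c->secret;
    for (size_t i = 0; i < sizeof c->secret; i++) v[i] = 0;
    c->has_secret = false;
}

/* As described in Comment 3: a cached secret answers "no secrets needed". */
static bool need_secrets(const struct vpn_conn *c) { return !c->has_secret; }

/* One activation attempt. `typed` is what the user enters if prompted and
 * `expected` stands in for the gateway's check. With clear_after == false the
 * cached secret survives the attempt (the reported behaviour); with true it
 * is wiped after every attempt, whether the login succeeded or failed. */
static bool activate(struct vpn_conn *c, const char *typed,
                     const char *expected, bool clear_after) {
    if (need_secrets(c)) {
        c->prompts++;
        strncpy(c->secret, typed, sizeof c->secret - 1);
        c->secret[sizeof c->secret - 1] = '\0';
        c->has_secret = true;
    }
    bool ok = strcmp(c->secret, expected) == 0;
    if (clear_after) clear_secrets(c);
    return ok;
}

/* Constructed scenario: a mistyped passphrase, then a retry with the right
 * one. Returns 1 if the retry succeeded; *prompts gets the prompt count. */
static int retry_after_typo(bool clear_after, int *prompts) {
    struct vpn_conn c = {0};
    activate(&c, "wrong", "s3cret", clear_after);
    int ok = activate(&c, "s3cret", "s3cret", clear_after);
    *prompts = c.prompts;
    return ok;
}

int main(void) {
    int p, ok = retry_after_typo(false, &p);
    printf("cached:  retry ok=%d prompts=%d\n", ok, p);
    ok = retry_after_typo(true, &p);
    printf("cleared: retry ok=%d prompts=%d\n", ok, p);
    return 0;
}
```

Without clearing, the retry never reaches the prompt and reuses the wrong cached value; with clearing, each attempt asks again.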

Comment 7 Bug Zapper 2008-04-04 14:07:15 UTC
Based on the date this bug was created, it appears to have been reported
during the development of Fedora 8. In order to refocus our efforts as
a project we are changing the version of this bug to '8'.

If this bug still exists in rawhide, please change the version back to
(If you're unable to change the bug's version, add a comment to the bug
and someone will change it for you.)

Thanks for your help and we apologize for the interruption.

The process we're following is outlined here:

We will be following the process here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping to ensure this
doesn't happen again.

Comment 8 Bill Nottingham 2008-04-09 01:38:34 UTC
Dunno why this is in RELEASE_PENDING. It's still in both F8 and rawhide.

Comment 9 Bug Zapper 2008-11-26 07:59:11 UTC
This message is a reminder that Fedora 8 is nearing its end of life.
Approximately 30 (thirty) days from now Fedora will stop maintaining
and issuing updates for Fedora 8.  It is Fedora's policy to close all
bug reports from releases that are no longer maintained.  At that time
this bug will be closed as WONTFIX if it remains open with a Fedora 
'version' of '8'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version prior to Fedora 8's end of life.

Bug Reporter: Thank you for reporting this issue and we are sorry that 
we may not be able to fix it before Fedora 8 is end of life.  If you 
would still like to see this bug fixed and are able to reproduce it 
against a later version of Fedora please change the 'version' of this 
bug to the applicable version.  If you are unable to change the version, 
please add a comment here and someone will do it for you.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events.  Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

The process we are following is described here: 

Comment 10 Dan Williams 2008-11-28 17:38:19 UTC
Bill, please modify the connection in the connection editor to "always ask" for the passwords you don't want to save in the keyring.

Comment 11 Simo Sorce 2008-11-28 17:58:07 UTC
I tried it, and it works, but the default settings should be "always ask" IMHO.
Remembering passwords by default is very bad practice.

Comment 12 Bill Nottingham 2008-12-01 15:45:08 UTC
Hm, at this point, I'm OK with remembering for the session, just not remembering them if they're wrong. I'll test with the new update NM later today.

Comment 13 Dan Williams 2009-02-05 00:05:29 UTC
Is this still an issue with latest NM and vpnc?  The vpnc bits were changed before Christmas to let the user specify always asking for the password, irregardless of the keyring.


In the connection editor for the VPN connection, look for the popup menus next to each password and pick the one you want.

Comment 14 Bill Nottingham 2009-02-05 15:41:11 UTC
Yes, this works now.
