Red Hat Bugzilla – Bug 332821
remembers passphrase even when you tell it not to
Last modified: 2014-03-16 23:09:00 EDT
Description of problem:
NM remembers VPNC passpharases (in memory) no matter whether or not the box is
checked in the dialog.
Furthermore, it remembers them (and keeps using them without interaction) even
if they're wrong and the login fails.
Version-Release number of selected component (if applicable):
I need to rewrite the patch to store the actual password storing preference in
GConf. Right now, it will set the preference based on whether it finds the keys
in the gnome keyring. The workaround is to open the gnome keyring editor and
delete the keys manually.
In this case, the keys weren't in the keyring.
I just spent some time on this, and it's more complicated that I had hoped.
The keys are indeed kept in memory, by the call to
nm_connection_update_secrets(). So when the vpnc plugin need_secrets()
implementation (in nm-vpnc-service) is called a 2nd time, it finds the secret in
the VPNProperties hash table and answers "no secrets needed!". In a way, this is
redundant with the authorization dialog own password storing mechanism (in the
gnome keyring), except of course this will always fail if the passwords are
wrong or if you use one-time passwords.
If I patch nm-vpnc-service to always return false in need_secrets(), any
subsequent reconnects will indeed show the authorization dialog as it should.
Unfortunately the connection still fails a couple of seconds later with
NetworkManager: <WARN> connection_state_changed(): Could not process the
request because no VPN connection was active.
and the quit signal is sent to nm-vpnc-service even before you have a chance to
type anything into the authorization dialog.
This sounds to me more like a NM state machine issue, so maybe this should be
refiled under NM.
Dan, any comments ?
*** Bug 397691 has been marked as a duplicate of this bug. ***
Dan, ping ?
Something in NM that doesn't happen (but should) is that NM should clear the
connection secrets on the internal connection after it has successfully
connected, which would make NM always ask the applet for the secrets when
needed. Pretty trivial to fix upstream, just hadn't gotten there yet.
Based on the date this bug was created, it appears to have been reported
during the development of Fedora 8. In order to refocus our efforts as
a project we are changing the version of this bug to '8'.
If this bug still exists in rawhide, please change the version back to
(If you're unable to change the bug's version, add a comment to the bug
and someone will change it for you.)
Thanks for your help and we apologize for the interruption.
The process we're following is outlined here:
We will be following the process here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping to ensure this
doesn't happen again.
Dunno why this is in RELEASE_PENDING. It's still in both F8 and rawhide.
This message is a reminder that Fedora 8 is nearing its end of life.
Approximately 30 (thirty) days from now Fedora will stop maintaining
and issuing updates for Fedora 8. It is Fedora's policy to close all
bug reports from releases that are no longer maintained. At that time
this bug will be closed as WONTFIX if it remains open with a Fedora
'version' of '8'.
Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version'
to a later Fedora version prior to Fedora 8's end of life.
Bug Reporter: Thank you for reporting this issue and we are sorry that
we may not be able to fix it before Fedora 8 is end of life. If you
would still like to see this bug fixed and are able to reproduce it
against a later version of Fedora please change the 'version' of this
bug to the applicable version. If you are unable to change the version,
please add a comment here and someone will do it for you.
Although we aim to fix as many bugs as possible during every release's
lifetime, sometimes those efforts are overtaken by events. Often a
more recent Fedora release includes newer upstream software that fixes
bugs or makes them obsolete.
The process we are following is described here:
Bill, please modify the connection in the connection editor to "always ask" for the passwords you don't want to save in the keyring.
I tried it, and it works, but the default settings should be "always ask" IMHO.
Remembering passwords by default is very bad practice.
Hm, at this point, I'm OK with remembering for the session, just not remembering them if they're wrong. I'll test with the new update NM later today.
Is this still an issue with latest NM and vpnc? The vpnc bits were changed before Christmas to let the user specify always asking for the password, irregardless of the keyring.
In the connection editor for the VPN connection, look for the popup menus next to each password and pick the one you want.
Yes, thsi works now.