Bug 322820 - vpnc backend should have group password in the properties
Status: RESOLVED WONTFIX
Product: NetworkManager
Classification: Platform
Component: general
Version: unspecified
Hardware: Other Linux
Importance: Normal normal
Target Milestone: ---
Assigned To: Dan Williams
Dan Williams
Duplicates: 447222
Depends on:
Blocks:
 
 
Reported: 2005-11-30 09:55 UTC by Bastien Nocera
Modified: 2008-04-25 12:51 UTC
See Also:
GNOME target: ---
GNOME version: ---



Description Bastien Nocera 2005-11-30 09:55:44 UTC
The group password is available in the .pcf file for the Cisco vpn connections
in a mildly encrypted form.
As that password can be decrypted using a simple libgcrypt-based program, it
does not offer any particular security:
http://www.unix-ag.uni-kl.de/~massar/soft/cisco-decrypt.c

As such, it shouldn't be in the keyring, but available in the VPN properties.
Comment 1 Dan Williams 2005-11-30 13:06:20 UTC
Well, it is in mildly encrypted form in _some_ cisco pcf files.  They've plugged
that hole and current clients use a much stronger algorithm IIRC.  So this would
only fix it for certain classes of PCF files.  Furthermore, there may be legal
implications with attempting to decrypt this password, at least in the US...
Comment 2 Dan Williams 2006-02-27 07:03:32 UTC
Marking WONTFIX because group password will likely stay in keyring...
Comment 3 Bastien Nocera 2006-08-24 23:06:15 UTC
Reopening. Would it be possible to call a binary with a specific name if it was available in the path to decrypt this automatically? (i.e. not in NetworkManager)
Comment 4 Dan Williams 2006-08-25 01:30:33 UTC
Possibly, is there anything contributory about it?
Comment 5 Christopher Aillon 2007-06-13 17:11:56 UTC
*** Bug 447222 has been marked as a duplicate of this bug. ***
Comment 6 Bastien Nocera 2008-04-25 12:51:59 UTC
We'd need to save the VPN password in one of the keyrings when importing it. The problem is that:
1) we don't load existing passwords from the keyring in auth-dialog/main.c
2) we don't know which keyring we'd need to save the data into if we were to save it in the importer

Seems impossible to fix given the current architecture.
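
Added example, not part of the bug thread or of NetworkManager's code: a check that an importer or an auditor could run on a .pcf profile to see whether it carries a stored group password, which the description above treats as recoverable by anyone who can read the file. The key names (`GroupPwd`, `enc_GroupPwd`, `UserPassword`, `enc_UserPassword`), the `[main]` section and the `!` read-only prefix are assumptions about the PCF layout, and the sample profile is constructed.

```python
import configparser
import os
import stat

# Assumed credential-bearing keys in a Cisco .pcf profile.
SECRET_KEYS = ("GroupPwd", "enc_GroupPwd", "UserPassword", "enc_UserPassword")


def audit_pcf(text, mode=0o600):
    """Return findings for a .pcf profile given its text and file mode bits."""
    parser = configparser.RawConfigParser(strict=False)
    parser.optionxform = str  # keep key case as written in the file
    parser.read_string(text)
    findings = []
    for section in parser.sections():
        for key, value in parser.items(section):
            name = key.lstrip("!")  # assumed: a leading "!" marks a read-only field
            if name in SECRET_KEYS and value.strip():
                kind = "encrypted" if name.startswith("enc_") else "cleartext"
                findings.append((name, kind))
    # A stored secret only matters more if other local users can read the file.
    if findings and mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append(("file-mode", "readable by group or others"))
    return findings


def audit_pcf_file(path):
    """Audit a profile on disk, using its real permission bits."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    with open(path, encoding="utf-8", errors="replace") as fh:
        return audit_pcf(fh.read(), mode)


# Constructed sample profile; host, names and the hex value are made up.
SAMPLE = """\
[main]
Description=Example
Host=vpn.example.com
GroupName=staff
GroupPwd=
!enc_GroupPwd=00112233445566778899AABBCCDDEEFF
Username=alice
"""

if __name__ == "__main__":
    for name, kind in audit_pcf(SAMPLE, mode=0o644):
        print(f"{name}: {kind}")
```
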