GNOME Bugzilla – Bug 436382
network-manager-vpnc can't connect if at least one of password or group password is missing
Last modified: 2008-11-14 16:57:19 UTC
Steps to reproduce:
1. connect to a VPN where you don't need either user password or group password
2. network-manager-vpnc assert: CRITICAL **: nm_vpnc_config_write: assertion `num_passwords == 2' failed
3. NetworkManager process crash with WARNING (recursed) **: <WARNING> nm_signal_handler (): Caught signal 6. Generating backtrace...
Stack trace:
More info can be found here: https://bugs.launchpad.net/bugs/92570
A simple fix would be not to force the fact of having to supply to password as obviously some people do not have to supply both
Other information:
Created attachment 87659: fix num password assert
fix numpassword==2 assert (simply comment out the assert as some people might not need to supply both passwords).
I was wondering if it was better to change the assert to num_passwords >= 1 or simply comment it out. I just thought that some people might in some case not require any passwords and therefore I simply commented the assert out.
Comment on attachment 87659: fix num password assert
>--- src/nm-vpnc-service.c 2007-03-06 15:08:43.000000000 +0000 >+++ src/nm-vpnc-service.c.new 2007-05-05 16:27:37.000000000 +0100 >@@ -442,7 +442,7 @@ > g_return_val_if_fail (user_name != NULL, FALSE); > g_return_val_if_fail (password_items != NULL, FALSE); > g_return_val_if_fail (data_items != NULL, FALSE); >- g_return_val_if_fail (num_passwords == 2, FALSE); >+/* g_return_val_if_fail (num_passwords == 2, FALSE); */ > > write_config_option (vpnc_fd, "Script " NM_VPNC_HELPER_PATH "\n"); > write_config_option (vpnc_fd, "UDP Encapsulate\n");
This will not be pretty though if we only get 1 item, and a few lines down (not visible in your patch) there is:
write_config_option (vpnc_fd, "IPSec secret %s\n", password_items[0]);
write_config_option (vpnc_fd, "Xauth password %s\n", password_items[1]);
where we fully expect to have 2 passwords. Bad stuff will happen. Can you have an IPSec secret but no Xauth? And vice versa? Can you have neither? Need to figure out the valid combinations...
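Review bot: At the `num_passwords == 2` line, commenting the check out leaves no bound on `num_passwords` at all and leaves dead code in the function. The two `write_config_option` calls quoted in this comment use `password_items[0]` and `password_items[1]` unconditionally, so once the guard is gone nothing guarantees that index 1 exists. Suggest replacing the assert with a check for the combinations the function is meant to accept, and writing each of the `IPSec secret` and `Xauth password` lines only when its item is present, instead of disabling the guard.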
Hi Christopher, Looking at that bug on launchpad, https://bugs.launchpad.net/bugs/92570 , it seems that some people need not supply a group password or a user password. I agree that is a dirty hack, but it seems that password_items are empty strings (initialized by dbus_message_get_args). I don't have a clue if "Xauth password" header should be sent over even if password_items[1] is empty, but it does work for Tom (see his comment @ https://bugs.launchpad.net/bugs/92570 , comment before last)
Hey guys! What's the status of this? I just stumbled across the bug and searched for a report on it. I loved to see how easy it was to connect to VPN with the NetworkManager and its applet, until the moment that it just crashed on me. After reading this report I tried what happened if I just entered some made up Group Password. Well, didn't quite do the job of connecting, but at least no more crash. Looking forward to this issue being sorted out. Cheers! David
OK, actually I found out something more now: The pcf file offered by my university offers an encrypted password enc_GroupPwd= ... I assume that the standard Cisco client sends this, while the network-manager-vpnc just ignores it on import. Maybe the others also just don't know that they need a Group Password, because it's included in their pcf. Cheers! David
OK, just to sum up: I got the Group Password and everything works fine.
It is possible to decode the scrambled group password: http://www.unix-ag.uni-kl.de/~massar/bin/cisco-decode Can we integrate that into the .pcf Import?
As the sourcecode is supplied directly online, I guess it could be a piece of cake to integrate it into network-manager-vpnc. Would be great, will same some hassle to the less experienced
typo edit: will save some hassle and not will same some ...
I am quite new to C but I think I found the part where we could add some code: http://svn.gnome.org/viewcvs/NetworkManager/trunk/vpn-daemons/vpnc/properties/nm-vpnc.c?view=markup line 583 import_from_file It is possible to read the scrambled group_password from the file, decrypt it with http://www.unix-ag.uni-kl.de/~massar/soft/cisco-decrypt.c but there is no field for it in the configuration dialog. I don't know how to hand it over to the GNOME keyring-manager, so that it's already filled in on first connect. Is this even possible?
Yes, the decryption functionality could be integrated into the pcf import code.
*** Bug 483450 has been marked as a duplicate of this bug. ***
Are you sure that you need to add decrypt functionality? because vpnc command line access can use an appropriate conf file just fine. my default.conf file (hiding my gateway for security purposes):
IPSec gateway xxx.xxx.xxx.xxx
IPSec ID secureid
IPSec obfuscated secret A78498DB65105D4B1A6ED7167D9CD8FAAC7FA9BE98DD3A3E338261F31FA14C9B4E1053CA8A8A15BD2439C52550592C8E84BB2A64F31F1698
# IPSec secret myGroupPWD
Xauth username jburdick
this connects just fine with "sudo vpnc" so I don't think you need to add decrypt: instead, just for this variable from the pcf:
enc_GroupPwd=A78498DB65105D4B1A6ED7167D9CD8FAAC7FA9BE98DD3A3E338261F31FA14C9B4E1053CA8A8A15BD2439C52550592C8E84BB2A64F31F1698
copy it to (all one line)
IPSec obfuscated secret A78498DB65105D4B1A6ED7167D9CD8FAAC7FA9BE98DD3A3E338261F31FA14C9B4E1053CA8A8A15BD2439C52550592C8E84BB2A64F31F1698
in the pcf importer. this seems much easier. actually, look at this http://svn.unix-ag.uni-kl.de/vpnc/trunk/pcf2vpnc. it has the code to grab enc_GroupPwd
looking at the link Matthias sent out, there is no good place to grab enc_GroupPwd in the import_from_file method, because the struct NetworkManagerVpnUIImpl does not have a field for it. we should probably add field imports for both GroupPwd and enc_GroupPwd
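The mapping proposed in the comment above, as an added example (not code from network-manager-vpnc, vpnc or pcf2vpnc): it reads `enc_GroupPwd` or `GroupPwd` from a pcf buffer and produces the matching vpnc line, or none when the profile carries no group secret. The function names, the preference for `enc_GroupPwd` when both are set, and the hex-only check are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>

/* Copy the value of "key=" (matched at line start) into val; 1 if non-empty. */
static int pcf_get(const char *pcf, const char *key, char *val, size_t len)
{
    size_t klen = strlen(key);
    while (*pcf) {
        if (strncmp(pcf, key, klen) == 0 && pcf[klen] == '=') {
            const char *v = pcf + klen + 1;
            size_t n = strcspn(v, "\r\n");   /* value stops at end of line */
            if (n == 0 || n >= len) return 0;
            memcpy(val, v, n);
            val[n] = '\0';
            return 1;
        }
        pcf += strcspn(pcf, "\n");           /* advance to the next line */
        if (*pcf == '\n') pcf++;
    }
    return 0;
}

/* Returns 2 (obfuscated line written), 1 (clear-text line written),
 * 0 (no group secret: caller writes no line), -1 (bad value or out too small). */
int pcf_group_secret_line(const char *pcf, char *out, size_t outlen)
{
    char val[256];
    int kind, n;
    if (pcf_get(pcf, "enc_GroupPwd", val, sizeof val)) {
        /* Passed through unchanged, but only if it is pure hex. */
        if (val[strspn(val, "0123456789abcdefABCDEF")] != '\0') return -1;
        kind = 2;
        n = snprintf(out, outlen, "IPSec obfuscated secret %s\n", val);
    } else if (pcf_get(pcf, "GroupPwd", val, sizeof val)) {
        kind = 1;
        n = snprintf(out, outlen, "IPSec secret %s\n", val);
    } else {
        return 0;
    }
    return (n < 0 || (size_t)n >= outlen) ? -1 : kind;
}

int main(void)
{
    /* Constructed sample profile; the hex value is a placeholder. */
    const char *pcf = "[main]\nGroupPwd=\nenc_GroupPwd=00112233AABBCCDD\n";
    char line[300];
    if (pcf_group_secret_line(pcf, line, sizeof line) > 0)
        fputs(line, stdout);
    return 0;
}
```

Because the thread notes that the scrambled value can be decoded, the resulting line needs the same handling as a clear-text `IPSec secret`.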
I think I got it: The GroupPwd has to be imported from the pcf-file http://svn.gnome.org/viewcvs/NetworkManager/trunk/vpn-daemons/vpnc/properties/nm-vpnc.c then unscrambled using http://www.unix-ag.uni-kl.de/~massar/soft/cisco-decrypt.c and stored in the GNOME Keyring Manager and prefilled into the auth-dialog http://svn.gnome.org/viewvc/NetworkManager/trunk/vpn-daemons/vpnc/auth-dialog/main.c so that the user can simply add his personal password. I would like to help and learn some coding using GNOME and C, but I am currently even stuck at some basics:
>configure: error: Package requirements (libnl-1 >= 1.0-pre8) were not met:
>Requested 'libnl-1 >= 1.0-pre8' but version of libnl is 1.0-pre6
when trying to compile latest trunk sourcecode in Ubuntu 7.10 :(
Hi, I just would like to ping this bug. It seems that some people are hitting the issue. I have not read the protocol spec, but it seems that it might happen that the group password is optional. People in https://bugs.launchpad.net/bugs/92570 are unable to use nm-vpnc because of this bug. Shouldn't the assert be removed?
From 92570, it seems that Ryan says his user password is not required, but that the group password is required. I've seen one reference state that they used vpnc in Single DES mode without any Xauth stuff. The problem is that since most people use vpnc with Xauth passwords, and removing the checks for passwords would mean the password dialog would never come up, we can't do that until we implement more intelligent handling of vpnc's requests via stdout/stdin parsing. Thus it breaks the majority use-case of importing a connection and being asked for your passwords on the first connection attempt.
*** Bug 533960 has been marked as a duplicate of this bug. ***
duping to 346547, because we now support group password import, and the password handling in 0.7 has been fixed up to allow blank group or user passwords, or to be asked every time. *** This bug has been marked as a duplicate of 346547 ***