GNOME Bugzilla – Bug 331529
[enh] system-wide config to stop annoying keyring-on-login dialog
Last modified: 2009-11-14 09:34:56 UTC
If you are using Network Manager by default on one (or more) encrypted wifi network, you must unlock the gnome-keyring each time you boot the computer. So far, the WEP key was stored in plain text in /etc/network/interfaces which is world readable. It is assumed that, if someone has access to your computer, he can access your network. Requiring a user action at each start before connecting you is not user friendly at all and very boring. It's also a problem when you want your computer to start and start automatically some actions like checking your feeds and your emails. I suggest then that NM stores WEP keys in a plain text file, storing in gnome-keyring-manager would be an option.
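As an added illustration of the exposure this report describes (not part of the original thread and not NetworkManager code): a small audit that flags wireless secrets kept in an ifupdown-style file that every local account can read. The sample file content is constructed, and the option names checked (`wireless-key`, `wpa-psk`) are an assumption about which settings carry the secret.

```python
import os
import stat
import tempfile

# Assumption: these ifupdown options hold the wireless secret in clear text.
SECRET_OPTIONS = ("wireless-key", "wpa-psk")

# Constructed sample input, not taken from a real host.
SAMPLE = """\
# constructed sample
auto lo
iface lo inet loopback

iface wlan0 inet dhcp
    wireless-essid ExampleNet
    wireless-key s:EXAMPLE-KEY-01
"""

def find_plaintext_secrets(path):
    """Return (line_no, iface, option) for every secret-bearing option line."""
    findings, iface = [], None
    with open(path, encoding="utf-8", errors="replace") as fh:
        for line_no, raw in enumerate(fh, 1):
            words = raw.split()
            # Only whole-line comments are skipped: a '#' may be part of a key.
            if not words or words[0].startswith("#"):
                continue
            if words[0] == "iface" and len(words) > 1:
                iface = words[1]
            elif len(words) > 1 and words[0].rstrip("0123456789") in SECRET_OPTIONS:
                findings.append((line_no, iface, words[0]))
    return findings

def audit(path):
    """Combine the file mode with the secrets found in the file."""
    mode = os.stat(path).st_mode
    secrets = find_plaintext_secrets(path)
    world_readable = bool(mode & stat.S_IROTH)
    return {"mode": oct(stat.S_IMODE(mode)), "world_readable": world_readable,
            "secrets": secrets, "exposed": world_readable and bool(secrets)}

def demo():
    """Audit the sample as 0644 (world readable), then as 0600 (owner only)."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "interfaces")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(SAMPLE)
        os.chmod(path, 0o644)
        before = audit(path)
        os.chmod(path, 0o600)
        return before, audit(path)

if __name__ == "__main__":
    for result in demo():
        print(result)
```

Tightening the mode to 0600 only removes exposure to other local accounts; the key is still stored unencrypted, which is the distinction the next comment draws with the keyring.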
Text file isn't going to work. The point of putting the keys in the keyring is to make sure they are encrypted, and that only the user him/her-self can grant access to them to NetworkManager. This is a valid bug, make no mistake; and it will be fixed sometime in the NetworkManager 0.7-> release cycle (later this year). But it's going to be fixed by allowing users to make configurations for certain networks "system-wide", and available to all users on the system. Then, to not be prompted for that dialog, you must make your config system-wide. The other solution to this problem is to tie the keyring in with the login sequence, such that your keyring will be unlocked on login. Given that that is possibly a security issue, a combination of these two approaches will likely give the best tradeoff between annoyance and security.
system-wide config will be implemented during the 0.7 work phase and should take care of this.
*** Bug 337735 has been marked as a duplicate of this bug. ***
When connecting to the keyring with gnome-panel, I've seen it say "Always allow", such that when I connect to a remote server now, it no longer asks me for my keyring password. Is it possible for NM to get some access like this?
Also see: https://launchpad.net/distros/ubuntu/+source/network-manager/+bug/34898
JFYI, I got pam-gnome-keyring to work: http://uwstopia.nl/blog/2006/08/password-hell-gdm-ssh-gnome-keyring http://uwstopia.nl/blog/2006/08/password-hell-part-ii
*** Bug 404130 has been marked as a duplicate of this bug. ***
*** Bug 444599 has been marked as a duplicate of this bug. ***
A system-wide config is also required for a system that authenticates users using (for example) Kerberos over the network. NetworkManager is useless in many cases because the network is not available until after a user logs in.
Bump. This would be nice. I'd like to suggest the first network the user connects to should automatically be system-wide, as that's usually what they'll intend (anyone unpacking a laptop in their local starbucks will know what they're doing). As a matter of fact - especially if we're talking about laptops or home desktops here - shouldn't the default setting for non-VPN networks be system-wide?
Martin
PS - Stating the obvious but maybe the target milestone should be updated - I guess this didn't get in to 0.7 as I'm using it on fc8 and don't see anything.
*** Bug 405587 has been marked as a duplicate of this bug. ***
*** Bug 444607 has been marked as a duplicate of this bug. ***
*** Bug 503129 has been marked as a duplicate of this bug. ***
I almost made a duplicate of this bug. I also must say I think this is far more than an enhancement but a SECURITY ISSUE, as an admin may not want a user to know the WEP key for a network but doesn't want to deny untrustworthy users access to their keyring (which would otherwise be fine to let an untrustworthy user access, because it was only meant to contain user local data).
*** Bug 505502 has been marked as a duplicate of this bug. ***
The system settings service has been in SVN trunk for a while and works pretty well for Fedora. There's also an OpenSUSE system settings plugin. Other distros will need plugins that coerce their normal network config files (like /etc/network/interfaces) into connections NM can use.
Has it occurred to anybody that Notebooks are often used by multiple users, and that it might not be an option to have just anybody using it to be logged into private hotspots automatically ? There should at least be a warning to that end, informing people that their security goes down the drains when using NetworkManager. See https://bugzilla.novell.com/show_bug.cgi?id=396193
Mr/Miss/Mrs "Programmer",
That is an absolutely ridiculous argument. What is actually failing here in the first place is that NM makes network connections *appear* to be per-user, in that it takes a user's personal configuration and action (even if automatically on login) to initialise the connections. The fact that it does not disconnect on logout is NOT the problem. Linux does not support per-user networking in any setup I'm familiar with, and even if it did (it may do, maybe based on SE), there is no way any 802.11 driver would let you have more than one connection active, meaning that users would have to be granted exclusive access to the radio, and that system-wide services would not be able to use the connection ("Which user's networking system do I use? Am I even allowed?") To suggest that "security goes down the drain" would be plain wrong. If you weren't using N-M, having someone log on to the private network would make it available to everyone else on the system anyway. You're not losing anything. I'm afraid the real fix here is to drop the charade and go with system-wide configuration as the default, and drop per-user configuration for all but VPN use, as that is something that /can/ be made to be per-user with finite effort. Also, why the alias?
As always grateful for detailed explanations, thank you. In fact security is going down the drains, as people are misled to believe in things (per user networking) that aren't there; you name it correctly "charade". What I am complaining about might be more openSUSE related. There you configure WLAN credentials for use with ifup (which _is_ systemwide). What one is not being made aware of is that changing the yast2 lan setting from ifup to NetworkManager makes the NetworkManager secretly (without making you aware of it) use the NIC settings, when one would expect a per user setting. True, you can remove the NIC settings, but why should you be forced to enter and delete settings while switching between ifup and NM?
> Also, why the alias?
Why not ? :-)
(In reply to comment #19)
> > Also, why the alias?
> Why not ? :-)
Because it's annoying to speak to people who refuse to tell who they are. Especially when you're complaining about security.
OK, understood, although it's somewhat off topic: If I posted as Karl or Bill or Gretchen it would make you feel better. The issue would remain the same. You wouldn't know if I were I and what's between my ears just the same.
(In reply to comment #21)
> OK, understood, although it's somewhat off topic:
> If I posted as Karl or Bill or Gretchen it would make you feel better.
[even more off-topic] At least we now know your mother tongue is German(ic). Heh ;)
You are attempting to connect to a wireless network. Cancel or allow?
I have installed openSUSE 11.1 final, and this issue appears to be back, not only am I challenged with the keyring password for NetworkManager but also Evolution.