GNOME Bugzilla – Bug 565948
No support for obfuscated passwords
Last modified: 2009-01-14 18:20:17 UTC
The password fields should support obfuscated passwords so that they do not have to be decrypted to plain text before the vpnc module can use them. Maybe a checkbox such as "Use Obfuscated Passwords" should be available? Other information: The system admins at my college will not support the vpnc module and do not want anyone using it because folks have to first decrypt their group password. They would rather keep it encrypted. I understand that the vpnc client comes with a command-line tool that will decrypt the password, but the admins would rather have documentation that tells the user to simply use a pcf file they have designed to extract the information for the vpnc module, not change the values into clear text first. Alternatively, a location for the vpnc conf file would be good, then they could just have the users download it to a particular location on their hard drive.
One last note: if the alternative solution (a conf file that the admins could have users download in order to set up the vpnc module) is used, it should also allow obfuscated passwords. Otherwise, they won't use it.
Support for importing obfuscated passwords from PCF files was added on 2008-11-03 and made the NM-vpnc 0.7.0 release. *** This bug has been marked as a duplicate of 547582 ***
I would disagree about obfuscated passwords being supported. The reason for this is because when I try to import a PCF file, everything does import -- except my passwords. When I manually enter the obfuscated password into the group password field, it accepts it. However, when I try to connect, I get an error: VPN Connection Failed The VPN connection "<my VPN>" failed because of invalid VPN secrets. I have verified that the obfuscated password that I'm entering into the group password field is typed in correctly. I have also used VPNC to connect to the VPN using that obfuscated password and it works. When I decrypt the group password and enter it as clear text in NM, it works fine. I suspect that NetworkManager doesn't know how to tell the difference between an obfuscated password and a clear text one. Therefore, it is just using the command "IPSEC Secret" instead of "IPSEC obfuscated secret" in the VPNC conf file that I assume it is generating. Which is why I suggested a checkbox along the lines of "Use obfuscated password". By checking it, NM would use the "IPSEC obfuscated password" parameter in the VPNC conf file.
What exact svn revision of NM-vpnc are you using? Does your PCF file contain the enc_GroupPwd key with a long string of hex numbers? What version of the Cisco tool was the PCF file created with? Do you have the 'cisco-decrypt' binary installed, which is normally shipped with vpnc, and if so, where on your system does it live? I have just tried importing a PCF file using an encrypted group password, and it certainly does decrypt the obfuscated group password correctly.
Thanks for the response. Here is the information you are seeking:
What exact svn revision of NM-vpnc are you using?
I'm using the one that comes with Ubuntu 8.10. Ubuntu lists the version as: 0.7~~svn20081015t024626-0ubuntu1
I suspect that the "svn20081015t024626" portion of the Ubuntu version number is what you are looking for.
Does your PCF file contain the enc_GroupPwd key with a long string of hex numbers?
Yes, enc_GroupPwd is there and it has the encrypted key set.
What version of the Cisco tool was the PCF file created with?
I do not know for sure, but I know that the VPN network is new for my University, so it can't be older than v4.6, but most likely v4.8.
Do you have the 'cisco-decrypt' binary installed, which is normally shipped with vpnc, and if so, where on your system does it live?
Yes, I do. It is at: /usr/lib/vpnc/cisco-decrypt
Ok, you'll want to have your distribution upgrade its vpnc package to the actual 0.7 release. Ubuntu shipped a pre-release version that doesn't have the decrypt capability. The code went into network-manager-vpnc on 2008-11-03.
Ok, I'll look into having nm-vpnc upgraded through my distro. However, that doesn't take care of the other part of my issue. The solution nm-vpnc is currently providing takes the obfuscated password and DECRYPTS it as part of the pcf import process. This means I can go into the VPN configuration in NetworkManager and see the clear text password displayed in my settings. My admins will not accept this. They will want it to forever and always appear to the end-user as encrypted. I'm looking for the addition of the feature that nm-vpnc does not decrypt the password as part of the import process. The end-user should always see the password as encrypted -- whether it be in the pcf file or as part of the VPN settings within NetworkManager. nm-vpnc should be capable of using the obfuscated password to initiate logon to the vpn network.
I've been looking at the code for this module and it appears that it has been designed to spawn the vpnc service without any defined attributes. Since vpnc will prompt for these attributes if they are not defined on the command-line, I'm assuming the DBus is being used to pass these settings in the proper order to the pid that vpnc is using. If this is the case, I see two possible options that would work to add the functionality of using obfuscated passwords from within nm-vpnc:
1) nm-vpnc would call cisco-decrypt during login to the vpn network rather than the pcf file import process. This would mean that the password would be passed to vpnc via the DBus as clear-text, but that would not be something that is visible to the end-user, thus, my admins would accept this.
2) The maintainer for VPNC could be asked to support a "--obfuscated" command-line switch that would cause VPNC to expect an encrypted password when it prompts for one. This would mean that nm-vpnc could just pass the encrypted password to VPNC without having to do anything, VPNC would handle the password correctly.
Either solution does mean nm-vpnc would need a checkbox called something like "Use obfuscated password" in order for this to work. In the first solution, the checkbox would cause nm-vpnc to call cisco-decrypt before passing the password on to VPNC. In the second scenario, the checkbox would cause nm-vpnc to add the "--obfuscated" switch when the VPNC process is spawned. Would either of these solutions work and fit within the construct of how the development of the module is being envisioned? I thank you for your attention to this matter.
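Sketch of the import behaviour proposed in this comment, as an added example that is not NetworkManager-vpnc's or vpnc's own code: the PCF group-password field is carried over to vpnc.conf in whatever form it had, so an enc_GroupPwd value becomes an "IPSec obfuscated secret" line instead of being run through cisco-decrypt at import time, and the editor view shows stars for secrets. The PCF sample and its hex value are constructed placeholders; the vpnc.conf key names are the ones named in this thread and documented in vpnc.conf(5).

```python
"""Map the group-password fields of a Cisco .pcf profile onto vpnc.conf lines.

Added example, not NetworkManager-vpnc code. The sample profile below is
constructed; the hex value is a placeholder, not a real obfuscated secret.
"""
import configparser

# PCF [main] keys and the vpnc.conf keys they map onto (see vpnc.conf(5)).
PCF_TO_VPNC = {
    "Host": "IPSec gateway",
    "GroupName": "IPSec ID",
    "Username": "Xauth username",
}

SAMPLE_PCF = """\
[main]
Description=campus vpn (constructed sample)
Host=vpn.example.edu
GroupName=students
enc_GroupPwd=0123456789abcdef0123456789abcdef
Username=jdoe
"""

def pcf_to_vpnc(pcf_text):
    """Return vpnc.conf lines; the group secret keeps the form it had in the PCF."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # PCF keys are case-sensitive ("GroupPwd" vs "enc_GroupPwd")
    cp.read_string(pcf_text)
    main = cp["main"]
    lines = [f"{vpnc_key} {main[pcf_key]}"
             for pcf_key, vpnc_key in PCF_TO_VPNC.items() if pcf_key in main]
    enc = main.get("enc_GroupPwd")
    if enc:
        # vpnc expects the same hex string that the PCF carries; validate, don't decrypt.
        if len(enc) % 2 or any(c not in "0123456789abcdefABCDEF" for c in enc):
            raise ValueError("enc_GroupPwd is not a hex string")
        lines.append(f"IPSec obfuscated secret {enc}")
    elif main.get("GroupPwd"):
        lines.append(f"IPSec secret {main['GroupPwd']}")
    else:
        raise ValueError("profile has neither GroupPwd nor enc_GroupPwd")
    return lines

def redact(lines):
    """What a connection editor should display: secret values replaced by stars."""
    out = []
    for line in lines:
        key, _, _value = line.rpartition(" ")
        if "secret" in key.lower() or "password" in key.lower():
            line = f"{key} {'*' * 8}"
        out.append(line)
    return out
```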
The user could, at any point, run cisco-decrypt on the encrypted password and get the unencrypted group password anyway. Or you can paste it into a website that will decrypt it for you. Storing the group password encrypted (if you can call it that, it's a trivial obfuscation) doesn't increase security at all. Furthermore, the group password is stored *encrypted* in the Gnome Keyring and thus unless you as the user explicitly authorize an application to access it, it will not be accessible. What you *can* do with NM-vpnc is to have NetworkManager always ask you for both passwords. If you do this, the password (encrypted or decrypted) is only stored in your brain. The problem here is that adding "obfuscated password" text entry boxes to the vpnc dialog is less usable for exactly zero security gain. No user needs to (or should have to) know the difference between an obfuscated password and a non-obfuscated password, or even know what the word "obfuscated" really means. A better suggestion (assuming the problem is actually valid) is to have the connection editor always show stars for the password fields when it reloads them, like the iPhone does with the Cisco VPN client. The stars get cleared when you click in the field to edit the password. In any case, if that's desirable behavior, a different bug should be opened for that since this one is in fact fixed... Thanks for the info!