After an evaluation, GNOME has moved from Bugzilla to GitLab. Learn more about GitLab.
No new issues can be reported in GNOME Bugzilla anymore.
To report an issue in a GNOME project, go to GNOME GitLab.
Do not go to GNOME Gitlab for: Bluefish, Doxygen, GnuCash, GStreamer, java-gnome, LDTP, NetworkManager, Tomboy.
Bug 705998 - RFE: nmcli to prompt for "Always Ask" secrets
RFE: nmcli to prompt for "Always Ask" secrets
Status: RESOLVED FIXED
Product: NetworkManager
Classification: Platform
Component: nmcli
0.9.8
Other Linux
: Normal normal
: ---
Assigned To: NetworkManager maintainer(s)
NetworkManager maintainer(s)
: 733649 734161 (view as bug list)
Depends on:
Blocks: nm-review
 
 
Reported: 2013-08-14 15:24 UTC by Vincent Batts
Modified: 2016-09-07 18:28 UTC
See Also:
GNOME target: ---
GNOME version: ---



Description Vincent Batts 2013-08-14 15:24:21 UTC
For secure token networks, the wireless has a 802.1x that prompts for a one time token (RSA or LinOTP), as well as the VPN connections.
The current nmcli only handles bringing up connections that have saved credentials. I propose that it respect the configurations where fields have "Always ask", to allow passing the value in from the command line.
Either it could be an additional flag or argument, or even a stdin prompt (with the input not echo'ed)
Comment 1 Pavel Simerda 2013-08-14 15:32:51 UTC
+1 from me
Comment 2 Thomas Haller 2014-07-24 18:23:45 UTC
*** Bug 733649 has been marked as a duplicate of this bug. ***
Comment 3 Dan Winship 2014-08-02 13:29:48 UTC
*** Bug 734161 has been marked as a duplicate of this bug. ***
Comment 4 Dan Winship 2014-10-20 14:51:28 UTC
review of jk/nmcli-secret-agent:

> clients: move secret agent to common directory

>-	NmtNewtEntryValidator validator;
>+#if 0
>+	NmcNewtEntryValidator validator;

I was going to say "you can't just remove that, nmtui needs it!", but then I saw that I never actually finished that. The idea was that NmtSecretAgent would provide a callback function that you could use to tell if the provided password was valid or not. [Eg, the right length for a WEP passphrase, or only hex for a hex WEP key.])

We probably do want that functionality at some point, but for now you can just remove it rather than #if 0'ing it. (And remove the existing #if 0 part too.)

>+ * nmc_secret_agent_new:
>+ * @name: tde identifier of secret agent

typo "tde"

>+	../common/nmc-secret-agent.c \
>+	../common/nmc-secret-agent.h \

does that work with srcdir != builddir? I think

    $(srcdir)/../common/nmc-secret-agent.c \

is safer.

Also, does that get disted correctly?



> clients: add real property name to NmcSecretAgentSecret

You could just move the existing "setting" and "property" fields from NmcSecretAgentSecretReal to NmcSecretAgentSecretBase.



> cli: use secret agent for getting passwords from user

>+	static gboolean first = TRUE;
>+
>+	if (first)
>+		g_print ("%s\n", msg);

Why do you only want to print the message once? Is it just to avoid redundancy if the password is incorrect and the user is asked a second time? I don't think printing the message again is bad in that case...

And it's possible to need two unrelated sets of secrets for a single activation (eg, if you have a Wi-Fi connection with a secondary VPN), and you definitely want both messages then.

>+	gboolean bb = FALSE;

no clue what "bb" stands for here...

>+		g_print ("%s\n", _("Warning: nmcli do not ask for password without '--ask' argument."));

"does not"



> cli: add 'passwords' parameter for 'nmcli connection up'

>+	              "  up [[id | uuid | path] <ID>] [ifname <ifname>] [ap <BSSID>] [nsp <name>] [passwords \"<pwd_spec>:<pwd> ...\"]\n\n"

It's not obvious that <pwd_spec> means the property name. Why not just say <property_name>?

>+	              "nsp    - specifies NSP to connect to (only valid for WiMAX)\n"
>+	              "passwords - password(s) required to activate the connection\n\n"));

you should probably realign the "-"s on the lines above this... it looks bad that they're all aligned except the last one.

>+/* E.g. "wifi.psk:tajneheslo 802-1x.password:krakonos" */

passwords can have spaces in them. Maybe it would be better to do

  password wifi.psk:tajneheslo password '802-1x.password:something with spaces'

?

>+				g_print ("%s\n",
>+				         _("Warning: nmcli do not ask for password without '--ask' argument."));

maybe mention the "passwords" argument too?
Comment 5 Jiri Klimes 2014-10-21 12:24:54 UTC
(In reply to comment #4)
> review of jk/nmcli-secret-agent:
> 
> > clients: move secret agent to common directory
> 
> >-	NmtNewtEntryValidator validator;
> >+#if 0
> >+	NmcNewtEntryValidator validator;
> 
> I was going to say "you can't just remove that, nmtui needs it!", but then I
> saw that I never actually finished that. The idea was that NmtSecretAgent would
> provide a callback function that you could use to tell if the provided password
> was valid or not. [Eg, the right length for a WEP passphrase, or only hex for a
> hex WEP key.])
> 
> We probably do want that functionality at some point, but for now you can just
> remove it rather than #if 0'ing it. (And remove the existing #if 0 part too.)
> 
'#if 0' code removed.

> >+ * nmc_secret_agent_new:
> >+ * @name: tde identifier of secret agent
> 
> typo "tde"
Fixed.

> 
> >+	../common/nmc-secret-agent.c \
> >+	../common/nmc-secret-agent.h \
> 
> does that work with srcdir != builddir? I think
> 
>     $(srcdir)/../common/nmc-secret-agent.c \
> 
> is safer.
> 
> Also, does that get disted correctly?
> 
It builds for me in a different directory. But I prepended "$(srcdir)/" as you suggest, it may be more robust. (I am weak in the autohell^H^H^H^Htools.)

> 
> 
> > clients: add real property name to NmcSecretAgentSecret
> 
> You could just move the existing "setting" and "property" fields from
> NmcSecretAgentSecretReal to NmcSecretAgentSecretBase.
> 
I left it as it is for now.
Is NmcSecretAgentSecretReal needed at all?

> 
> > cli: use secret agent for getting passwords from user
> 
> >+	static gboolean first = TRUE;
> >+
> >+	if (first)
> >+		g_print ("%s\n", msg);
> 
> Why do you only want to print the message once? Is it just to avoid redundancy
> if the password is incorrect and the user is asked a second time? I don't think
> printing the message again is bad in that case...
> 
> And it's possible to need two unrelated sets of secrets for a single activation
> (eg, if you have a Wi-Fi connection with a secondary VPN), and you definitely
> want both messages then.
> 
Yes, I preferred to print the message just once when a bad password is given. But you are right that it would have to be done per password. So I changed it to print the message each time for now.

> >+	gboolean bb = FALSE;
> 
> no clue what "bb" stands for here...
> 
Changed to success :)

> >+		g_print ("%s\n", _("Warning: nmcli do not ask for password without '--ask' argument."));
> 
> "does not"
> 
Fixed.

> 
> 
> > cli: add 'passwords' parameter for 'nmcli connection up'
> 
> >+	              "  up [[id | uuid | path] <ID>] [ifname <ifname>] [ap <BSSID>] [nsp <name>] [passwords \"<pwd_spec>:<pwd> ...\"]\n\n"
> 
> It's not obvious that <pwd_spec> means the property name. Why not just say
> <property_name>?
> 
Done.

> >+	              "nsp    - specifies NSP to connect to (only valid for WiMAX)\n"
> >+	              "passwords - password(s) required to activate the connection\n\n"));
> 
> you should probably realign the "-"s on the lines above this... it looks bad
> that they're all aligned except the last one.
> 
Done. I wonder if we should describe the passwords here in more detail. 

> >+/* E.g. "wifi.psk:tajneheslo 802-1x.password:krakonos" */
> 
> passwords can have spaces in them. Maybe it would be better to do
> 
>   password wifi.psk:tajneheslo password '802-1x.password:something with spaces'
> 
> ?
Yes, passwords can contain abritrary characters. So I thought of having user specify a delimiter not contained in passwords himself.
I have added a commit doing this via "delim:<char>" prefix to 'passwords' option.

> 
> >+				g_print ("%s\n",
> >+				         _("Warning: nmcli do not ask for password without '--ask' argument."));
> 
> maybe mention the "passwords" argument too?
I rephrased the message to:
g_printerr (_("Warning: password for '%s' not given via 'passwords' "
              "and nmcli cannot ask without '--ask' option.\n"), secret->prop_name);

Branch is rebased to master and re-pushed.
Comment 6 Dan Winship 2014-10-29 13:59:30 UTC
(In reply to comment #5)
> > Also, does that get disted correctly?

It looks like the answer to that is yes, but "make dist" fails anyway because you need to update po/POTFILES.in for the renamed file.

> > You could just move the existing "setting" and "property" fields from
> > NmcSecretAgentSecretReal to NmcSecretAgentSecretBase.
> > 
> I left it as it is for now.
> Is NmcSecretAgentSecretReal needed at all?

The idea behind the Real/Base split was that we might someday make this public API (since it's now shared by nmtui and nmcli, and it's based on the gnome-shell secret agent code), and the secret agent internals need to keep track of some information that the API users don't need to know about.

Keeping it as-is for now is fine.

> Yes, passwords can contain abritrary characters. So I thought of having user
> specify a delimiter not contained in passwords himself.
> I have added a commit doing this via "delim:<char>" prefix to 'passwords'
> option.

That seems like an awkward way to do it, and makes it difficult to use programmatically. (If you want to call nmcli and pass a user-provided password, you'd have to scan the password to find a character that it doesn't use to use as the delimiter character...)

Though I guess that since the password would be visible in "ps" for the entire time it takes the connection to activate, people are only going to use this option with passwords they don't really care about anyway, which means the password is probably going to be along the lines of "pass123", not "foo < $bar!&,"
Comment 7 Jiri Klimes 2014-10-30 10:04:41 UTC
(In reply to comment #6)
> (In reply to comment #5)
> > > Also, does that get disted correctly?
> 
> It looks like the answer to that is yes, but "make dist" fails anyway because
> you need to update po/POTFILES.in for the renamed file.
> 
Good catch! po/POTFILES.in updated now.

> > > You could just move the existing "setting" and "property" fields from
> > > NmcSecretAgentSecretReal to NmcSecretAgentSecretBase.
> > > 
> > I left it as it is for now.
> > Is NmcSecretAgentSecretReal needed at all?
> 
> The idea behind the Real/Base split was that we might someday make this public
> API (since it's now shared by nmtui and nmcli, and it's based on the
> gnome-shell secret agent code), and the secret agent internals need to keep
> track of some information that the API users don't need to know about.
> 
> Keeping it as-is for now is fine.
> 
Ok, I understand the split now.

> > Yes, passwords can contain abritrary characters. So I thought of having user
> > specify a delimiter not contained in passwords himself.
> > I have added a commit doing this via "delim:<char>" prefix to 'passwords'
> > option.
> 
> That seems like an awkward way to do it, and makes it difficult to use
> programmatically. (If you want to call nmcli and pass a user-provided password,
> you'd have to scan the password to find a character that it doesn't use to use
> as the delimiter character...)
> 
Putting passwords (strings with arbitrary special characters) on command line can be a problem anyway, because it may require various escape magic for shell processing. But, in general, offering a delimiter, allows users a way for providing more-or-less any password.

> Though I guess that since the password would be visible in "ps" for the entire
> time it takes the connection to activate, people are only going to use this
> option with passwords they don't really care about anyway, which means the
> password is probably going to be along the lines of "pass123", not "foo <
> $bar!&,"
I have added a note to the manual page that putting password on command line is not recommended for top secret passwords.

Anyway, we should enable a password storage (probably an integration with libsecret) for nmcli/nmtui in future which would make 'passwords' option unnecessary.

Branch rebased to latest master.
Comment 8 Thomas Haller 2014-10-31 10:41:12 UTC
>> clients: move secret agent to common directory
    
> The agent code will be shared by both nmtui and nmcli.

What secrets a connection has is hard coded. Instead of libnm telling which properties are secrets, for example using NM_SETTING_PARAM_SECRET.
But well...


>> cli: use secret agent for getting passwords from user

+    if (nmc->ask) {
+         success = get_secrets_from_user (request_id, title, msg, secrets);
+    } else {
+         g_print ("%s\n", msg);
+         g_print ("%s\n", _("Warning: nmcli does not ask for password without '--ask' argument."));
+    }

I think nmcli should silently ignore password requests when called without --ask (instead of issuing a warning). Possibly, when called without --ask, nmcli should not even register a password agent.

Usually, you already have nm-applet running which gets the password from the keyring. Hence, the warning is not helpful (and wrong).


Maybe we could extend --ask to have --ask, --no-ask and --ask-tty. --ask works as it does now. --no-ask works as the current default. --ask-tty would work as --no-ask, except for passwords it would ask for them *only* when connected to a terminal.


>> cli: allow spaces in secrets inside 'passwords' option
>> cli: add 'passwords' parameter for 'nmcli connection up'

I don't think delim: is a good idea. As danw said, for a script it is very hard to escape a password. Why not escape everything with '\'? It makes it easy to escape from scripts?

But then again, combining different passwords in one command line argument makes it again hard for the script. And it also makes it very hard for bash-completion to do anything useful (especially, together with 'delim:').

I think it be much better to accept multiple password arguments separately:

   nmcli connection up ID password <SETTING.PROPERTY1> <PASSWD1> password <SETTING.PROPERTY2> <PASSWD2> ...

this way, you don't need any escaping. And bash completion can (relatively) easily complete to <SETTING.PROPERTY1>.




For always-ask passwords (two-factor-auth), providing the password on command line is indeed useful. But it is also terribly insecure. Thinking about it again: I think we should not encourage and support that.

I strongly vote for dropping this functionality entirely because many users are not aware that password can be seen with `ps` and that it ends up in the bash-history.

Passing the passwords via environment is a bit secure. At least only root and the user can read /proc/$$/environ. But even that is not great.

Why not reading it from a file descriptor instead?
Comment 9 Jiri Klimes 2014-11-03 14:40:13 UTC
(In reply to comment #8)
> >> clients: move secret agent to common directory
> 
> >> cli: use secret agent for getting passwords from user
> 
> +    if (nmc->ask) {
> +         success = get_secrets_from_user (request_id, title, msg, secrets);
> +    } else {
> +         g_print ("%s\n", msg);
> +         g_print ("%s\n", _("Warning: nmcli does not ask for password without
> '--ask' argument."));
> +    }
> 
> I think nmcli should silently ignore password requests when called without
> --ask (instead of issuing a warning). Possibly, when called without --ask,
> nmcli should not even register a password agent.
> 
> Usually, you already have nm-applet running which gets the password from the
> keyring. Hence, the warning is not helpful (and wrong).
> 

Well, the warning is not wrong. It says the user that he won't be asked without --ask. What was wrong was that next agent was not asked. It is fixed now.

> 
> 
> >> cli: allow spaces in secrets inside 'passwords' option
> >> cli: add 'passwords' parameter for 'nmcli connection up'
> 

I have changed that to use 'passwd-file <filename>' instead to provide passwords.
Comment 10 Dan Winship 2014-11-06 19:35:04 UTC
maybe mention in nmcli.1 that --ask controls password prompting too now?

Actually, maybe clarify that if NM needs a password, then (1) if you passed --ask, then nmcli will ask you for the password, but (2) if you didn't pass --ask, but are running a GUI secret agent (such as nm-applet or gnome-shell), then NM will ask for the password via that agent.
Comment 11 Dan Williams 2014-11-07 04:31:11 UTC
The code looks good to me.  I also took a second to figure out the --ask vs. GUI behavior, so would be good to document.  The rest is good!
Comment 12 Jiri Klimes 2014-11-07 12:31:54 UTC
I changed the "Nm" prefix to "NM" and put some clarificatios regarding --ask to the manual page. Thanks for reviewing.

Commits in master:
847e2a4 merge: use NM secret agent in nmcli when connecting to networks (bgo #705998)
252c8bf man: document/clarify --ask option in relation to password prompting
3c9b867 cli: add 'passwd-file' option for 'nmcli connection up' to provide passwords
de7f85b cli: use secret agent for getting passwords from user
b41cb60 clients: add real property name to NNSecretAgentSimpleSecret
801fc34 clients: move secret agent to common directory
Comment 13 Jiri Klimes 2014-11-11 12:52:31 UTC
Reopen for a fix, branch: jk/nmcli-ask-pwd-fix

When nmcli connection up eth-profile is called nmcli could ask for secrets for another profile, which might confuse user. Improve that by checking whether the request is for the activating connection.
Comment 14 Dan Winship 2014-11-11 14:29:51 UTC
Yeah. Although, nmtui should behave the same way, so maybe nm_secret_agent_simple_new() should take an optional NMConnection argument and do the filtering itself?
Comment 15 Thomas Haller 2014-11-11 15:45:36 UTC
-         secrets_data->connection = connection;
+         secrets_data->connection = g_object_ref (connection);

(and unref likewise).

Actually, I wouldn't even pass on the NMConnection reference. Just g_strdup(nm_object_get_path()).




Re: I still strongly dislike the warning
  "Warning: password for '802-1x.identity' not given in 'passwd-file' and..." 

It happens now whenever NM needs secrets, although I have nm-applet running. Indeed I run `nmcli conn up` without --ask, because I want nm-applet to provide the secrets.

It is enough to document that interactive password input requires --ask.




Rest looks good.
Comment 16 Jiri Klimes 2014-11-11 15:56:29 UTC
(In reply to comment #14)
> Yeah. Although, nmtui should behave the same way, so maybe
> nm_secret_agent_simple_new() should take an optional NMConnection argument and
> do the filtering itself?

Done and pushed to jk/clients-secrets-ask-fix.
Comment 17 Dan Winship 2014-11-11 16:50:56 UTC
looks good
Comment 18 Jiri Klimes 2014-11-12 12:50:30 UTC
a928ce8 clients: only handle secret requests for connection being explicitly activated
pushed to master

I will yet look into the warning thing, leaving the bug open for it.
Comment 19 Thomas Haller 2016-09-07 18:28:32 UTC
ok, let's close this. Seems everybody is fine with the warning.