Bug 495893 - [enh] Add Hybrid auth capability
Status: RESOLVED FIXED
Product: NetworkManager
Classification: Platform
Component: VPN: vpnc
Version: git master
Hardware: Other All
Importance: Normal enhancement
Assigned To: Dan Williams
Duplicates: 564475
Reported: 2007-11-11 15:48 UTC by Steffen Röcker
Modified: 2012-03-09 17:46 UTC

Attachments
hybrid auth support for config options validate (1.31 KB, patch)
2007-11-11 15:49 UTC, Steffen Röcker
improved patch with properties dialog entries (60.05 KB, patch)
2007-11-16 22:33 UTC, Steffen Röcker
validates config hybrid options (1.63 KB, patch)
2008-11-01 09:43 UTC, Steffen Röcker
adds code for gui (2.07 KB, patch)
2008-11-01 09:44 UTC, Steffen Röcker
patches the glade file (20.43 KB, patch)
2008-11-01 09:45 UTC, Steffen Röcker
adds code for gui (fixed) (2.08 KB, patch)
2008-11-16 19:06 UTC, Steffen Röcker
add code for gui (fix for NM 0.7rc2) (1.97 KB, patch)
2008-11-18 13:56 UTC, Sébastien Mazy
Updated patch (11.66 KB, patch)
2009-12-02 10:08 UTC, John Haxby
Updated patch for v. 0.9-rc2 (14.49 KB, patch)
2011-05-18 09:09 UTC, Gustav Munkby

Description Steffen Röcker 2007-11-11 15:48:08 UTC
vpnc supports hybrid authentication since version 0.5.
network-manager-vpnc has no option to use hybrid authentication.

Even though you have to manually compile vpnc with hybrid auth support because of licensing issues, many users, especially students, would be glad to have a nice interface.

I made a very simple patch that validates the config options manually set in gconf: /system/networking/vpn_connections.

It would be nice if someone could patch nm-vpnc-dialog to let the user enable hybrid authentication and choose a CA-File.

Regards,
Steffen
Comment 1 Steffen Röcker 2007-11-11 15:49:22 UTC
Created attachment 98916
hybrid auth support for config options validate
Comment 2 Steffen Röcker 2007-11-16 22:31:46 UTC
I patched the properties dialog myself, but I don't know if it's HIG-conformant or builds correctly.

Users can now choose to use hybrid authentication and enter the path of a CA file. (A file-chooser button would be nice.)

I apologize that the .glade part of the patch is a bit messy.
Comment 3 Steffen Röcker 2007-11-16 22:33:16 UTC
Created attachment 99227
improved patch with properties dialog entries
Comment 4 Steffen Röcker 2008-11-01 09:43:42 UTC
Created attachment 121766
validates config hybrid options

network-manager-vpnc-0.7~~svn20081015t024626
Comment 5 Steffen Röcker 2008-11-01 09:44:55 UTC
Created attachment 121767
adds code for gui
Comment 6 Steffen Röcker 2008-11-01 09:45:45 UTC
Created attachment 121768
patches the glade file

adds a ca_file_entry and enable_hybrid_checkbutton widget
Comment 7 Steffen Röcker 2008-11-16 19:06:59 UTC
Created attachment 122811
adds code for gui (fixed)
Comment 8 Sébastien Mazy 2008-11-16 19:56:55 UTC
Hi Steffen,

Your patch does not compile anymore:
nm-vpnc.c: In function 'init_plugin_ui':
nm-vpnc.c:509: error: 'NMSettingVPN' has no member named 'data'
nm-vpnc.c:519: error: 'NMSettingVPN' has no member named 'data'
nm-vpnc.c: In function 'update_connection':
nm-vpnc.c:668: error: 'NMSettingVPN' has no member named 'data'
nm-vpnc.c:676: error: 'NMSettingVPN' has no member named 'data'

This is probably due to:
http://svn.gnome.org/viewvc/NetworkManager/trunk/libnm-util/nm-setting-vpn.h?r1=4031&r2=4232

Anyway, I'm looking forward to seeing this integrated (uni VPN requires that). Thanks for your work!
Comment 9 Sébastien Mazy 2008-11-18 13:56:04 UTC
Created attachment 122940
add code for gui (fix for NM 0.7rc2)

Attached is patch 02, slightly modified to work with NM 0.7rc2.
Comment 10 Sébastien Mazy 2008-11-18 14:19:39 UTC
By the way, may I suggest a few UI modifications?

- replace the check box by a combo box with the label: "Authentication:" and options: "Pre-shared key (default)" and "Hybrid (with server certificate)"
- move this combo box before username (first row)
- move the CA-File field right under domain
- replace the current CA File field by the same used in 802.1X tab (with browse facility) so as to be consistent (and rename the label "CA certificate")
- align all labels on the left
Comment 11 Sébastien Mazy 2008-11-18 15:05:41 UTC
Just for the record: importing and exporting VPN settings does not use the new hybrid auth feature yet.
Comment 12 Constantin Bergemann 2008-12-14 18:36:59 UTC
*** Bug 564475 has been marked as a duplicate of this bug. ***
Comment 13 Dan Williams 2009-04-24 11:14:21 UTC
Example hybrid auth config for reference.

IPSec ID hybrid-default
IPSec XXXXXXXXXXXXXXXXX
IPSec obfuscated secret XXXXXXXXXXXXXXXXXXXXXX
IKE Authmode hybrid
ca-file /etc/vpnc/rootcert.pem
Cisco UDP Encapsulation Port 14195
Xauth username XXXXXXXXXXXXX
Xauth password XXXXXXXXXXXXX
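
Added illustration, not part of this bug report or of the NetworkManager-vpnc patches: a small C check, in the spirit of the "validates config hybrid options" attachments, that a vpnc profile selecting hybrid mode also names a CA file, as the reference config above does. The function and constant names are hypothetical; case-insensitive key matching and the require-a-CA-file policy are assumptions.

```c
#include <string.h>
#include <strings.h>

/* Result codes; names are hypothetical, not from NetworkManager-vpnc. */
enum { CFG_OK = 0, CFG_HYBRID_NO_CA = 1, CFG_BAD_AUTHMODE = 2 };

/* Value of a "<key> <value>" line, or NULL. Case-insensitive keys are an assumption. */
static const char *value_of(const char *line, const char *key)
{
    size_t n = strlen(key);
    return (strncasecmp(line, key, n) == 0 && line[n] == ' ') ? line + n + 1 : NULL;
}

/* Assumed policy: "IKE Authmode hybrid" must come with a non-empty CA-File. */
int check_hybrid_config(const char *cfg)
{
    char line[512];
    int hybrid = 0, have_ca = 0;
    while (*cfg) {
        size_t len = strcspn(cfg, "\n");
        size_t n = len < sizeof line - 1 ? len : sizeof line - 1;
        const char *v;
        memcpy(line, cfg, n);
        while (n > 0 && (line[n - 1] == ' ' || line[n - 1] == '\r'))
            n--;                      /* trim trailing spaces and CR */
        line[n] = '\0';
        cfg += len + (cfg[len] == '\n');
        if ((v = value_of(line, "IKE Authmode")) != NULL) {
            hybrid = (strcasecmp(v, "hybrid") == 0);
            if (!hybrid && strcasecmp(v, "psk") != 0 && strcasecmp(v, "cert") != 0)
                return CFG_BAD_AUTHMODE;   /* not psk, cert or hybrid */
        } else if (value_of(line, "CA-File") != NULL) {
            have_ca = 1;              /* trimmed line still carries a value */
        }
    }
    return (hybrid && !have_ca) ? CFG_HYBRID_NO_CA : CFG_OK;
}

/* Constructed sample, modelled on the reference config in comment 13. */
static const char SAMPLE[] =
    "IPSec ID hybrid-default\n"
    "IKE Authmode hybrid\n"
    "ca-file /etc/vpnc/rootcert.pem\n";

int main(void)
{
    return check_hybrid_config(SAMPLE);   /* exit status 0 means CFG_OK */
}
```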
Comment 14 Dan Williams 2009-04-30 19:31:50 UTC
I'm blocking these patches on a way to legally enable hybrid auth mode in vpnc, since linking to openssl clearly isn't a viable option due to the licensing issue.

That said, I ported vpnc over to gnutls this weekend, so that should allow *all* distros to legally ship hybrid auth support (if anyone is currently shipping hybrid auth support, they are doing so illegally).  From the point on that I commit the hybrid auth patches to git, NM-vpnc will expect a hybrid-auth-enabled vpnc.

The patches are almost ready to go upstream but since vpnc upstream is somewhat, umm, slow and inactive, it may take a while to get out in a real release.  Until then, distros would have to apply the patch manually.

In any case, I'd really like some help testing that patched vpnc from those of you who have access to hybrid-auth enabled concentrators.  Anyone willing?  I need to make sure that (a) the openssl cert code didn't break, and that (b) the new gnutls cert code actually works correctly. 
Comment 15 Steffen Röcker 2009-05-01 18:39:50 UTC
Thanks Dan, you should get an award for this.
I am willing to test your patches. Where can I get them?
Comment 16 Dan Williams 2009-08-19 20:04:39 UTC
Cisco Hybrid Auth support using gnutls is now committed to upstream vpnc SVN trunk in r416.  Can somebody test this out with plain vpnc and make sure it works with your network?
Comment 17 Sven 2009-10-17 10:21:12 UTC
(In reply to comment #16)
> Can somebody test this out with plain vpnc and make sure it works with your network?


I just tested SVN revision 446. It worked with my university VPN which uses hybrid auth. Thanks!
Comment 18 Dan Williams 2009-10-21 22:00:51 UTC
Hell yeah :)  Glad to know it works.  Back to assigned to work on the NM-vpnc side.
Comment 19 Sven 2009-11-17 20:06:59 UTC
(In reply to comment #18)
> Hell yeah :)  Glad to know it works.  Back to assigned to work on the NM-vpnc
> side.

You will be glad to hear that a current SVN snapshot of vpnc has been added to Gentoo Linux: http://www.gentoo-portage.com/net-misc/vpnc

So now everything I'm patiently waiting for is for networkmanager to support it ;-)
Comment 20 John Haxby 2009-12-02 10:08:18 UTC
Created attachment 148886
Updated patch

This is a patch against the Fedora 12
NetworkManager-vpnc-0.7.996-4.git20090921.fc12

It's slightly different to the previous patches not least because the previous patches were against an older version.  It also adds an "Application Version" field because some Cisco VPN installations are very picky about what the client claims is its version (I'll leave it to you to guess one example).

I'm not entirely happy about the layout of the dialog box but I'm not sure what is wrong with it.  I know that the username isn't optional but it does have a default value and that the default for NAT Traversal is different to the vpnc default, but it's not just that -- the layout just feels messy but I haven't sat down and worked out what would look better.
Comment 21 Sven 2010-01-28 16:08:33 UTC
I would like to know whether there is any news on this subject. Is hybrid auth support scheduled for 0.8?
Comment 22 Dan Scharon 2010-03-22 14:56:02 UTC
Hybrid auth is now enabled in vpnc out-of-the-box (latest svn snapshot upstream) by use of GnuTLS. So what about plans for hybrid auth support in network-manager-vpnc?
Comment 23 Steffen Röcker 2010-04-18 12:50:03 UTC
vpnc with hybrid auth ships now with many distros*.
Now would be a good time to add this feature :)

* e.g. Ubuntu 10.4, Gentoo
Comment 24 Luis Alves 2010-09-14 08:00:27 UTC
Can we add this to the svn to include this in the new release? This is a major usability for users of vpnc hybrid mode.
Comment 25 Gustav Munkby 2011-05-18 09:09:54 UTC
Created attachment 188018
Updated patch for v. 0.9-rc2

Implemented the interface as suggested by Sébastien in comment 10 and reimplemented the patch against current git master.

With this I have successfully used NetworkManager to configure vpnc to connect to a VPN using hybrid authentication.
Comment 26 John Haxby 2011-05-19 10:54:31 UTC
The layout is much better than in my patch (comment 20) but it's unfortunately missing the "Application Version" field.  At least one implementation of the Cisco VPN concentrator (the one I used) requires this to be set to a specific value in order to log in.
Comment 27 Dan Williams 2012-03-09 17:46:55 UTC
(cleaning up old bugs...)

Hybrid auth committed as efd8ae88aa8d4e91168645f57233ce10bd36cc9f which should do the trick.  If we need Application Version then we should investigate the best way to add that.  Thanks for your work everyone!