GNOME Bugzilla – Bug 547582
NM should be able to import group passwords
Last modified: 2009-01-06 15:09:37 UTC
Please describe the problem: When importing .pcf files, NM should be able to store the group password if that is present in the file. This has been heavily discussed in bug 436382 but got lost there because the bug was originally about something else. This is a very needed feature as these passwords can be randomly generated and then only kept around in the form of the .pcf file. Right now you have to manually decode it using some command line tool.
Yup, there are apparently no issues with decrypting the group PW on import according to legal-type people, so we should do this by either linking in cisco-decrypt code (if the license is GPL-compatible) or by calling out to cisco-decrypt.
Is cisco-decrypt going to be included in network-manager-vpnc? I would really love to get this working, as I have many users that I would love to have just import the pcf file. I'll be happy to test any changes.
Created attachment 120497: Import and show the user and group passwords from pcf files. We don't decrypt the group password yet but I'm working on it.
Carlos: it's not that useful to show the encrypted passwords though; and the bits in update_connection() don't look right because the secrets are saved in save_secrets handler for the UI widget. If that first hunk gets applied, secrets may leak through when they aren't needed. Basically, what the patch should do is during import, decrypt the group password and insert it into the group_password_entry GtkEntry and it will magically get saved when needed.
That's what I'm doing right now. The first hunk was actually written some time ago and I'm not sure if it's all that relevant anymore. I have another patch which does (should) decrypt the password. You can ignore the Hybrid auth mode part, since I'm not sure it's correct here (I've just written what should be needed to support VPN to my uni). I haven't tested it, but it does compile. I'm building a test environment right now to do proper testing.
Created attachment 120570: Decrypt the group password when importing a pcf file. Ignore the Hybrid mode auth for now.
Thanks for the patch! But nm-vpnc doesn't handle hybrid mode at all and thus NM_VPNC_KEY_HYBRID wouldn't be defined. Are you generating these patches from some source tree other than upstream SVN? Also, cisco-decrypt could be in a few different locations, can you implement a find loop like is done for vpnc itself in src/nm-vpnc-service.c? Fedora puts it in /usr/bin/ for example, I'm sure other distros put it elsewhere. If the binary fails to be found, let's just not decrypt the password but log something with g_warning().
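An added sketch of the lookup-and-fallback behaviour requested in the comment above; it is not the code committed for this bug and not taken from any attachment. It uses plain POSIX C instead of the plugin's GLib, the function names and candidate paths are hypothetical, and it assumes cisco-decrypt takes the encrypted value as its single argument and prints the cleartext on stdout.

```c
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Assumed candidate locations; the thread only names /usr/bin/ (Fedora). */
const char *const decrypt_paths[] = { "/usr/lib/vpnc/cisco-decrypt", "/usr/bin/cisco-decrypt", NULL };

/* Return the first candidate that exists and is executable, or NULL. */
const char *find_helper(const char *const *paths)
{
    for (; *paths; paths++)
        if (access(*paths, X_OK) == 0)
            return *paths;
    return NULL;
}

/* The blob comes from an imported file: accept only non-empty, even-length hex. */
int is_hex_blob(const char *s)
{
    size_t n = strspn(s, "0123456789abcdefABCDEF");
    return n > 0 && n % 2 == 0 && s[n] == '\0';
}

/* Run helper with the blob as its only argument (no shell). Returns 0 and fills
 * out on success; on any failure warns, clears out and returns -1. */
int decrypt_group_password(const char *helper, const char *blob, char *out, size_t len)
{
    int fds[2], status = 0;
    size_t used = 0;
    ssize_t n;
    pid_t pid;
    if (out && len > 1 && helper && blob && is_hex_blob(blob) && pipe(fds) == 0) {
        if ((pid = fork()) == 0) {
            dup2(fds[1], STDOUT_FILENO);
            execl(helper, helper, blob, (char *)NULL);
            _exit(127);              /* exec failed */
        }
        close(fds[1]);
        while (pid > 0 && used < len - 1 && (n = read(fds[0], out + used, len - 1 - used)) > 0)
            used += (size_t)n;
        close(fds[0]);
        out[used] = '\0';
        out[strcspn(out, "\r\n")] = '\0';   /* keep the first line only */
        if (pid > 0 && waitpid(pid, &status, 0) == pid && WIFEXITED(status) && WEXITSTATUS(status) == 0)
            return 0;
    }
    if (out && len)
        out[0] = '\0';
    fprintf(stderr, "warning: group password not decrypted, leaving it empty\n");
    return -1;
}
```

An import routine would call `decrypt_group_password(find_helper(decrypt_paths), value, buf, sizeof buf)` and continue with an empty group password when it returns -1.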
Actually I think I broke my local copy between the compilation run and the patch generation, so the patch is slightly broken and missing the header changes, but the main thing is to get the idea across. I just chose the location in Debian, because first I want to test it and then make it generic. Parts of the workings I copied from nm-applet which should probably be made more or less generic (but that's another story). I'll add searching and error logging to the patch and hopefully make it stand on its own.
Created attachment 120704: Import and decrypt group passwords from pcf files. This is the patch as it stands right now, which compiles without warnings. I'll hopefully have time to actually test it tonight.
The changes to update_connection() aren't required because the passwords get updated automatically when the connection is closed successfully via the plugin's save_secrets() function. I think the rest looks OK, let me know how the tests go.
I can't get the output from the binary. Seeing as it was a copy-and-paste from a trunk version taken at some point by Google, I'll check the code I have checked out to see how it's done right now. The callbacks are never called, but that might actually be my fault (I've just noticed that I don't actually wait for it). I've downloaded some more code and docs to investigate further (the time when I can test is precisely the time when I can't get Internet access, at least for now). One thing I don't see is showing the passwords in the dialog, which I've added, but if it's a bit hidden, I'll just take it out.
Created attachment 120798: Import user and group passwords decrypting the latter. This is (hopefully) my final proposal. The first hunk sets the entry fields to the passwords if they exist, which could be considered to be a separate patch. This has been tested on my university's pcf file and it works. More paths for cisco-decrypt should probably be added, but I think I'll leave that to the distros. Upon failure we just print a warning, which I think should probably be enough.
With additional cleanups and fixes, committed as svn r4252. Thanks!
*** Bug 559455 has been marked as a duplicate of this bug. ***
*** Bug 560230 has been marked as a duplicate of this bug. ***
*** Bug 565948 has been marked as a duplicate of this bug. ***