GNOME Bugzilla – Bug 675092
VPN configuration cannot be saved without a private key password, which is then stored unencrypted.
Last modified: 2014-08-11 11:28:05 UTC
While it looks like the NM configuration supports the option to not save a password for a VPN private key (setting cert-pass-flags=2, if I found it right), the GUI won't save the VPN configuration if the password is not entered (the save button remains grey). The key password is then stored unencrypted in /etc/NetworkManager/system-connections/<vpn configuration>. This really is not very secure.
Note that /etc/NetworkManager/system-connections/<vpn configuration> is readable only by root and users that are explicitly allowed to see it, which is restricted to the user that created the connection by default. If passwords are stored in the config file then they are expected to be available at any time, even before a user is logged in. The correct solution here is to ensure that the secrets are saved by a user agent using cert-pass-flags=2. If the GUI isn't saving the connection, then that's a bug in the GUI. It's likely that some other field is not correctly filled in and thus you aren't allowed to save. I assume this is openvpn? Can you give me a general idea of your configuration, or better yet export it (and then XXX out the sensitive stuff) so I can import it and see what the problem is?
Created attachment 214942 [details]
NM VPN settings

Yes, this is OpenVPN, but this is IMHO a problem in the GUI. Just run

nm-connection-editor --create --type vpn

select OpenVPN and Create. On the VPN tab, you may fill in everything correctly, but without typing a password for the Private Key, you are not allowed to save the settings. If you type an incorrect password, NM will never ask for the right one. The password is then stored in plain text in a config file. If you change the config file option flag in /etc/NetworkManager/system-connections/<configname>, then NM asks for the password correctly and you do not need to store it there. It does this regardless of the checkmark that this connection should be available to all users, which is BTW also available after you type the password.
This is still a problem. I've tried to work around this even by editing the /etc/NetworkManager/system-connections/<configname> file to remove the cert-pass=xxxx entry. When you try to connect, NetworkManager prompts the user for the passphrase, as expected. It connects, but then it saves this back to the configuration file! There is no way to NOT save the passphrase for your key! That makes it no more secure than just having an unencrypted key file stored on your laptop. If stolen, somebody can use that key to access your VPN until the certificate is revoked. With physical access (lost/stolen device), the argument that the file is only readable by root is a moot point.
I agree the bug is still present, but the workaround works. Remove the cert-pass= entry and add cert-pass-flags=2; this will prevent the password from being saved and the user will always be prompted. Obviously this is not a problem of NetworkManager itself but of the NM GUI, which does not accommodate this scenario.
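The workaround above, applied by a script, as an added example that is not part of the bug thread and not NetworkManager's own code. It assumes the layout the NetworkManager keyfile plugin uses for OpenVPN connections: the passphrase is written as `cert-pass=` under `[vpn-secrets]` and its secret flags as `cert-pass-flags=` under `[vpn]`. The connection file the script writes for the demonstration is constructed (fake uuid, user, paths and passphrase). Per `man nm-settings`, "Secret flag types", the flags value is a bitmask in which 1 means agent-owned (saved by a user agent such as the keyring) and 2 means not-saved (the user is prompted every time), so 2 is the value that keeps the passphrase off the disk; the function also drops any `cert-pass=` line it finds, wherever it sits.

```shell
#!/bin/sh
# Added example (not from the bug thread or NetworkManager): apply the
# comment-4 workaround to a NetworkManager keyfile.
#
# Assumed layout (NetworkManager keyfile plugin, OpenVPN connection):
#   [vpn]          cert-pass-flags=<n>   secret flags for the key passphrase
#   [vpn-secrets]  cert-pass=<secret>    the passphrase itself, in clear text
# Flag value 2 = not-saved (prompt every time), see `man nm-settings`.

# cert_pass_flags FILE
# Prints the current cert-pass-flags value from the [vpn] section
# (prints nothing if the key is absent).
cert_pass_flags() {
    awk -F= '
        /^\[/ { section = substr($0, 2, length($0) - 2) }
        section == "vpn" && $1 == "cert-pass-flags" { print $2; exit }
    ' "$1"
}

# cert_pass_stored FILE
# Returns 0 if a clear-text cert-pass= entry is present anywhere in FILE.
cert_pass_stored() {
    grep -q '^cert-pass=' "$1"
}

# never_store_cert_pass FILE
# Rewrites FILE in place: drops every cert-pass= line and sets
# cert-pass-flags=2 in [vpn], adding the key if it is missing.
# The final `cat` keeps the file's owner and mode (root:root 0600 for
# files under /etc/NetworkManager/system-connections).
never_store_cert_pass() {
    file=$1
    tmp=$(mktemp) || return 1
    awk '
        /^\[/ {
            # leaving [vpn] without having seen the flags key: add it
            if (section == "vpn" && !seen) { print "cert-pass-flags=2"; seen = 1 }
            section = substr($0, 2, length($0) - 2)
        }
        section == "vpn" && /^cert-pass-flags=/ {
            if (!seen) { print "cert-pass-flags=2"; seen = 1 }
            next            # replace the first occurrence, drop duplicates
        }
        /^cert-pass=/ { next }   # never write the passphrase back out
        { print }
        END { if (section == "vpn" && !seen) print "cert-pass-flags=2" }
    ' "$file" > "$tmp" || { rm -f "$tmp"; return 1; }
    cat "$tmp" > "$file"
    status=$?
    rm -f "$tmp"
    return $status
}

# write_sample FILE
# Writes a constructed connection file in the shape the thread describes:
# flags 0 (system-owned) and the passphrase stored in clear text.
write_sample() {
    cat > "$1" <<'EOF'
[connection]
id=work-vpn
uuid=0f7e1c2a-0000-4000-8000-000000000001
type=vpn
permissions=user:alice:;

[vpn]
service-type=org.freedesktop.NetworkManager.openvpn
connection-type=tls
remote=vpn.example.com
ca=/home/alice/.cert/ca.pem
cert=/home/alice/.cert/client.pem
key=/home/alice/.cert/client.key
cert-pass-flags=0

[vpn-secrets]
cert-pass=correct horse battery staple

[ipv4]
method=auto
EOF
}

# Demo on a temporary copy; on a real system run the function as root on
# the file under /etc/NetworkManager/system-connections, then
# `nmcli connection reload` so NetworkManager re-reads it.
if [ "${1:-}" = "--demo" ]; then
    f=$(mktemp)
    write_sample "$f"
    printf 'before: flags=%s stored=%s\n' "$(cert_pass_flags "$f")" "$(cert_pass_stored "$f" && echo yes || echo no)"
    never_store_cert_pass "$f"
    printf 'after:  flags=%s stored=%s\n' "$(cert_pass_flags "$f")" "$(cert_pass_stored "$f" && echo yes || echo no)"
    cat "$f"
    rm -f "$f"
fi
```

After the rewrite the `[vpn-secrets]` group is left in place but empty, which the keyfile format tolerates; NetworkManager will then prompt through the user's secret agent on every connect instead of reading the passphrase from disk. The in-place `cat` rather than `mv` matters: the keyfile must stay root-owned and not readable by other users for NetworkManager to accept it.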
Thanks, that does work. I didn't try it before because you said it would "ensure that the secrets are saved by a user agent," which didn't seem to be conducive to never saving the password. Is this option documented anywhere? I couldn't find it in the manpage for NetworkManager.conf
(In reply to comment #5)
> I didn't try it before because you said it would "ensure that the secrets are
> saved by a user agent," which didn't seem to be conducive to never saving the
> password.
>
> Is this option documented anywhere? I couldn't find it in the manpage for
> NetworkManager.conf

It's in `man nm-settings`. See "Secret flag types".

Closing this bug as a duplicate of bug 731891 (I feel that the other bug has a better subject, so I dupe this one, not the other way around).

*** This bug has been marked as a duplicate of bug 731891 ***