GNOME Bugzilla – Bug 731891
enhance NetworkManager-openvpn GUI to support agent-owned and always-ask passwords
Last modified: 2015-07-09 11:46:40 UTC
I'd like to be able to save my VPN config with the certificate info but not the pass phrase. Whenever I connect that VPN, I'd like to be shown a dialog to enter said passphrase which then unlocks the key file, much like the command line variations.
The requested functionality should already work. Which kind of VPN? Which version of NetworkManager? Which version of the NetworkManager-<VPN> plugin? Did you install NetworkManager using your distribution? Which distribution? NM needs a "secret provider" application running (which can be nm-applet, or plasma-nm, or gnome-control-center). Did you have nm-applet running? What did you try to achieve? What did you do? What did happen? What did you expect to happen?
Network manager 0.9.8 (0.9.8.8-0ubuntu7), openvpn plugin 0.9.8 (0.9.8.2-1ubuntu4), running on Ubuntu 14.04. Everything installed from Ubuntu packages via apt. The nm-applet and 'secret provider' is not something I've heard of - I didn't find it in the documentation when trying to solve this.

My experience was such:
- I had a working openvpn conf file, I created a new openvpn connection through network manager using those settings.
- When setting up the certificates, I was unable to click 'Save' until there was a value in the passphrase box. There was no way to circumvent this.
- If I entered an incorrect value and tried to connect, I was given an 'unable to connect' error, and no opportunity to re-enter it.
- I checked the documentation, and found no mention of this functionality.
- I searched Google, found a few anecdotal reports about the same issue with no solution.

Found no bug reports, howtos, or anything suggesting it was existing functionality, so decided it couldn't be done and raised a feature request. If this is indeed possible, I think updating the documentation to reflect how would help a lot of people. There is no clue in the interface that this can be done, so it's an easy conclusion to reach that it can't - a tooltip saying how would be good, a checkbox saying 'prompt for passphrase on connect' would be better.
There is a combo-box with "Always Ask" option next to "Password" fields in nm-connection-editor. And it is possible to leave "Private Key Password" entry empty. Nevertheless, it would help if you were more specific: what type of authentication do you use (Password, Certificates (TLS), ...)? Best if you could include your openvpn conf file (remember to change the sensitive values in it).
Created attachment 279275: Screenshot of the dialog in question
For password there is, but this is the pass-phrase for my private key - sorry I should have been clearer about that. I'm using "Certificates (TLS)" authentication - I fill in the cert/ca/key sections with the appropriate files, and as long as the "Private Key Password" is empty, I cannot save. There is no combo box in this view. A picture's worth a thousand words - see attachment.

My conf is pretty straightforward:
  client
  dev tun
  proto udp
  remote <ip> <port>
  resolv-retry infinite
  nobind
  persist-key
  persist-tun
  ca <ca>.pem
  cert <cert>.pem
  key <key>.pem
  comp-lzo
  verb 3
In general, passwords can be stored:
(0) system-wide. In this case it is stored in clear text in the NetworkManager configuration (only readable by root).
(1) in a user-keyring (for example kwallet or gnome-keyring). For that you need to have a program running that can provide the password from there (let's call it "secret provider"). For example nm-applet, plasma-nm, or gnome-control-center can do that.
(2) always ask. The password is not stored. In this case you still need a secret provider, to prompt the user.

In your openvpn case, the screenshot shows nm-applet/nm-connection-editor, with the plugin to edit the openvpn connection. This GUI does not allow you to configure option (1) or (2) above, and always does (0).

A "workaround" is to configure the connection manually: the connection is saved in a text file with name
  /etc/NetworkManager/system-connections/<some-name>
In that text file you will see a section:
  [vpn]
Add there a line:
  cert-pass-flags=1
which means (1), user-keyring, or
  cert-pass-flags=2
which means (2), always ask.

After you save the configuration file, NM should automatically reload the configuration (I think. Otherwise restart NM :) ). Can you verify that this works for you?

The real solution is obviously to enhance the openvpn UI to allow you to configure this. I updated the subject of the bug.

Regarding the unspecific "'unable to connect' error" when entering the wrong password, I think that is not easy to solve, because NM does not really know the reason why openvpn failed to connect. But would be nice :)
*** Bug 725174 has been marked as a duplicate of this bug. ***
Workaround works a treat, thanks Thomas. It'd be nice to see the UI improvement, but the workaround is quite reasonable and hopefully this bug report will help other people searching for the answer.
The workaround does *not* work for me. I want the password to be stored in the user keyring, so I added cert-pass-flags=1 to the config file. Still the password is written in cleartext into this file once I connect instead of saving it in the keyring.
Alright, workaround works if I use "password-flags=1" instead of "cert-pass-flags=1"
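Added worked example (this is not a comment from the bug, and not NetworkManager or plugin code): a small Python tool that applies the keyfile workaround from Thomas's comment above and the "<secret>-flags" naming that the last two comments ran into (password -> password-flags for the user password, cert-pass -> cert-pass-flags for the private-key passphrase). The numeric values are libnm's NMSettingSecretFlags: 0 system-owned (stored in the file), 1 agent-owned (keyring), 2 not-saved (always ask), 4 not-required. The sample keyfile, the passphrase inside it and the output path used by the writer are constructed for the example; a real connection lives in /etc/NetworkManager/system-connections/<name> and must stay root-owned with mode 0600, which the writer preserves.

```python
"""Set NetworkManager VPN secret flags in a keyfile and audit secrets at rest.

Example code written for this bug thread; not part of NetworkManager or the
openvpn plugin.  Flag values are libnm's NMSettingSecretFlags.
"""
import configparser
import io
import os

# NMSettingSecretFlags bits (0 == system-owned, secret kept in the keyfile)
FLAG_NAMES = {1: "agent-owned", 2: "not-saved", 4: "not-required"}
KNOWN_BITS = sum(FLAG_NAMES)

# Constructed sample resembling the keyfile shown later in the thread; the
# passphrase and remote are placeholders, not real values.
SAMPLE_KEYFILE = """\
[connection]
id=VPN-Server
uuid=7ceb68df-f769-4151-8eff-d8ea4fb86d48
type=vpn
permissions=
autoconnect=false

[vpn]
service-type=org.freedesktop.NetworkManager.openvpn
connection-type=tls
remote=vpn.example.net
cert=/etc/openvpn/client.crt
ca=/etc/openvpn/ca.pem
key=/etc/openvpn/client.key

[vpn-secrets]
cert-pass=constructed-passphrase
"""


def decode_flags(value: int) -> str:
    """Human-readable name for a secret-flags value, e.g. 3 -> agent-owned+not-saved."""
    if value == 0:
        return "system-owned"
    parts = [name for bit, name in FLAG_NAMES.items() if value & bit]
    if value & ~KNOWN_BITS:
        parts.append(f"unknown(0x{value & ~KNOWN_BITS:x})")
    return "+".join(parts)


def _parse(text: str) -> configparser.ConfigParser:
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keyfile keys are case-sensitive (cert-pass != Cert-Pass)
    cp.read_string(text)
    return cp


def _dump(cp: configparser.ConfigParser) -> str:
    buf = io.StringIO()
    cp.write(buf, space_around_delimiters=False)  # emit key=value like NM does
    return buf.getvalue()


def set_secret_flags(text: str, secret: str, flags: int) -> str:
    """Return keyfile text with '<secret>-flags' set under [vpn].

    For any non-zero flags the clear-text copy of the secret under
    [vpn-secrets] is dropped, because only system-owned (0) secrets belong
    in the file; agent-owned ones live in the keyring, not-saved ones nowhere.
    """
    if flags < 0 or flags & ~KNOWN_BITS:
        raise ValueError(f"unsupported secret flags value {flags}")
    cp = _parse(text)
    if not cp.has_section("vpn"):
        raise ValueError("not a VPN keyfile: missing [vpn] section")
    cp.set("vpn", f"{secret}-flags", str(flags))
    if flags != 0 and cp.has_section("vpn-secrets"):
        cp.remove_option("vpn-secrets", secret)
        if not cp.options("vpn-secrets"):
            cp.remove_section("vpn-secrets")
    return _dump(cp)


def secrets_on_disk(text: str) -> dict:
    """Map every secret stored in [vpn-secrets] to its decoded flags (audit helper)."""
    cp = _parse(text)
    if not cp.has_section("vpn-secrets"):
        return {}
    result = {}
    for key in cp.options("vpn-secrets"):
        if key == "no-secret":  # NM placeholder, not a secret
            continue
        result[key] = decode_flags(cp.getint("vpn", f"{key}-flags", fallback=0))
    return result


def write_keyfile(path: str, text: str) -> None:
    """Write atomically with mode 0600 so the file never becomes world-readable."""
    tmp = path + ".tmp"
    fd = os.open(tmp, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(text)
    os.replace(tmp, path)


if __name__ == "__main__":
    print("before:", secrets_on_disk(SAMPLE_KEYFILE))
    updated = set_secret_flags(SAMPLE_KEYFILE, "cert-pass", 2)  # always ask
    print("after: ", secrets_on_disk(updated))
    print(updated)
```

After writing the file, reload or restart NetworkManager as described in the workaround comment; the audit function is what you would run over the whole system-connections directory to find passphrases that still sit in clear text because their flags are 0.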
password, password-flags are for user password.
cert-pass, cert-pass-flags are for private key password.

Anyway, I have attached a combo box for cert-pass, the same way as it is for password. And I have added an entry for keyring into the combo boxes, too. See the code in jk/bgo731891-gui-password-types branch.
Isn't keyring storage the same thing as "Saved" + agent-owned? Instead of having a separate entry, couldn't we just do the same thing as with other passwords and add the GtkEntry icon for agent/system storage, and leave out the "Keyring" option?
(As just discussed with dcbw on IRC:) IMO it would be nice to have those Icons from commit change_password_storage_icon() beside every password field in nm-applet/nm-c-e. But currently the icon only offers "system-wide" and "keyring" as option. First we would have to add "always-ask" and "not-required" too ("not-required" only enabled where applicable).
*** Bug 675092 has been marked as a duplicate of this bug. ***
*** Bug 743519 has been marked as a duplicate of this bug. ***
Related to this bug, I think that the GUI should warn the user before writing a passphrase in clear text to the disk (as it seems to be the default at the moment).
Hi, I have configured VPN-connection as follows:

[connection]
id=VPN-Server
uuid=7ceb68df-f769-4151-8eff-d8ea4fb86d48
type=vpn
permissions=
autoconnect=false
timestamp=1426346265
secondaries=

[ipv6]
method=auto
dns-search=
ip6-privacy=0

[ipv4]
method=auto
dns-search=

[vpn]
service-type=org.freedesktop.NetworkManager.openvpn
connection-type=tls
auth=SHA256
tunnel-mtu=1500
cipher=AES-256-CBC
comp-lzo=yes
remote=thomas.dynvpn.de
cert-pass-flags=2
port=1194
dev-type=tun
cert=/etc/openvpn/config/VPN-Server/pcclient.crt
ca=/etc/openvpn/config/VPN-Server/pcclient.pem
key=/etc/openvpn/config/VPN-Server/pcclient.key
ta=/etc/openvpn/config/VPN-Server/ta.key

[vpn-secrets]
no-secret=true

However, there's no popup opening asking for the private key. I have installed the latest version of Network-Manager 1.0.0-3 on Debian Jessie. nm-applet is running:

ps aux | grep nm-applet
user 3709 0.0 1.6 85296 33220 ? Sl Mär15 0:02 nm-applet

Can I use Network-Manager w/o gnome-keyring installed? If yes, how?
(In reply to Jiri Klimes from comment #11)
> password, password-flags are for user password.
> cert-pass, cert-pass-flags are for private key password.
>
> Anyway, I have attached a combo box for cert-pass, the same way as it is for password. And I have added an entry for keyring into the combo boxes, too. See the code in jk/bgo731891-gui-password-types branch.

needs re-basing on master.
(In reply to Thomas Haller from comment #19)
> (In reply to Jiri Klimes from comment #11)
> > password, password-flags are for user password.
> > cert-pass, cert-pass-flags are for private key password.
> >
> > Anyway, I have attached a combo box for cert-pass, the same way as it is for password. And I have added an entry for keyring into the combo boxes, too. See the code in jk/bgo731891-gui-password-types branch.
>
> needs re-basing on master.

I am working on it. I have the branch re-based locally. But, I want to make changes mentioned in comment #12 and #13 and that requires more work on libnm-gtk and using that in the plugins. And I don't have that ready yet.
Re-pushed the code:
jk/password-icon-1-0 - network-manager-applet repository (based on nma-1-0)
jk/bgo731891-gui-password-types - network-manager-openvpn repository

I have moved the functions handling password icon/menu to libnm-gtk so that they are available outside nm-connection-editor, in VPN plugins. I have added menu entries for "always ask" and "not required" (optional).

OpenVPN plugin uses the functions for passwords:
"password" - uses the icon instead of combo-box
"cert-pass" and "http-proxy-password" - added the icon
libnm-gtk and auth-dialog updated to be able to use ternary password (for the http-proxy-password).

What is to be done yet:
* only libnm-gtk is updated at the moment. We should make the change in libnma as well
* there may be some "ask for this password" check-boxes in the editor. They should be removed, because they are duplicated by the same entry in the password menu now.
* check other VPN plugins and use password icon there too
* jk/bgo731891-gui-password-types

Looks good to me.

* jk/password-icon-1-0

> libnm-gtk: add nma_utils_menu_to_secret_flags() for getting secret flags

In nma_utils_menu_to_secret_flags(), "MenuItem idx" is reported as maybe-uninitialized by F21's gcc.

Also in the comment there, "memu" -> "menu".

The rest look fine to me.
(In reply to Dan Williams from comment #22)
> * jk/password-icon-1-0
>
> > libnm-gtk: add nma_utils_menu_to_secret_flags() for getting secret flags
>
> In nma_utils_menu_to_secret_flags(), "MenuItem idx" is reported as maybe-uninitialized by F21's gcc.
>
> Also in the comment there, "memu" -> "menu".

Fixed.

(In reply to Jiri Klimes from comment #21)
> What is to be done yet:
> * there may be some "ask for this password" check-boxes in the editor. They should be removed, because they are duplicated by the same entry in the password menu now.
> * check other VPN plugins and use password icon there too

I re-pushed jk/password-icon-1-0 branch with 4 new commits (on top).
I also added jk/bgo731891-gui-password-types branch for vpnc plugin:
- removes password type combo-boxes and uses libnm-gtk functions

Testing would be appreciated because the combination of various settings is quite large.
> editor: remove "Always ask for this password every time" checkbox

Do the (flags & EAP_METHOD_SIMPLE_FLAG_IS_EDITOR) bits still have the intended effect? ISTR this was done because in the applet secret agent (which also uses the code) when an always-ask password is required by NM, we obviously cannot un-focus/de-sensitize the password entry like we would in the editor, because then the user cannot enter the password in the secrets dialog at all.

With these patches, trying to connect to an always-ask WPA Enterprise network gives me a secrets dialog without any Password entry at all. I also get some messages about "gtk_widget_event: assertion 'WIDGET_REALIZED_FOR_EVENT (widget, event)' failed", so maybe something isn't getting explicitly shown in this case?

http://bigw.org/~dan/eap-always-ask.png

I git reset to "libnm-gtk: remember previous password across toggling options not saving it" and now I get the password entry, but I can't type anything in it... So I guess we need some way of telling libnm-gtk that the entry focus thing should be disabled selectively? That's what EAP_METHOD_SIMPLE_FLAG_IS_EDITOR was supposed to do.

When testing this with the applet I typically force-disable GNOME Shell by putting something like this in nm-agent-manager.c::impl_agent_manager_register_with_capabilities() to make sure the applet gets used:

  if (strcasestr (identifier, "gnome"))
    goto done;

> editor: save secrets flags according to the storage icon

The "/* Save LEAP_PASSWORD_FLAGS to the connection */" comment gets C&P to some places that aren't LEAP-related.

Also, LEAP_PASSWORD_FLAGS is only relevant for "old-style" Cisco WiFi LEAP, which was an authentication protocol like "open" and "shared" WEP auth. The LEAP_USERNAME and LEAP_PASSWORD_FLAGS properties are in the 'wireless-security' setting because they don't use 802.1x. So these properties are only used in ws-leap.c.

EAP-LEAP is actually an 802.1x auth method, and is used during Dynamic WEP or WPA Enterprise in the 802.1x tunnels. Since it's 802.1x, it's in the 802-1x setting and would use the USERNAME and PASSWORD properties. So any comments in eap-method-*.c should refer to PASSWORD instead of LEAP_*.
Thanks for testing, Dan!

(In reply to Dan Williams from comment #24)
> > editor: remove "Always ask for this password every time" checkbox
>
> Does the (flags & EAP_METHOD_SIMPLE_FLAG_IS_EDITOR) bits still have the intended effect? ISTR this was done because in the applet secret agent (which also uses the code) when an always-ask password is required by NM, we obviously cannot un-focus/de-sensitize the password entry like we would in the editor, because then the user cannot enter the password in the secrets dialog at all.
>
> With these patches, trying to connect to an always-ask WPA Enterprise network gives me a secrets dialog without any Password entry at all, I also get some messages about "gtk_widget_event: assertion 'WIDGET_REALIZED_FOR_EVENT (widget, event)' failed so maybe something isn't getting explicitly shown in this case?

I saw the error too. But it doesn't appear for me anymore. So either it is intermittent, or it was fixed by a recent change.

> http://bigw.org/~dan/eap-always-ask.png
>
> I git reset to "libnm-gtk: remember previous password across toggling options not saving it" and now I get the password entry, but I can't type anything in it... So I guess we need some way of telling libnm-gtk that the entry focus thing should be disabled selectively? That's what EAP_METHOD_SIMPLE_FLAG_IS_EDITOR was supposed to do.

Added a new parameter to libnm-gtk function to say whether to make the entry sensitive for always-ask. The entry was hidden for EAP_METHOD_SIMPLE_FLAG_SECRETS_ONLY, which was not right.

> When testing this with the applet I typically force-disable GNOME Shell by putting something like this in nm-agent-manager.c::impl_agent_manager_register_with_capabilities() to make sure the applet gets used:
>
> if (strcasestr (identifier, "gnome"))
>   goto done;

I don't use gnome-shell, so I just kill nm-applet and run a new one.

> > editor: save secrets flags according to the storage icon
>
> The "/* Save LEAP_PASSWORD_FLAGS to the connection */" comment gets C&P to some places that aren't LEAP-related.
>
> Also, LEAP_PASSWORD_FLAGS is only relevant for "old-style" Cisco WiFi LEAP, which was an authentication protocol like "open" and "shared" WEP auth. The LEAP_USERNAME and LEAP_PASSWORD_FLAGS properties are in the 'wireless-security' setting because they don't use 802.1x. So these properties are only used in ws-leap.c.
>
> EAP-LEAP is actually an 802.1x auth method, and is used during Dynamic WEP or WPA Enterprise in the 802.1x tunnels. Since it's 802.1x, it's in the 802-1x setting and would use the USERNAME and PASSWORD properties. So any comments in eap-method-*.c should refer to PASSWORD instead of LEAP_*.

Fixed the comments.

I re-pushed the branch, updated vpn plugin's jk/bgo731891-gui-password-types branches for the new libnm-gtk change and added a branch for PPTP plugin too.
> libnm-gtk: vpn password dialog: add entry for ternary password

I think we need to switch the ternary password to be invisible by default, otherwise on all the VPN plugins we'll need to call the function to hide it during setup, and in plugins we haven't updated yet it will show up. The vpnc plugin doesn't hide it explicitly, so I get a ternary password entry there which doesn't do anything. Yeah, it's inconsistent with the other two entries, but it should be opt-in for plugins that want it.

Everything else seems to work OK for me.
(In reply to Dan Williams from comment #26)
> > libnm-gtk: vpn password dialog: add entry for ternary password
>
> I think we need to switch the ternary password to be invisible by default, otherwise on all the VPN plugins we'll need to call the function to hide it during setup, and in plugins we haven't updated yet it will show up. The vpnc plugin doesn't hide it explicitly, so I get a ternary password entry there which doesn't do anything. Yeah, it's inconsistent with the other two entries, but it should be opt-in for plugins that want it.

Pushed a fixup for that.
LGTM
The code has been merged to master and nm(a)-1-0 branches.

network-manager-applet:
master:
6a5099e libnma: vpn password dialog: add entry for ternary password
ab5eac9 wireless-security: use libnma's nma-ui-utils
f84da92 libnma: add nma-ui-utils.[ch]
410609a merge: move password icon/menu funcs to libnm-gtk and extend them (bgo #731891)
5900719 libnm-gtk: allow sensitive "always-ask" entry
fee7104 editor: save secrets flags according to the storage icon
d504eb3 editor: remove "Always ask for this password every time" checkbox
64f7b53 libnm-gtk: remember previous password across toggling options not saving it
50b9650 libnm-gtk: add tooltips to password storage icons
912cc0c libnm-gtk: vpn password dialog: add entry for ternary password
1f83f1e libnm-gtk: add nma_utils_menu_to_secret_flags() for getting secret flags
83a8c5f libnm-gtk/editor: make "password not required" menu item optional
a0e688c libnm-gtk: add item for "not required" to password icon menu
5bc386e libnm-gtk: add item for "ask password" to password icon menu
24e9d33 libnm-gtk: use an enum/table for password storage icons
0eae20a libnm-gtk/editor: make NMSetting optional in password storage functions
c94ef11 libnm-gtk/editor: change nma_utils_setup_password_storage() to take NMSetting
c0a6be9 utils: move *_password_storage() functions from utils to libnm-gtk
6350d1f utils: remove stray function prototypes from utils.h
nma-1-0:
503c101 merge: move password icon/menu funcs to libnm-gtk and extend them (bgo #731891)
8379bbe libnm-gtk: allow sensitive "always-ask" entry
6b0cb98 editor: save secrets flags according to the storage icon
657904f editor: remove "Always ask for this password every time" checkbox
09901b9 libnm-gtk: remember previous password across toggling options not saving it
16703f3 libnm-gtk: add tooltips to password storage icons
7ae1211 libnm-gtk: vpn password dialog: add entry for ternary password
b1299e6 libnm-gtk: add nma_utils_menu_to_secret_flags() for getting secret flags
e01d71f libnm-gtk/editor: make "password not required" menu item optional
991bc20 libnm-gtk: add item for "not required" to password icon menu
9243112 libnm-gtk: add item for "ask password" to password icon menu
56ed3c7 libnm-gtk: use an enum/table for password storage icons
9019f9d libnm-gtk/editor: make NMSetting optional in password storage functions
8bd885b libnm-gtk/editor: change nma_utils_setup_password_storage() to take NMSetting
3f7a080 utils: move *_password_storage() functions from utils to libnm-gtk
77078d9 utils: remove stray function prototypes from utils.h

openvpn plugin:
master:
0f5dcd9 merge: use libnm-gtk nma_utils_* functions for password storage (bgo #731891)
4555ed7 auth-dialog: read http proxy password too
353025a auth-helpers: use password icon for HTTP proxy password in advanced dialog
1c2d240 auth-helpers: fix setting http-proxy-password-flags to hash
f8ded2b properties: we don't need to store flags manually
833c5fd properties: use libnm-gtk password menu funcs for password (bgo #731891)
9963eba properties: use libnm-gtk password menu funcs for cert-pass (bgo #731891)
nm-1-0:
ecbeae1 merge: use libnm-gtk nma_utils_* functions for password storage (bgo #731891)
90da623 auth-dialog: read http proxy password too
41428ff auth-helpers: use password icon for HTTP proxy password in advanced dialog
cc957a3 auth-helpers: fix setting http-proxy-password-flags to hash
62fd26b properties: we don't need to store flags manually
00e6c38 properties: use libnm-gtk password menu funcs for password (bgo #731891)
b22e34f properties: use libnm-gtk password menu funcs for cert-pass (bgo #731891)

vpnc plugin:
master:
2afa861 properties: use libnm-gtk password menu funcs for password (bgo #731891)
nm-1-0:
6be1878 properties: use libnm-gtk password menu funcs for password (bgo #731891)

pptp plugin:
master:
8d3448d properties: use libnm-gtk password menu funcs for password (bgo #731891)
nm-1-0:
0aee0d4 properties: use libnm-gtk password menu funcs for password (bgo #731891)