GNOME Bugzilla – Bug 743519
NetworkManager saves critical passwords in clear text
Last modified: 2015-01-26 14:51:58 UTC
I am using NetworkManager for my OpenVPN connections on Ubuntu 14.04 64bit. Here's the connection that I use (/etc/NetworkManager/system-connections/name):

[vpn]
service-type=org.freedesktop.NetworkManager.openvpn
connection-type=tls
remote=1.2.3.4
comp-lzo=yes
cert-pass-flags=0
port=1234
remote-cert-tls=server
cert=[..]/client.crt
ca=[..]/ca.crt
key=[..]/client.key

[vpn-secrets]
cert-pass=

[ipv6]
method=auto
ignore-auto-dns=true
never-default=true

[ipv4]
method=auto
ignore-auto-dns=true
never-default=true

For security reasons, my client.key is protected with a passphrase. There are multiple issues with this in NetworkManager, the most critical being that it *saves the passphrase in cleartext* in the connection's file once entered. This should not happen!

A workaround: remove the passphrase manually, then protect the file against change (chattr +i /etc/NetworkManager/system-connections/name).

Another, secondary issue is that if the passphrase is entered wrong once, one has to restart NetworkManager to enter it again.

Here are the versions that I use:

ii  network-manager               0.9.8.8-0ubuntu7    amd64  network management framework (daemon and userspace tools)
ii  network-manager-gnome         0.9.8.8-0ubuntu4.3  amd64  network management framework (GNOME frontend)
ii  network-manager-openvpn       0.9.8.2-1ubuntu4    amd64  network management framework (OpenVPN plugin core)
ii  network-manager-openvpn-gnome 0.9.8.2-1ubuntu4    amd64  network management framework (OpenVPN plugin GNOME GUI)
See "Secret flag types" in `man nm-settings` (for example http://manpages.ubuntu.com/manpages/saucy/man5/nm-settings.5.html), which similarly applies to your 0.9.8 version.

See also: https://bugzilla.gnome.org/show_bug.cgi?id=731891#c6

I close this bug as a duplicate. If you disagree, feel free to reopen.

*** This bug has been marked as a duplicate of bug 731891 ***
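As an added illustration of the secret-flag mechanism the man page describes (this is not code from this bug or from NetworkManager), the following Python script parses a keyfile like the one in the report, lists every secret that NetworkManager itself stores (a non-empty value in a `*-secrets` group whose `<name>-flags` is 0, system-owned), and rewrites such entries to agent-owned (flags=1) with the value removed, so the file no longer carries the passphrase. The sample keyfile and the `hunter2` value are constructed for the example.

```python
import configparser
import io
from typing import List, Tuple

# Secret flag values documented in nm-settings(5), "Secret flag types".
NM_SECRET_NONE = 0         # system-owned: NetworkManager stores the secret in the keyfile
NM_SECRET_AGENT_OWNED = 1  # stored by a secret agent (e.g. the desktop keyring), not by NM
NM_SECRET_NOT_SAVED = 2    # never stored; the user is prompted every time

# Constructed sample modelled on the report's connection (hypothetical contents).
SAMPLE_KEYFILE = """\
[vpn]
service-type=org.freedesktop.NetworkManager.openvpn
connection-type=tls
cert-pass-flags=0
key=/home/user/client.key

[vpn-secrets]
cert-pass=hunter2
"""

def parse_keyfile(text: str) -> configparser.ConfigParser:
    """NM keyfiles are GKeyFile/INI-style; keep key names case-sensitive."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return cp

def find_stored_secrets(text: str) -> List[Tuple[str, str, int]]:
    """Return (setting, secret_name, flags) for each secret NM keeps on disk:
    a non-empty *-secrets value whose <name>-flags is 0 (or absent, which NM
    treats as 0)."""
    cp = parse_keyfile(text)
    findings = []
    for group in cp.sections():
        if not group.endswith("-secrets"):
            continue
        setting = group[: -len("-secrets")]
        for name, value in cp.items(group):
            flags = int(cp.get(setting, f"{name}-flags", fallback="0"))
            if value and flags == NM_SECRET_NONE:
                findings.append((setting, name, flags))
    return findings

def harden(text: str) -> str:
    """Mark each on-disk secret agent-owned and drop its value from the file."""
    cp = parse_keyfile(text)
    for setting, name, _ in find_stored_secrets(text):
        cp.set(setting, f"{name}-flags", str(NM_SECRET_AGENT_OWNED))
        cp.remove_option(f"{setting}-secrets", name)
    out = io.StringIO()
    cp.write(out, space_around_delimiters=False)  # keep the key=value form NM writes
    return out.getvalue()
```

Run against a real system the script would need to read /etc/NetworkManager/system-connections/ as root; after rewriting a file, NetworkManager must reload it and the secret is then requested from the agent on the next activation.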
I see now how to resolve this issue, thank you. However, I disagree with closing this particular bug: I think that storing the password in clear text by default is a very bad security practice, especially so as the user is not informed about this and the relevant flags to fix it are hidden from the guy.

Better not to store anything by default rather than storing in clear-text, I'd say.

However, this clearly is an issue of the GUI part, only.
(In reply to comment #2)
> I see now how to resolve this issue, thank you. However, I disagree with
> closing this particular bug: I think that storing the password in clear text by
> default is a very bad security practice, especially so as the user is not
> informed about this and the relevant flags to fix it are hidden from the guy.
>
> Better not to store anything by default rather than storing in clear-text, I'd
> say.
>
> However, this clearly is an issue of the GUI part, only.

NetworkManager itself has no policy of saving clear-text "by default". It's entirely up to the UI client that configures the connection. As such, it's either a lack of the UI (bug 731891) or a choice of the user.

"is not informed about this" is also a UI/documentation problem...

What is your concrete suggestion beyond bug 731891?

Note that these files are only accessible by the root user -- who might also snoop the password when it is transferred via D-Bus or as you type it.
Ah sorry, bug 731891 covers it quite nicely. I must have mixed up bugs before; I thought it didn't concern the GUI. I will suggest over there that saving the password in clear text by default is a bad idea.

While your comment with regard to root-only-readable is correct, this only applies to a running system and raises all sorts of issues with regard to backups etc.
*** This bug has been marked as a duplicate of bug 731891 ***