cat-users AT lists.geant.org
Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)
List archive
- From: Tomasz Wolniewicz <twoln AT umk.pl>
- To: Jérôme BERTHIER <Jerome.Berthier AT inria.fr>, cat-users AT lists.geant.org
- Subject: Re: [[cat-users]] CAT Linux script
- Date: Wed, 27 Dec 2017 15:13:16 +0100
Hi Jérôme,
you are correct in your analysis. It is, in principle, possible to
limit the profile setting to the user context and to make it encrypted
in the user keystore. I have spent quite a bit of time trying to get it
to work, but the support for this turned out to be quite bad. You can see
that the code has a get_system function with a comment that this is
meant exactly for recognising distros that would handle password
encryption well, but we dropped the idea of adding this to the code and
it is simply impossible to follow the distros and test which one will
behave.
The current system default for network profile creation is to use
system-wide settings and we decided to limit ourselves to this as well.
The main goal of CAT is to make the connection establishment safe; if
the user's machine is compromised, the entire security is pretty much
screwed anyway.
Yours
Tomasz
On 22.12.2017 at 14:17, Jérôme BERTHIER wrote:
> Hi,
>
> I'm testing CAT in order to promote its usage among our users.
>
> I have a question about the script for Linux distribution.
>
> Correct me if I'm wrong, but this script sets up a new connection
> profile globally for the system.
>
> By doing this, it stores the user password as plain text in a text file.
>
> * network profile (including the username):
> /etc/sysconfig/network-scripts/ifcfg-eduroam
> * password stored in a text file (owned by root with perm 600):
> /etc/sysconfig/network-scripts/keys-eduroam
>
> Storing a plaintext password is not very good (even limited to the user
> root).
>
> This seems to be the normal behavior of NetworkManager when it creates
> a system-wide profile:
> https://wiki.gnome.org/Projects/NetworkManager/Admins
>
> Is there any way under CAT admin to limit the scope of the client and
> profile to the user session under which it is installed (and so use the
> password storage manager)?
>
> Regards,
>
--
Tomasz Wolniewicz
twoln AT umk.pl
http://www.home.umk.pl/~twoln
Information & Communication Technology Centre
Nicolaus Copernicus University,
pl. Rapackiego 1, Torun, Poland
tel: +48-56-611-2750 fax: +48-56-622-1850 mobile: +48-693-032-576
Attachment:
smime.p7s
Description: S/MIME cryptographic signature
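The two storage models the thread contrasts, a system-wide profile with the 802.1X secret written to a root-owned file versus a user-scoped profile whose secret is agent-owned (held in the user's keyring, `password-flags=1`), can be told apart by inspecting the profile file. The script below is an added example for auditing that, not CAT's installer code; it reads NetworkManager's keyfile format and the ifcfg-rh `keys-*` file the thread names, and the sample profiles it writes are constructed.

```shell
#!/bin/sh
# Audit a NetworkManager connection profile for an 802.1X password kept on
# disk (what a system-wide profile does) versus one held in the user's
# keyring (password-flags=1, "agent-owned" in NetworkManager's terms).
# Handles the keyfile format ([802-1x] section) and the ifcfg-rh keys-* file
# named in the thread. Sample profiles below are constructed for this example.
nm_8021x_secret_storage() {
    file="$1"
    # keyfile format: read only inside the [802-1x] section
    pw=$(awk -F= '/^\[/{s=($0=="[802-1x]")} s && $1=="password"{print $2}' "$file")
    flags=$(awk -F= '/^\[/{s=($0=="[802-1x]")} s && $1=="password-flags"{print $2}' "$file")
    # ifcfg-rh format: keys-<name> carries IEEE_8021X_PASSWORD=...
    [ -n "$pw" ] || pw=$(sed -n 's/^IEEE_8021X_PASSWORD=//p' "$file")
    if [ -n "$pw" ]; then
        echo PLAINTEXT        # secret readable by anyone who can read the file
    elif [ "$flags" = "1" ]; then
        echo AGENT            # secret lives in the user's keyring, not on disk
    else
        echo NONE             # no 802.1X secret configured in this file
    fi
}

tmp=$(mktemp -d)
# constructed sample: system-wide profile with the password in the file
cat > "$tmp/eduroam-system.nmconnection" <<'EOF'
[connection]
id=eduroam
type=wifi
[802-1x]
eap=ttls;
identity=user@example.org
password=ExamplePassword123
EOF
# constructed sample: profile restricted to one user, password in the keyring
cat > "$tmp/eduroam-user.nmconnection" <<'EOF'
[connection]
id=eduroam
type=wifi
permissions=user:alice:;
[802-1x]
eap=ttls;
identity=user@example.org
password-flags=1
EOF
# constructed sample: ifcfg-rh keys file like the one the thread names
printf 'IEEE_8021X_PASSWORD="ExamplePassword123"\n' > "$tmp/keys-eduroam"
for f in "$tmp"/*; do
    printf '%s: %s\n' "$(basename "$f")" "$(nm_8021x_secret_storage "$f")"
done
```

Run against /etc/NetworkManager/system-connections/ (as root) to find system-wide profiles whose secret sits on disk; a profile reported as AGENT is the user-scoped, keyring-backed variant discussed above.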