cat-users - Re: [[cat-users]] CAT Linux script

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

  • From: Jérôme BERTHIER <Jerome.Berthier AT inria.fr>
  • To: Tomasz Wolniewicz <twoln AT umk.pl>
  • Cc: cat-users AT lists.geant.org
  • Subject: Re: [[cat-users]] CAT Linux script
  • Date: Tue, 9 Jan 2018 15:14:04 +0100
  • Organization: Inria DSI

Hi Tomasz,

We're going to run some tests on our side.
If we find any magical stuff, we'll keep in touch.

Thank you very much for your answer.

Regards,

On 27/12/2017 at 15:13, Tomasz Wolniewicz wrote:
Hi Jérôme,
   you are correct in your analysis. It is, in principle, possible to
limit the profile setting to the user context and to make it encrypted
in the user keystore. I have spent quite a bit of time trying to get it
to work, but the support for this turned out to be quite bad. You can see
that the code has a get_system function with a comment that this is
meant exactly for recognising distros that would handle password
encryption well, but we dropped the idea of adding this to the code and
it is simply impossible to follow the distros and test which one will
behave.

The current system default for network profile creation is to use
system-wide settings and we decided to limit ourselves to this as well.
The main goal of CAT is to make the connection establishment safe; if
the user's machine is compromised, the entire security is pretty much
screwed anyway.

Yours
Tomasz


On 22.12.2017 at 14:17, Jérôme BERTHIER wrote:
Hi,

I'm testing CAT in order to promote its usage among our users.

I have a question about the script for Linux distribution.

Correct me if I'm wrong but this script sets up a new connection
profile globally for the system.

By doing this, it stores the user password as plain text in a text file.

* network profile (including the username) :
/etc/sysconfig/network-scripts/ifcfg-eduroam
* password stored in a text file (owned by root with perm 600) :
/etc/sysconfig/network-scripts/keys-eduroam

Storing a plain text password is not very good (even limited to the user
root).

This seems to be the normal behavior of NetworkManager when it creates
a system-wide profile:
https://wiki.gnome.org/Projects/NetworkManager/Admins

Is there any way under CAT admin to limit the scope of the client and
profile to the user session under which it is installed (and so use the
password storage manager)?

Regards,


--
Jérôme BERTHIER
DSI - SESI - Equipe Conception
Inria Bordeaux - Sud-Ouest
+ 33 5 24 57 40 50
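
An added example (not part of the original thread and not CAT code): a small Python audit of the kind of ifcfg-rh `keys-*` file discussed above, reporting ownership, permission bits and which secret variables hold a plaintext value. The variable list in `SECRET_KEYS`, the helper names and the temporary sample file are assumptions constructed for illustration.

```python
import os
import stat
import tempfile

# Secret-bearing variables in ifcfg-rh keys-* files (assumed list, not exhaustive)
SECRET_KEYS = ("IEEE_8021X_PASSWORD", "IEEE_8021X_PRIVATE_KEY_PASSWORD", "WPA_PSK")


def audit_keys_file(path):
    """Report ownership, permissions and plaintext secrets for a keys-* file."""
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    plaintext = []
    with open(path, encoding="utf-8", errors="replace") as fh:
        for raw in fh:
            line = raw.strip()
            if not line or line.startswith("#") or "=" not in line:
                continue
            name, value = line.split("=", 1)
            # Record only the variable name, never the secret itself.
            if name.strip() in SECRET_KEYS and value.strip().strip("'\""):
                plaintext.append(name.strip())
    return {
        "owner_is_root": st.st_uid == 0,
        "mode": oct(mode),
        "group_or_other_access": bool(mode & 0o077),
        "plaintext_secrets": plaintext,
    }


def make_sample(mode):
    """Write a constructed keys file (fake password) and return its path."""
    fd, path = tempfile.mkstemp(prefix="keys-eduroam-")
    with os.fdopen(fd, "w") as fh:
        fh.write("# constructed sample, not a real credential\n")
        fh.write("IEEE_8021X_PASSWORD='not-a-real-password'\n")
    os.chmod(path, mode)
    return path


if __name__ == "__main__":
    sample = make_sample(0o600)
    try:
        print(audit_keys_file(sample))
    finally:
        os.remove(sample)
```

To check a real system, call `audit_keys_file("/etc/sysconfig/network-scripts/keys-eduroam")` as root; a non-empty `plaintext_secrets` list confirms the storage behaviour described in the thread.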

