
cat-users - Re: [[cat-users]] CAT Linux script

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)



Re: [[cat-users]] CAT Linux script


  • From: Tomasz Wolniewicz <twoln AT umk.pl>
  • To: Jérôme BERTHIER <Jerome.Berthier AT inria.fr>
  • Cc: cat-users AT lists.geant.org
  • Subject: Re: [[cat-users]] CAT Linux script
  • Date: Tue, 30 Jan 2018 20:06:17 +0100

Hi Jérôme,

   I know that this can be done like that, and I thought that I have
clearly said that I have experimented with it quite a bit in various
Linux distributions. I found out that the user experience related to
this setting can be quite terrible and this is why I have dropped it. I
just do not see that the security gain is big enough to risk that users
will hate that.

Tomasz



On 30.01.2018 at 17:53, Jérôme BERTHIER wrote:
> On 27/12/2017 at 15:13, Tomasz Wolniewicz wrote:
>> Hi Jérôme,
>>     you are correct in your analysis. It is, in principle possible, to
>> limit the profile setting to the user context and to make it encrypted
>> in the user keystore. I have spent quite a bit of time trying to get it
>> work, but the support for this turned out to be quite bad. You can see
>> that the code has a get_system function with a comment that this is
>> meant exactly for recognising distros that would handle password
>> encryption well, but we dropped the idea of adding this to the code and
>> it is simply impossible to follow the distros and test which one will
>> behave.
>>
>> The current system default for network profile creation is to use
>> system-wide settings and we decided to limit ourselves to this as well.
>> The main goal of CAT is to make the connection establishment safe, if
>> the user's machine is compromised, the entire security is pretty much
>> screwed anyway.
>>
>> Yours
>> Tomasz
>>
>>
>> On 22.12.2017 at 14:17, Jérôme BERTHIER wrote:
>>> Hi,
>>>
>>> I'm testing CAT in order to promote its usage among our users.
>>>
>>> I have a question about the script for Linux distribution.
>>>
>>> Correct me if I'm wrong, but this script sets up a new connection
>>> profile globally for the system.
>>>
>>> By doing this, it stores the user password as plain text in a text
>>> file.
>>>
>>> * network profile (including the username) :
>>> /etc/sysconfig/network-scripts/ifcfg-eduroam
>>> * password stored in a text file (owned by root with perm 600) :
>>> /etc/sysconfig/network-scripts/keys-eduroam
>>>
>>> Storing a plain text password is not very good (even limited to the user
>>> root).
>>>
>>> This seems to be the normal behavior of NetworkManager when it creates
>>> a system-wide profile:
>>> https://wiki.gnome.org/Projects/NetworkManager/Admins
>>>
>>> Is there any way under CAT admin to limit the scope of the client and
>>> profile to the user session under which it is installed (and so using the
>>> password storage manager)?
>>>
>>> Regards,
>>>
> Hi Tomasz,
>
> I did modify your script in order to add this attribute in the
> generated configuration file:
>
> IEEE_8021X_PASSWORD_FLAGS=user
>
> This way, the connection becomes limited to the user session. The file
> keys-eduroam is no more created.
>
> If the session proposes a keyring management system, then the password
> is securely stored. If not, then the password is asked for at each
> connection time.
>
> In the Python part of your tool, I just added this attribute to the
> dictionary s_8021x in the function add_connection() of the class
> EduroamNMConfigTool: 'password-flags': 1.
>
> This value 1 sets the variable IEEE_8021X_PASSWORD_FLAGS to "user". I
> will also try to set this to "ask" because this is another use case
> for us.
>
> I don't know if you had some work over this or if it could be an
> evolution. So, could you give me information about the licensing of
> CAT, please?
>
> Is it possible to modify it on our own side only, to distribute it to
> our users?
>
> If so, is it allowed to apply it to another SSID?
>
> Thank you very much for your help
>
> Regards
>

--
Tomasz Wolniewicz

twoln AT umk.pl
http://www.home.umk.pl/~twoln

Uczelniane Centrum Informatyczne / Information & Communication Technology Centre
Uniwersytet Mikolaja Kopernika / Nicolaus Copernicus University
pl. Rapackiego 1, Torun, Poland
tel: +48-56-611-2750 fax: +48-56-622-1850 tel kom.: +48-693-032-576
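The thread turns on one NetworkManager setting: the `password-flags` value in the 802-1x settings block decides whether NM itself writes the password to a root-owned `keys-eduroam` file, hands it to a user keyring agent, or never stores it at all. The block below is an added illustration and is not CAT's installer code; it assumes the NMSettingSecretFlags numeric values from libnm (0 = NM stores the secret system-wide, 1 = agent-owned, 2 = not saved), the ifcfg-rh keywords `user` and `ask` mentioned in the thread, and a deliberately minimal, hypothetical shape for the settings dictionary (EAP method and CA handling omitted). The sample ifcfg text is constructed for the example.

```python
"""Added example (not CAT's own code): how NetworkManager's password-flags
value decides where an 802.1X password ends up, and a small audit of an
ifcfg-style profile to see which case a generated file falls into."""

# NMSettingSecretFlags (libnm); these integers are what goes over D-Bus
NM_SECRET_FLAG_NONE = 0         # NM stores the secret itself (keys-* file, root 0600)
NM_SECRET_FLAG_AGENT_OWNED = 1  # a user secret agent (GNOME Keyring, KWallet) keeps it
NM_SECRET_FLAG_NOT_SAVED = 2    # never stored; the user is prompted on every connect

# Keyword the ifcfg-rh plugin writes as IEEE_8021X_PASSWORD_FLAGS=... for each flag.
# With flag 0 the keyword is simply omitted and the password goes to keys-<name>.
IFCFG_PASSWORD_FLAG_KEYWORD = {
    NM_SECRET_FLAG_NONE: None,
    NM_SECRET_FLAG_AGENT_OWNED: "user",
    NM_SECRET_FLAG_NOT_SAVED: "ask",
}


def build_8021x_settings(identity, password, anon_identity,
                         password_flags=NM_SECRET_FLAG_NONE):
    """Return a minimal (hypothetical) 802-1x settings dict in the shape an
    installer would pass to NetworkManager's AddConnection over D-Bus."""
    settings = {
        "eap": ["peap"],
        "identity": identity,
        "anonymous-identity": anon_identity,
        "phase2-auth": "mschapv2",
        "password-flags": password_flags,
    }
    # "ask" means the secret must not be supplied at all; NM prompts at connect time
    if password_flags != NM_SECRET_FLAG_NOT_SAVED:
        settings["password"] = password
    return settings


def stores_password_system_wide(settings):
    """True when NM itself will keep the password on disk (the keys-eduroam
    case from the thread); False when an agent owns it or it is never saved."""
    flags = settings.get("password-flags", NM_SECRET_FLAG_NONE)
    return flags == NM_SECRET_FLAG_NONE and "password" in settings


def ifcfg_password_line(settings):
    """The IEEE_8021X_PASSWORD_FLAGS line ifcfg-rh would write, or None when
    the flag is 0 and the line is left out."""
    keyword = IFCFG_PASSWORD_FLAG_KEYWORD[settings["password-flags"]]
    return None if keyword is None else f"IEEE_8021X_PASSWORD_FLAGS={keyword}"


def audit_ifcfg(text):
    """Classify an ifcfg-style profile as 'system', 'user' or 'ask' storage.
    A missing IEEE_8021X_PASSWORD_FLAGS keyword is the system-wide case."""
    keyword = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("IEEE_8021X_PASSWORD_FLAGS="):
            keyword = line.split("=", 1)[1].strip().strip('"')
    if keyword is None:
        return "system"
    if keyword in ("user", "ask"):
        return keyword
    raise ValueError(f"unrecognised password flag keyword: {keyword!r}")


# Constructed sample: what a system-wide profile looks like (no flags keyword).
SAMPLE_IFCFG_SYSTEM = """\
NAME=eduroam
ESSID=eduroam
KEY_MGMT=WPA-EAP
IEEE_8021X_EAP_METHODS=PEAP
IEEE_8021X_IDENTITY=user@example.org
"""

# Constructed sample: the same profile after adding the attribute from the thread.
SAMPLE_IFCFG_USER = SAMPLE_IFCFG_SYSTEM + "IEEE_8021X_PASSWORD_FLAGS=user\n"


if __name__ == "__main__":
    for flags in (NM_SECRET_FLAG_NONE, NM_SECRET_FLAG_AGENT_OWNED, NM_SECRET_FLAG_NOT_SAVED):
        s = build_8021x_settings("user@example.org", "secret", "anonymous@example.org", flags)
        print(flags, ifcfg_password_line(s), "system-wide:", stores_password_system_wide(s))
    print(audit_ifcfg(SAMPLE_IFCFG_SYSTEM), audit_ifcfg(SAMPLE_IFCFG_USER))
```

`audit_ifcfg` is the check an administrator can run over the profile a script actually wrote: an `ifcfg-*` file with no `IEEE_8021X_PASSWORD_FLAGS` line is the case where a companion `keys-*` file holds the password in clear, readable by root.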
