The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

[Jérôme BERTHIER <Jerome.Berthier AT inria.fr>]

Le 27/12/2017 à 15:13, Tomasz Wolniewicz a écrit :
> Hi Jérôme,
>     you are correct in your analysis. It is, in principle possible, to
> limit the profile setting to the user context and to make it encrypted
> in the user keystore. I have spent quite a bit of time trying to get it
> work, but the support for this turned out to be quite bad. You can see
> that the code has a get_system function with a comment that this is
> meant exactly for recognising distros that would handle password
> encryption well, but we dropped the idea of adding this to the code and
> it is simply impossible to follow the distros and test which one will
> behave.
>
> The current system default for network profile creation is to use
> system-wide settings and we decided to limit ourselves to this as well.
> The main goal of CAT is to make the connection establishment safe, if
> the user's machine is compromised, the entire security is pretty much
> screwed anyway.
>
> Yours
> Tomasz
>
>
> W dniu 22.12.2017 o 14:17, Jérôme BERTHIER pisze:
> > Hi,
> >
> > I'm testing CAT in order to promote its usage among our users.
> >
> > I have a question about the script for Linux distribution.
> >
> > Correct me if I'm wrong but this script set up a new connection
> > profile globally for the system.
> >
> > By doing this, it stores the user password as plain text in a text file.
> >
> > * network profile (including the username) :
> > /etc/sysconfig/network-scripts/ifcfg-eduroam
> > * password stored in a text file (owned by root with perm 600) :
> > /etc/sysconfig/network-scripts/keys-eduroam
> >
> > Storing plain text password is not very good (even limited to the user
> > root).
> >
> > This seems to be the normal behavior of NetworkManager when it create
> > a system wide profile :
> > https://wiki.gnome.org/Projects/NetworkManager/Admins
> >
> > Is there any way under CAT admin to limit the scope of the client and
> > profile to the user session under it is installed (and so using the
> > password storage manager) ?
> >
> > Regards,
Hi Tomasz,

I did modify your script in order to add this attribute in the 
configuration file generated :

IEEE_8021X_PASSWORD_FLAGS=user

This way, the connection becomes limited to the user session. The file 
keys-eduroam is no more created.

If the session propose a keyring management system then the password is 
securely stored. If not, then the password is asked at each connection time.

Under the python part of your tool, I just add this attribute to the 
dictionnary s_8021x on the function add_connection() under the class 
EduroamNMConfigTool : 'password-flags': 1.

This value 1 set the variable IEEE_8021X_PASSWORD_FLAGS to "user". I 
will also try to set this to "ask" because this is an another use case 
for us.

I don't know if you had some work over this or if it could be an 
evolution. So, could you give me information about the licensing of CAT 
please ?

Is it possible to modify it on our own side only to distribute it to our 
users ?

If so, is it allowed to apply it to another SSID ?

Thanks you very much for your help

Regards

--
Jérôme BERTHIER
DSI - SESI - Equipe Conception
Inria Bordeaux - Sud-Ouest
+ 33 5 24 57 40 50

Attachment: smime.p7s
Description: Signature cryptographique S/MIME