cat-users AT lists.geant.org
Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)
List archive
- From: Jérôme BERTHIER <Jerome.Berthier AT inria.fr>
- To: Tomasz Wolniewicz <twoln AT umk.pl>
- Cc: cat-users AT lists.geant.org
- Subject: Re: [[cat-users]] CAT Linux script
- Date: Wed, 31 Jan 2018 16:02:57 +0100
- Organization: Inria DSI
Hi Tomasz,
Le 30/01/2018 à 20:06, Tomasz Wolniewicz a écrit :
Hi Jérôme,
I know that this can be done like that, and I thought that I have
clearly said that I have experimented with it quite a bit in various
Linux distributions.
Yes sure
I just wanted to share what exactly I am intended to do.
I do apologize if I'm boring you with this.
I found out that the user experience related to
this setting can be quite terrible and this is why I have dropped it. I
just do not see that the security gain is big enough to risk that users
will hate that.
Maybe we have a weird security concern.
So, I am interested in creating a specific version of your script for our own needs. Is it allowed to make it and to share it to our users ?
Furthermore, is it allowed to adapt your work to other internal SSID ?
I do not find any rules about code modification in the terms of use as well as under the developper page.
Again thanks you all for your great work
Regards,
Tomasz
W dniu 30.01.2018 o 17:53, Jérôme BERTHIER pisze:
Le 27/12/2017 à 15:13, Tomasz Wolniewicz a écrit :
Hi Jérôme,Hi Tomasz,
you are correct in your analysis. It is, in principle possible, to
limit the profile setting to the user context and to make it encrypted
in the user keystore. I have spent quite a bit of time trying to get it
work, but the support for this turned out to be quite bad. You can see
that the code has a get_system function with a comment that this is
meant exactly for recognising distros that would handle password
encryption well, but we dropped the idea of adding this to the code and
it is simply impossible to follow the distros and test which one will
behave.
The current system default for network profile creation is to use
system-wide settings and we decided to limit ourselves to this as well.
The main goal of CAT is to make the connection establishment safe, if
the user's machine is compromised, the entire security is pretty much
screwed anyway.
Yours
Tomasz
W dniu 22.12.2017 o 14:17, Jérôme BERTHIER pisze:
Hi,
I'm testing CAT in order to promote its usage among our users.
I have a question about the script for Linux distribution.
Correct me if I'm wrong but this script set up a new connection
profile globally for the system.
By doing this, it stores the user password as plain text in a text
file.
* network profile (including the username) :
/etc/sysconfig/network-scripts/ifcfg-eduroam
* password stored in a text file (owned by root with perm 600) :
/etc/sysconfig/network-scripts/keys-eduroam
Storing plain text password is not very good (even limited to the user
root).
This seems to be the normal behavior of NetworkManager when it create
a system wide profile :
https://wiki.gnome.org/Projects/NetworkManager/Admins
Is there any way under CAT admin to limit the scope of the client and
profile to the user session under it is installed (and so using the
password storage manager) ?
Regards,
I did modify your script in order to add this attribute in the
configuration file generated :
IEEE_8021X_PASSWORD_FLAGS=user
This way, the connection becomes limited to the user session. The file
keys-eduroam is no more created.
If the session propose a keyring management system then the password
is securely stored. If not, then the password is asked at each
connection time.
Under the python part of your tool, I just add this attribute to the
dictionnary s_8021x on the function add_connection() under the class
EduroamNMConfigTool : 'password-flags': 1.
This value 1 set the variable IEEE_8021X_PASSWORD_FLAGS to "user". I
will also try to set this to "ask" because this is an another use case
for us.
I don't know if you had some work over this or if it could be an
evolution. So, could you give me information about the licensing of
CAT please ?
Is it possible to modify it on our own side only to distribute it to
our users ?
If so, is it allowed to apply it to another SSID ?
Thanks you very much for your help
Regards
--
Jérôme BERTHIER
DSI - SESI - Equipe Conception
Inria Bordeaux - Sud-Ouest
+ 33 5 24 57 40 50
Attachment:
smime.p7s
Description: Signature cryptographique S/MIME
- Re: [[cat-users]] CAT Linux script, Jérôme BERTHIER, 01/09/2018
- <Possible follow-up(s)>
- Re: [[cat-users]] CAT Linux script, Jérôme BERTHIER, 01/30/2018
- Re: [[cat-users]] CAT Linux script, Tomasz Wolniewicz, 01/30/2018
- Re: [[cat-users]] CAT Linux script, Jérôme BERTHIER, 01/31/2018
- Re: [[cat-users]] CAT Linux script, Tomasz Wolniewicz, 01/30/2018
Archive powered by MHonArc 2.6.19.