The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

[Jérôme BERTHIER <Jerome.Berthier AT inria.fr>]

Hi Tomasz,

Le 30/01/2018 à 20:06, Tomasz Wolniewicz a écrit :
> Hi Jérôme,
>
>     I know that this can be done like that, and I thought that I have
> clearly said that I have experimented with it quite a bit in various
> Linux distributions.

Yes sure
I just wanted to share what exactly I am intended to do.
I do apologize if I'm boring you with this.

>   I found out that the user experience related to
> this setting can be quite terrible and this is why I have dropped it. I
> just do not see that the security gain is big enough to risk that users
> will hate that.

Maybe we have a weird security concern.
So, I am interested in creating a specific version of your script for 
our own needs. Is it allowed to make it and to share it to our users ?

Furthermore, is it allowed to adapt your work to other internal SSID ?

I do not find any rules about code modification in the terms of use as 
well as under the developper page.

Again thanks you all for your great work

Regards,

> Tomasz
>
>
>
> W dniu 30.01.2018 o 17:53, Jérôme BERTHIER pisze:
> > Le 27/12/2017 à 15:13, Tomasz Wolniewicz a écrit :
> > > Hi Jérôme,
> > >      you are correct in your analysis. It is, in principle possible, to
> > > limit the profile setting to the user context and to make it encrypted
> > > in the user keystore. I have spent quite a bit of time trying to get it
> > > work, but the support for this turned out to be quite bad. You can see
> > > that the code has a get_system function with a comment that this is
> > > meant exactly for recognising distros that would handle password
> > > encryption well, but we dropped the idea of adding this to the code and
> > > it is simply impossible to follow the distros and test which one will
> > > behave.
> > >
> > > The current system default for network profile creation is to use
> > > system-wide settings and we decided to limit ourselves to this as well.
> > > The main goal of CAT is to make the connection establishment safe, if
> > > the user's machine is compromised, the entire security is pretty much
> > > screwed anyway.
> > >
> > > Yours
> > > Tomasz
> > >
> > >
> > > W dniu 22.12.2017 o 14:17, Jérôme BERTHIER pisze:
> > > > Hi,
> > > >
> > > > I'm testing CAT in order to promote its usage among our users.
> > > >
> > > > I have a question about the script for Linux distribution.
> > > >
> > > > Correct me if I'm wrong but this script set up a new connection
> > > > profile globally for the system.
> > > >
> > > > By doing this, it stores the user password as plain text in a text
> > > > file.
> > > >
> > > > * network profile (including the username) :
> > > > /etc/sysconfig/network-scripts/ifcfg-eduroam
> > > > * password stored in a text file (owned by root with perm 600) :
> > > > /etc/sysconfig/network-scripts/keys-eduroam
> > > >
> > > > Storing plain text password is not very good (even limited to the user
> > > > root).
> > > >
> > > > This seems to be the normal behavior of NetworkManager when it create
> > > > a system wide profile :
> > > > https://wiki.gnome.org/Projects/NetworkManager/Admins
> > > >
> > > > Is there any way under CAT admin to limit the scope of the client and
> > > > profile to the user session under it is installed (and so using the
> > > > password storage manager) ?
> > > >
> > > > Regards,
> > Hi Tomasz,
> >
> > I did modify your script in order to add this attribute in the
> > configuration file generated :
> >
> > IEEE_8021X_PASSWORD_FLAGS=user
> >
> > This way, the connection becomes limited to the user session. The file
> > keys-eduroam is no more created.
> >
> > If the session propose a keyring management system then the password
> > is securely stored. If not, then the password is asked at each
> > connection time.
> >
> > Under the python part of your tool, I just add this attribute to the
> > dictionnary s_8021x on the function add_connection() under the class
> > EduroamNMConfigTool : 'password-flags': 1.
> >
> > This value 1 set the variable IEEE_8021X_PASSWORD_FLAGS to "user". I
> > will also try to set this to "ask" because this is an another use case
> > for us.
> >
> > I don't know if you had some work over this or if it could be an
> > evolution. So, could you give me information about the licensing of
> > CAT please ?
> >
> > Is it possible to modify it on our own side only to distribute it to
> > our users ?
> >
> > If so, is it allowed to apply it to another SSID ?
> >
> > Thanks you very much for your help
> >
> > Regards

--
Jérôme BERTHIER
DSI - SESI - Equipe Conception
Inria Bordeaux - Sud-Ouest
+ 33 5 24 57 40 50

Attachment: smime.p7s
Description: Signature cryptographique S/MIME