
cat-users - Re: [[cat-users]] BUG: cat Linux: deletion of all connections with an eduroam SSID

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)


Re: [[cat-users]] BUG: cat Linux: deletion of all connections with an eduroam SSID


  • From: Tomasz Wolniewicz <twoln AT umk.pl>
  • To: Grégory Mounié <Gregory.Mounie AT imag.fr>, cat-users AT lists.geant.org
  • Subject: Re: [[cat-users]] BUG: cat Linux: deletion of all connections with an eduroam SSID
  • Date: Tue, 9 Oct 2018 22:52:57 +0200
  • Openpgp: preference=signencrypt

Hello,

   this is an English-only mailing list, my answer is based on the
Google translation. Thank you for your remarks.

First of all, you mailed just two days before we pushed a new
version of CAT, which has also changed the Linux installer from Python
embedded in a bash script to a Python-only script. The script will
require quite a number of fine touches and style improvements, but the
basics are essentially final. Having said that, I realise that your
remarks remain valid also in this new setup.

Your situation seems to be rather unusual; if I understand correctly, you
have 3 different identity providers and you have 3 separate config files
for the same SSID eduroam and I suppose you decide which one should be
used. This is pretty much against the idea of eduroam to keep things as
simple as possible. We have been using a multiple profile approach for
Windows in times when we wanted to handle WPA2/AES and WPA/TKIP
together, but we never considered handling multiple identity providers
for a single user. We have consistently used the approach to wipe out
all eduroam connections not asking users about that and for so many years
and millions of downloads we have never got a single complaint until yours.

You mention our unsafe approach of keeping the passwords as open text
rather than the keyring. Indeed the keyring looked like a very
interesting choice, but after testing with multiple distros, I found out
that the behaviour of the keyring configuration is quite unpredictable
and most likely would cause quite some confusion among users. An
important argument was also the fact that the default manual
configuration approach via the NM GUI would also use the open text
storage (at least at the time when we were considering this). Finally,
the security issue of having the passwords in the open will only be
important when the machine is compromised. And if it is compromised then
you can hardly assume that information in the keyring stayed safe. The
only real-life case I can think of would be multiple users with admin
rights on the same machine, but in practice - how common is that?

Finally the nmcli. I never considered that. I guess it was not really
known at the moment when we were starting. It certainly looks like an
interesting option, but will it be present in all Linux distros,
especially those KDE-based? If not then we still need our standard code,
so using another tool adds rather than lowers complexity.

Yours

  Tomasz



On 02.10.2018 at 15:00, Grégory Mounié wrote:
>
>  Hello
>
>  Having 3 supervising institutions, I have 3 establishments that
> permanently provide me with eduroam authentication.
>  This is very useful to me for working around certain problems
> (current examples, 1 problem each: filtering of the anonymous outer
> identity on some concentrators; failing authentication (I do not yet
> know why); certificates no longer passing the new default minimum
> security level of libSSL)
>
>  I have just been surprised (again) by the CAT installers on Linux,
> which delete without warning all connections using the SSID eduroam.
> (and two other side points at the end)
>
>  Two alternatives seem possible and cheap to me:
>
>  1) Simple and easy: warn the user! As for the .cat_installer
> directory, with a warning window.
>
>  For example, around line 213 (before the certificate)
>
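>  # existing prompt: "The directory $HOME/.cat_installer exists. Some of
>  # the files it contains may be overwritten."
>  if ! ask "Le répertoire $HOME/.cat_installer existe. Certains des fichiers qu'il contient peuvent être écrasés." ...
>  # ADDITION: "All previous connection configurations for 'eduroam'
>  # will be deleted"
>  if ! ask "Toutes les configurations de connections précédentes à 'eduroam' vont être effacées" ...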
>
>  2) An alternative would be to delete only the connection with the id
> "eduroam", the one that is about to be written
>
> connection_settings = connection.GetSettings()
> if connection_settings['connection']['type'] == '802-11-wireless':
>     conn_ssid = self.byte_to_string(
>         connection_settings['802-11-wireless']['ssid'])
>     if conn_ssid == ssid and connection_settings['connection']['id'] == 'eduroam':
>         connection.Delete()
>
>  The second choice changes the semantics of the installer (risk of
> leftovers on users' machines), but there is nothing "surprising"
> about it (deletion of an arbitrary amount of configuration data
> without notice).
>
>  Best regards,
>  Grégory Mounié
>
> Appendix 1: I find it "not very secure" to ask for the password and
> force it to be stored in clear text by NetworkManager, when it would
> suffice not to ask for it (two fewer question windows; encrypted
> storage by the session's secret manager at the first connection if
> needed)
>
> Appendix 2: using "nmcli" would also shorten the script a lot: a
> single line to create the profile instead of 150 lines of Python
> talking to D-Bus.
>

--
Tomasz Wolniewicz
twoln AT umk.pl http://www.home.umk.pl/~twoln

Uczelniane Centrum Informatyczne   Information&Communication Technology Centre
Uniwersytet Mikolaja Kopernika     Nicolaus Copernicus University,
pl. Rapackiego 1, Torun            pl. Rapackiego 1, Torun, Poland
tel: +48-56-611-2750 fax: +48-56-622-1850 tel kom.: +48-693-032-576
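
The two points debated in this thread (which profiles an SSID-wide wipe removes compared with an id match, and whether the 802.1X password sits in clear text) can be checked on a machine by reading the NetworkManager profiles. The following is an added example, not part of the original messages and not CAT code: it assumes the on-disk keyfile format, the function names and `written_id` parameter are hypothetical, and the sample profiles are constructed.

```python
import configparser

AGENT_OWNED, NOT_SAVED = 0x1, 0x2  # NetworkManager secret-flag bits

SAMPLE_PROFILES = [  # constructed keyfiles, not taken from a real machine
    "[connection]\nid=eduroam\ntype=wifi\n[wifi]\nssid=eduroam\n"
    "[802-1x]\neap=peap;\nidentity=user@idp-a.example\npassword=constructed-secret\n",
    "[connection]\nid=eduroam-idp-b\ntype=wifi\n[wifi]\nssid=eduroam\n"
    "[802-1x]\neap=peap;\nidentity=user@idp-b.example\npassword-flags=1\n",
    "[connection]\nid=home\ntype=wifi\n[wifi]\nssid=homenet\n",
]

def audit_profile(text, ssid="eduroam", written_id="eduroam"):
    """Describe one keyfile profile; None if it is for another SSID."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(text)
    # Newer keyfiles name the section [wifi], older ones [802-11-wireless].
    wifi = next((cp[s] for s in ("wifi", "802-11-wireless") if cp.has_section(s)), None)
    if wifi is None or wifi.get("ssid") != ssid:  # plain-string SSIDs only
        return None
    conn_id = cp.get("connection", "id", fallback="")
    dot1x = cp["802-1x"] if cp.has_section("802-1x") else {}
    flags = int(dot1x.get("password-flags", "0"))
    if "password" in dot1x:
        storage = "cleartext-in-file"
    elif flags & AGENT_OWNED:
        storage = "agent-owned (session keyring)"
    elif flags & NOT_SAVED:
        storage = "not saved (asked each time)"
    else:
        storage = "no password stored"
    return {"id": conn_id, "password_storage": storage,
            "removed_by_ssid_wipe": True,                  # every SSID match goes
            "removed_by_id_match": conn_id == written_id}  # only the rewritten id

def audit_all(profiles=SAMPLE_PROFILES):
    return [r for r in map(audit_profile, profiles) if r is not None]

if __name__ == "__main__":
    for row in audit_all():
        print(row)
```

On a real system the same function can be fed the contents of the files under /etc/NetworkManager/system-connections/, which are readable only by root.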




