Open kousu opened 2 years ago
Tagging @taowa and @joshuacwnewton because ..you were keen. Maybe? Tips on how to phrase this?
While we're at it, https://www.purdue.edu/science/scienceit/mac-vpn-openconnect.html suggests saving the typing every time you turn on the VPN with

```sh
sudo tee -a /etc/sudoers <<EOF
%admin ALL=(ALL) NOPASSWD: /usr/local/bin/openconnect
EOF
```
but that too has to shift subtly depending on os/distro. e.g. on Linux I would do

```console
[kousu@requiem ~]$ sudo tee /etc/sudoers.d/openconnect <<EOF
> $USER ALL=(ALL) NOPASSWD: /usr/bin/openconnect
> EOF
[sudo] password for kousu:
kousu ALL=(ALL) NOPASSWD: /usr/bin/openconnect
[kousu@requiem ~]$
```

or

```console
[kousu@requiem ~]$ sudo tee /etc/sudoers.d/openconnect <<EOF
> %wheel ALL=(ALL) NOPASSWD: /usr/bin/openconnect
> EOF
[sudo] password for kousu:
%wheel ALL=(ALL) NOPASSWD: /usr/bin/openconnect
[kousu@requiem ~]$
```
@taowa pointed out that security might not be much better than just writing the password into the script in the first place:

> you'd then have to be giving the `security` command access, which means any application on the terminal could access the password

which seems..right. Is that right? Surely Apple has thought this through somehow, right? Is Keychain tied to TouchID or something?

`pass` (which I use) behaves like sudo: it unlocks for a while then times out and you have to reenter a top level password to use it the next time.
To be honest... I'm sort of bad about this, myself. I do use Bitwarden, but I haven't yet put in the time to figure out how to get it to "just work" via the command line without having to put my bitwarden PW every time... I see threads like this one and then start to feel like life's too short to do all that work for one password. The integration definitely feels worse compared to macOS.
So... yeah, right now I'm hardcoding my VPN username/password into the script. :v
If we really want to discourage this, then I feel like it might actually be less effort (at least for folks on linux) to go through the motions of memorizing this one password, vs. setting up a password manager to be used via the command line. (Since, it feels likely that this would be the only PW that someone's going to be inputting via the command line... the benefits of jumping through those technical hoops probably isn't worth it.)
Joshua Newton, 2021-11-03 16:57 -0400:

> If we really want to discourage this, then I feel like it might actually be less effort to go through the motions of memorizing this one password, vs. setting up a password manager to be used via the command line. (Since, it feels likely that this would be the only PW that someone's going to be inputting via the command line... the benefits of jumping through those technical hoops probably isn't worth it.)
I'm... on the fence between "we should be telling people to memorize their pMatricule and password because they will need it for everything they do at Poly" and "their computers are storing it anyway, why not just pull it from wherever it's stored." I think we should give people the choice like this:

> The VPN should be set to require your password on each connection.
>
> [Instructions to have it prompt.]

And then have an "advanced users (password manager or plain text storage)" drop down or something and hide:

> Your VPN password can also be stored in plain text (not recommended) or in your password manager.

```sh
# to use your password manager, remove the # at the beginning of the
# next line and specify the command needed to access your password.
# an example for the macOS keychain is below:
# VPN_PASSWORD_CMD=security [...]
# to use a plaintext password (not recommended), replace [VPN password] with your VPN password
# VPN_PASSWORD_CMD='echo -n [VPN password]'
[...]
# run the configured command and hand its output to openconnect on stdin
eval "$VPN_PASSWORD_CMD" | sudo openconnect --passwd-on-stdin [...]
```
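A wrapper that fills in the sketch above, as an added example (not code from this thread or from the neuropoly repo). It keeps the settings in a per-user config file and refuses to use that file unless only its owner can read it, so the "plain text (not recommended)" option at least never leaves the password in a world-readable file, and the password-manager command runs only at connect time. The config path, the variable names and the `pass`/`bw`/`security` item names are this example's own assumptions.

```sh
#!/bin/sh
# Added example, not code from the thread: a wrapper around the
# VPN_PASSWORD_CMD idea. Settings live in a per-user config file that the
# wrapper refuses unless its mode is 600/400. Config path, variable names and
# the password-manager item names below are this example's assumptions.
#
# Example ~/.config/poly-vpn.conf (plain shell assignments, sourced below):
#   VPN_USER=your-matricule
#   VPN_SERVER=vpn.example.invalid        # placeholder, not the real host
#   # pick ONE; the item names are whatever you stored the password under:
#   VPN_PASSWORD_CMD='pass show poly/vpn'
#   # VPN_PASSWORD_CMD='bw get password poly-vpn'
#   # VPN_PASSWORD_CMD='security find-generic-password -s poly-vpn -w'
#   # VPN_PASSWORD_CMD='printf %s [VPN password]'   # plain text, not recommended

VPN_CONFIG=${VPN_CONFIG:-$HOME/.config/poly-vpn.conf}

# Octal permission bits of a file; GNU stat (Linux) and BSD stat (macOS) differ.
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%OLp' "$1" 2>/dev/null
}

# Only the owner may read the config: 600 (or 400 for a read-only copy).
check_config_perms() {
    mode=$(file_mode "$1") || return 1
    case $mode in
        600|400) return 0 ;;
        *)
            echo "refusing $1: mode $mode, expected 600 (run: chmod 600 '$1')" >&2
            return 1 ;;
    esac
}

# Load the config and run the password command, printing the password on
# stdout. Sourcing the file means it is trusted as much as the script itself,
# which is why the permission check comes first.
read_vpn_password() {
    cfg=$1
    check_config_perms "$cfg" || return 1
    # shellcheck disable=SC1090
    . "$cfg"
    if [ -z "${VPN_PASSWORD_CMD:-}" ]; then
        echo "VPN_PASSWORD_CMD is not set in $cfg" >&2
        return 1
    fi
    sh -c "$VPN_PASSWORD_CMD"
}

connect_vpn() {
    pw=$(read_vpn_password "$VPN_CONFIG") || return 1
    . "$VPN_CONFIG"   # again in this shell, for VPN_USER and VPN_SERVER
    if [ -z "${VPN_USER:-}" ] || [ -z "${VPN_SERVER:-}" ]; then
        echo "VPN_USER and VPN_SERVER must be set in $VPN_CONFIG" >&2
        return 1
    fi
    # --passwd-on-stdin makes openconnect read the password from stdin rather
    # than prompting, so it never appears on the command line or in `ps`.
    printf '%s\n' "$pw" | sudo openconnect --passwd-on-stdin --user="$VPN_USER" "$VPN_SERVER"
}

# Usage: ./vpn.sh connect
if [ "${1-}" = connect ]; then
    connect_vpn
fi
```

With a `pass` or Bitwarden command configured, the manager's own unlock prompt appears the first time and its session timeout decides how often you retype the master password; with the plaintext variant the only protection left is the file mode, which is exactly what the wrapper checks.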
The official way of connecting is listed here: https://www.polymtl.ca/si/acces-securise-rvp-ou-vpn
Not sure if we want to offer support for a different way of connecting to the VPN.

> The official way of connecting is listed here: https://www.polymtl.ca/si/acces-securise-rvp-ou-vpn
> Not sure if we want to offer support for a different way of connecting to the VPN.
the issue with anyconnect ('official' way) is that AFAIK passwd cannot be added to Keychain
It's also not very linux-friendly. openconnect is supported by people who know Linux better than Cisco.
UMN wrote an entire guide just on installing it (AnyConnect) on linux https://it.umn.edu/services-technologies/how-tos/downloads-guides-install-anyconnect-vpn which includes this "tip":
> NOTE: Java or an alternative is a pre-requisite and must be installed prior to the AnyConnect installation.
https://intranet.neuro.polymtl.ca/computing-resources/computing-resources-neuropoly#vpn is currently implying you should keep your VPN password (which is also your CAS, eduroam, HR, moodle, ... password) in plaintext.
A better script for mac users is
However this needs to be used in tandem with
(tips first discovered over in https://github.com/neuropoly/computers/pull/172)
Ideally we'd also cover enough common password managers that anyone can copy-paste for what they use. In
https://github.com/neuropoly/computers/blob/266b179ab400d04dc800854468022ef0be504755/ansible/.vaultpass#L14-L18
I listed
Fix up this page to make sense for everyone.