nm-l2tp / NetworkManager-l2tp

L2TP and L2TP/IPsec support for NetworkManager
GNU General Public License v2.0

IPsec Pre-shared key stored as plain text #188

Open 0791HnoeL opened 2 years ago

0791HnoeL commented 2 years ago

Your version 1.20.0 release note says:

Store PSK as a VPN secret, ...

This doesn't work with GNU/Linux distributions like

There is a "Store the password only for this user" option for both the VPN user password and the IPsec settings pre-shared key, but only the user password gets stored in the keyring. The IPsec PSK could still be found as plain text in the NetworkManager configuration file.

sh3bang commented 4 days ago

Same problem here, the IPsec PSK is still stored within the configuration file (Arch Linux, networkmanager-l2tp 1.20.16-1). The VPN connection was created with nm-connection-editor 1.36.0-1.

dkosovic commented 1 day ago

@sh3bang

When the "Store the password only for this user" option is selected for either the user password or the PSK, they shouldn't be stored in the corresponding .nmconnection config file.

When the "Store the password for all users" option is selected, NetworkManager stores the user password or the PSK under the [vpn-secrets] section of the .nmconnection config file.

The above Store options are available by clicking on the person/people icon on the right of the password or PSK text boxes.

NetworkManager-l2tp used to do its own thing and store the PSK under the [vpn] section of the .nmconnection config file; newer versions let NetworkManager handle the PSK the same way as the user password is handled.

NetworkManager does the same thing with WiFi passwords and the "Store the password for all users" option.

Are you using the "Store the password only for this user" option? If you are, it's definitely a bug. Unfortunately I'm not able to reproduce it on the Linux distros I've just tested with, but I didn't test with Arch Linux.

sh3bang commented 11 hours ago

@dkosovic I have double checked that case (Linux Mint and Manjaro Linux):

"Store the password for all users" is unchecked and "Store the password only for this user" is checked (the option next to the PSK input field). The PSK is still stored in the vpn-secret section of /etc/NetworkManager/system-connections/.nmconnection

Only the user password will be saved to the user's keyring.

PS: The PSK of WiFi will be saved to the GNOME keyring, no problems!
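To check which of the storage cases described in this thread a given connection profile is in, the following added example (not part of the thread and not NetworkManager-l2tp code) audits the text of a .nmconnection keyfile. It assumes the plugin's secret key names are `password` and `ipsec-psk`, with their flags stored as `<key>-flags` in the [vpn] section; the sample profile is constructed.

```python
import configparser

# NetworkManager secret-flag bits (NMSettingSecretFlags).
AGENT_OWNED = 0x1  # "Store the password only for this user"
NOT_SAVED = 0x2    # not saved; prompt each time

# Assumed key names for the L2TP plugin's two secrets.
SECRET_KEYS = ("password", "ipsec-psk")

def audit_nmconnection(text):
    """Return (section, key, finding) for every secret present in the keyfile."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   delimiters=("=",))
    cp.optionxform = str  # keyfile keys are case-sensitive
    cp.read_string(text)
    findings = []
    for key in SECRET_KEYS:
        # Flags live in [vpn]; a missing flags entry means 0 (system-owned).
        flags = int(cp.get("vpn", key + "-flags", fallback="0"))
        for section in ("vpn", "vpn-secrets"):
            if not cp.has_option(section, key):
                continue
            if section == "vpn":
                finding = "legacy-vpn-data"   # old plugin behaviour
            elif flags & (AGENT_OWNED | NOT_SAVED):
                finding = "flag-mismatch"     # flags say keyring, file has it
            else:
                finding = "system-stored"     # "for all users", as designed
            findings.append((section, key, finding))
    return findings

# Constructed sample: PSK flagged agent-owned but still present in the file.
SAMPLE = """\
[connection]
id=example-l2tp
type=vpn

[vpn]
gateway=vpn.example.test
password-flags=1
ipsec-psk-flags=1
service-type=org.freedesktop.NetworkManager.l2tp

[vpn-secrets]
ipsec-psk=CONSTRUCTED-PSK
"""

if __name__ == "__main__":
    for row in audit_nmconnection(SAMPLE):
        print(*row)  # secret values are never printed
```

A `flag-mismatch` finding corresponds to the behaviour reported above, and `legacy-vpn-data` to the older plugin behaviour of keeping the PSK in [vpn].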