NetworkManager stores wifi passwords in plain text

Bug #1060907 reported by Ingar Smedstad
This bug affects 3 people
Affects                   Status      Importance  Assigned to  Milestone
NetworkManager            Incomplete  Medium
network-manager (Ubuntu)  Opinion     Undecided   Unassigned

Bug Description

/etc/NetworkManager/system-connections/some-wireless-profile contains plain text passwords.

Ingar Smedstad (ingsme)
security vulnerability: yes → no
visibility: private → public
security vulnerability: no → yes
Marc Deslauriers (mdeslaur) wrote :

This is by design. The passwords are stored in files which have appropriate permissions, and the system must be able to retrieve them to transmit to wireless networks. Obfuscating the passwords in those files in a recoverable way would not improve security.

Changed in network-manager (Ubuntu):
status: New → Invalid
Ingar Smedstad (ingsme) wrote :

Those files do not have appropriate permissions. Anyone with root access can read them. While we do have a certain amount of trust in our administrators we do not want to hand them the passwords of our users. We have wireless networks that use the users credentials and not some random password. This "design" now allows us to log on to any laptop in our organisation and find the users credentials.

This is a really terrible "design".

Ingar Smedstad (ingsme) wrote :

I also notice that VPN-connection somehow manages NOT to store the password in /etc...

Marc Deslauriers (mdeslaur) wrote :

If you want to store wifi passwords on a per-user basis, you should create user wifi connections, not system wifi connections. When creating the connection, uncheck the "Available to all users" check box.

Please be aware that even if wifi passwords are stored in the user's keyring, it is still trivial for the root user to obtain them.

Marc Deslauriers (mdeslaur) wrote :

If you disagree with the Network Manager design, please file a bug upstream here:

https://bugzilla.gnome.org/

Thanks.

Ingar Smedstad (ingsme) wrote :

As long as it is not in plain text in a file on the filesystem I do not care.

We want users to be able to set up wireless connections and select available networks. As far as I have ascertained this is accomplished by giving them rights to org.freedesktop.NetworkManager.settings.modify.system.

If we do this passwords WILL be stored in plain text in /etc.

Storing passwords in plain text will *always* and in any circumstances be a bad design.

The VPN test I set up did not store my password in plain text, and yet mysteriously managed to start again without prompting me for a password.

Changed in network-manager (Ubuntu):
status: Invalid → Opinion
Ingar Smedstad (ingsme) wrote :

"If you disagree with the Network Manager design, please file a bug upstream here:

https://bugzilla.gnome.org/

Thanks."

Well, that's what happens when I spend too long thinking about an answer. The other part slips one in unseen :)

I will do as you ask.

Mathieu Trudel-Lapierre (cyphermox) wrote : Re: [Bug 1060907] Re: NetworkManager stores wifi passwords in plain text

If connections are created with "Available to all users" unchecked, the
password will be saved in the user's keyring.

The policy access you need for this is ...modify.own, not system; and will
give sufficient access for the users to create wifi connections for their
own use, while not allowing modifications to provisioned settings. Giving
modify.system access is equivalent to giving administrator access for
changing/reading the connections created system-wide (the default), and
seeing the passwords from the UI.
On 3 Oct 2012 09:45, "Ingar Smedstad" <email address hidden> wrote:

> As long as it is not in plain text in a file on the filesystem I do not
> care.
>
> We want users to be able to set up wireless connections and select
> available networks. As far as I have ascertained this is accomplished by
> giving them rights to
> org.freedesktop.NetworkManager.settings.modify.system.
>
> If we do this passwords WILL be stored in plain text in /etc.
>
> Storing passwords in plain text will *always* and in any circumstances
> be a bad design.
>
> The VPN test I set up did not store my password in plain text, and yet
> mysteriously managed to start again without prompting me for a password.

Ingar Smedstad (ingsme) wrote :

That may work - IF you create a connection from scratch. People mostly do not do this and I am not going to require my users to learn how to do this either.

The normal way of connecting with wireless is to select a connection from the list. If this is a "secure" connection the user is required to provide a password. There are no options "Available to all users" in that dialog and if you do not have rights in org.freedesktop.NetworkManager.settings.modify.system you will not be able to create that connection.

And the behaviour you describe is also not what I experience. I created a wireless connection and removed "Available to all users". NM still stores the password in /etc. It just adds another option which tells who can use it:

[connection]
id=test
uuid=8e585656-1ca1-42a2-8172-8341a1d052c5
type=802-11-wireless
permissions=user:ism001:;

[802-11-wireless]
ssid=test
mode=infrastructure
mac-address=08:11:96:C2:02:B4
security=802-11-wireless-security

[802-11-wireless-security]
key-mgmt=wpa-eap
wep-key-flags=1
psk-flags=1
leap-password-flags=1

[ipv4]
method=auto

[ipv6]
method=auto

[802-1x]
eap=peap;
identity=username
phase2-auth=mschapv2
password=mypassword
password-raw-flags=1

Changed in network-manager:
importance: Unknown → Critical
status: Unknown → New
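The keyfile above makes the mechanism visible. NetworkManager tags every secret with a "-flags" property: 0 means system-owned (NetworkManager keeps the value itself, which for a system connection means this keyfile), 1 means agent-owned (a secret agent such as nm-applet or the KDE wallet keeps it, normally in the user's keyring), 2 means not saved (prompt on every activation). In the file as posted, wep-key-flags, psk-flags, leap-password-flags and password-raw-flags are all 1, but there is no password-flags line for the 802-1x password, so that one property takes the default of 0 and the PEAP password is the one secret written to the file. The script below is an added example, not NetworkManager's code and not from the bug report; it assumes the secret-flag semantics described in nm-settings(5) and the secret property names of the 802-11-wireless-security and 802-1x settings, and its function names (audit, clear_text_secrets, move_secrets_to_agent) are its own. It reports which secrets sit in a keyfile in clear text and rewrites the file so those secrets become agent-owned; the sample input is the posted keyfile, trimmed.

```python
"""Audit a NetworkManager keyfile (/etc/NetworkManager/system-connections/*) for
secrets stored in the file itself and rewrite it so they become agent-owned.
Added example, not NetworkManager's code. Assumes the secret-flags semantics of
nm-settings(5): 0 system-owned (kept in the keyfile), 1 agent-owned (kept by a
secret agent, e.g. in the keyring), 2 not-saved; a missing "-flags" key is 0."""
import configparser
from dataclasses import dataclass

SYSTEM_OWNED, AGENT_OWNED, NOT_SAVED = 0, 1, 2

# (keyfile section, secret property, property that carries its flags)
SECRET_PROPERTIES = [
    ("802-11-wireless-security", "psk", "psk-flags"),
    ("802-11-wireless-security", "wep-key0", "wep-key-flags"),
    ("802-11-wireless-security", "leap-password", "leap-password-flags"),
    ("802-1x", "password", "password-flags"),
    ("802-1x", "password-raw", "password-raw-flags"),
]

@dataclass
class Finding:
    section: str
    secret: str
    flags: int
    in_file: bool   # clear-text value present in the keyfile
    flags_key: str  # "" for [vpn-secrets] entries, whose flags live in [vpn]

def audit(text):
    """One Finding per secret property that applies to this connection."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep key case exactly as written
    cp.read_string(text)
    findings = []
    for section, secret, flags_key in SECRET_PROPERTIES:
        if cp.has_section(section):
            flags = int(cp.get(section, flags_key, fallback=SYSTEM_OWNED))
            findings.append(Finding(section, secret, flags, cp.has_option(section, secret), flags_key))
    # VPN plugins keep their secrets in [vpn-secrets]; anything there is clear text.
    if cp.has_section("vpn-secrets"):
        for name in cp.options("vpn-secrets"):
            findings.append(Finding("vpn-secrets", name, SYSTEM_OWNED, True, ""))
    return findings

def clear_text_secrets(text):
    """'section/property' for every secret whose value sits in the keyfile."""
    return [f"{f.section}/{f.secret}" for f in audit(text) if f.in_file]

def move_secrets_to_agent(text):
    """Copy of the keyfile with each stored secret removed and its flags set to
    agent-owned, so NetworkManager asks the user's secret agent for it on the
    next activation and the agent can keep it in the keyring."""
    strip = {(f.section, f.secret): f.flags_key for f in audit(text) if f.in_file and f.flags_key}
    force = {}  # section -> flags keys that must read AGENT_OWNED
    for (section, _), flags_key in strip.items():
        force.setdefault(section, set()).add(flags_key)
    out, header_at, seen, section = [], {}, set(), None
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("[") and s.endswith("]"):
            section = s[1:-1]
            header_at[section] = len(out)
            out.append(line)
            continue
        key, eq, _ = (x.strip() for x in line.partition("="))
        if eq and (section, key) in strip:
            continue                            # drop the clear-text secret
        if eq and key in force.get(section, ()):
            out.append(f"{key}={AGENT_OWNED}")  # rewrite an existing flags line
            seen.add((section, key))
            continue
        out.append(line)
    for section, keys in force.items():         # add flags lines that were missing
        for key in sorted(keys):
            if (section, key) not in seen:
                out.insert(header_at[section] + 1, f"{key}={AGENT_OWNED}")
    return "\n".join(out) + "\n"

# The keyfile posted in the comment above, trimmed to the sections that matter.
SAMPLE = """\
[connection]
id=test
permissions=user:ism001:;

[802-11-wireless-security]
key-mgmt=wpa-eap
wep-key-flags=1
psk-flags=1
leap-password-flags=1

[802-1x]
eap=peap;
identity=username
phase2-auth=mschapv2
password=mypassword
password-raw-flags=1
"""

if __name__ == "__main__":
    print(clear_text_secrets(SAMPLE), move_secrets_to_agent(SAMPLE), sep="\n")
```

On the sample it reports 802-1x/password as the only secret in the file, and the rewritten keyfile drops the password= line and inserts password-flags=1 under [802-1x]. Run it as root over /etc/NetworkManager/system-connections/ (the files are root-owned and mode 0600), then make NetworkManager re-read them (nmcli connection reload on current versions). A rewritten connection prompts for the secret on its next activation and the agent can store it in the keyring; as Marc notes above, that still does not hide it from root once the user's keyring is unlocked. The permissions= line and the polkit modify.own/modify.system actions discussed in this thread control who may use or edit a connection, not where its secrets are stored; [vpn-secrets] entries are only reported by this script, since their flags live in the [vpn] section under "<name>-flags".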
Tim Parker (tim-fukawitribe) wrote :

I am also having issues with this. In my use case, with NetworkManager-1.0.9.6.4-3.fc17 (64-bit), I have a VPN connection for a non-root user which is set to NOT connect automatically and NOT allowed on a system basis. If I do not enter a passphrase I cannot save the VPN configuration. If I do add a passphrase it is stored under /etc/ with only root rw permissions as 'protection'. As far as I remember, I was not offered the option to store to keyring when I set it up - nor would I want it to.

There seems to be an implicit requirement in the design, or belief in the authors, that the password should be stored - I have no idea why this should be. There is further the belief that storing it as plain text is as safe as it needs to be - perhaps if you're storing it in /etc or in the user's keyring that's true, but there is life beyond them... which is just as well given their limitations.

It used to be possible to create configurations without passwords/passphrases, which led to a prompt for credentials when making a connection using such a configuration - this seems eminently sensible, especially if the passphrase can be protected in memory or otherwise safeguarded (as done elsewhere). That this ability is no longer there would seem to indicate that there was a conscious decision to remove it - if so, can I ask what the thinking was behind it? If not, why was it then removed?

Changed in network-manager:
importance: Critical → Medium
status: New → Incomplete
Ingar Smedstad (ingsme) wrote :

It may look as if this is an implementation problem rather than a problem with Network Manager itself. Though I still believe that even allowing passwords to be stored as text is a security flaw, it is possible to configure NM so that it does not store passwords in text files. I have tried KDE and had no problem saving the password in the KWallet. I wonder why Unity is not configured like KDE.

Is the problem with nm-connection-editor, NetworkManager or somewhere else entirely? It may help if I can log a report with the right tool :=)

Ingar Smedstad (ingsme) wrote :

The problems I have identified so far:
1. If you have the rights org.freedesktop.NetworkManager.settings.modify.own you will not be able to make a connection by selecting available networks.
2. The option "Available to all users" seems to be implied when you select a connection from available networks.
3. When you give them org.freedesktop.NetworkManager.settings.modify.system I see no way of enforcing "Ask for this password every time"
4. Even when you make a connection that is not available to all users it still stores the password as text in /etc/NM... and only adds the user name that is allowed to use the connection.

What we need is the possibility to create a connection by selecting it from the list of available networks (eduroam) and have it so that the password for each user is stored in the users wallet or keyring.

Ritesh Khadgaray (khadgaray) wrote :

This requires implementation of user connections.

Seen here: https://bugs.launchpad.net/ubuntu/+source/network-manager/+bug/1116317
