"Unencrypted private keys are insecure" message is vague and unhelpful

Bug #1339607 reported by Andrea Corbellini
This bug affects 43 people
Affects: network-manager-applet (Ubuntu)
Status: Confirmed
Importance: Undecided
Assigned to: Unassigned

Bug Description

Steps to reproduce:
1. Set up a wireless connection with WPA security and an unencrypted private key.
2. Make sure Network Manager will connect as soon as the wireless network is available.
3. Reboot the computer.

What happens:
Network manager will connect to the network during boot. If it completes before login, you are presented with the following message:

> Unencrypted private keys are insecure
> The selected private key does not appear to be protected by a password. This could allow your security credentials to be compromised. Please select a password-protected private key.
>
> (You can password-protect your private key with openssl)

This message is really uninformative and unhelpful for many reasons:
* It does not tell me which program/key is the problem. Initially I thought that the problem had to do with one of my SSH keys. I had to grep the message in /usr/bin in order to understand who was showing it.
* It does not tell why exactly unencrypted keys are insecure. In fact, someone might say they aren't.
* It does not tell how to encrypt them. "You can password-protect your private key with openssl" does not mean anything, even to a person who knows what OpenSSL is.

TL;DR: you are warned about a problem which does not exist, without being told what it is and how to solve it.

ProblemType: Bug
DistroRelease: Ubuntu 14.04
Package: network-manager-gnome 0.9.8.8-0ubuntu4.2
ProcVersionSignature: Ubuntu 3.13.0-31.55-generic 3.13.11.4
Uname: Linux 3.13.0-31-generic x86_64
ApportVersion: 2.14.1-0ubuntu3.2
Architecture: amd64
CurrentDesktop: Unity
Date: Wed Jul 9 10:51:28 2014
IfupdownConfig:
 # interfaces(5) file used by ifup(8) and ifdown(8)
 auto lo
 iface lo inet loopback
InstallationDate: Installed on 2013-10-23 (258 days ago)
InstallationMedia: Ubuntu 13.10 "Saucy Salamander" - Release amd64 (20131016.1)
IpRoute:
 default via 10.169.169.254 dev wlan0 proto static
 10.0.3.0/24 dev lxcbr0 proto kernel scope link src 10.0.3.1
 10.169.169.0/24 dev wlan0 proto kernel scope link src 10.169.169.100 metric 9
 192.168.122.0/24 dev virbr0 proto kernel scope link src 192.168.122.1
NetworkManager.state:
 [main]
 NetworkingEnabled=true
 WirelessEnabled=true
 WWANEnabled=true
 WimaxEnabled=true
SourcePackage: network-manager-applet
UpgradeStatus: Upgraded to trusty on 2014-03-25 (105 days ago)
nmcli-dev:
 DEVICE TYPE STATE DBUS-PATH
 eth0 802-3-ethernet unavailable /org/freedesktop/NetworkManager/Devices/1
 wlan0 802-11-wireless connected /org/freedesktop/NetworkManager/Devices/0
nmcli-nm:
 RUNNING VERSION STATE NET-ENABLED WIFI-HARDWARE WIFI WWAN-HARDWARE WWAN
 running 0.9.8.8 connected enabled enabled enabled enabled disabled

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in network-manager-applet (Ubuntu):
status: New → Confirmed

Dimitri John Ledkov (xnox) wrote :

What's more confusing is that my private key _is_ protected with a password and it's stored in the network manager config.

Brian Morris (brian-morris-h) wrote :

I confirm the same behavior that Dimitri sees. I have an encrypted private key configured with its password within the Network Manager which belongs to a wifi connection. When that connection is found at boot time, I receive this warning message regardless of whether the key is encrypted or not.

This is quite misleading.

Andrea Corbellini (andrea.corbellini) wrote :

This message is no longer appearing since I upgraded to vivid.

Andrea Corbellini (andrea.corbellini) wrote :

Actually, I was wrong. Forget my last message.

Björn Ramberg (bjoern-ramberg) wrote :

I can confirm this too.
My private key starts like this:

-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,509FB430BEB25072

And I can add my pass phrase to network manager and it will apply without issues. However, if I restart my machine, it will complain during the lightdm login that the key is unsafe and unencrypted.
When I log in the pass phrase is gone and I have to fill it in again.

Description: Ubuntu 14.04.3 LTS
Linux hostname 3.16.0-50-generic
network-manager 0.9.8.8-0ubuntu amd64
network-manager-gnome 0.9.8.8-0ubuntu amd64

Fredrik Svensson (esefrsv) wrote :

I mitigated the issue on my system by unchecking "All users may connect to this network" on said Wifi-connection in network manager.
Still not a solution though.

nemith (bennetb) wrote :

Having this issue on Xenial. May be a regression.

franzb (fbrummer-gmail) wrote :

Can confirm the regression for 16.04. Network manager started to complain about private key not being password protected but it definitely is. I tried it with a freshly created key with password to no avail.

Sebastien Bacher (seb128) wrote :

That seems similar to bug #1573720, which has been reported upstream at https://bugzilla.gnome.org/show_bug.cgi?id=766684

Conrad Kostecki (conikost) wrote :

I am also affected by this bug on 16.04.

bev (benno-martin-evers) wrote :

I'm also seeing this issue on xenial. Looking at the source package, the message is generated in wireless-security/eap-method-tls.c:

        /* Warn the user if the private key is unencrypted */
        if (!eap_method_is_encrypted_private_key (filename)) {
  [...]
                gtk_message_dialog_format_secondary_text (GTK_MESSAGE_DIALOG (dialog),
                                                          "%s",
                                                          _("The selected private key does not appear to be protected by a password. This could allow your security credentials to be compromised. Please select a password-protected private key.\n\n(You can password-protect your private key with openssl)"));
  [...]
        }

However, this is highly misleading, since eap_method_is_encrypted_private_key() returns false for various other reasons, in particular when the file cannot be opened or has the wrong extension.

Kitsab (kitsab) wrote :

Hello,

A few days ago I incidentally found a way to resolve the issue on my Ubuntu 16.04 machine.
For me the issue appeared as a popup every time the lightdm login screen was loaded.

As I added another user I moved the certificate folder which contains the certificates from my encrypted home folder to a subfolder of root, i.e. /mycertsfolder/certificatefile.cer, and the issue was gone.

The reason I did this was that the encrypted home folder was not readable by the new user that was added.

Hopefully this helps

best regards

Kitsab

Mircea (mirceanis) wrote :

Kitsab, you saved me.

I can confirm that the issue has disappeared for me as well after disabling home-folder encryption.

Thanks

Ra (raffamaiden) wrote :

I confirm this bug with an encrypted key. In my case the problem was that the keyfile was inside a drive that was not mounted at boot. So nm-applet tried to open a non-existent file, and the result was an error message saying the key is not encrypted. This should be fixed.
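
The cases reported in this thread (a check that returns false when the file cannot be opened, an unreadable encrypted home folder, a drive not mounted at boot) all come from one boolean standing in for several outcomes. The C sketch below is an added illustration, not code from network-manager-applet: `key_status`, `classify_pem_text`, `classify_key_file` and `key_status_message` are hypothetical names, the default path is constructed, and only PEM headers are inspected.

```c
#include <stdio.h>
#include <string.h>
/* Hypothetical result type: "cannot read" is kept apart from "unencrypted". */
typedef enum {
    KEY_UNREADABLE,  /* open/read failed: missing file, unmounted drive, permissions */
    KEY_NOT_PEM_KEY, /* readable, but no PEM private-key header */
    KEY_UNENCRYPTED, /* PEM private key with no encryption marker */
    KEY_ENCRYPTED    /* PKCS#8 encrypted, or legacy "Proc-Type: 4,ENCRYPTED" */
} key_status;

/* Classify PEM text by its headers (traditional and PKCS#8 forms only). */
key_status classify_pem_text(const char *pem)
{
    if (strstr(pem, "-----BEGIN ENCRYPTED PRIVATE KEY-----"))
        return KEY_ENCRYPTED;
    if (!strstr(pem, "-----BEGIN ") || !strstr(pem, "PRIVATE KEY-----"))
        return KEY_NOT_PEM_KEY;
    return strstr(pem, "Proc-Type: 4,ENCRYPTED") ? KEY_ENCRYPTED : KEY_UNENCRYPTED;
}

/* Classify a file; only the first 8 KiB is inspected, where the headers sit. */
key_status classify_key_file(const char *path)
{
    char buf[8192];
    FILE *f = fopen(path, "r");
    if (!f) return KEY_UNREADABLE;
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    int failed = ferror(f);
    fclose(f);
    buf[n] = '\0';
    return failed ? KEY_UNREADABLE : classify_pem_text(buf);
}

const char *key_status_message(key_status s)
{
    switch (s) {
    case KEY_UNREADABLE:  return "private key file cannot be read";
    case KEY_NOT_PEM_KEY: return "file is not a PEM private key";
    case KEY_UNENCRYPTED: return "private key is not password-protected";
    default:              return "private key is password-protected";
    }
}

int main(int argc, char **argv)
{
    const char *path = argc > 1 ? argv[1] : "/nonexistent/example-key.pem";
    printf("%s: %s\n", path, key_status_message(classify_key_file(path)));
    return 0;
}
```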
