MASTER [regression] VPNC plugin - no option to only save group password available

Bug #262191 reported by Thomas N on 2008-08-28
This bug affects 7 people
Affects Status Importance Assigned to Milestone
NetworkManager
Fix Released
Medium
Debian
Invalid
Undecided
Unassigned
network-manager (Ubuntu)
Undecided
Unassigned
Intrepid
Undecided
Unassigned
network-manager-vpnc (Ubuntu)
Undecided
Alexander Sack
Intrepid
Medium
Alexander Sack

Bug Description

Binary package hint: network-manager

When you connect to a Cisco VPN network with NM 0.7, after you choose connect, you get a prompt where you should enter password and group-key. There is only one option to save the credentials.

Previously you could choose to save the group key but not the password. This was good because when you connect with a dynamic PIN the password is different every time you connect.

Now I have to enter both my dynamic password AND group-key every time I connect.

$ apt-cache policy network-manager
network-manager:
  Installed: 0.7~~svn20080818t061112+eni1-0ubuntu1~nm1~hardy1
  Candidate: 0.7~~svn20080818t061112+eni1-0ubuntu1~nm1~hardy1
  Version table:
 *** 0.7~~svn20080818t061112+eni1-0ubuntu1~nm1~hardy1 0
        500 http://ppa.launchpad.net hardy/main Packages
        100 /var/lib/dpkg/status
     0.6.6-0ubuntu5 0
        500 http://se.archive.ubuntu.com hardy/main Packages

I'm working on adapting the relevant patch from 0.6.4svn2422-0ubuntu5 in Hardy, to the current version of 0.7. Hopefully I can get something that works shortly. As soon as I'll be done I'll also post the patch upstream so it can be included in the svn snapshots. There seems to already be a bug filed on Gnome to fix this on 0.7.0, but it looks to me like there are some issues with parts of that patch too, some functions I can't find in the source anymore. Here is the link to the relevant bug in gnome: http://bugzilla.gnome.org/show_bug.cgi?id=363918

Changed in network-manager-vpnc:
status: New → Confirmed

I'm attaching the revised patch I came up with to fix the issue, and I will be looking at creating a debdiff as soon as I have a chance. This is a patch file straight out of CDBS.

Nice! I'm linking to the gnome bug.

Changed in network-manager:
status: Unknown → Incomplete

The patch probably won't make it to upstream as it currently is; I've got some reviews to make it better. However, I'm attaching a debdiff in case we'd want to integrate this into the network-manager-vpnc package until a reworked way of handling saving group passwords can be implemented upstream; that way at least there is an option to reinstate the functionality that was present in Hardy's network-manager-vpnc 0.6.x.

I'm not sure whether there was a rationale behind dropping the patch in the 0.6.x version beside the fact that it didn't apply cleanly onto 0.7...

James Westby (james-w) wrote :

Hey Matt,

When you have a patch please subscribe one of the sponsors teams,
either "ubuntu-main-sponsors" or "ubuntu-universe-sponsors" so that
your patch can be reviewed for inclusion. I have done this now for you.

You say "The patch probably won't make it to upstream as it currently
is; I've got some reviews to make it better." Do you mean that your patch
has been reviewed and isn't ready? I don't see any comments in the
upstream bug. What were the review comments? If they were just
stylistic that's fine, but anything more and we want to know because
it may influence our decision.

Thanks,

James

James,

It is indeed more of stylistic reviews from the NetworkManager developers on the mailing list. To quote Dan Williams:
"So the reason this didn't get merged in the first place is that when
this is used, the auth dialog looks like ass. Having _3_ buttons there
has confused every user I've ever seen, and makes me read things a few
times whenever I get the dialog. It's just bad UI. Plus, it's not
something you can change in the connection editor out-of-band from
authentication. That's not to say it doesn't fill a need and fix the
bug, but the solution is not one I'd like to have upstream."

I tend to agree that the fix is not ideal in terms of "look and feel" and that's partly why I didn't immediately subscribe u-u-s, because it seemed unclear to me how to handle this patch in light of the discussions about debdiffs on ubuntu-devel mailing list, since it would need some major changes to be merged upstream (working on these changes atm, but not sure how long it will take).

Thanks,

Matt

James Westby (james-w) wrote :

Hi Matt,

I tracked down the discussion on the mailing list

  http://mail.gnome.org/archives/networkmanager-list/2008-October/msg00094.html

thanks for starting that.

As you understand this better than the rest of us I think you need to
suggest a course of action for Intrepid. Should we put this patch in
even though it is not ideal and will be changing at a later date? Should
we just live with the annoyance?

Thanks,

James

It must be better with a not-so-perfect UI than to have reduced functionality.

I make VPN connections through NM probably 2-3 times per day so I absolutely vote to include the patch.

Can't the UI look like it does now in 0.6? I haven't had a problem with that.

Are there any screenshots so one can look at both alternatives?

In terms of usability, I've only really had reviews from one of my coworkers who used a very similar patch I pushed to be adopted in Hardy, and no apparent annoyance there. In terms of other users, I didn't hear of good or bad reviews about the third checkbox :)

I'd probably leave it to Soren Hansen or Alexander Sack to make the call about this, since they are much more familiar with the package and code than I am, I think.

In terms of my personal opinion about this, I think we should probably bring up the patch even if it's not in upstream, if only because the functionality was there in Hardy... I think it's a general rule of thumb (or should be), that you don't want to take a feature out if it's being used. Then again, I am not a MOTU, only starting to get familiar with the guidelines, rules and all. Maybe it would be a good idea to bring it up on the ubuntu-devel mailing list?

The fact that there is a bug open about this means that it is; but I'd be interested to know *how much*. I didn't notice much interest in trying to fix the bug in another way than the patch I'm proposing, and since my UI skills are somewhat limited, it might take me a little while to get Dan's proposed way of fixing the bug to a working state -- so far, all I have is the modified UI in glade done. I'll be spending more time on it this weekend.

/ Matt

On Sat, 2008-10-11 at 15:25 +0000, Matt Trudel wrote:
> I'd probably leave it to Soren Hansen or Alexander Sack to make the call
> about this, since they are much more familiar with the package and code
> than I am, I think.

I've just realised, is this a patch to network-manager, or to the
vpnc plugin?

> In terms of my personal opinion about this, I think we should probably
> bring up the patch even if it's not in upstream, if only because the
> functionality was there in Hardy... I think it's a general rule of thumb
> (or should be), that you don't want to take a feature out if it's being
> used. Then again, I am not a MOTU, only starting to get familiar with
> the guidelines, rules and all. Maybe it would be a good idea to bring it up on
> the ubuntu-devel mailing list?

I'm not sure it needs to go to ubuntu-devel, I think getting Alexander's
feedback would be a good first step.

> The fact that there is a bug open about this means that it is; but I'd
> be interested to know *how much*. I didn't notice much interest in
> trying to fix the bug in another way than the patch I'm proposing, and
> since my UI skills are somewhat limited, it might take me a little
> while to get Dan's proposed way of fixing the bug to a working state --
> so far, all I have is the modified UI in glade done. I'll be spending
> more time on it this weekend.

Great, thanks.

James

James Westby (james-w) wrote :

Thanks, I'm closing the network-manager (Ubuntu) task, and the
Debian one, as we're not tracking it there, so it's not really necessary.

Thanks,

James

Changed in network-manager:
status: New → Invalid
Magnus Blåudd (msvensson) wrote :

Hi Matt,

maybe an alternative approach is to make the group password that has been filled in the "configuration dialog" be the value that shows up in the "connect dialog". Thus if the user leaves the group password blank in the "configuration dialog", it would be empty also in the "connect dialog". Wouldn't that be an option?

Actually, the "group password" edit box wouldn't even have to show up at all in the "connect dialog" in this case. :)

Best regards
Magnus

this was recently discussed on upstream mailing list. a patch was provided there too, but NM maintainer didn't want this in his tree because of UI deficiencies:

http://mail.gnome.org/archives/networkmanager-list/2008-October/msg00094.html

Given the nature and that upstream didn't want it, we should thoroughly look how well it works and thus suggest to get this fix into intrepid as a well tested SRU.

Changed in network-manager-vpnc:
status: Confirmed → Triaged

Magnus, this is part of what will be implemented in the revised patch once it will be integrated upstream, but given the changes required it's taking me some time to get it ready. The patch attached is just a simple way of getting it to the same point as it was in 0.6.x, in Hardy.

Alexander, do you mean to look at the patch in the mailing list message you linked (and that James also pointed to before, the same as attached to this bug), or do you mean the UI changes proposed by Dan Williams?

I've worked on addressing the concerns that were brought up by the NM maintainer upstream:

http://mail.gnome.org/archives/networkmanager-list/2008-October/msg00240.html

Although the patch isn't accepted upstream yet (I haven't received any kind of answer), I've built updated packages on my PPA. I can't guarantee that they actually work properly in all cases, they definitely need more testing, but I was able to use these packages successfully to connect to my Cisco VPN. These patches however affect more than just the VPNC plugin, they also modify the network-manager-gnome (network-manager-applet) package. The exact patches applied are also up on my bazaar branch.

Gilbert Mendoza (gmendoza) wrote :

Matt,

I'm anxious to test out what you have in the PPA. Did you modify the UI in the fashion Dan suggested and as you mentioned you would in your last comment of the thread? [1]

I'd like to help you test or in any way I can, so just let me know what needs to be done.

[1] http://mail.gnome.org/archives/networkmanager-list/2008-October/msg00098.html

Alexander Sack (asac) on 2008-10-30
Changed in network-manager:
status: New → Invalid
Changed in network-manager-vpnc:
importance: Undecided → Medium
milestone: none → intrepid-updates
status: New → Triaged

Yes, it's a first take on exactly what Dan Williams suggested: password types in the configuration dialog, and then saving passwords depending on that. I've added something so that as long as it's not a "rekey" or "reprompt" for the passwords, then it only asks for what's necessary.

Take this use case: I'm connecting to my work network, which requires a static group password, which I generally want to save in the keyring, and a dynamic, always-changing user password (SecurID). I set the group password to use "Default", the user password to "OTP" in the configuration dialog (same place as for the gateway and all of that stuff), then save. network-manager should only ask for the securid passcode, the auth-dialog has been modified so that only the user password, in that case, is asked for. Same could apply if the group password was dynamic, or if both passwords were.

Anyway, I'm not saying that this is the way to go, it's just a suggestion I brought up upstream. I think the best course of action currently should be to just patch network-manager-vpnc so that it's at the point where it was in Hardy, and then when and IF the other patch is accepted upstream, then we could integrate it (Jaunty or later).

Of course, another option would be, given enough outside testing, to directly integrate the password types patch in Jaunty Jackalope, and that will bring in an additional case to have the patch accepted upstream (I guess) but that's really not my call; I'm not the upstream maintainer, or the Ubuntu package maintainer, and not even MOTU. Hence why Ubuntu-Universe-Sponsors are subscribed, and we'd be theoretically waiting for Alexander Sack or Soren Hansen's input (and possible code review) before the initial, regression-fixing patch can be applied to the network-manager-vpnc package.
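
The prompting rule described in the comment above (a password type chosen per secret in the configuration dialog, and a prompt only for what is necessary unless it is a rekey or reprompt), as an added example that is not part of the thread and is not code from the patch or from NetworkManager. All type and function names are hypothetical; saving a newly entered static value and purging a leftover keyring entry for an OTP secret are assumptions.

```c
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical names; not the NetworkManager or vpnc plugin API. */
typedef enum { PW_DEFAULT, PW_OTP } pw_type;

typedef struct {
    const char *name;
    pw_type type;        /* chosen in the configuration dialog */
    const char *stored;  /* value found in the keyring, or NULL */
} secret_cfg;

typedef struct {
    bool prompt;  /* show an entry field for this secret */
    bool save;    /* write the entered value to the keyring */
    bool purge;   /* delete a stale keyring entry (assumption) */
} secret_plan;

secret_plan plan_secret(const secret_cfg *s, bool reprompt)
{
    secret_plan p = { false, false, false };
    bool have = s->stored != NULL && s->stored[0] != '\0';

    if (s->type == PW_OTP) {
        /* One-time value: always ask, never persist, drop leftovers. */
        p.prompt = true;
        p.purge = have;
        return p;
    }
    /* Static secret: ask only if nothing is stored, or on rekey/reprompt. */
    p.prompt = reprompt || !have;
    p.save = p.prompt;  /* assumption: a newly entered static value is saved */
    return p;
}

int main(void)
{
    /* Constructed sample: static group password, SecurID user password. */
    secret_cfg cfg[] = {
        { "group password", PW_DEFAULT, "constructed-group-secret" },
        { "user password",  PW_OTP,     NULL },
    };
    for (int pass = 0; pass < 2; pass++) {
        bool reprompt = (pass == 1);
        printf("%s:\n", reprompt ? "reprompt" : "first connect");
        for (size_t i = 0; i < sizeof cfg / sizeof cfg[0]; i++) {
            secret_plan p = plan_secret(&cfg[i], reprompt);
            printf("  %-14s prompt=%d save=%d purge=%d\n",
                   cfg[i].name, p.prompt, p.save, p.purge);
        }
    }
    return 0;
}
```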

Martin Pitt (pitti) wrote :

Not easily backportable since it means UI changes, but Alex says there might be a good solution without UI changes for Intrepid updates.

Changed in network-manager-vpnc:
assignee: nobody → asac
assignee: nobody → asac
James Westby (james-w) wrote :

Hi,

I'm un-subscribing the sponsors for now. If you wish to have something
uploaded please re-subscribe the team.

Thanks,

James

I'm aware that the latest upstream svn has a fix applied that resolves the issue. My understanding is that all that would be needed would be to do a new snapshot of the vpnc plugin code (and most likely network-manager as a whole too, though).

I've tried to take a copy of the code in svn, and package it, but I seem to be running into some issues when I compile it in pbuilder. I'm also not 100% sure what the exact proper process would be in packaging something from SVN like this. If someone was interested in giving me a few pointers, I'd happily prepare a package for Jaunty :)

On Fri, Nov 21, 2008 at 06:19:57PM -0000, Matt Trudel wrote:
> I'm aware that the latest upstream svn has a fix applied that resolves
> the issue. My understanding is that all that would be needed would be to
> do a new snapshot of the vpnc plugin code (and most likely network-
> manager as a whole too, though).
>
> I've tried to take a copy of the code in svn, and package it, but I seem
> to be running into some issues when I compile it in pbuilder. I'm also not
> 100% sure what the exact proper process would be in packaging something
> from SVN like this. If someone was interested in giving me a few
> pointers, I'd happily prepare a package for Jaunty :)
>

we cannot release just 0.7. upstream decided to do a bunch of changes
in the last few weeks that are not suitable for a stable update. We
need to backport all fixes individually.

For this group password thing there is a chance.

 - Alexander

Alexander Sack (asac) wrote :

On Fri, Nov 21, 2008 at 06:19:57PM -0000, Matt Trudel wrote:
> from SVN like this. If someone was interested in giving me a few
> pointers, I'd happily prepare a package for Jaunty :)

For jaunty 0.7 will go up once we are past the SRU rounds. I don't want
to diverge too much until most important issues are sorted in
intrepid.

 - Alexander

Robstarusa (rob-naseca) wrote :

I am having the exact issue described here. Is/will a fix be released? Do encrypted group passwords work as well?

Steve Beattie (sbeattie) wrote :

This bug was found in the Intrepid development cycle; removing regression-potential and marking as regression-release.

Robstarusa (rob-naseca) wrote :

This seems to be fixed in Intrepid backports. For anyone who needs this functionality, you can enable intrepid backports to get it.

Donal (donaljoconnor) wrote :

Hi Robstarusa,

Do you know what version it is? I can't see it after enabling backports and updating my package lists.

I don't think it is. I have intrepid-backports enabled and apt-cache policy says this:

$ apt-cache policy network-manager-vpnc
network-manager-vpnc:
  Installed: 0.7~~svn20081015t024626-0ubuntu1
  Candidate: 0.7~~svn20081015t024626-0ubuntu1
  Version table:
 *** 0.7~~svn20081015t024626-0ubuntu1 0
        500 http://se.archive.ubuntu.com intrepid/universe Packages
        100 /var/lib/dpkg/status
$ apt-cache policy network-manager
network-manager:
  Installed: 0.7~~svn20081018t105859-0ubuntu1.8.10.1
  Candidate: 0.7~~svn20081018t105859-0ubuntu1.8.10.1
  Version table:
 *** 0.7~~svn20081018t105859-0ubuntu1.8.10.1 0
        500 http://se.archive.ubuntu.com intrepid-updates/main Packages
        100 /var/lib/dpkg/status
     0.7~~svn20081018t105859-0ubuntu1 0
        500 http://se.archive.ubuntu.com intrepid/main Packages

Donal (donaljoconnor) wrote :

Just found it. It's available in this repo.

deb http://ppa.launchpad.net/network-manager/ubuntu intrepid main

Alexander Sack (asac) wrote :

fixed in jaunty according to comments (yes, network-manager team ppa has the jaunty version backported).

Changed in network-manager-vpnc:
status: Triaged → Fix Released

Is this going to end up in the official Intrepid repo? I'm not comfortable with installing a piece of security software from an unofficial repo as I use the Cisco plugin in a production environment.

draimus: I use this several hours every day at work and I use PPA. Works great. But of course, that is for my own personal use and my decision doesn't affect any one else :)

Alexander Sack (asac) wrote :

On Tue, Jan 20, 2009 at 06:10:59PM -0000, draimus wrote:
> Is this going to end up in the official Intrepid repo? I'm not
> comfortable with installing a piece of security software from an
> unofficial repo as I use the Cisco plugin in a production environment.
>

The network-manager team maintaining that PPA is the same team doing the
ubuntu work. It's even signed now.

 - Alexander

Richard Lee (rdlee632) wrote :

So... after reading through this bug, it is unclear when this fix will get backported to the intrepid release. Seeing as how this issue has been known, and a fix exists, for several months, I'm not sure what the hold up is.

Changed in network-manager:
status: Incomplete → Fix Released
Alex Valavanis (valavanisalex) wrote :

Intrepid Ibex reached end-of-life on 30 April 2010 so I am closing the report. The bug has been fixed in newer releases of Ubuntu.

Changed in network-manager-vpnc (Ubuntu Intrepid):
status: Triaged → Invalid
Changed in network-manager:
importance: Unknown → Medium