No Option To Save Group Password

Bug #91964 reported by Evan Klitzke on 2007-03-13
This bug affects 1 person
Affects: network-manager-vpnc (Ubuntu)
Importance: Low
Assigned to: Emmet Hikory

Bug Description

NOTE: if you see this in intrepid (ubuntu 8.10) go to bug 262191 - which tracks this intrepid regression.

Binary package hint: network-manager-vpnc

I have been issued an RSA SecurID by my workplace, which can be used to access the corporate Cisco VPN. The way that the SecurID works is that the VPN has a very long static password, and the user password is a combination of the user's PIN plus the sequence of digits being displayed on the SecurID (which change every 60 seconds). Consequently, I cannot save /both/ my user password and my group password (because the user password changes every minute), but since the group password is very long and static it would be ideal if I could just save that password. Apparently a patch to allow the user to just save the group password has already been applied to the version of network-manager-vpnc in Fedora Core 6. This was in October, so it could very well have been merged upstream, but as it stands it doesn't seem as if it is in the version of network-manager-vpnc I am using in Feisty. The patch that was used by Fedora can be found at http://cvs.fedora.redhat.com/viewcvs/rpms/NetworkManager-vpnc/FC-6/NetworkManager-vpnc-0.7.0-gppasswd.patch?root=extras&hideattic=0&rev=1.1&only_with_tag=NetworkManager-vpnc-0_6_4-1_fc6&view=markup

Given the prevalence of the SecurID cards in corporate environments, and based on several postings I have seen to the Ubuntu forums, it seems like this is definitely a needed feature. As it stands it is simple to add the group password only to the vpnc configuration file to get the same effect, but this is not as nice as the frontend provided by network manager, and the vpnc command must be run as root.
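
An added example, not part of the original report or of vpnc: a small audit for the workaround described above, where only the group secret is kept in the vpnc configuration file. It checks that the file holds a group secret, holds no Xauth password (a SecurID passcode changes every 60 seconds), and is not accessible to group or other. The sample profile is constructed, and keyword matching is done case-insensitively as an assumption.

```python
import os
import stat
import tempfile

# vpnc config keywords ("keyword value" per line) that store secrets.
GROUP_KEYS = ("ipsec secret", "ipsec obfuscated secret")
USER_KEYS = ("xauth password", "xauth obfuscated password")

# Constructed sample: group secret saved, no user password (all values made up).
SAMPLE_CONF = """\
# constructed example, not a real profile
IPSec gateway vpn.example.com
IPSec ID examplegroup
IPSec secret CONSTRUCTED-GROUP-SECRET
Xauth username jdoe
"""

def stored_secrets(text):
    """Return the secret-bearing keywords that have a value in a vpnc config."""
    found = set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        for key in GROUP_KEYS + USER_KEYS:
            if line.lower().startswith(key + " "):
                found.add(key)
    return found

def audit_vpnc_conf(path):
    """List deviations from 'group secret saved, one-time passcode never saved'."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        keys = stored_secrets(fh.read())
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if keys and mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("mode %04o exposes stored secrets to group/other" % mode)
    if not keys & set(GROUP_KEYS):
        findings.append("no group secret stored; vpnc will prompt for it")
    for key in sorted(keys & set(USER_KEYS)):
        findings.append("'%s' is stored; a SecurID passcode is stale within a minute" % key)
    return findings

if __name__ == "__main__":
    with tempfile.NamedTemporaryFile("w", suffix=".conf") as tmp:
        tmp.write(SAMPLE_CONF)
        tmp.flush()
        os.chmod(tmp.name, 0o644)  # deliberately too open
        print(audit_vpnc_conf(tmp.name))  # one finding: the file mode
```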

Brad (brad-lackey) wrote :

I too desire this functionality... Many times the group password is static, but the user password changes, so saving them BOTH is not very useful.

Rich Renomeron (rrenomeron) wrote :

I'd go one better -- when you import the .pcf file, it ought to fish out the group password and store it as part of its configuration, along with the connection name, gateway, etc. This would make it act more like the real Cisco client (on Windows).

Evan Klitzke (eklitzke2) wrote :

I'm confirming this since it is in fact a problem, as the other comments have shown. I'm also assigning this to MOTU (I hope I did it correctly!) since I'm applying a patch to fix this, so I want to make sure they see it.

Changed in network-manager-vpnc:
assignee: nobody → motu
status: Unconfirmed → Confirmed
Evan Klitzke (eklitzke2) wrote :

Here's the deal. Not having the patch was too annoying for me to live with, so I downloaded the Fedora patch and applied it against the version of network-manager-vpnc that Feisty ships. It works, and it's awesome to have this feature now. The patch will be in the upstream 0.7.0 release (and may even be in 0.6.5 -- I haven't checked). I'd imagine that Gutsy will ship with that release, and consequently the release of Gutsy will effectively close this bug. Nonetheless, I found that without this patch, network-manager-vpnc is _totally_ unusable for me, and I have to run vpnc in the background manually since that is capable of saving the group password. If it was up to me, I'd backport this fix to Feisty :-) In case some kindly developer wants to do that, I'm attaching my Debianified patch here (i.e. the patch resulting from applying the Fedora patch in a cdbs-edit-patch environment) so that someone can fix this heinous bug.

Also confirming this is a significant problem for me.

My employer uses a long string of random characters as the group secret and provides a SecurId card for logging in.

Gilbert Mendoza (gmendoza) wrote :

I know there's a couple more weeks left until Gutsy is officially out, but as of today (Oct. 1, 2007) network-manager-vpnc is still at 0.6.4svn2422. I am hoping 0.7 will be included in the repositories, as this bug is pretty annoying.

I too use multi-factor authentication (SecurID and SafeWord Premier) and wish there was a save group password function as well.

Sandip Bhattacharya (sandipb) wrote :

Same problem here. I need to just save the group password, and not the user password. I don't want to hunt for my group password whenever I need to log in.

Current workaround that I am using is:
Log in successfully once by manually entering the user password and group password, and ask for both passwords to be saved in the keyring (unchecking the session save thing).

The next time when you try to connect to vpnc, vpnc tries to connect using this pair, which obviously fails. Try re-connecting immediately after failure. This time, the dialog pops up with the last saved user/group password. Change just the user password and login successfully.

You will be an eyesore to the admin when he goes through the vpn log, but I think he will be happier to know that you haven't left the group password in the clear somewhere to use every time you log in.

I've repackaged network-manager-vpnc to include the patch from Fedora. Hopefully it follows all of the guidelines set forth in the PPAQuickGuide and the Packaging Guide. I think it does.

Anyway, here it is, up on my PPA:
https://launchpad.net/~mathieu-tl/+archive

network-manager-vpnc can be installed the usual way by adding the lines to sources.list and using apt-get update and then apt-get install network-manager-vpnc. Hopefully this won't only be useful to me :)

Attached the debdiff file for the fix.

Upstream bug is #363918. New proposed patch couldn't be applied to 0.6.4svn2422 as it is in Gutsy.

Daniel Holbach (dholbach) wrote :

Sorry, bug spam necessary because of bug 176085.

This bug has a patch attached, which needs review and sponsoring.

Emmet Hikory (persia) wrote :

Thanks for the debdiff. Unfortunately, this cannot be uploaded to hardy in the current state. Please adjust the patch as follows: 1) Move the patch itself into debian/patches; 2) set the version to "0.6.4svn2422-0ubuntu4" (no PPA); 3) set the target (immediately after the version in the changelog) to hardy instead of gutsy. I've unsubscribed ubuntu-universe-sponsors pending these changes. Please resubscribe when they are complete.

Changed in network-manager-vpnc:
assignee: motu → mathieu-tl
status: Confirmed → In Progress

I've updated the debdiff with the suggestions from Emmet Hikory.
- patch in debian/patches (it was already there... unless this is about something else? the file is 03_fix_bug_91964_save_group_password.diff.)
- set the version : 0.6.4svn2422-0ubuntu4 in this debdiff.
- target changed to hardy.

See attached debdiff.

Emmet Hikory (persia) on 2007-12-16
Changed in network-manager-vpnc:
assignee: mathieu-tl → nobody
status: In Progress → Confirmed
Emmet Hikory (persia) on 2007-12-20
Changed in network-manager-vpnc:
assignee: nobody → persia
importance: Undecided → Low
status: Confirmed → In Progress
Emmet Hikory (persia) wrote :

Uploaded. Thanks.

Changed in network-manager-vpnc:
status: In Progress → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package network-manager-vpnc - 0.6.4svn2422-0ubuntu4

---------------
network-manager-vpnc (0.6.4svn2422-0ubuntu4) hardy; urgency=low

  * Applied patch for bug #363918: option to save group password (LP: #91964)

 -- Mathieu Trudel <email address hidden> Sun, 16 Dec 2007 12:27:50 -0500

Changed in network-manager-vpnc:
status: Fix Committed → Fix Released
Maxime Chéramy (maxime81) wrote :

I didn't try this new version, and I don't know what this patch does exactly, but:

With 0.6.4svn2422-0ubuntu3:

I import a pcf file. The password is obfuscated. That's not a problem for my vpnc: IPSec obfuscated secret [the secret string]

But here, network-manager-vpnc asks me for my group password! But I'm not supposed to know it (but I cracked it). So I can't use it.

Is this patch a correction for this issue?

Unfortunately not. So far, there seems to be no code to handle writing a saved group password (or user password) in an "exported" pcf file from network-manager-vpnc, nor is there code to retrieve the group password from a pcf file. The only thing that changed is to allow network-manager-vpnc to save the group password entered in the authorization dialog into the password manager.

This bug is still present... I would really love to be able to import .pcf files with the group password set. I can't use Cisco VPN with nm-applet otherwise, and I don't want to have to tell all of our Ubuntu users here that they need to use the command-line client.

Gilbert Mendoza (gmendoza) wrote :

This is fixed, unless you have something else in mind. Here's how it works. When you connect to the VPN entry for the first time, you are presented with three options:

1. save passwords for this session (leave unchecked if you use one time passwords).
2. save passwords in keyring (leave unchecked if you use one time passwords).
3. save group password in keyring (check this one)

From that point on, any time you connect in the future, your group password will be saved... and you will be prompted to enter a password. If you're not being prompted to use a password, then you may have one saved in the keyring.

Go to Applications, Accessories, Passwords and Encryption Keys, and click on the far right tab of "passwords". You should see only one entry with the name of your VPN connection and at the tail end it should say "group_password". If you have any VPN related entry other than that for the group password, remove it, and educate your users not to save the password to the keyring when connecting.

bonin5 (bonin5) wrote :

I just upgraded to 8.10 RC and the 0.7.0 network manager + vpnc is definitely missing the 'save group password in the keyring' option. This was working before my upgrade in hardy yesterday.

Can someone make sure that the patch is ported to the version of nm and vpnc in the ibex repository?

This is REALLY important for me as I use this machine for daily work via the vpn!

Thanks, Troy

Gilbert Mendoza (gmendoza) wrote :

This is definitely a regression. I submitted a bug report here.

http://bugzilla.gnome.org/show_bug.cgi?id=558331

I really hope this can be fixed ASAP and packaged for Intrepid, ASAP.

Gilbert, bonin5,

Please look at bug 262191, which specifically addresses this regression. Sadly, it's too late for it to make it into Intrepid with the release today, but it may be fixed in a SRU at a later point.

Matt,

Thanks for the reply. I can live with the inconvenience for a while
(just like in hardy). Hopefully soon it will get corrected.

Troy

On Thu, 2008-10-30 at 14:40 +0000, Matt Trudel wrote:
> Gilbert, bonin5,
>
> Please look at bug 262191, which specifically addresses this regression.
> Sadly, it's too late for it to make it into Intrepid with the release
> today, but it may be fixed in a SRU at a later point.
>

Alexander Sack (asac) on 2008-10-31
description: updated
Richard Lee (rdlee632) wrote :

What's the plan on getting this fix into intrepid? Seems that everyone agrees it is a known and severe functionality problem and there is a patch to fix it. What's the hold up?

bonin5 (bonin5) wrote :

Richard - I agree with ya. I use this daily to vpn into our corp net.

*patiently waiting*

Thanks, Troy

On Wed, 2009-02-18 at 15:58 +0000, Richard Lee wrote:
> What's the plan on getting this fix into intrepid? Seems that everyone
> agrees it is a known and severe functionality problem and there is a
> patch to fix it. What's the hold up?
>

Richard Lee (rdlee632) wrote :

Today I got an apt update that has the fix in it! Hurrah! Thx!

You can now set either the user or group password to ask every time or be remembered or be ignored.

Nick Phillips (nick-phillips) wrote :

For those with the obfuscated group password needing to know the group password - download & build the deobfuscator available from http://www.unix-ag.uni-kl.de/~massar/bin/cisco-decode
