Network Manager doesn't use 802.1x password entered in GUI

Bug #1643737 reported by StuS on 2016-11-22
262
This bug affects 2 people
Affects Status Importance Assigned to Milestone
network-manager (Ubuntu)
Low
Unassigned

Bug Description

This is a bug that seems to constantly re-surface across multiple versions in Ubuntu, and I've seen it in other distributions as well.

Scenario:
  I want to enable 802.1x on a wired (*not* wireless), ethernet connection. I enter my identity, my computer cert, my ca cert, my private key file, and my password for my private key.

What doesn't work:
I confirm the password works by using openssl. NetworkManager does not save the password. When I am asked to re-enter it, the connection fails. I look in syslog, and it complains about the private key password being blank.

Workaround:
Open the file:

/etc/NetworkManager/system-connections/[Your network connection]
Example:
$> vim /etc/NetworkManager/system-connections/Wired\ connection\ 1

Add the field:
private-key-password=[your password]

Example:
private-key-password=UtterlyPointlessGloballyReadableStoredInPlaintextPassword

Save the file.

Attempt to re-connect. (and it worked for me).
Look in Network Manager UI, the password seems to now be stored.

Expected behavior:
Entering the password in the GUI works (i.e, it is saved to the file, or at least used temporarily when connecting, either way - the latter would be more secure)

Additionally, this whole thing is pretty lame, because Network Manager restricts you to using an encrypted private key, but this is dumb, because the password is then stored in a globally readable file in plaintext. Or you can decide to not save a password, and enter every time in a gui that fails to use the password you type in.

ProblemType: Bug
DistroRelease: Ubuntu 16.04
Package: network-manager 1.2.0-0ubuntu0.16.04.3
ProcVersionSignature: Ubuntu 4.4.0-31.50-generic 4.4.13
Uname: Linux 4.4.0-31-generic x86_64
ApportVersion: 2.20.1-0ubuntu2.1
Architecture: amd64
CurrentDesktop: Unity
Date: Mon Nov 21 17:52:44 2016
IfupdownConfig:
 # interfaces(5) file used by ifup(8) and ifdown(8)
 auto lo
 iface lo inet loopback
InstallationDate: Installed on 2016-11-21 (0 days ago)
InstallationMedia: Ubuntu 16.04.1 LTS "Xenial Xerus" - Release amd64 (20160719)
IpRoute:
 default via 10.0.50.1 dev eno1 proto static metric 100
 10.0.50.0/23 dev eno1 proto kernel scope link src 10.0.50.207 metric 100
 10.0.254.32 via 10.0.50.1 dev eno1 proto dhcp metric 100
 169.254.0.0/16 dev eno1 scope link metric 1000
IwConfig:
 lo no wireless extensions.

 eno1 no wireless extensions.
NetworkManager.state:
 [main]
 NetworkingEnabled=true
 WirelessEnabled=true
 WWANEnabled=true
RfKill:

SourcePackage: network-manager
UpgradeStatus: No upgrade log present (probably fresh install)
nmcli-con:
 NAME UUID TYPE TIMESTAMP TIMESTAMP-REAL AUTOCONNECT AUTOCONNECT-PRIORITY READONLY DBUS-PATH ACTIVE DEVICE STATE ACTIVE-PATH
 Wired connection 1 fcbffec0-f9e4-4405-acfa-1cd80dec7362 802-3-ethernet 1479779500 Mon 21 Nov 2016 05:51:40 PM PST yes 4294966297 no /org/freedesktop/NetworkManager/Settings/0 yes eno1 activated /org/freedesktop/NetworkManager/ActiveConnection/0
nmcli-dev:
 DEVICE TYPE STATE DBUS-PATH CONNECTION CON-UUID CON-PATH
 eno1 ethernet connected /org/freedesktop/NetworkManager/Devices/0 Wired connection 1 fcbffec0-f9e4-4405-acfa-1cd80dec7362 /org/freedesktop/NetworkManager/ActiveConnection/0
 lo loopback unmanaged /org/freedesktop/NetworkManager/Devices/1 -- -- --
nmcli-nm:
 RUNNING VERSION STATE STARTUP CONNECTIVITY NETWORKING WIFI-HW WIFI WWAN-HW WWAN
 running 1.2.0 connected started full enabled enabled enabled enabled enabled

StuS (stu26code) wrote :
Sebastien Bacher (seb128) wrote :

Thank you for taking the time to report this bug and helping to make Ubuntu better. The issue you are reporting is an upstream one and it would be nice if somebody having it could send the bug to the developers of the software by following the instructions at https://wiki.ubuntu.com/Bugs/Upstream/GNOME. If you have done so, please tell us the number of the upstream bug (or the link), so we can add a bugwatch that will inform us about its status. Thanks in advance.

Changed in network-manager (Ubuntu):
importance: Undecided → Low
MaEcTPo (olegik-ua) wrote :

Hello,

why it has Low importance?

Here is the same bug for Gnome, but it's fixed and, as described, this bug affects lots of people.
https://bugs.launchpad.net/ubuntu/+source/network-manager-applet/+bug/1579246

I'm affected by this bug every 3 months after my corporate password is expired.

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in network-manager (Ubuntu):
status: New → Confirmed
MaEcTPo (olegik-ua) on 2017-01-16
information type: Public → Public Security
StuS (stu26code) wrote :

Finally got around to filing upstream:

https://bugzilla.gnome.org/show_bug.cgi?id=779201

(as part of my periodic TLS cert renewal, I had to look up this bug to reference my workaround - it might be nice if their was some clear documentation in man NetworkManager.conf on the "private-key-password" config key)

StuS (stu26code) wrote :

Also, re-reading this revealed the bug has slightly changed:

Note this time around, the password seems to re-appear in the GUI after being entered - however, it's not stored in the conf file, and I'm promoted to enter it upon reboot, so it's now:

  - storing it somewhere (maybe somewhere preferrable to a globally readable file!)
  - and then not using it upon reboot.

After entering it in the conf file, it started working again, upon reboot.

Note that this version has been updated to:

root@stuart:/etc/pam.d# apt list network-manager
Listing... Done
network-manager/xenial-updates,now 1.2.2-0ubuntu0.16.04.3 amd64 [installed,automatic]

So it's getting better, but not there yet.

To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.