| View previous topic :: View next topic |
| Author |
Message |
ppurka
Advocate
Joined: 26 Dec 2004
Posts: 3229
|
 Posted: Sat Dec 28, 2013 10:14 am Post subject: oh no! wifi passwordsare stored in plain text! |
 |
|
http://www.itworld.com/open-source/397843/did-ubuntu-goof-storing-wi-fi-passwords-clear-text
That is so incredibly bad! Now we need a pass-me-the-word-kit (pmtwkit) that will securely store our wifi passwords using 16384 bit one-way encryption. This will be futuristic kit using which networkmanager will be able to query for the password using dbus and pmtwkit will return you the password via dbus.
However, there is just one problem. All these low level wpa_supplicant, dhcpcd do not understand dbus and so do not fit this model. Dbus-aware networking component should be integrated with systemd to efficiently and transparently talk over dbus with networkmanager. After these changes wpa_supplicant, dhcp clients, etc will not be supported anymore. In the far future, we in fact need to merge nm into systemd so that there is no need to even use dbus. At that point we can deprecate pmtwkit.
_________________
emerge --quiet redefined | E17 vids: I, II | Now using e17 | e18, e19, and kde4 sucks :-/ |
|
| Back to top |
|
 |
Muso
l33t
Joined: 22 Oct 2002
Posts: 656
Location: The Holy city of Honolulu
|
| Posted: Sat Dec 28, 2013 10:18 am Post subject: Re: oh no! wifi passwordsare stored in plain text! |
|
|
| ppurka wrote: | | That is so incredibly bad! |
Beyond bad, it's stupid.
_________________
I, for one, am glad to be living on a planet with 776x the mass of the super-massive black hole at the center of the milky way just to keep Neptune in its daily orbit around the Earth.
auf alten Schiffen lernt man Segeln. |
|
| Back to top |
|
|
Bones McCracker
Veteran
Joined: 14 Mar 2006
Posts: 1570
Location: U.S.A.
|
| Posted: Sat Dec 28, 2013 1:12 pm Post subject: Re: oh no! wifi passwordsare stored in plain text! |
|
|
| ppurka wrote: | http://www.itworld.com/open-source/397843/did-ubuntu-goof-storing-wi-fi-passwords-clear-text
That is so incredibly bad! Now we need a pass-me-the-word-kit (pmtwkit) that will securely store our wifi passwords using 16384 bit one-way encryption. This will be futuristic kit using which networkmanager will be able to query for the password using dbus and pmtwkit will return you the password via dbus.
However, there is just one problem. All these low level wpa_supplicant, dhcpcd do not understand dbus and so do not fit this model. Dbus-aware networking component should be integrated with systemd to efficiently and transparently talk over dbus with networkmanager. After these changes wpa_supplicant, dhcp clients, etc will not be supported anymore. In the far future, we in fact need to merge nm into systemd so that there is no need to even use dbus. At that point we can deprecate pmtwkit. |
What is sad is that this is frighteningly close to the truth. It makes me want to bang my head on the table.
_________________
Deja Moo: the feeling that you've heard this bull before |
|
| Back to top |
|
|
ppurka
Advocate
Joined: 26 Dec 2004
Posts: 3229
|
| Posted: Sat Dec 28, 2013 1:57 pm Post subject: Re: oh no! wifi passwordsare stored in plain text! |
|
|
| BoneKracker wrote: | | What is sad is that this is frighteningly close to the truth. It makes me want to bang my head on the table. |
It's a reflection of the past projected on to the future. 
_________________
emerge --quiet redefined | E17 vids: I, II | Now using e17 | e18, e19, and kde4 sucks :-/ |
|
| Back to top |
|
|
salahx
Guru
Joined: 12 Mar 2005
Posts: 422
|
| Posted: Sat Dec 28, 2013 8:43 pm Post subject: |
|
|
The files (though not the directory itself) /etc/NetworkManager/system-connection has permissions of 600, so only root can read them anyway. So this is a non-concern.
Second, pmtwkit already exists (although i am unsure if its been implemented or not) - http://freedesktop.org/wiki/Specifications/secret-storage-spec/ . Although that service is a per-user service, it would make less sense to create a system one since the user keyring are encrypted using the user's password, no such password exists (unless the system has a TPM or similar) on the system so it no better than what's already being done now. |
|
| Back to top |
|
|
wswartzendruber
Veteran
Joined: 23 Mar 2004
Posts: 1233
Location: Jefferson, USA
|
| Posted: Sat Dec 28, 2013 8:53 pm Post subject: |
|
|
| I'm also trying to understand what the big deal is. |
|
| Back to top |
|
|
pjp
Administrator
Joined: 16 Apr 2002
Posts: 16117
Location: Colorado
|
| Posted: Sat Dec 28, 2013 11:43 pm Post subject: Re: oh no! wifi passwordsare stored in plain text! |
|
|
| ppurka wrote: | | Now we need [...] However, there is just one problem. All these [...] do not fit this model. |
systemd.
_________________
lolgov. 'cause where we're going, you don't have civil liberties.
In Loving Memory
1787 - 2008 |
|
| Back to top |
|
|
Greens
n00b
Joined: 23 Aug 2013
Posts: 27
|
| Posted: Sun Dec 29, 2013 3:58 pm Post subject: |
|
|
It actually requires root access to read it.
If someone suspicious has root access to your computer or is sitting there booting a livecd to look at your unencrypted disk, I don't think they care much about your wifi password, maybe they'd check it to see if your using it for anything else. |
|
| Back to top |
|
|
Bones McCracker
Veteran
Joined: 14 Mar 2006
Posts: 1570
Location: U.S.A.
|
| Posted: Sun Dec 29, 2013 8:28 pm Post subject: |
|
|
Yeah, fuck it.
_________________
Deja Moo: the feeling that you've heard this bull before |
|
| Back to top |
|
|
Naib
Advocate
Joined: 21 May 2004
Posts: 4336
Location: Removed by Neddy
|
| Posted: Sun Dec 29, 2013 8:55 pm Post subject: |
|
|
| Greens wrote: | It actually requires root access to read it.
If someone suspicious has root access to your computer or is sitting there booting a livecd to look at your unencrypted disk, I don't think they care much about your wifi password, maybe they'd check it to see if your using it for anything else. |
exactly... as wswartzendruber posted as well...
thats why I don't mind my samba credential files are "plain text" since they are 600 anyway...
for them to read that and my wifi files... some srs issues must have occured. Nice if they were encrypted BUT if non-root users or non-root process do not need to read them then ... its a problem for another day rather than feeding the sysd monster pushing into the linux userland.
_________________
the table is made from wood. forget what you learnt, the table is made from carbon. forget what you learnt, the table is made from protons. forget what you learnt, the table is made from quarks. forget what you learnt, the table is good for shagging on |
|
| Back to top |
|
|
Bones McCracker
Veteran
Joined: 14 Mar 2006
Posts: 1570
Location: U.S.A.
|
| Posted: Sun Dec 29, 2013 9:35 pm Post subject: |
|
|
Yeah, that's all the security anybody needs: root access or no root access.
_________________
Deja Moo: the feeling that you've heard this bull before |
|
| Back to top |
|
|
ppurka
Advocate
Joined: 26 Dec 2004
Posts: 3229
|
| Posted: Mon Dec 30, 2013 7:14 am Post subject: |
|
|
I guess the ubuntu guys panic because of the bad way sudo is (mis)configured in their systems - any command can be run with sudo, and once credentials are provided, the user remains authenticated for about 15 or so minutes.
Ideally, they either should enable sudo only for some very specific applications by default (package manager, system settings like time, etc), OR they should simply not enable sudo with a timeout. Ask for the user password every single time one needs to access anything using sudo.
_________________
emerge --quiet redefined | E17 vids: I, II | Now using e17 | e18, e19, and kde4 sucks :-/ |
|
| Back to top |
|
|
|
Off the Wall
