| View previous topic :: View next topic |
| Author |
Message |
ppurka
Advocate
Joined: 26 Dec 2004
Posts: 3246
|
 Posted: Sat Dec 28, 2013 10:14 am Post subject: oh no! wifi passwordsare stored in plain text! |
 |
|
http://www.itworld.com/open-source/397843/did-ubuntu-goof-storing-wi-fi-passwords-clear-text
That is so incredibly bad! Now we need a pass-me-the-word-kit (pmtwkit) that will securely store our wifi passwords using 16384 bit one-way encryption. This will be futuristic kit using which networkmanager will be able to query for the password using dbus and pmtwkit will return you the password via dbus.
However, there is just one problem. All these low level wpa_supplicant, dhcpcd do not understand dbus and so do not fit this model. Dbus-aware networking component should be integrated with systemd to efficiently and transparently talk over dbus with networkmanager. After these changes wpa_supplicant, dhcp clients, etc will not be supported anymore. In the far future, we in fact need to merge nm into systemd so that there is no need to even use dbus. At that point we can deprecate pmtwkit.
_________________
emerge --quiet redefined | E17 vids: I, II | Now using e from git | e18, e19, and kde4 sucks :-/ |
|
| Back to top |
|
 |
Muso
l33t
Joined: 22 Oct 2002
Posts: 685
Location: The Holy city of Honolulu
|
| Posted: Sat Dec 28, 2013 10:18 am Post subject: Re: oh no! wifi passwordsare stored in plain text! |
|
|
| ppurka wrote: | | That is so incredibly bad! |
Beyond bad, it's stupid.
_________________
People Of Love
Kindness Evokes Kindness
Peace Emits Positive Energy |
|
| Back to top |
|
|
Bones McCracker
Veteran
Joined: 14 Mar 2006
Posts: 1593
Location: U.S.A.
|
| Posted: Sat Dec 28, 2013 1:12 pm Post subject: Re: oh no! wifi passwordsare stored in plain text! |
|
|
| ppurka wrote: | http://www.itworld.com/open-source/397843/did-ubuntu-goof-storing-wi-fi-passwords-clear-text
That is so incredibly bad! Now we need a pass-me-the-word-kit (pmtwkit) that will securely store our wifi passwords using 16384 bit one-way encryption. This will be futuristic kit using which networkmanager will be able to query for the password using dbus and pmtwkit will return you the password via dbus.
However, there is just one problem. All these low level wpa_supplicant, dhcpcd do not understand dbus and so do not fit this model. Dbus-aware networking component should be integrated with systemd to efficiently and transparently talk over dbus with networkmanager. After these changes wpa_supplicant, dhcp clients, etc will not be supported anymore. In the far future, we in fact need to merge nm into systemd so that there is no need to even use dbus. At that point we can deprecate pmtwkit. |
What is sad is that this is frighteningly close to the truth. It makes me want to bang my head on the table. |
|
| Back to top |
|
|
ppurka
Advocate
Joined: 26 Dec 2004
Posts: 3246
|
| Posted: Sat Dec 28, 2013 1:57 pm Post subject: Re: oh no! wifi passwordsare stored in plain text! |
|
|
| BoneKracker wrote: | | What is sad is that this is frighteningly close to the truth. It makes me want to bang my head on the table. |
It's a reflection of the past projected on to the future. 
_________________
emerge --quiet redefined | E17 vids: I, II | Now using e from git | e18, e19, and kde4 sucks :-/ |
|
| Back to top |
|
|
salahx
Guru
Joined: 12 Mar 2005
Posts: 428
|
| Posted: Sat Dec 28, 2013 8:43 pm Post subject: |
|
|
The files (though not the directory itself) /etc/NetworkManager/system-connection has permissions of 600, so only root can read them anyway. So this is a non-concern.
Second, pmtwkit already exists (although i am unsure if its been implemented or not) - http://freedesktop.org/wiki/Specifications/secret-storage-spec/ . Although that service is a per-user service, it would make less sense to create a system one since the user keyring are encrypted using the user's password, no such password exists (unless the system has a TPM or similar) on the system so it no better than what's already being done now. |
|
| Back to top |
|
|
wswartzendruber
Veteran
Joined: 23 Mar 2004
Posts: 1240
Location: ID, USA
|
| Posted: Sat Dec 28, 2013 8:53 pm Post subject: |
|
|
| I'm also trying to understand what the big deal is. |
|
| Back to top |
|
|
pjp
Administrator
Joined: 16 Apr 2002
Posts: 16362
Location: Rivendell
|
| Posted: Sat Dec 28, 2013 11:43 pm Post subject: Re: oh no! wifi passwordsare stored in plain text! |
|
|
| ppurka wrote: | | Now we need [...] However, there is just one problem. All these [...] do not fit this model. |
systemd.
_________________
45 |
|
| Back to top |
|
|
Greens
n00b
Joined: 23 Aug 2013
Posts: 27
|
| Posted: Sun Dec 29, 2013 3:58 pm Post subject: |
|
|
It actually requires root access to read it.
If someone suspicious has root access to your computer or is sitting there booting a livecd to look at your unencrypted disk, I don't think they care much about your wifi password, maybe they'd check it to see if your using it for anything else. |
|
| Back to top |
|
|
Bones McCracker
Veteran
Joined: 14 Mar 2006
Posts: 1593
Location: U.S.A.
|
| Posted: Sun Dec 29, 2013 8:28 pm Post subject: |
|
|
| Yeah, fuck it. |
|
| Back to top |
|
|
Naib
Advocate
Joined: 21 May 2004
Posts: 4950
Location: Removed by Neddy
|
| Posted: Sun Dec 29, 2013 8:55 pm Post subject: |
|
|
| Greens wrote: | It actually requires root access to read it.
If someone suspicious has root access to your computer or is sitting there booting a livecd to look at your unencrypted disk, I don't think they care much about your wifi password, maybe they'd check it to see if your using it for anything else. |
exactly... as wswartzendruber posted as well...
thats why I don't mind my samba credential files are "plain text" since they are 600 anyway...
for them to read that and my wifi files... some srs issues must have occured. Nice if they were encrypted BUT if non-root users or non-root process do not need to read them then ... its a problem for another day rather than feeding the sysd monster pushing into the linux userland.
_________________
The best argument against democracy is a five-minute conversation with the average voter
Great Britain is a republic, with a hereditary president, while the United States is a monarchy with an elective king |
|
| Back to top |
|
|
Bones McCracker
Veteran
Joined: 14 Mar 2006
Posts: 1593
Location: U.S.A.
|
| Posted: Sun Dec 29, 2013 9:35 pm Post subject: |
|
|
| Yeah, that's all the security anybody needs: root access or no root access. |
|
| Back to top |
|
|
ppurka
Advocate
Joined: 26 Dec 2004
Posts: 3246
|
| Posted: Mon Dec 30, 2013 7:14 am Post subject: |
|
|
I guess the ubuntu guys panic because of the bad way sudo is (mis)configured in their systems - any command can be run with sudo, and once credentials are provided, the user remains authenticated for about 15 or so minutes.
Ideally, they either should enable sudo only for some very specific applications by default (package manager, system settings like time, etc), OR they should simply not enable sudo with a timeout. Ask for the user password every single time one needs to access anything using sudo.
_________________
emerge --quiet redefined | E17 vids: I, II | Now using e from git | e18, e19, and kde4 sucks :-/ |
|
| Back to top |
|
|
|
Off the Wall
