[solved] networkmanager unclear ebuild msg re: psk-flags=1

[equaeghe]

I updated my system today and in a triggered rebuild of networkmanager, I got

Code: Select all

 * Messages for package net-misc/networkmanager-1.0.2-r1:

 * You have psk-flags=1 setting in above files, you will need to
 * either reconfigure affected networks or, at least, set the flag
 * value to '0'.

Given that there are no ‘above files’ mentioned, I have no clear idea what I should do. Can anybody give me a pointer?

[Fitzcarraldo]

It is referring to the files in the directory /etc/NetworkManager/system-connections/

Excerpts from man nm-settings:

Code: Select all

Table 26. 802-11-wireless-security setting

Code: Select all

       ├────────────────────┼───────────────────────┼──────────────────────────┼─────────────────────────────┤
       │psk-flags           │ NMSettingSecretFlags  │                          │ Flags indicating how to     │
       │                    │ (uint32)              │                          │ handle the "psk" property.  │
       │                    │                       │                          │ (see the section called     │
       │                    │                       │                          │ “Secret flag types:” for    │
       │                    │                       │                          │ flag values)                │
       ├────────────────────┼───────────────────────┼──────────────────────────┼─────────────────────────────┤

Code: Select all

  Secret flag types:
       Each secret property in a setting has an associated flags property that describes how to handle that secret. The flags property is
       a bitfield that contains zero or more of the following values logically OR-ed together.

       ·   0x0 (none) - the system is responsible for providing and storing this secret.

       ·   0x1 (agent-owned) - a user-session secret agent is responsible for providing and storing this secret; when it is required,
           agents will be asked to provide it.

       ·   0x2 (not-saved) - this secret should not be saved but should be requested from the user each time it is required. This flag
           should be used for One-Time-Pad secrets, PIN codes from hardware tokens, or if the user simply does not want to save the
           secret.

       ·   0x4 (not-required) - in some situations it cannot be automatically determined that a secret is required or not. This flag
           hints that the secret is not required and should not be requested from the user.

Excerpt from the blog post http://lauri.võsandi.com/cfgmgmt/networ ... tions.html

There is also psk-flags=1 which means that NetworkManager won't store the secret (WPA2 pre-shared key) for this wireless network. Instead that task is delegated to the nm-applet which in turn uses GNOME keyring daemon to fetch the secrets from user's wallet. This way the secrets are stored in the user's home directory in an encrypted fashion assuming the uses sets the passphrase for his wallet properly. To store the secret in the NetworkManager configuration you need to add psk=secret to the configuration AND remove the psk-flags=1 line.

[equaeghe]

Excerpt from the blog post http://lauri.võsandi.com/cfgmgmt/networ ... tions.html

There is also psk-flags=1 which means that NetworkManager won't store the secret (WPA2 pre-shared key) for this wireless network. Instead that task is delegated to the nm-applet which in turn uses GNOME keyring daemon to fetch the secrets from user's wallet. This way the secrets are stored in the user's home directory in an encrypted fashion assuming the uses sets the passphrase for his wallet properly. To store the secret in the NetworkManager configuration you need to add psk=secret to the configuration AND remove the psk-flags=1 line.

But I want the functionality provided by psk=1. So why does the ebuild message instruct me to reconfigure the connection?

[Fitzcarraldo]

Well, according to the ebuild contents:

Code: Select all

# NM shows lots of errors making nmcli neither unusable, bug #528748 upstream bug #690457
if grep -r "psk-flags=1" "${EROOT}"/etc/NetworkManager/; then
        ewarn "You have psk-flags=1 setting in above files, you will need to"
        ewarn "either reconfigure affected networks or, at least, set the flag"
        ewarn "value to '0'."
fi

If you look at the Gentoo bug report referred to in the ebuild, and the GNOME bug report (especially Comments 8, 9 and 10) referred to in the ebuild, 'psk-flags=1' should be replaced by 'psk=<password>' so that the 'nmcli' command works properly. That's all I know.

[equaeghe]

Thanks, Fitzcarraldo. I've added some info to Bug 528748 that may be useful.

[Fitzcarraldo]

If you don't like the password to be stored in plain text in the files in /etc/NetworkManager/system-connections/ (and I don't blame you), the Arch Linux Wiki article for NetworkManager has the following:

https://wiki.archlinux.org/index.php/Ne ... _passwords

Encrypted Wi-Fi passwords

By default, NetworkManager stores passwords in clear text in the connection files at /etc/NetworkManager/system-connections/. To print the stored passwords, use the following command:

Code: Select all

# grep -H '^psk=' /etc/NetworkManager/system-connections/*

The passwords are accessible to the root user in the filesystem and to users with access to settings via the GUI (e.g. nm-applet).

If it is preferable to save the passwords in encrypted form instead of clear text, this can be achieved by storing them in a keyring which NetworkManager then queries for the passwords. A suggested keyring daemon is GNOME Keyring or (for KDE specifically) KDE Wallet. The keyring daemon has to be started and the keyring needs to be unlocked for the following to work.

Furthermore, NetworkManager needs to be configured not to store the password for all users. Using GNOME nm-applet, run nm-connection-editor from a terminal, select a network connection, click Edit, select the Wifi-Security tab and click on the right icon of password and check Store the password for this user. Using KDE's kdeplasma-applets-plasma-nm, click the applet, click on the top right Settings icon, double click on a network connection, in the General settings tab, untick all users may connect to this network. If the option is ticked, the passwords will still be stored in clear text, even if a keyring daemon is running.

If the option was selected previously and you un-tick it, you may have to use the reset option first to make the password disappear from the file. Alternatively, delete the connection first and set it up again.

The downside of using the keyring is that the connections have to be set up for each user.

In my case I had configured my laptop's various Wi-Fi connections in KDE using the plasma-nm widget, and I did have 'psk-flags=1' without 'psk=<password>' in most of my Wi-Fi system-connections files but found 'psk=<password>' and no 'psk-flags=' in a connection I created recently. I don't have 'All users may connect to this network' ticked for any of them (but that's because I unticked it for each connection, if I recall correctly). Anyway, I don't normally use nmcli and I wonder whether it actually works properly these days with 'psk-flags=1' in the Wi-Fi system-connections files (the Gentoo and GNOME bug reports were issued regarding 0.9.x versions of NetworkManager). In other words, I wonder whether the warning about 'psk-flags=1' when one installs/upgrades NetworkManager is actually no longer valid.

[equaeghe]

[...], I wonder whether the warning about 'psk-flags=1' when one installs/upgrades NetworkManager is actually no longer valid.

Well, it seems to me that psk-flags=1 should still be valid:

https://developer.gnome.org/libnm/stabl ... OWNED:CAPS

The problem seems to be in nm-cli, or am I wrong?

[Fitzcarraldo]

No, you're not wrong.

That's what I'm saying: I wonder if the bug [with the nmcli part of the networkmanager package] has been fixed since networkmanager-0.9.x and if, actually, that warning message about 'psk-flags=1' displayed by the later ebuilds is no longer valid.

man nmcli shows that nmcli has a lot of functionality. I don't normally use nmcli, but if I try a few of the nmcli commands I don't see any problems with its output even if I have 'psk-flags=1' in the Wi-Fi system-connections files. Hence my speculation that the ebuild ewarn message is no longer valid. I would be tempted to file a bug report against the networkmanager-1.0.2-r1 ebuild and later versions (I'm using 1.0.6 now) to tell the Gentoo developers to remove the 'psk-flags=1' ewarn message from the ebuild. However, as I do not use the nmcli command, I don't know if all the problems with it in 0.9.x have been resolved in the later releases. I will therefore leave it to a nmcli user to file such a bug report.

Anyway, the bottom line as far as I'm concerned is that I will leave the 'psk-flags=1' line in my Wi-Fi system-connections files, continue to use the KDE Wallet to store the passwords, and ignore the ewarn message about 'psk-flags=1' displayed by the networkmanager-1.0.2-r1 and networkmanager-1.0.6 ebuilds (I have not tried using networkmanager-1.0.4-r1).

Code: Select all

$ eix -I networkmanager
[I] net-misc/networkmanager
     Available versions:  1.0.2-r1 ~1.0.4-r1 1.0.6 {bluetooth connection-sharing consolekit +dhclient dhcpcd gnutls +introspection +modemmanager ncurses +nss +ppp resolvconf selinux systemd teamd test vala +wext +wifi zeroconf ABI_MIPS="n32 n64 o32" ABI_PPC="32 64" ABI_S390="32 64" ABI_X86="32 64 x32" KERNEL="linux"}
     Installed versions:  1.0.6(02:47:13 14/09/15)(bluetooth consolekit dhclient introspection modemmanager ncurses nss ppp wext wifi zeroconf -connection-sharing -dhcpcd -gnutls -resolvconf -selinux -systemd -teamd -test -vala ABI_MIPS="-n32 -n64 -o32" ABI_PPC="-32 -64" ABI_S390="-32 -64" ABI_X86="64 -32 -x32" KERNEL="linux")
     Homepage:            https://wiki.gnome.org/Projects/NetworkManager
     Description:         Universal network configuration daemon for laptops, desktops, servers and virtualization hosts