IPsec Pre-shared key stored as plain text
Your version 1.20.0 release note says:
> Store PSK as a VPN secret, ...
This doesn't work with GNU/Linux distributions like
- Debian 10.9.0 "Buster" (network-manager-l2tp 1.20.2)
- Ubuntu 22.04 "Focal Fossa" (network-manager-l2tp 1.20.0)
- Linux Mint 20.3 "Una" (network-manager-l2tp 1.20.4)
There is a "Store the password only for this user" option for both the VPN user password and the IPsec settings pre-shared key, but only the user password gets stored in the keyring. The IPsec PSK can still be found as plain text in the NetworkManager configuration file.
Same problem here, the IPsec PSK is still stored within the configuration file (Arch Linux, networkmanager-l2tp 1.20.16-1). The VPN connection was created with nm-connection-editor 1.36.0-1.
@sh3bang
When the "Store the password only for this user" option is selected for either the user password or the PSK, they shouldn't be stored in the corresponding .nmconnection config file.
When the "Store the password for all users" is selected, then NetworkManager stores the user password or the PSK under the [vpn-secrets] section of the .nmconnection config file.
The above Store options are available by clicking on the person/people icon in the right of the password or PSK text boxes.
NetworkManager-l2tp used to do its own thing and store the PSK under the [vpn] section of the .nmconnection config file; newer versions let NetworkManager handle the PSK the same way the user password is handled.
NetworkManager does the same thing with WiFi passwords and "Store the password for all users" option.
Are you using the "Store the password only for this user" option? If you are, it's definitely a bug. Unfortunately I'm not able to reproduce it on the Linux distros I've just tested with, but I didn't test with Arch Linux.
@dkosovic I have double checked that case (Linux Mint and Manjaro Linux):
"Store the password for all users" is unchecked and "Store the password only for this user" is checked (the option next to the PSK input field). The PSK is still stored in the [vpn-secrets] section of /etc/NetworkManager/system-connections/<Name of VPN Connection>.nmconnection
Only the user password is saved to the user's keyring.
PS: The WiFi PSK is saved to GNOME Keyring, no problems!
@sh3bang
I updated my Arch Linux VM to the latest and wasn't able to reproduce the issue. I suspect we are using different secret service agents (e.g. KeePassXC, KSecretsService, GNOME Keyring, etc.), so we might be seeing different behaviours, especially since ipsec-psk-flags=0 isn't getting recorded under the [vpn] section when "Store the password only for this user" is selected (ipsec-psk-flags=1 is correctly getting recorded when "Store the password for all users" is selected).
So, I think fixing the code so that ipsec-psk-flags=0 gets recorded in the [vpn] section, i.e. the vpn.data field, is a good starting point to fix the issue. At least it'll then be consistent with password-flags=0, which is getting recorded.
I wasn't the author of the code that migrated ipsec-psk from the [vpn] section to the [vpn-secrets] section:
- https://github.com/nm-l2tp/NetworkManager-l2tp/issues/78
- https://github.com/nm-l2tp/NetworkManager-l2tp/commit/5de6e5d2988fb74fa6570baeadf26de8aa538365
But I was responsible for the commit that originally closed this issue and had the following code:
```c
if (pw_flags != NM_SETTING_SECRET_FLAG_NONE) {
    g_hash_table_insert(hash,
                        g_strdup(NM_L2TP_KEY_IPSEC_PSK "-flags"),
                        g_strdup_printf("%d", pw_flags));
}
```
I suspect there shouldn't be an `if (pw_flags != NM_SETTING_SECRET_FLAG_NONE) {` conditional, so that ipsec-psk-flags is always getting recorded in the [vpn] section.
I just want to do a bit more testing before committing the code.
@sh3bang I have double checked again (Linux Mint and Manjaro Linux).
On Manjaro the PSK can suddenly be stored correctly in gnome-keyring and removed from the .nmconnection config file (while ipsec-psk-flags=1 is added to the .nmconnection config file) when choosing the option to save the PSK just for the current user. But I did nothing! (installed package nm-connection-editor 1.36.0-1; maybe updated!?)
On Linux Mint nothing changed, the PSK persists in the config file (installed package network-manager-gnome 1.24.0+mint2+vanessa). The ipsec-psk-flags flag is always removed from the config file.
Ahh, that behavior is starting to make more sense to me.
nm-connection-editor and nm-applet use the GTK3 plug-in from this repository. Newer GNOME Control Center versions use the GTK4 plug-in from this repository. Both the GTK3 and GTK4 L2TP plug-ins know about the ipsec-psk-flags option. I'm using GNOME Desktop which uses GNOME Control Center.
Other L2TP plug-ins from elsewhere like the Qt plug-in from plasma-nm don't know about ipsec-psk-flags, so any unknown options get dropped from the config file as soon as you try to establish a VPN connection.
Sorry, I have no idea which L2TP plug-in the Linux Mint Cinnamon Control Center uses. I would think either the GTK3 or GTK4 plug-in.
I'm also not sure if Linux Mint is like Ubuntu 24.04, which switched to Netplan, so that NetworkManager connection profiles are now Netplan YAML. But that shouldn't matter.
I think this issue might be fixed now with commit https://github.com/nm-l2tp/NetworkManager-l2tp/commit/ee584113d6a67cc475cba834668be5830d6af581
Or at least the behavior of the PSK should now be the same as the L2TP user password.
libnm's enum for the secret flags:
```c
typedef enum {
    NM_SETTING_SECRET_FLAG_NONE         = 0x00000000,
    NM_SETTING_SECRET_FLAG_AGENT_OWNED  = 0x00000001,
    NM_SETTING_SECRET_FLAG_NOT_SAVED    = 0x00000002,
    NM_SETTING_SECRET_FLAG_NOT_REQUIRED = 0x00000004
} NMSettingSecretFlags;
```
ipsec-psk-flags=0 corresponds to NM_SETTING_SECRET_FLAG_NONE, which means the system is responsible for providing and storing this secret. I think the system is things like gnome-control-center, cinnamon-control-center, etc.
ipsec-psk-flags=1 corresponds to NM_SETTING_SECRET_FLAG_AGENT_OWNED, which means a user secret agent is responsible for providing and storing this secret; when it is required, agents will be asked to retrieve it.
There was also another commit https://github.com/nm-l2tp/NetworkManager-l2tp/commit/b9ba6a69fc4af37511780f7f935c144f2d2b2b9c, to make the l2tp VPN editor plug-in work with cinnamon-control-center.
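Added example, not NetworkManager-l2tp or libnm code: a small C model of the write-out logic discussed in this thread, plus an audit helper a defender can run over the text of a `.nmconnection` keyfile. The enum mirrors the libnm values quoted above; `render_psk_keyfile`, `keyfile_has_plaintext_psk` and the keyfile contents they produce or scan are hypothetical and constructed for illustration. The writer records `ipsec-psk-flags` unconditionally (the change proposed earlier in the thread) and puts the PSK value into `[vpn-secrets]` only when the flags are `NM_SETTING_SECRET_FLAG_NONE`, i.e. when the system rather than a user secret agent owns the secret. The audit reports a PSK found in plain text under either `[vpn]` (where older NetworkManager-l2tp stored it) or `[vpn-secrets]`.

```c
#include <stdio.h>
#include <string.h>

/* Mirrors the libnm NMSettingSecretFlags values quoted in the thread. */
typedef enum {
    NM_SETTING_SECRET_FLAG_NONE         = 0x00000000,
    NM_SETTING_SECRET_FLAG_AGENT_OWNED  = 0x00000001,
    NM_SETTING_SECRET_FLAG_NOT_SAVED    = 0x00000002,
    NM_SETTING_SECRET_FLAG_NOT_REQUIRED = 0x00000004
} NMSettingSecretFlags;

/* Hypothetical writer (not the plug-in's own code): renders the [vpn] and
 * [vpn-secrets] parts of a .nmconnection keyfile for one IPsec PSK.
 * The flags key is always written, so a reader can tell who owns the secret.
 * The PSK value itself is written only for NONE (system-owned storage);
 * AGENT_OWNED, NOT_SAVED and NOT_REQUIRED keep it out of the file.
 * Returns the number of characters written, or -1 if the buffer is too small. */
int render_psk_keyfile(const char *psk, NMSettingSecretFlags flags,
                       char *out, size_t outlen)
{
    int n = snprintf(out, outlen,
                     "[vpn]\n"
                     "service-type=org.freedesktop.NetworkManager.l2tp\n"
                     "ipsec-psk-flags=%d\n",
                     (int) flags);
    if (n < 0 || (size_t) n >= outlen)
        return -1;

    if (flags == NM_SETTING_SECRET_FLAG_NONE) {
        int m = snprintf(out + n, outlen - (size_t) n,
                         "\n[vpn-secrets]\nipsec-psk=%s\n", psk);
        if (m < 0 || (size_t) m >= outlen - (size_t) n)
            return -1;
        n += m;
    }
    return n;
}

/* Hypothetical audit helper: returns 1 if the keyfile text carries an
 * "ipsec-psk=" line under [vpn] or [vpn-secrets] (PSK at rest in plain
 * text), 0 otherwise. Sections are tracked line by line, as in a keyfile;
 * "ipsec-psk-flags=" does not match because the key name is compared
 * including the '=' sign. */
int keyfile_has_plaintext_psk(const char *keyfile)
{
    const char *line = keyfile;
    int in_vpn_section = 0;

    while (*line) {
        const char *eol = strchr(line, '\n');
        size_t len = eol ? (size_t) (eol - line) : strlen(line);

        if (len > 0 && line[0] == '[') {
            in_vpn_section = (len == 5  && strncmp(line, "[vpn]", 5) == 0) ||
                             (len == 13 && strncmp(line, "[vpn-secrets]", 13) == 0);
        } else if (in_vpn_section && len > 10 &&
                   strncmp(line, "ipsec-psk=", 10) == 0) {
            return 1;
        }

        if (!eol)
            break;
        line = eol + 1;
    }
    return 0;
}

int main(void)
{
    /* Constructed PSK value; the two renders show the flag values side by side. */
    char buf[512];
    NMSettingSecretFlags cases[] = { NM_SETTING_SECRET_FLAG_NONE,
                                     NM_SETTING_SECRET_FLAG_AGENT_OWNED };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        if (render_psk_keyfile("example-psk", cases[i], buf, sizeof buf) < 0)
            return 1;
        printf("%s--> plaintext PSK on disk: %s\n\n", buf,
               keyfile_has_plaintext_psk(buf) ? "yes" : "no");
    }
    return 0;
}
```

Run as-is to see the two keyfile fragments; the agent-owned render contains `ipsec-psk-flags=1` but no `ipsec-psk=` line, which is the layout the thread describes when the PSK lands in the keyring.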