Visible PSK entry in auth-dialog
Should not a PSK entry be hidden and not available for editing in auth-dialog? As I remember, in version 1.2.10 the field was hidden. Are there any reasons for making it visible?
Now, as an unprivileged user I can easily steal or change a pre-shared key. Probably it is not recommended for big companies using the l2tp plugin.
With NetworkManager-l2tp 1.20.0 and commit https://github.com/nm-l2tp/NetworkManager-l2tp/commit/5de6e5d2988fb74fa6570baeadf26de8aa538365 the PSK is stored as a VPN secret (like with the user password), although backwards compatibility was kept for older config files and other L2TP GUI frontends (i.e. not the GTK 3 & 4 plug-ins and auth dialog box from this repository). Some of the reasons for moving the PSK from a VPN data field to a VPN secret were described in issue https://github.com/nm-l2tp/NetworkManager-l2tp/issues/78
But there were still issues described in https://github.com/nm-l2tp/NetworkManager-l2tp/issues/188, I think those issues were fixed with commit https://github.com/nm-l2tp/NetworkManager-l2tp/commit/ee584113d6a67cc475cba834668be5830d6af581 which was introduced with NetworkManager-l2tp 1.20.18.
Prior to NetworkManager-l2tp 1.20.0, an unprivileged user could see the PSK by issuing something like the following to see all of the VPN connection's properties including the PSK:
nmcli conn show id 'My VPN Connection'
The username and PSK dialog box is a NMAVpnPasswordDialog from libnma.
I'm investigating if there is some way to disable the eyeball for viewing the password or PSK with NMAVpnPasswordDialog.
With Ubuntu 24.04 I'm having issues reproducing the issue as an unprivileged user as I'm not able to establish a VPN connection for a shared VPN connection that has the PSK stored for all users, unless I first enter admin credentials to allow a VPN connection. I will try with other Linux distros.
Cheers, Doug
Here is a workaround to get the old behavior with the auth dialog box.
Edit your .nmconnection VPN file, e.g.:
sudo vi /etc/NetworkManager/system-connections/testVPN.nmconnection
Delete any ipsec-psk line under the [vpn-secrets] section.
Under the [vpn] section, add an ipsec-psk line to have the actual PSK and modify the ipsec-psk-flags to be 4, like:
ipsec-psk=psk123
ipsec-psk-flags=4
After you have finished editing that file, issue the following for the change to take effect:
sudo nmcli conn reload
As mentioned previously, non-admin users will still be able to issue the following, which will show ipsec-psk's value in the [vpn] data section:
nmcli conn show id 'My VPN Connection'
Also, if non-admin users can open the VPN editor plug-in, then they can see the PSK; on some desktop environments, admin credentials are required to get to the VPN editor plug-in.
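A small audit of where the PSK lives in a .nmconnection keyfile, added here as an example and not code from the NetworkManager-l2tp project; the minimal parser and the two sample files are constructed for illustration and mirror the layouts discussed above:

```python
"""Report whether an L2TP IPsec PSK sits in the [vpn] data section (where,
as noted above, 'nmcli conn show' prints it to any user) or in [vpn-secrets].
Added example; the parser below is a deliberately minimal keyfile reader."""


def parse_keyfile(text):
    """Minimal GLib keyfile parser: returns {section: {key: value}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip()] = value.strip()
    return sections


def audit_psk(text):
    """Return ('exposed', flags) if ipsec-psk is in [vpn] data,
    ('secret', flags) if it is in [vpn-secrets], else ('none', flags)."""
    kf = parse_keyfile(text)
    vpn = kf.get("vpn", {})
    flags = vpn.get("ipsec-psk-flags", "0")  # NM secret flags, default 0
    if "ipsec-psk" in vpn:
        return "exposed", flags
    if "ipsec-psk" in kf.get("vpn-secrets", {}):
        return "secret", flags
    return "none", flags


# Constructed sample: the workaround layout (PSK in [vpn] data, flags=4).
WORKAROUND = """[connection]
id=testVPN
type=vpn

[vpn]
ipsec-enabled=yes
ipsec-psk=psk123
ipsec-psk-flags=4
"""

# Constructed sample: PSK stored as a VPN secret (1.20.0+ layout).
SECRET = """[connection]
id=testVPN
type=vpn

[vpn]
ipsec-enabled=yes
ipsec-psk-flags=0

[vpn-secrets]
ipsec-psk=psk123
"""
```

Running audit_psk over the files in /etc/NetworkManager/system-connections/ gives a quick inventory of which shared connections still carry the PSK as plain data.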
Hello. Sorry for the late reply. What would you say about this workaround?
--- a/auth-dialog/main.c 2021-10-10 14:17:52.000000000 +0300
+++ b/auth-dialog/main.c 2025-03-07 14:56:51.667928090 +0300
@@ -601,6 +601,7 @@
return EXIT_FAILURE;
}
+ need_psk = !existing_psk && need_psk;
finish_func(vpn_name,
prompt,
allow_interaction,
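Review bot: the `---` header shows the base file dated 2021-10-10, while this thread says the PSK handling changed in 1.20.18 (commit ee584113), so the hunk should be rebased against the current auth-dialog/main.c before it can be judged. On the logic itself, `need_psk = !existing_psk && need_psk;` suppresses the prompt whenever any PSK is already present in the secrets, so a wrong or stale stored PSK can never be re-entered through the dialog; if that is intended, an explicit `if (existing_psk) need_psk = FALSE;` with a short comment stating why would make the intent clearer to the next reader.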
It makes the pre-shared key not be shown in case "ipsec-psk" is populated with data in nm-connection-editor.
As I investigated, the value of "ipsec-psk" is passed in secrets considering my edits.
printf("Value = %s\n", secret->value);
g_variant_builder_add (&req_data->secrets_builder, "{ss}",
secret->name,
secret->value);
I will be extremely grateful for your comments.
Sorry I haven't had a chance to try the code out yet, maybe will try this weekend.