Old 08-06-2008, 02:49 PM
Leo Cacciari
 
Default Wireless Network Key

On Wed, 06/08/2008 at 10.06 -0400, Mark Haney wrote:
> Greg Lindstrom wrote:
> > Is there a way for me to enter my wireless network key so that I do
> > not need to enter it each time I connect? I'm running version 8.04.
> >
> > Thanks!
> > --greg
> >
>
> Bash is your friend. Just write a small shell script that includes the
> key. I do that for most of my wireless connections.
>
> But be warned, that's a potential security risk, so lock that script
> down tight.
>
>
This is excessively bad advice, and you even tell why it is bad. This is
done already by the GNOME network manager. If n-m is installed and it
does not work, then it is another problem, but normally in Ubuntu
wireless network works like that out of the box.

By the way, yours is bad advice even if the OP has not n-m installed and
does not wish to install it, as then standard scripts like if-up
*already* have a much more secure (well, less insecure at least) way to
do that by writing the key in the
/etc/network/interfaces file


Enjoy
--
Leo Cacciari
--
ubuntu-users mailing list
ubuntu-users@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-users
 
Old 08-06-2008, 03:10 PM
"Mark Haney"
 
Default Wireless Network Key

Leo Cacciari wrote:

>>
> This is excessively bad advice, and you even tell why it is bad. This is
> done already by the GNOME network manager. If n-m is installed and it
> does not work, then it is another problem, but normally in Ubuntu
> wireless network works like that out of the box.
>
> By the way, yours is bad advice even if the OP has not n-m installed and
> does not wish to install it, as then standard scripts like if-up
> *already* have a much more secure (well, less insecure at least) way to
> do that by writing the key in the
> /etc/network/interfaces file
>
>
> Enjoy
>

<soapbox>

I totally disagree. You really think having the key in
/etc/network/interfaces is any safer? Or having it in NM is safer?
You're out of your mind. Anyone who gets root access can dig it up and
steal it from anywhere those files are stored.

I never said anything other than a shell script CAN be used. I also
warn that it's a security risk and to lock it down tight. Do you really
think I don't know that? I deal with network security on a daily
basis. I have 100K users on our network that I have to keep safe.

The point is (and MY point is) this method is possible, but NOT
encouraged. He doesn't want to have to enter the key every time.
Entering the key every time IS the preferred and secure method of doing
this.

It's sort of like not wanting to key in a password every time and setting
autologin. That's just as insecure (from a network security standpoint)
as scripting the wireless key.

I don't see the advice is /bad/, so much as it isn't recommended and it
does include the disclaimer that it's not recommended. It's up to the
OP to determine if that is an acceptable risk. It is not for me to
decide that and withhold my information because I think it's a bad idea.

Now, had I simply said 'sure throw it in a shell script' and NOT warned
the OP of the security risk, then you have every right to point that
out. However, I believe in offering all alternatives ALONG with any
potential hazards therein.

So, flame all you want. I stand by my post in that it gives the OP
an alternative and a caveat to that so he can make up his own mind.
He's not a child (AFAIK) and can use that if he wishes. It's not up to
YOU to determine what's bad advice.

</soapbox>

--
Libenter homines id quod volunt credunt -- Caius Julius Caesar


Mark Haney
Sr. Systems Administrator
ERC Broadband
(828) 350-2415

Call (866) ERC-7110 for after hours support

 
Old 08-06-2008, 03:32 PM
Leo Cacciari
 
Default Wireless Network Key

On Wed, 06/08/2008 at 11.10 -0400, Mark Haney wrote:
> Leo Cacciari wrote:
>
> >>
> > This is excessively bad advice, and you even tell why it is bad. This is
> > done already by the GNOME network manager. If n-m is installed and it
> > does not work, then it is another problem, but normally in Ubuntu
> > wireless network works like that out of the box.
> >
> > By the way, yours is bad advice even if the OP has not n-m installed and
> > does not wish to install it, as then standard scripts like if-up
> > *already* have a much more secure (well, less insecure at least) way to
> > do that by writing the key in the
> > /etc/network/interfaces file
> >
> >
> > Enjoy
> >
>
> <soapbox>
>
> I totally disagree. You really think having the key in
> /etc/network/interfaces is any safer? Or having it in NM is safer?
> You're out of your mind. Anyone who gets root access can dig it up and
> steal it from anywhere those files are stored.
>

Of course, but if someone steals the hard disk, then changing the
wireless key (if they haven't stolen the AP too) seems standard
procedure, like if someone steals your key-ring with your home key,
you'll change the lock, wouldn't you?

The true problem is if someone gets access to the account. If he/she only
gets access to the user account, he/she would be able to read the key
contained in the shell script, thus leading to the security problem you
pointed out with your tip, but he/she would not be able to
read /etc/network/interfaces and the file where n-m stores the keys is
encrypted, thus accessing it without the user master key is useless.

If the intruder gains root access, then the password stored
in /etc/network/interfaces is obviously accessible, but the one stored in
the n-m file would still not be, unless he has access to the user master
key.

> I never said anything other than a shell script CAN be used. I also
> warn that it's a security risk and to lock it down tight. Do you really
> think I don't know that? I deal with network security on a daily
> basis. I have 100K users on our network that I have to keep safe.
>
> The point is (and MY point is) this method is possible, but NOT
> encouraged. He doesn't want to have to enter the key every time.
> Entering the key every time IS the preferred and secure method of doing
> this.

> It's sort of like not wanting to key in a password every time and setting
> autologin. That's just as insecure (from a network security standpoint)
> as scripting the wireless key.
>
True, but who told you or the OP not to use a master password? None of
my keyrings is unblocked at login.

> I don't see the advice is /bad/, so much as it isn't recommended and it
> does include the disclaimer that it's not recommended. It's up to the
> OP to determine if that is an acceptable risk. It is not for me to
> decide that and withhold my information because I think it's a bad idea.

> Now, had I simply said 'sure throw it in a shell script' and NOT warned
> the OP of the security risk, then you have every right to point that
> out. However, I believe in offering all alternatives ALONG with any
> potential hazards therein.
>
> So, flame all you want. I stand by my post in that it gives the OP
> an alternative and a caveat to that so he can make up his own mind.
> He's not a child (AFAIK) and can use that if he wishes. It's not up to
> YOU to determine what's bad advice.

I'm not flaming, but, as you said....
> Libenter homines id quod volunt credunt -- Caius Julius Caesar

Vale

--
Leo Cacciari
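
Added example, not part of any post in this thread: the disagreement above turns on which accounts can read the file that holds the key, and this shell function reports that for a given file. The key-line patterns (`wireless-key`, `wpa-psk`, an `iwconfig ... key` command), the function name and the sample files are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: report who can read a file that stores a wireless key.
# Recognised key lines (an assumption for this sketch): the ifupdown options
# wireless-key / wpa-psk, or an iwconfig command with a "key" argument.

key_file_exposure() {
    f=$1
    [ -f "$f" ] || { echo "missing"; return 0; }
    if ! grep -Eq '^[[:space:]]*(wireless-key[1-4]?|wpa-psk)[[:space:]]|iwconfig[[:space:]].*[[:space:]]key[[:space:]]' "$f"; then
        echo "no-key"
        return 0
    fi
    # find -perm -NNN is true when all of the given permission bits are set.
    if [ -n "$(find "$f" -prune -perm -004)" ]; then
        echo "world-readable"      # any local account can read the key
    elif [ -n "$(find "$f" -prune -perm -040)" ]; then
        echo "group-readable"      # members of the file's group can read it
    else
        echo "owner-only"          # only the owner (and root) can read it
    fi
}

# Demo on constructed files in a scratch directory (not real configuration).
demo() {
    d=$(mktemp -d) || return 1
    printf 'iface wlan0 inet dhcp\n    wireless-essid example\n    wireless-key s:constructed-key\n' > "$d/interfaces"
    printf '#!/bin/sh\niwconfig wlan0 essid example key s:constructed-key\n' > "$d/wifi.sh"
    chmod 644 "$d/interfaces"; chmod 755 "$d/wifi.sh"
    echo "interfaces (644): $(key_file_exposure "$d/interfaces")"
    echo "wifi.sh    (755): $(key_file_exposure "$d/wifi.sh")"
    chmod 600 "$d/interfaces" "$d/wifi.sh"
    echo "interfaces (600): $(key_file_exposure "$d/interfaces")"
    echo "wifi.sh    (600): $(key_file_exposure "$d/wifi.sh")"
    rm -rf "$d"
}

demo
```

On a real system the function can be pointed at /etc/network/interfaces and at any script that sets the key, to see which of the cases argued over in the thread actually applies.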
 
Old 08-06-2008, 03:43 PM
"Mark Haney"
 
Default Wireless Network Key

Leo Cacciari wrote:

>
> Of course, but if someone steals the hard disk, then changing the
> wireless key (if they haven't stolen the AP too) seems standard
> procedure, like if someone steals your key-ring with your home key,
> you'll change the lock, wouldn't you?
>
> The true problem is if someone gets access to the account. If he/she only
> gets access to the user account, he/she would be able to read the key
> contained in the shell script, thus leading to the security problem you
> pointed out with your tip, but he/she would not be able to
> read /etc/network/interfaces and the file where n-m stores the keys is
> encrypted, thus accessing it without the user master key is useless.
>
> If the intruder gains root access, then the password stored
> in /etc/network/interfaces is obviously accessible, but the one stored in
> the n-m file would still not be, unless he has access to the user master
> key.

Sure those keys are encrypted, and exactly how long do you think it
would take to crack that encrypted file? Not long. The point is, if
the system is compromised with that user account, it being Ubuntu, they
can SUDO into root and get the keys. That's my point. It doesn't
matter in this case. Access to a regular user account in Ubuntu gets
you root access much easier than if it's say Gentoo, or Fedora where
sudo isn't always configured for a particular user.

So, your point about the keys being safer in n-m is just as useless as
mine is from that perspective.



--
Libenter homines id quod volunt credunt -- Caius Julius Caesar


Mark Haney
Sr. Systems Administrator
ERC Broadband
(828) 350-2415

Call (866) ERC-7110 for after hours support

 
Old 08-06-2008, 04:25 PM
Mario Vukelic
 
Default Wireless Network Key

On Wed, 2008-08-06 at 11:43 -0400, Mark Haney wrote:
> So, your point about the keys being safer in n-m is just as useless as
> mine is from that perspective.

Whatever the case here, the correct advice would have been to make
network-manager work, not dicking around with bash scripts


 
Old 08-06-2008, 04:35 PM
"Mark Haney"
 
Default Wireless Network Key

Mario Vukelic wrote:
> On Wed, 2008-08-06 at 11:43 -0400, Mark Haney wrote:
>> So, your point about the keys being safer in n-m is just as useless as
>> mine is from that perspective.
>
> Whatever the case here, the correct advice would have been to make
> network-manager work, not dicking around with bash scripts
>
>

Good luck with that. In every case, and in 4 different distros, NM just
sucks. Period.



--
Libenter homines id quod volunt credunt -- Caius Julius Caesar


Mark Haney
Sr. Systems Administrator
ERC Broadband
(828) 350-2415

Call (866) ERC-7110 for after hours support

 
Old 08-06-2008, 05:00 PM
Smoot Carl-Mitchell
 
Default Wireless Network Key

On Wed, 2008-08-06 at 11:43 -0400, Mark Haney wrote:

> Sure those keys are encrypted, and exactly how long do you think it
> would take to crack that encrypted file? Not long. The point is, if
> the system is compromised with that user account, it being Ubuntu, they
> can SUDO into root and get the keys. That's my point. It doesn't
> matter in this case. Access to a regular user account in Ubuntu gets
> you root access much easier than if it's say Gentoo, or Fedora where
> sudo isn't always configured for a particular user.
>
> So, your point about the keys being safer in n-m is just as useless as
> mine is from that perspective.

If you use a hard to crack master key phrase, it would be extremely
difficult to get access to the encrypted keys. Root access does not get
you access to the keys in a user's keyring. You need to know the
passphrase. Normally, this looks like it is the user's login password,
but it can be changed, so you are prompted to unlock the keyring when
applications ask for access.
--
Smoot Carl-Mitchell
System/Network Architect
smoot@tic.com
+1 480 922 7313
cell: +1 602 421 9005

 
Old 08-06-2008, 05:03 PM
Smoot Carl-Mitchell
 
Default Wireless Network Key

On Wed, 2008-08-06 at 12:35 -0400, Mark Haney wrote:
> Mario Vukelic wrote:
> > On Wed, 2008-08-06 at 11:43 -0400, Mark Haney wrote:
> >> So, your point about the keys being safer in n-m is just as useless as
> >> mine is from that perspective.
> >
> > Whatever the case here, the correct advice would have been to make
> > network-manager work, not dicking around with bash scripts
> >
> >
>
> Good luck with that. In every case, and in 4 different distros, NM just
> sucks. Period.

Interesting. What have you experienced? NM worked perfectly out of the
box on my Lenovo T61.
--
Smoot Carl-Mitchell
System/Network Architect
smoot@tic.com
+1 480 922 7313
cell: +1 602 421 9005

 
Old 08-06-2008, 05:12 PM
Derek Broughton
 
Default Wireless Network Key

Mark Haney wrote:

> Leo Cacciari wrote:
>
>> This is excessively bad advice, and you even tell why it is bad. This is
>> done already by the GNOME network manager. If n-m is installed and it
>> does not work, then it is another problem, but normally in Ubuntu
>> wireless network works like that out of the box.
>>
>> By the way, yours is bad advice even if the OP has not n-m installed and
>> does not wish to install it, as then standard scripts like if-up
>> *already* have a much more secure (well, less insecure at least) way to
>> do that by writing the key in the
>> /etc/network/interfaces file

> <soapbox>
>
> I totally disagree. You really think having the key in
> /etc/network/interfaces is any safer? Or having it in NM is safer?
> You're out of your mind. Anyone who gets root access can dig it up and
> steal it from anywhere those files are stored.

Actually, having it in NM should be safer (than scripting it - but not safer
than entering it each time) - I believe it's kept in an encrypted store.
But I agree /etc/network/interfaces is certainly not more secure. I can
think of any number of reasons why I'd rather use either method than
writing a shell script, but security isn't one of them :-)

> The point is (and MY point is) this method is possible, but NOT
> encouraged. He doesn't want to have to enter the key every time.
> Entering the key every time IS the preferred and secure method of doing
> this.

For which you can certainly use NM under KDE so I would have thought also
under GNOME. AIUI, the passphrase is stored in KWallet, and (depending on
configuration) you need one password to open the wallet and then any
application can access it without further passwords.
--
derek


 
Old 08-06-2008, 05:20 PM
"Mark Haney"
 
Default Wireless Network Key

Smoot Carl-Mitchell wrote:
> On Wed, 2008-08-06 at 12:35 -0400, Mark Haney wrote:
>> Mario Vukelic wrote:
>>> On Wed, 2008-08-06 at 11:43 -0400, Mark Haney wrote:
>>>> So, your point about the keys being safer in n-m is just as useless as
>>>> mine is from that perspective.
>>> Whatever the case here, the correct advice would have been to make
>>> network-manager work, not dicking around with bash scripts
>>>
>>>
>> Good luck with that. In every case, and in 4 different distros, NM just
>> sucks. Period.
>
> Interesting. What have you experienced? NM worked perfectly out of the
> box on my Lenovo T61.


I've had my connections not come up, I've had NM crash repeatedly. I've
had connections not go down.

Personally, NM is still half-baked, IMHO. It's great in theory. But,
like pulse-audio, not so good in practice yet.

I've given up on using NM, but that's less because of my problems as it
is I'm migrating to KDE 4 on all my desktops and the KDE NM app I've
found works pretty well. Still prefer CLI for my wireless though.
Guess I'm too old school.



--
Libenter homines id quod volunt credunt -- Caius Julius Caesar


Mark Haney
Sr. Systems Administrator
ERC Broadband
(828) 350-2415

Call (866) ERC-7110 for after hours support

 

All times are GMT.