Bug #3428

Ubuntu 20.04, NetworkManager, Encrypted (protected) private key

Added by Alex Mfl 3 months ago. Updated 3 months ago.

Status:
Closed
Priority:
Low
Category:
networkmanager (charon-nm)
Target version:
Start date:
Due date:
Estimated time:
Affected version:
5.8.2
Resolution:
Fixed

Description

Hello! I'm not sure whether this is the right place for this request. Anyway, I'm trying to describe the problem in detail.

  • OS: Ubuntu 20.04
  • Installed packages: network-manager-strongswan + dependencies
  • VPN auth mode: Cert+Key

The main problem

The keyfile is encrypted, and NetworkManager asks for a password for the keyfile. I suppose the password for the keyfile is not used. There are no problems with an unprotected keyfile.

NetworkManager connection config

[connection]
id=vpnconnectionid
uuid=04f56322-d291-4015-9758-6d54960518c3
type=vpn
autoconnect=false
permissions=user:someuser:;

[vpn]
address=somevpnhost
certificate=/home/someuser/vpnkeys/caCert.pem
encap=no
esp=aes128-sha1-modp1536
ike=aes128-sha1-modp1024
ipcomp=yes
method=key
proposal=yes
usercert=/home/someuser/vpnkeys/client-cert.pem
userkey=/home/someuser/vpnkeys/client-key.pem
virtual=yes
service-type=org.freedesktop.NetworkManager.strongswan

[ipv4]
dns=10.10.10.10;
dns-search=somedomain
method=auto

[ipv6]
addr-gen-mode=stable-privacy
dns-search=
method=ignore

[proxy]

Diff between protected and unprotected keyfiles

I think it's obvious, but may be useful:

  • protected:
  • unprotected:

Logs

Apr 25 21:30:15 vbox-test NetworkManager[537]: <info>  [1587839415.9416] audit: op="connection-activate" uuid="04f56322-d291-4015-9758-6d54960518c3" name="vpnconnectionid" pid=1392 uid=1000 result="success" 
Apr 25 21:30:15 vbox-test NetworkManager[537]: <info>  [1587839415.9465] vpn-connection[0x559339da6750,04f56322-d291-4015-9758-6d54960518c3,"vpnconnectionid",0]: Saw the service appear; activating connection
Apr 25 21:30:15 vbox-test charon-nm: 05[LIB] building CRED_PRIVATE_KEY - ANY failed, tried 6 builders
Apr 25 21:30:17 vbox-test charon-nm: message repeated 2 times: [ 05[LIB] building CRED_PRIVATE_KEY - ANY failed, tried 6 builders]
Apr 25 21:30:17 vbox-test NetworkManager[537]: <error> [1587839417.6588] vpn-connection[0x559339da6750,04f56322-d291-4015-9758-6d54960518c3,"vpnconnectionid",0]: final secrets request failed to provide sufficient secrets

Additional problem with unprotected keyfile

I think this is not strongSwan's problem, but maybe somebody here knows the correct solution. The problem is repeatable avahi-daemon errors:

One of the possible workarounds is to disable the avahi-daemon service.

Questions

  1. Is it possible to make a VPN connection with a protected keyfile? If "yes", then "how"? )
  2. If more information or tests are needed, then I'm ready to provide them.

Thank you in advance!

Attachment: src_20200428-141109.png (70.3 KB), Alex Mfl, 28.04.2020 13:11

Associated revisions

Revision 532d5fc8 (diff)
Added by Tobias Brunner 3 months ago

nm: Fix password entry for private keys and allow saving it

On newer desktops the auth dialog is called with --external-ui-mode and
it seems that the password flag has to be set, otherwise the password is
not stored temporarily in the profile and passed to charon-nm (not sure
how this works exactly as need_secrets() is called multiple times even
after the password was already entered, only before doing so the last
time is the password available in that callback, but only if the flag
was set). This now also allows storing the password for the private key
with the profile.

Fixes #3428.

Revision d5d83756 (diff)
Added by Tobias Brunner 3 months ago

charon-nm: Clear secrets when disconnecting

The need_secrets() method is called before connect() (where we clear the
previous secrets too), so e.g. a password-protected private key could be
decrypted with the cached password from earlier but if the password was not
stored with the connection, it would later fail as no password was requested
from the user that could be passed to connect().

References #3428.

History

#1 Updated by Tobias Brunner 3 months ago

  • Status changed from New to Feedback

I think this is not strongSwan's problem, but maybe somebody here knows the correct solution.

No idea.

Questions

1. Is it possible to make a VPN connection with a protected keyfile? If "yes", then "how"? )

It should.

2. If more information or tests are needed, then I'm ready to provide them.

Could you please try the current versions of charon-nm and the NM plugin (see 5.8.3 but use 5.8.4).

#2 Updated by Alex Mfl 3 months ago

Tobias Brunner wrote:

Could you please try the current versions of charon-nm and the NM plugin (see 5.8.3 but use 5.8.4).

Thanks for your reply. Yes, I can.

Installation from source

Required packages

apt install gcc make libnm-dev libssl-dev libglib2.0-dev network-manager-dev intltool libgtk-3-dev libsecret-1-dev libnma-dev

strongSwan installation

wget http://download.strongswan.org/strongswan-5.8.4.tar.bz2
tar xjf strongswan-5.8.4.tar.bz2
cd strongswan-5.8.4

./configure --sysconfdir=/etc --prefix=/usr --libexecdir=/usr/lib \
   --disable-des --disable-md5 --disable-fips-prf --disable-gmp --enable-openssl \
   --enable-nm --enable-agent --enable-eap-gtc --enable-eap-md5 --enable-eap-identity
   
make
make install

NetworkManager-strongswan

cd
wget http://download.strongswan.org/NetworkManager/NetworkManager-strongswan-1.5.0.tar.bz2
tar xjf NetworkManager-strongswan-1.5.0.tar.bz2
cd NetworkManager-strongswan-1.5.0

./configure --sysconfdir=/etc --prefix=/usr --with-charon=/usr/lib/ipsec/charon-nm --without-libnm-glib

make
make install

Tests

Connection config

[connection]
id=vpnconnectionid
uuid=da5217f7-41a3-4e20-a5bd-520afe76c09e
type=vpn
autoconnect=false
permissions=user:someuser:;

[vpn]
address=somevpnhost
cert-source=file
certificate=/home/someuser/vpnkeys/caCert.pem
encap=no
esp=aes128-sha1-modp1536
ike=aes128-sha1-modp1024
ipcomp=yes
method=cert
proposal=yes
usercert=/home/someuser/vpnkeys/client-cert.pem
userkey=/home/someuser/vpnkeys/client-key.pem
virtual=yes
service-type=org.freedesktop.NetworkManager.strongswan

[ipv4]
dns=10.10.10.10;
dns-search=somedomain
method=auto

[ipv6]
addr-gen-mode=stable-privacy
dns-search=
method=ignore

[proxy]

Protected keyfile. Same errors.

Logs:

Apr 28 13:43:16 vbox-test NetworkManager[98300]: <info>  [1588070596.0773] audit: op="connection-activate" uuid="da5217f7-41a3-4e20-a5bd-520afe76c09e" name="vpnconnectionid" pid=1405 uid=1000 result="success" 
Apr 28 13:43:16 vbox-test NetworkManager[98300]: <info>  [1588070596.1010] vpn-connection[0x562ca12c4330,da5217f7-41a3-4e20-a5bd-520afe76c09e,"vpnconnectionid",0]: Started the VPN service, PID 103389
Apr 28 13:43:16 vbox-test charon-nm: 00[DMN] Starting charon NetworkManager backend (strongSwan 5.8.4)
Apr 28 13:43:16 vbox-test kernel: [ 5695.398172] Initializing XFRM netlink socket
Apr 28 13:43:16 vbox-test NetworkManager[98300]: <info>  [1588070596.1811] vpn-connection[0x562ca12c4330,da5217f7-41a3-4e20-a5bd-520afe76c09e,"vpnconnectionid",0]: Saw the service appear; activating connection
Apr 28 13:43:16 vbox-test charon-nm: 00[LIB] loaded plugins: nm-backend charon-nm aes rc2 sha2 sha1 random nonce x509 revocation constraints pkcs1 pkcs7 pkcs8 sshkey pem openssl curve25519 agent xcbc cmac hmac drbg kernel-netlink socket-default eap-identity eap-md5 eap-gtc
Apr 28 13:43:16 vbox-test charon-nm: 00[JOB] spawning 16 worker threads
Apr 28 13:43:16 vbox-test charon-nm: 05[LIB] building CRED_PRIVATE_KEY - ANY failed, tried 6 builders
Apr 28 13:43:19 vbox-test charon-nm: message repeated 2 times: [ 05[LIB] building CRED_PRIVATE_KEY - ANY failed, tried 6 builders]
Apr 28 13:43:19 vbox-test NetworkManager[98300]: <error> [1588070599.9164] vpn-connection[0x562ca12c4330,da5217f7-41a3-4e20-a5bd-520afe76c09e,"vpnconnectionid",0]: final secrets request failed to provide sufficient secrets
Apr 28 13:43:19 vbox-test NetworkManager[98300]: <info>  [1588070599.9277] vpn-connection[0x562ca12c4330,da5217f7-41a3-4e20-a5bd-520afe76c09e,"vpnconnectionid",0]: VPN plugin: state changed: stopped (6)

Unprotected keyfile. No problems (except fetching crl.der and avahi-daemon)

Prepare keyfile:

openssl rsa -in client-key.pem -out client-key.pem

Logs:


Any ideas?

#3 Updated by Tobias Brunner 3 months ago

Sorry, I can't reproduce this. Maybe the password you entered is simply wrong, or the encrypted key file is invalid somehow. Did you uninstall all strongSwan packages before installing from source?

There will always be one such error message when the plugin determines if it requires a password, but if the password is provided and correct, there shouldn't be any more afterwards. I guess it's also possible that it's a problem with newer versions of NM (the final secrets request failed to provide sufficient secrets message sounds suspicious), I'll have to try on Ubuntu 20.04 some time.

#4 Updated by Alex Mfl 3 months ago

Tobias Brunner wrote:

Sorry, I can't reproduce this. Maybe the password you entered is simply wrong

The password is 100% correct (copy+paste). I've used the same password to decrypt the keyfile with the command:

openssl rsa -in client-key.pem -out client-key.pem

or the encrypted key file is invalid somehow.

I thought about it, and I tried to decrypt/encrypt the keyfile with the same password.

Did you uninstall all strongSwan packages before installing from source?

Yes, I did. I restored the test VM from a snapshot with clean Ubuntu 20.04 (no strongSwan installed). After that I installed strongSwan + NetworkManager-strongswan from source with the above-mentioned commands.

There will always be one such error message when the plugin determines if it requires a password, but if the password is provided and correct, there shouldn't be any more afterwards. I guess it's also possible that it's a problem with newer versions of NM (the final secrets request failed to provide sufficient secrets message sounds suspicious), I'll have to try on Ubuntu 20.04 some time.

Thank you. I'll try to do without a protected keyfile for now.

#5 Updated by Alex Mfl 3 months ago

Additional debug information

I enabled tracing for NetworkManager:

nmcli general logging level TRACE

and I tried to establish a VPN connection:

I think interesting here is:

...
Apr 28 17:45:43 vbox-test NetworkManager[534]: <debug> [1588085143.1783] agent-manager: agent[d797243476a38cb4,:1.82/org.gnome.Shell.NetworkAgent/1000]: agent returned no secrets for request [6c2b2ba12295b99b/"vpnconnectionid"/"vpn"]
Apr 28 17:45:43 vbox-test NetworkManager[534]: <debug> [1588085143.1783] settings-connection[645641685f016c99,da5217f7-41a3-4e20-a5bd-520afe76c09e]: (vpn:0x7ff37c014a30) secrets request error: No agents were available for this request.
Apr 28 17:45:43 vbox-test NetworkManager[534]: <debug> [1588085143.1786] vpn-connection[0x55c1ed4c2790,da5217f7-41a3-4e20-a5bd-520afe76c09e,"vpnconnectionid",0]: asking service if additional secrets are required
Apr 28 17:45:43 vbox-test charon-nm: 05[LIB] building CRED_PRIVATE_KEY - ANY failed, tried 6 builders
...

Establishing the VPN connection from the console

Hmm. It works o_O

$ nmcli --ask connection up vpnconnectionid
Private key decryption password required to establish VPN connection 'vpnconnectionid'.
Password: (vpn.secrets.password): ••••••••••••
Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/6)

It looks like a GUI problem only.

#6 Updated by Tobias Brunner 3 months ago

OK, I was able to reproduce this on Ubuntu 20.04. It seems that if NM (or whoever) calls the auth dialog with --external-ui-mode (not the case on older versions) it somehow does not make the password available to the VPN plugin afterwards if the password flags are not set beforehand, so that's different from older NM versions. How this works exactly I don't really understand, the need_secrets() method is called several times even after the password was requested but we can't retrieve the password there. So maybe there is something else missing.

Anyway, I pushed a possible fix to the 3428-nm-cert-pw branch (you need to edit the profile so the password flag is set).

#7 Updated by Alex Mfl 3 months ago

Tobias Brunner wrote:

OK, I was able to reproduce this on Ubuntu 20.04. It seems that if NM (or whoever) calls the auth dialog with --external-ui-mode (not the case on older versions) it somehow does not make the password available to the VPN plugin afterwards if the password flags are not set beforehand, so that's different from older NM versions. How this works exactly I don't really understand, the need_secrets() method is called several times even after the password was requested but we can't retrieve the password there. So maybe there is something else missing.

Anyway, I pushed a possible fix to the 3428-nm-cert-pw branch (you need to edit the profile so the password flag is set).

Thank you! I'll try to check it in the next couple of days.

#8 Updated by Alex Mfl 3 months ago

3428-nm-cert-pw branch

I have tested the version from the new branch. Nothing changed. Build commands (for history):

apt install git autogen autoconf libtool gperf bison flex gcc make libnm-dev libssl-dev libglib2.0-dev network-manager-dev intltool libgtk-3-dev libsecret-1-dev libnma-dev libcurl4-openssl-dev
git clone https://github.com/strongswan/strongswan
cd strongswan
git checkout 3428-nm-cert-pw
./autogen.sh
./configure --sysconfdir=/etc --prefix=/usr --libexecdir=/usr/lib --enable-curl \
   --disable-des --disable-md5 --disable-fips-prf --disable-gmp --enable-openssl \
   --enable-nm --enable-agent --enable-eap-gtc --enable-eap-md5 --enable-eap-identity
make
make install

password-flags option

But password-flags in the NetworkManager connection config works! I have tested:

It works as expected and needed: it asks for the password but doesn't save it.

NetworkManager connection config:

What next

The password-flags workaround is enough for me. But it would be nice to add a checkbox/menu/or_something_else to the NetworkManager plugin for connection config generation with a password-flags option.

I think the issue is solved. Thank you!

#9 Updated by Tobias Brunner 3 months ago

Build commands (for history):

But incomplete. That doesn't build/install the new version of the NM plugin (in source:src/frontends/gnome), only the D-Bus service (charon-nm), which hasn't changed in that branch (I did push a commit now, though, that fixes an issue when reconnecting with a password-protected private key while charon-nm is still running).

But it would be nice to add a checkbox/menu/or_something_else to the NetworkManager plugin for connection config generation with a password-flags option.

There is, it's built into the password field. With the changes to the plugin in the mentioned branch, just open the connection in the editor and save it again, the password flag should be set.

#10 Updated by Alex Mfl 3 months ago

Tobias Brunner wrote:

But incomplete. That doesn't build/install the new version of the NM plugin (in source:src/frontends/gnome), only the D-Bus service (charon-nm), which hasn't changed in that branch (I did push a commit now, though, that fixes an issue when reconnecting with a password-protected private key while charon-nm is still running).

Yes, looks like I missed it.

Cloned git repo state (for proof)

root@vbox-test:~/strongswan# git branch
* 3428-nm-cert-pw
  master

root@vbox-test:~/strongswan# git rev-parse HEAD
20264da08de4e2cc0853ff8c3c0d3dfc9607195d

root@vbox-test:~/strongswan# git pull
Already up to date.

Full rebuild

make clean
./autogen.sh
./configure --sysconfdir=/etc --prefix=/usr --libexecdir=/usr/lib --enable-curl \
   --disable-des --disable-md5 --disable-fips-prf --disable-gmp --enable-openssl \
   --enable-nm --enable-agent --enable-eap-gtc --enable-eap-md5 --enable-eap-identity
make
make install

cd src/frontends/gnome
apt install gnome-common
./autogen.sh --without-libnm-glib
./configure --sysconfdir=/etc --prefix=/usr --with-charon=/usr/lib/ipsec/charon-nm --without-libnm-glib
make
make install
rm /etc/NetworkManager/system-connections/*
reboot  # not necessary. I think systemctl restart NetworkManager is enough too.

Test

  1. New connection added (without edits by hand in /etc/NetworkManager/system-connections)
  2. Established VPN connection (password asked, but not saved in /etc/NetworkManager/system-connections)

The password-flags=2 option exists in the generated connection config file. So it works perfectly well! Thank you.
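
As an added example (not code from the report, from strongSwan or from NetworkManager), a small Python check a practitioner could run over a keyfile profile like the ones above: it detects whether the private key named by userkey is passphrase-protected and whether the [vpn] section carries the password-flags setting this thread ended up needing. The sample profile and the PEM headers are constructed, with the key material omitted.

```python
import configparser
import re

# Constructed sample, modelled on the [vpn] section of the profile in this
# report, plus the password-flags key that the fixed plugin writes.
SAMPLE_PROFILE = """\
[vpn]
address=somevpnhost
method=cert
usercert=/home/someuser/vpnkeys/client-cert.pem
userkey=/home/someuser/vpnkeys/client-key.pem
password-flags=2
service-type=org.freedesktop.NetworkManager.strongswan
"""

# Constructed PEM headers; the base64 bodies are placeholders, not real keys.
ENCRYPTED_PKCS8 = ("-----BEGIN ENCRYPTED PRIVATE KEY-----\nMIIF...\n"
                   "-----END ENCRYPTED PRIVATE KEY-----\n")
ENCRYPTED_LEGACY = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                    "DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF\n\n"
                    "MIIE...\n-----END RSA PRIVATE KEY-----\n")
PLAIN_PKCS1 = "-----BEGIN RSA PRIVATE KEY-----\nMIIE...\n-----END RSA PRIVATE KEY-----\n"

# NetworkManager secret flags: 0 = NM stores the secret, 2 = not saved, the
# agent prompts every time (the value the reporter confirmed works).
NM_FLAG_NOT_SAVED = 2

def pem_is_encrypted(pem: str) -> bool:
    """PKCS#8 EncryptedPrivateKeyInfo, or legacy PEM carrying the
    'Proc-Type: 4,ENCRYPTED' header (the format 'openssl rsa' writes)."""
    if "-----BEGIN ENCRYPTED PRIVATE KEY-----" in pem:
        return True
    return re.search(r"^Proc-Type:\s*4,ENCRYPTED\s*$", pem, re.M) is not None

def check_profile(profile_text: str, key_pem: str) -> list:
    """Findings for the [vpn] section; key_pem is the file named by userkey.
    An empty list means the key protection and the flag are consistent."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(profile_text)
    flags = int(cp["vpn"].get("password-flags", "0"))
    findings = []
    if not pem_is_encrypted(key_pem):
        findings.append("userkey is not passphrase-protected; anyone who can "
                        "read the file holds the key")
    elif flags == 0:
        findings.append("encrypted userkey but password-flags is unset (0): the "
                        "GUI will not pass the passphrase on to charon-nm, set "
                        f"password-flags={NM_FLAG_NOT_SAVED}")
    return findings
```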

#11 Updated by Tobias Brunner 3 months ago

  • Tracker changed from Issue to Bug
  • Status changed from Feedback to Closed
  • Assignee set to Tobias Brunner
  • Target version set to 5.9.0
  • Resolution set to Fixed

Thanks for testing. I've released a new version of the NM plugin (1.5.1) that includes the GUI fix. The fix for charon-nm will be included in version:5.8.5.
