Wicd and hidden password

New features which should be implemented in Porteus; suggestions are welcome. All questions or problems with testing releases (alpha, beta, or rc) should go in their relevant thread here, rather than the Bug Reports section.
User avatar
ahz
Black ninja
Black ninja
Posts: 42
Joined: 29 Dec 2010, 15:05
Location: Germany

Wicd and hidden password

Post#1 by ahz » 26 Jan 2012, 14:22

When I use Wicd to log into a wireless network with PEAP/GTC (other methods should show a similar behaviour) I am asked to enter a user name and a password. As it is no problem to see the username in clear text this should not happen to the password. But at the moment this is the case. It would be nice to have bullets to hide the characters that are typed in. Doing a little research i came to this:

http://www.linuxquestions.org/questions ... ost4052344

I have done what is described in there (and repacked it into module 002-xorg.xzm). But every time I reboot the changes seem to be overwritten. Who knows how to overcome this and have your password hidden when you type it in?

Thanks in advance!

User avatar
Hamza
Warlord
Warlord
Posts: 1847
Joined: 28 Dec 2010, 07:41
Distribution: Porteus
Location: France

Re: Wicd and hidden password

Post#2 by Hamza » 26 Jan 2012, 17:16

Hello,

Please give us more information about your system. (Arch, Version,Wicd Version,psinfo,etc..)
NjVFQzY2Rg==

User avatar
ahz
Black ninja
Black ninja
Posts: 42
Joined: 29 Dec 2010, 15:05
Location: Germany

Re: Wicd and hidden password

Post#3 by ahz » 27 Jan 2012, 07:28

I use standard wicd 1.7.0 (bzr-r552) that comes with Porteus 1.1. What I found out until now is, that wicd 1.7.1 (r583) has checkboxes included with which one can either display username/password in clear text or as bullets, see here

http://bazaar.launchpad.net/~wicd-devel ... hanges/583

This is done by using a new parameter "protected" in all templates in /etc/wicd/encryption/templates (search for password-protected-showcase.png in this link):

https://bugs.launchpad.net/wicd/+bug/476982

So it looks like that the solution is to replace the current wicd 1.7.0 with 1.7.1 (when I got the version numbering right) for the next Porteus release.

User avatar
wread
Module Guard
Module Guard
Posts: 1069
Joined: 09 Jan 2011, 18:48
Distribution: Porteus v3.2.5-kde5-64 bits
Location: Santo Domingo
Contact:

Re: Wicd and hidden password

Post#4 by wread » 27 Jan 2012, 11:46

are you starting your system "Always Fresh"?
Porteus is proud of the FASTEST KDE ever made.....(take akonadi, nepomuk and soprano out and you will have a decent OS).
The Porteus Community never sleeps!

User avatar
ahz
Black ninja
Black ninja
Posts: 42
Joined: 29 Dec 2010, 15:05
Location: Germany

Re: Wicd and hidden password

Post#5 by ahz » 27 Jan 2012, 13:06

Yes. KDE with "toroot"- but without "changes"-cheatcode (modified the KDE lilo entry to do this automatically). Can you reproduce this behaviour? It seems to be a known issue to all wicd version <= 1.7.0. It should be corrected with wicd-1.7.1 but this version still seems to be beta. I took a look at the Debian experimental branch this morning (they have 1.7.1 in there) and downloaded their packages. But my work is still in progress...

User avatar
brokenman
Site Admin
Site Admin
Posts: 5460
Joined: 27 Dec 2010, 03:50
Distribution: Porteus v3.2rcX all desktops
Location: Brazil
Contact:

Re: Wicd and hidden password

Post#6 by brokenman » 28 Jan 2012, 02:09

I can confirm the password is viewable. Worse still it is viewable globally! Wicd is a little lax on security. Even if you decide to hide the password this could still be sniffed through ncurses. Hashing the password would require having to enter a password somewhere along the way in order to decrypt the passphrase. Not undoable but not easy.

Looking at the code given on the page i don't think that is going to do it. It looks to me like the code to create the dots that you see in place of the saved password before you click in the box and can then see the password. Reverting to false would only undo that so the dots would never be visible. I'll try it shortly and report back. Let's hope this is addressed in v2.
How do i become super user?
Wear your underpants on the outside and put on a cape.

User avatar
ahz
Black ninja
Black ninja
Posts: 42
Joined: 29 Dec 2010, 15:05
Location: Germany

Re: Wicd and hidden password

Post#7 by ahz » 28 Jan 2012, 10:43

1.) Imagine the following scenario: You connect your notebook to a beamer and boot your operating OS, e.g Porteus. After you finished your presentation about connecting to the campus network, you want to demonstrate it. Starting Wicd and selecting e.g. PEAP/GTC (because the network requires this authentication method) you can connect to the network with a username and a password. Now one can go until the point where to enter the password. At this point you have to freeze the beamer (or do something similar so that nobody sees what you are typing in). I saw this security hole described as "shoulder viewing" somewhere. All the students in the auditorium can now login but everyone of themcould be a victim of "shoulder viewing". If you checkmark the hide button (as I understood this change in wicd 1.7.1) your password is not readable and this leak is moderated. It is then like the login process on the start screen ofe.g Kubuntu.

2.) Another point is the the usage of pre-shared keys (PSK, eg WPA1,2/PSK). This keys could be rather long and difficult to remember. One way is to store them in wpa_supplicant.conf. Unfortunally this is the only easy way to login to such networks easily (if you do not want to use other programs which do additional encryption like kdewallet).

As we use PEAP/GTC here, login method 2.) is not a problem (but could be if the network admin chooses the "wrong" authentication method).

Thanks to the dev team for the wiilngness to take wicd-1.7.1 in consideration for further Porteus versions.

User avatar
fanthom
Site Admin
Site Admin
Posts: 4566
Joined: 28 Dec 2010, 02:42
Distribution: Porteus Kiosk
Location: Poland, currently - Cork, IE
Contact:

Re: Wicd and hidden password

Post#8 by fanthom » 28 Jan 2012, 15:10

@ahz
thanks for highlighting this issue. for sure we are going to use latest wicd version available.

i'm also thinking about switching to network manager which would let to drop python (and deps) from base ISO. NM has also a nice support for mobile broadband devices so we could remove KPPP.
what i dont like about NM is a window asking for a password which shows up at every login. if you wont use kwallet/gnome-keyring then your password is stored as a plain text.
i know that it's an off topic question but please let me know if anybody knows the solution how to keep the passwords encrypted in NM and avoid that annoying window.
Please add [Solved] to your thread title if the solution was found.

User avatar
ahz
Black ninja
Black ninja
Posts: 42
Joined: 29 Dec 2010, 15:05
Location: Germany

Re: Wicd and hidden password

Post#9 by ahz » 28 Jan 2012, 19:52

Wicd is really nice looking and easy to handle. But the last days I saw this python dependency too and it is really horrible (btw. when I do "python --version" it reports 2.6.4 but in the filelist for Porteus 1.1 it is said that python 2.6.6 is installed).

The change to networkmanager should be worth a try. I found this one:

http://ubuntuforums.org/showthread.php?t=1028324

And even more offtopic: Can Porteus technically be handled as a "secure operating system" regarding password storage or storage of sensible data? The default username/password combinations speaks against that. For me the advantage of Porteus is, that you can easily create an highly adaptive to-your-needs-OS. This makes it outstanding! I am not in the need to store sensible data and applications should handle such information more secret (in this case Wicd-1.7.0 is not a good choice, possibly wicd 1.7.1 too because of python).

User avatar
fanthom
Site Admin
Site Admin
Posts: 4566
Joined: 28 Dec 2010, 02:42
Distribution: Porteus Kiosk
Location: Poland, currently - Cork, IE
Contact:

Re: Wicd and hidden password

Post#10 by fanthom » 29 Jan 2012, 09:34

@ahz
thanks for suggestion.
unfortunately pam is not present in Slackware and i doubt it will ever be. anyway - root and guest passwords are well known (i was trying to force users to change these passwords during boot time but people didn't like this idea) so this authenticate method is a "no go" for us.
when I do "python --version" it reports 2.6.4 but in the filelist for Porteus 1.1 it is said that python 2.6.6 is installed
ekhm... all is fine in 64bits :)
Can Porteus technically be handled as a "secure operating system" regarding password storage or storage of sensible data?
next week i'll try to introduce support for cryptsetup+LUKS for save.dat containers. could do the same for partitions but unfortunately encrypting specific folders wont be possible with this method so let's stick to the containers first.
this will require update to 'porteus save.dat manager' and adding encryption function to it. i'll pass all details to brokenman when i succeed with this.

Cheers
Please add [Solved] to your thread title if the solution was found.

User avatar
ahz
Black ninja
Black ninja
Posts: 42
Joined: 29 Dec 2010, 15:05
Location: Germany

Re: Wicd and hidden password

Post#11 by ahz » 03 Feb 2012, 09:03

I have written a bash script to avoid the password mess with wicd. The idea is to use an existing template and modify it in a way that it perfectly fits your local network setup (another advantage is, that you can save it with a more meaningful name and use this name in wicd automatically). The important part of the script is, that it grabs the password with kdialog and injects it in the new template. Afterwards the user calls wicd and enters its username. Maybe not very smart, but now the password is hidden during input.

Code: Select all

#!/bin/bash

if [ -f /etc/wicd/encryption/templates/peap.bak ];
then
    cp /etc/wicd/encryption/templates/peap.bak /etc/wicd/encryption/templates/peap
else
    cp /etc/wicd/encryption/templates/peap /etc/wicd/encryption/templates/peap.bak
fi

if [ -f /etc/wicd/encryption/templates/active.bak ];
then
    cp /etc/wicd/encryption/templates/active.bak /etc/wicd/encryption/templates/active
else
    cp /etc/wicd/encryption/templates/active /etc/wicd/encryption/templates/active.bak
fi

password=`kdialog --title "My PEAP/GTC-Login" --password "Password:"`

old_IFS=$IFS
IFS=$'\n'
line=($(cat /etc/wicd/encryption/templates/peap))

for ((i = 0; i < ${#line[@]}; i++))
do
    case "${line[$i]}" in
	"name = PEAP with GTC")
	    echo "name = My PEAP with GTC" >>/tmp/peap
	    ;;
	"author = Adam Blackburn")
	    echo "author = My Name" >>/tmp/peap
	    ;;
	"require identity *Identity password *Password")
	    echo "require identity *Identity" >>/tmp/peap
	    ;;
        "	password=\"\$_PASSWORD\"")
	    echo "	"password=\"$password\" >>/tmp/peap
	    ;;
	*)
	    echo ${line[$i]} >>/tmp/peap
	    ;;
    esac    
done

mv /tmp/peap /etc/wicd/encryption/templates/mypeapgtc

IFS=$old_IFS

echo "mypeapgtc" >>/tmp/active
cat /etc/wicd/encryption/templates/active >>/tmp/active
mv /tmp/active /etc/wicd/encryption/templates
Last edited by ahz on 03 Feb 2012, 09:54, edited 1 time in total.

User avatar
Hamza
Warlord
Warlord
Posts: 1847
Joined: 28 Dec 2010, 07:41
Distribution: Porteus
Location: France

Re: Wicd and hidden password

Post#12 by Hamza » 03 Feb 2012, 09:48

Please use CODE Tag to include a code inside your post.
NjVFQzY2Rg==

User avatar
wread
Module Guard
Module Guard
Posts: 1069
Joined: 09 Jan 2011, 18:48
Distribution: Porteus v3.2.5-kde5-64 bits
Location: Santo Domingo
Contact:

Re: Wicd and hidden password

Post#13 by wread » 03 Feb 2012, 15:38

Alien's Bob proposes to use networkmanagement-0.8 instead of wicd. Why don't we try it? Wicd is from gnome, networkmanagement is from KDE....

Cheers
Porteus is proud of the FASTEST KDE ever made.....(take akonadi, nepomuk and soprano out and you will have a decent OS).
The Porteus Community never sleeps!

User avatar
brokenman
Site Admin
Site Admin
Posts: 5460
Joined: 27 Dec 2010, 03:50
Distribution: Porteus v3.2rcX all desktops
Location: Brazil
Contact:

Re: Wicd and hidden password

Post#14 by brokenman » 03 Feb 2012, 16:10

I think this is also a gnome project.

http://projects.gnome.org/NetworkManager/

I'll try to build it and see what the advantages are.
How do i become super user?
Wear your underpants on the outside and put on a cape.

User avatar
wread
Module Guard
Module Guard
Posts: 1069
Joined: 09 Jan 2011, 18:48
Distribution: Porteus v3.2.5-kde5-64 bits
Location: Santo Domingo
Contact:

Re: Wicd and hidden password

Post#15 by wread » 04 Feb 2012, 23:49

@brokenman
gnome project is called Network Manager, KDE's (or alien's BOB) is called networkmanagement...
http://www.mediafire.com/?m0dkfan0ydjqc47

Regards!
Porteus is proud of the FASTEST KDE ever made.....(take akonadi, nepomuk and soprano out and you will have a decent OS).
The Porteus Community never sleeps!

Post Reply