
Wicd and hidden password

Posted: 26 Jan 2012, 14:22
by ahz
When I use Wicd to log into a wireless network with PEAP/GTC (other methods should show a similar behaviour) I am asked to enter a user name and a password. As it is no problem to see the username in clear text this should not happen to the password. But at the moment this is the case. It would be nice to have bullets to hide the characters that are typed in. Doing a little research I came to this:

http://www.linuxquestions.org/questions ... ost4052344

I have done what is described in there (and repacked it into module 002-xorg.xzm). But every time I reboot the changes seem to be overwritten. Who knows how to overcome this and have your password hidden when you type it in?

Thanks in advance!

Re: Wicd and hidden password

Posted: 26 Jan 2012, 17:16
by Hamza
Hello,

Please give us more information about your system. (Arch, Version, Wicd Version, psinfo, etc.)

Re: Wicd and hidden password

Posted: 27 Jan 2012, 07:28
by ahz
I use standard wicd 1.7.0 (bzr-r552) that comes with Porteus 1.1. What I found out until now is, that wicd 1.7.1 (r583) has checkboxes included with which one can either display username/password in clear text or as bullets, see here

http://bazaar.launchpad.net/~wicd-devel ... hanges/583

This is done by using a new parameter "protected" in all templates in /etc/wicd/encryption/templates (search for password-protected-showcase.png in this link):

https://bugs.launchpad.net/wicd/+bug/476982

So it looks like that the solution is to replace the current wicd 1.7.0 with 1.7.1 (when I got the version numbering right) for the next Porteus release.

Re: Wicd and hidden password

Posted: 27 Jan 2012, 11:46
by wread
are you starting your system "Always Fresh"?

Re: Wicd and hidden password

Posted: 27 Jan 2012, 13:06
by ahz
Yes. KDE with "toroot"- but without "changes"-cheatcode (modified the KDE lilo entry to do this automatically). Can you reproduce this behaviour? It seems to be a known issue to all wicd versions <= 1.7.0. It should be corrected with wicd-1.7.1 but this version still seems to be beta. I took a look at the Debian experimental branch this morning (they have 1.7.1 in there) and downloaded their packages. But my work is still in progress...

Re: Wicd and hidden password

Posted: 28 Jan 2012, 02:09
by brokenman
I can confirm the password is viewable. Worse still it is viewable globally! Wicd is a little lax on security. Even if you decide to hide the password this could still be sniffed through ncurses. Hashing the password would require having to enter a password somewhere along the way in order to decrypt the passphrase. Not undoable but not easy.

Looking at the code given on the page I don't think that is going to do it. It looks to me like the code to create the dots that you see in place of the saved password before you click in the box and can then see the password. Reverting to false would only undo that so the dots would never be visible. I'll try it shortly and report back. Let's hope this is addressed in v2.

Re: Wicd and hidden password

Posted: 28 Jan 2012, 10:43
by ahz
1.) Imagine the following scenario: You connect your notebook to a beamer and boot your operating OS, e.g. Porteus. After you finished your presentation about connecting to the campus network, you want to demonstrate it. Starting Wicd and selecting e.g. PEAP/GTC (because the network requires this authentication method) you can connect to the network with a username and a password. Now one can go until the point where to enter the password. At this point you have to freeze the beamer (or do something similar so that nobody sees what you are typing in). I saw this security hole described as "shoulder viewing" somewhere. All the students in the auditorium can now login but every one of them could be a victim of "shoulder viewing". If you checkmark the hide button (as I understood this change in wicd 1.7.1) your password is not readable and this leak is moderated. It is then like the login process on the start screen of e.g. Kubuntu.

2.) Another point is the usage of pre-shared keys (PSK, e.g. WPA1,2/PSK). These keys could be rather long and difficult to remember. One way is to store them in wpa_supplicant.conf. Unfortunately this is the only easy way to login to such networks easily (if you do not want to use other programs which do additional encryption like kdewallet).

As we use PEAP/GTC here, login method 2.) is not a problem (but could be if the network admin chooses the "wrong" authentication method).

Thanks to the dev team for the willingness to take wicd-1.7.1 in consideration for further Porteus versions.

Re: Wicd and hidden password

Posted: 28 Jan 2012, 15:10
by fanthom
@ahz
thanks for highlighting this issue. for sure we are going to use latest wicd version available.

i'm also thinking about switching to network manager which would let us drop python (and deps) from base ISO. NM has also a nice support for mobile broadband devices so we could remove KPPP.
what i don't like about NM is a window asking for a password which shows up at every login. if you won't use kwallet/gnome-keyring then your password is stored as a plain text.
i know that it's an off topic question but please let me know if anybody knows the solution how to keep the passwords encrypted in NM and avoid that annoying window.

Re: Wicd and hidden password

Posted: 28 Jan 2012, 19:52
by ahz
Wicd is really nice looking and easy to handle. But the last days I saw this python dependency too and it is really horrible (btw. when I do "python --version" it reports 2.6.4 but in the filelist for Porteus 1.1 it is said that python 2.6.6 is installed).

The change to networkmanager should be worth a try. I found this one:

http://ubuntuforums.org/showthread.php?t=1028324

And even more offtopic: Can Porteus technically be handled as a "secure operating system" regarding password storage or storage of sensible data? The default username/password combinations speak against that. For me the advantage of Porteus is, that you can easily create a highly adaptive to-your-needs-OS. This makes it outstanding! I am not in the need to store sensible data and applications should handle such information more secret (in this case Wicd-1.7.0 is not a good choice, possibly wicd 1.7.1 too because of python).

Re: Wicd and hidden password

Posted: 29 Jan 2012, 09:34
by fanthom
@ahz
thanks for suggestion.
unfortunately pam is not present in Slackware and i doubt it will ever be. anyway - root and guest passwords are well known (i was trying to force users to change these passwords during boot time but people didn't like this idea) so this authenticate method is a "no go" for us.
> when I do "python --version" it reports 2.6.4 but in the filelist for Porteus 1.1 it is said that python 2.6.6 is installed
ekhm... all is fine in 64bits :)
> Can Porteus technically be handled as a "secure operating system" regarding password storage or storage of sensible data?
next week i'll try to introduce support for cryptsetup+LUKS for save.dat containers. could do the same for partitions but unfortunately encrypting specific folders won't be possible with this method so let's stick to the containers first.
this will require update to 'porteus save.dat manager' and adding encryption function to it. i'll pass all details to brokenman when i succeed with this.

Cheers

Re: Wicd and hidden password

Posted: 03 Feb 2012, 09:03
by ahz
I have written a bash script to avoid the password mess with wicd. The idea is to use an existing template and modify it in a way that it perfectly fits your local network setup (another advantage is, that you can save it with a more meaningful name and use this name in wicd automatically). The important part of the script is, that it grabs the password with kdialog and injects it in the new template. Afterwards the user calls wicd and enters its username. Maybe not very smart, but now the password is hidden during input.

Code:

#!/bin/bash
# Build a site-specific wicd PEAP/GTC template with the password already
# filled in, so that wicd only has to ask for the user name.

templates=/etc/wicd/encryption/templates

# First run: keep pristine copies. Later runs: start again from those copies.
for f in peap active
do
    if [ -f "$templates/$f.bak" ];
    then
        cp "$templates/$f.bak" "$templates/$f"
    else
        cp "$templates/$f" "$templates/$f.bak"
    fi
done

# kdialog hides the input; stop if the dialog is cancelled.
password=$(kdialog --title "My PEAP/GTC-Login" --password "Password:") || exit 1

# Copy the template line by line and replace the lines that differ. The result
# is written directly to the new template instead of being appended to a fixed
# file name in /tmp, where a leftover file from an earlier run would be reused.
while IFS= read -r line || [ -n "$line" ]
do
    case "$line" in
        "name = PEAP with GTC")
            echo "name = My PEAP with GTC"
            ;;
        "author = Adam Blackburn")
            echo "author = My Name"
            ;;
        "require identity *Identity password *Password")
            echo "require identity *Identity"
            ;;
        *'password="$_PASSWORD"')
            # Quoted so that the password is not subject to globbing.
            printf '\tpassword="%s"\n' "$password"
            ;;
        *)
            printf '%s\n' "$line"
            ;;
    esac
done <"$templates/peap" >"$templates/mypeapgtc"

# Put the new template first in the list of active templates.
{
    echo "mypeapgtc"
    cat "$templates/active.bak"
} >"$templates/active"
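
Added example, not part of the original post and not wicd's own code: the script above stores the password inside a template file under /etc/wicd/encryption/templates, so this check reports templates that contain a literal password and are readable by every local user. The function name find_exposed_templates is made up for this example, and it only reports files; it does not change any permissions.

```shell
#!/bin/bash
# Usage: find_exposed_templates [directory]
# The default directory is the one used in the post above.

find_exposed_templates() {
    local dir=${1:-/etc/wicd/encryption/templates}
    local file
    # -perm -004 selects files whose "other" read bit is set.
    find "$dir" -maxdepth 1 -type f -perm -004 2>/dev/null | sort |
    while IFS= read -r file
    do
        # Stock templates carry a placeholder such as $_PASSWORD between the
        # quotes. A password= line with anything else there is a stored secret.
        if grep -E '^[[:space:]]*password="[^"]+"' "$file" |
           grep -qv '="\$_'
        then
            printf '%s\n' "$file"
        fi
    done
}
```

Each path printed is a template whose password any local account can read; the .bak copies made by the script are checked as well because they sit in the same directory.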

Re: Wicd and hidden password

Posted: 03 Feb 2012, 09:48
by Hamza
Please use CODE Tag to include a code inside your post.

Re: Wicd and hidden password

Posted: 03 Feb 2012, 15:38
by wread
Alien's Bob proposes to use networkmanagement-0.8 instead of wicd. Why don't we try it? Wicd is from gnome, networkmanagement is from KDE....

Cheers

Re: Wicd and hidden password

Posted: 03 Feb 2012, 16:10
by brokenman
I think this is also a gnome project.

http://projects.gnome.org/NetworkManager/

I'll try to build it and see what the advantages are.

Re: Wicd and hidden password

Posted: 04 Feb 2012, 23:49
by wread
@brokenman
gnome project is called Network Manager, KDE's (or alien's BOB) is called networkmanagement...
http://www.mediafire.com/?m0dkfan0ydjqc47

Regards!