[strongSwan-dev] nm applet 1.4.5, pre-shared key

Tobias Brunner tobias at strongswan.org
Fri Aug 16 15:43:50 CEST 2019


Hi Harald,

> hopefully it's OK to drop some complaints about the PSK 
> authentication option in the network manager applet (1.4.5)
> here?

Sure, but note that we don't recommend using PSKs for remote access.
Using a server certificate together with EAP is a much safer (and not
much more complex) alternative.  That option only exists in the NM
plugin because of a customer.

> Certificate is (None), but this option is not greyed out for 
> PSK, as one would expect. Do I still have to select a certificate?

You might, if the server is authenticated with a certificate (IKEv2
allows asymmetric authentication).  But be aware that the password hash
is sent before the server certificate is received/verified (compared to
EAP, where the server is validated first, which is, thus, not vulnerable
to active attackers).

> I would guess the "Name" entry is actually the local identifier,
> is it?

Correct.

> The "Password" entry has to be manually set to one of the "Store
> the password" options, which are *extremely* hard to find. Without
> this you simply cannot enter the pre-shared key. This is highly
> frustrating.

It's a standard UI element for password fields provided by libnma.  It
works exactly the same for EAP passwords (it's the same field after
all), which is why the default is probably to prompt the user for it
when the connection is initiated.  The icon/button to change it is right
there in the text field, so I don't see how it is *extremely* hard to find.

> Apparently there seems to be a requirement to enter at least
> 20 chars for the pre-shared key, or you cannot save. Frustrating
> again. Maybe I am too blind to see, but I haven't seen this 
> documented anywhere. Maybe the PSK bubble could say? How is the 
> peer admin supposed to know on defining the PSK?

The tooltip for the password field does mention that limit.  As I said,
we don't think PSK authentication is a good choice for remote access at
all.  At least with the limit strong passwords will be used.  While the
20 character limit is arbitrary, I don't think we are going to lower it.

> See also https://bugs.debian.org/896086

I guess you are free to change/remove the limit downstream if you want
to make your users happy.

Regards,
Tobias
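As an added illustration that is not part of this thread and not taken from strongSwan's own documentation: the three remote-access setups discussed above (PSK on both sides, PSK on the client with a certificate-authenticated gateway, and EAP with a certificate-authenticated gateway) written as swanctl.conf client configurations. The gateway name vpn.example.org, the identities, the CA file path and the secrets are assumptions invented for the example.

```conf
# Added example (not from the thread or the strongSwan project): three
# roadwarrior client setups against a made-up gateway vpn.example.org.
# All names, paths and secrets are invented for illustration.
connections {

    # 1. PSK on both sides. The client's AUTH payload, keyed from the PSK,
    #    is sent in the first IKE_AUTH message, before the gateway has
    #    proven anything, so an active attacker posing as the gateway can
    #    collect it and run an offline guess at the PSK.
    rw-psk {
        version = 2
        remote_addrs = vpn.example.org
        vips = 0.0.0.0
        local {
            auth = psk
            id = harald@example.org
        }
        remote {
            auth = psk
            id = vpn.example.org
        }
        children {
            net {
                remote_ts = 0.0.0.0/0
                start_action = start
            }
        }
    }

    # 2. Asymmetric: client keeps the PSK, gateway is verified with a
    #    certificate (the "still select a certificate" case above). The
    #    certificate is only checked after the PSK-derived AUTH went out.
    rw-psk-cert {
        version = 2
        remote_addrs = vpn.example.org
        vips = 0.0.0.0
        local {
            auth = psk
            id = harald@example.org
        }
        remote {
            auth = pubkey
            id = vpn.example.org
            cacerts = /etc/swanctl/x509ca/vpn-ca.pem
        }
        children {
            net {
                remote_ts = 0.0.0.0/0
                start_action = start
            }
        }
    }

    # 3. Recommended: EAP behind a certificate-authenticated gateway. With
    #    EAP the client omits AUTH in its first IKE_AUTH message; the
    #    gateway's certificate and AUTH arrive and are verified before the
    #    EAP password is ever used.
    rw-eap {
        version = 2
        remote_addrs = vpn.example.org
        vips = 0.0.0.0
        local {
            auth = eap-mschapv2
            eap_id = harald
        }
        remote {
            auth = pubkey
            id = vpn.example.org
            cacerts = /etc/swanctl/x509ca/vpn-ca.pem
        }
        children {
            net {
                remote_ts = 0.0.0.0/0
                start_action = start
            }
        }
    }
}

secrets {
    # PSK for setups 1 and 2; keep it long (the NM plugin requires 20+ chars)
    ike-harald {
        id = harald@example.org
        secret = "correct-horse-battery-staple-example"
    }
    # EAP password for setup 3 (invented)
    eap-harald {
        id = harald
        secret = "example-eap-password"
    }
}
```

Only one of the three connections would normally be loaded on a real client; with all three in place, `swanctl --load-all` followed by `swanctl --initiate --child net` brings up whichever is listed first. The ordering difference between setups 1/2 and 3 is the whole point of the message above: in the PSK variants the secret-derived material leaves the client before the gateway identity is known, in the EAP variant it does not.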