[strongSwan-dev] nm applet 1.4.5, pre-shared key

[Harald Dunkel]

Hi Tobias,

On 8/16/19 3:43 PM, Tobias Brunner wrote:
> Hi Harald,
> 
>> hopefully its OK to drop some complaints about the PSK
>> authentication option in the network manager applet (1.4.5)
>> here?
> 
> Sure, but note that we don't recommend using PSKs for remote access.
> Using a server certificate together with EAP is a much safer (and not
> much more complex) alternative.  That option only exists in the NM
> plugin because of a customer.
> 

I am not using PSKs for road warriors, either, but I am pretty sure
that there is a "grey area" here.

>> Certificate is (None), but this option is not greyed out for
>> PSK, as one would expect. Do I still have to select a certificate?
> 
> You might, if the server is authenticated with a certificate (IKEv2
> allows asymmetric authentication).  But be aware that the password hash
> is sent before the server certificate is received/verified (compared to
> EAP, where the server is validated first, which is, thus, not vulnerable
> to active attackers).
> 
>> I would guess the "Name" entry is actually the local identifier,
>> is it?
> 
> Correct.
> 

Do you think it would be possible to dynamically change the input
form, depending upon whether its x509, PSK, smartcard or eap? The
current static design is the confusing part.

>> The "Password" entry has to be manually set to one of the "Store
>> the password" options, which are *extremely* hard to find. Without
>> this you simply cannot enter the pre-shared key. This is highly
>> frustrating.
> 
> It's a standard UI element for password fields provided by libnma.  It
> works exactly the same for EAP passwords (it's the same field after
> all), which is why the default is probably to prompt the user for it
> when the connection is initiated.  The icon/button to change it is right
> there in the text field, so I don't see how it is *extremely* hard to find.
> 

Maybe its just me (I am no GUI user), but its quite confusing to
first select "PSK" on top, and then you cannot enter the PSK (even
though its not greyed out). Without recognizing the tiny question mark
icon in the password box the GUI appears to be broken.

>> Apparently there seems to be a requirement to enter at least
>> 20 chars for the pre-shared key, or you cannot save. Frustrating
>> again. Maybe I am too blind to see, but I haven't seen this
>> documented anywhere. Maybe the PSK bubble could say? How is the
>> peer admin supposed to know on defining the PSK?
> 
> The tooltip for the password field does mention that limit.  As I said,
> we don't think PSK authentication is a good choice for remote access at
> all.  At least with the limit strong passwords will be used.  While the
> 20 character limit is arbitrary, I don't think we are going to lower it.
> 

I am not asking you to lower it. But the admin managing the PSKs
on his high-end VPN gateway on the peer doesn't know about this
restriction in strongswan. How would you like to address this?

Surely I understand that PSKs should be avoided in favor of server
certificate and EAP, but its hard for me to close a valid Debian bug
report about n-m-s, telling the user to drop PSKs and to try EAP
instead. Maybe it would help to officially set the PSK feature in
n-m-s to "deprecated"?


Regards
Harri