[strongSwan-dev] nm applet 1.4.5, pre-shared key

Tobias Brunner tobias at strongswan.org
Fri Aug 30 10:07:48 CEST 2019


Hi Harald,

> Do you think it would be possible to dynamically change the input
> form, depending upon whether it's x509, PSK, smartcard or eap? The
> current static design is the confusing part.

I guess so.  If somebody wants to do it, patches are welcome.

> I am not asking you to lower it. But the admin managing the PSKs
> on his high-end VPN gateway on the peer doesn't know about this
> restriction in strongswan. How would you like to address this?

That strong secrets are enforced is already mentioned on the NM wiki
page [1].  I guess we could add the actual minimum length.  Or what did
you have in mind?

> Surely I understand that PSKs should be avoided in favor of server
> certificate and EAP, but it's hard for me to close a valid Debian bug
> report about n-m-s, telling the user to drop PSKs and to try EAP
> instead. Maybe it would help to officially set the PSK feature in
> n-m-s to "deprecated"?

I've no problem with that.  Something like adding "(deprecated)" to the
"Pre-shared key" entry of the authentication method drop-down field?

Regards,
Tobias

[1] https://wiki.strongswan.org/projects/strongswan/wiki/NetworkManager

