Hello,
Sorry in advance, this is a complicated one!
I am trying to authenticate workstations (running Alma Linux 8) on my network using 802.1x and EAP-TLS (with both a client cert and a private key installed on each workstation).
My problem is, I do not want the users to be able to see their machine's private key password - however, by opening the settings GUI for my connection, any user on the machine could go to the "802.1x" tab and see the machine's private key's password in cleartext.
I could protect the certificate and private key files, as well as the /etc/sysconfig/network-scripts/ifcfg-xxxxx connection settings files, using simple UNIX permissions - however, I could never find a way to hide the private key's password when using the connection's settings GUI.
I tried using the "connection.permissions" setting, first with only 'user:root', then also with 'user:root,user:dbus'; it did the trick, as the connection's settings GUI is made invisible to non-privileged users. However, the 'autoconnect' procedure won't be able to use my connection anymore: it will still start when doing 'nmcli connection up MyConnection', but not at boot nor when unplugging and then re-plugging the RJ45 cable. Adding 'user:<the-user-running-the-session>' to 'connection.permissions' fixes the 'autoconnect' problem, but the user will then be able to see the connection's private key password...
I couldn't manage to understand how 'autoconnect' works, but it seems that, even though the "NetworkManager" and "wpa_supplicant" processes are running as root, some other processes required for it to work belong to the user running the GNOME session (maybe the "dbus-daemon" processes), which makes the connection with restricted permissions inaccessible for the autoconnect procedure.
Would you know if what I'm trying to achieve is possible?
Is there a way to restrict "connection.permissions" without making the connection unable to connect automatically? Otherwise, is there another way to protect the machine's private key's password from the users while still storing it permanently on the workstation?
Would you know where I can find very complete documentation on how 'autoconnect' works, or at least tell me which processes are involved?
Thank you in advance, have a nice weekend!