Option to not store password #15

Open
dagrha opened this issue Jul 11, 2017 · 6 comments
dagrha (Owner) commented Jul 11, 2017

Right now the password to connect to the PIA VPN is stored in the configuration files. Even though the file is pretty well protected since it is only readable by root, this is not ideal in terms of security. At the very least I'd like to add the option to not store the password, which would require entering your password every time a VPN connection is initiated.

Ideally we'd use Keyring or Wallet to handle passwords, but since this script aims to be cross-platform with minimal dependencies, that approach would be tricky.

@dagrha dagrha self-assigned this Jul 11, 2017
nextbeat82 commented
Is it possible to use this option:

auth-user-pass .secrets

Then create a text file in the same directory called .secrets and in it place username and password on the first and second lines respectively. Protect this information from other users on your system:

chmod 600 .secrets

Ukd posted this information in https://www.privateinternetaccess.com/forum/discussion/20798/command-line-start-at-boot-linux-vpn
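
Added example (editor's code, not pypia's and not from the forum post above): it writes the two-line credentials file that `auth-user-pass` expects so that it is mode 0600 from the moment it exists, refuses to read it back if anyone else can, and emits the profile directives. The path, the sample username/password and all function names are constructed for illustration. `auth-nocache`, which the comment above does not mention, is the OpenVPN option that stops the client from keeping the password in memory after the first authentication.

```python
"""Create and verify an OpenVPN auth-user-pass credentials file.

Added example; not part of pypia or the PIA forum post. Paths, sample
credentials and helper names are constructed for illustration.
"""
import os
import stat
import tempfile


def write_credentials(path, username, password):
    """Write username and password on two lines, private from creation.

    A `chmod 600` after the fact leaves a window in which a permissive
    umask makes the file readable by others, so the file is created with
    its final mode, and O_EXCL refuses to follow or clobber an existing
    path (including a symlink planted by another user).
    """
    for value in (username, password):
        if "\n" in value or "\r" in value:
            raise ValueError("credentials must not contain line breaks")
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(f"{username}\n{password}\n")
    return path


def credentials_file_is_private(path):
    """True only for a regular file with no group/other permission bits."""
    st = os.lstat(path)               # lstat: a symlink never passes
    if not stat.S_ISREG(st.st_mode):
        return False
    return (st.st_mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0


def read_credentials(path):
    """Return (username, password), but only from a private file."""
    if not credentials_file_is_private(path):
        raise PermissionError(f"{path} is readable by other users; refusing")
    with open(path) as fh:
        lines = fh.read().splitlines()
    if len(lines) < 2:
        raise ValueError(f"{path} must hold username and password on two lines")
    return lines[0], lines[1]


def ovpn_auth_directives(path):
    """Lines to add to the .ovpn profile; auth-nocache keeps openvpn from
    retaining the password in memory after the initial authentication."""
    return [f"auth-user-pass {path}", "auth-nocache"]


def demo():
    """Run the scenario in a throwaway directory; return what each step saw."""
    with tempfile.TemporaryDirectory() as d:
        secrets = os.path.join(d, ".secrets")       # constructed path
        write_credentials(secrets, "p1234567", "example-password")
        os.chmod(secrets, 0o640)                    # a careless chmod ...
        private_after_640 = credentials_file_is_private(secrets)
        os.chmod(secrets, 0o600)                    # ... then the fix from the post
        private_after_600 = credentials_file_is_private(secrets)
        return {
            "private_after_640": private_after_640,
            "private_after_600": private_after_600,
            "creds": read_credentials(secrets),
            "directives": ovpn_auth_directives(secrets),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

`read_credentials` is the check worth keeping: it makes a loosened mode a hard failure instead of a silent exposure, which is the only part of this that `chmod 600` by hand cannot guarantee for you.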

dagrha (Owner, Author) commented Jul 22, 2017

Thanks for the comment, nextbeat82.

There are two issues here. First is that those instructions are for openvpn configuration files, whereas pypia configures NetworkManager configuration files. I am not sure if NM supports storing auth details in a separate file-- I will have to look into it.

The second issue though is whether this is any more secure. It's still a plaintext file sitting on your filesystem with the same permissions as the NetworkManager configuration files.

If the NetworkManager config files do support storing auth details in a separate file, maybe one approach would be to store the auth details in an encrypted file which would be decrypted on boot, prior to NetworkManager initiating.

nextbeat82 commented
Sorry, still a beginner with some of this stuff. I didn't understand at first that the .ovpn files were different than the profiles that were created for NetworkManager. According to the nm-settings-keyfile description page, "...private keys and passphrases may be stored in plaintext inside the file". Before that it mentioned that "..files that are readable or writable by any user or group other than 'root'" are ignored for security reasons. Looks like storing creds in a separate file is possible. Haven't looked into having a system query encrypted files yet.

dagrha (Owner, Author) commented Jul 31, 2017

Thanks for the info, nextbeat82. After reading that nice link you sent, I am now under the impression that nm does not allow the option to store credentials in a file outside of the keyfile. There are several secrets-flag options, but none seems to allow storing credentials in an external file:

0 - (NM owned) - the system is responsible for providing and storing this secret.

1 - (agent-owned) - a user-session secret agent is responsible for providing and storing this secret; when it is required, agents will be asked to provide it.

2 - (not-saved) - this secret should not be saved but should be requested from the user each time it is required.

4 - (not-required) - in some situations it cannot be automatically determined that a secret is required or not. This flag hints that the secret is not required and should not be requested from the user.

Currently pypia uses the 0 flag, so nm provides and stores the secrets in the keyfiles in /etc/NetworkManager/system-connections/ directory. I am guessing that using Keyring or Wallet is possible, given a 1 flag. A 2 flag would ask for credentials each time. 4 is not an option here.
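
Added example (editor's code, not pypia's own): it renders the secret-handling part of a NetworkManager keyfile for an OpenVPN connection with a chosen `password-flags` value, so the difference between the 0 flag pypia uses today (NM stores the password in `[vpn-secrets]`) and the 2 flag (nothing stored, user prompted every time) is visible side by side, and it audits an existing keyfile for a plaintext password. With the 1 flag NM expects a session secret agent (GNOME Keyring, KWallet) to hold the password, so that keyfile carries none either. The connection name, remote, username and the derived UUID are constructed; keys unrelated to secret handling (CA certificate, cipher and so on) are left out.

```python
"""Render and audit NetworkManager keyfiles by password-flags value.

Added example; not pypia's code. Connection name, remote host, username
and UUID are constructed values, and only the keys that matter for
secret handling are emitted.
"""
import configparser
import uuid as uuidlib

# Secret-flag values from nm-settings (4, not-required, is omitted as
# it does not apply to a VPN password).
NM_OWNED, AGENT_OWNED, NOT_SAVED = 0, 1, 2


def render_keyfile(name, remote, username, password=None,
                   password_flags=NM_OWNED):
    """Return keyfile text for /etc/NetworkManager/system-connections/.

    Only password-flags=0 gets a [vpn-secrets] section. For 1 and 2 the
    secret must not be in the file at all, so supplying one is an error
    rather than something silently written to disk.
    """
    if password_flags not in (NM_OWNED, AGENT_OWNED, NOT_SAVED):
        raise ValueError("password-flags must be 0, 1 or 2")
    if password_flags == NM_OWNED and password is None:
        raise ValueError("password-flags=0 means NM stores the secret; none given")
    if password_flags != NM_OWNED and password is not None:
        raise ValueError("password given but NM is not meant to store it")

    # Deterministic UUID from the connection name (constructed scheme).
    conn_uuid = uuidlib.uuid5(uuidlib.NAMESPACE_URL, name)
    lines = [
        "[connection]",
        f"id={name}",
        f"uuid={conn_uuid}",
        "type=vpn",
        "autoconnect=false",
        "",
        "[vpn]",
        "service-type=org.freedesktop.NetworkManager.openvpn",
        "connection-type=password",
        f"remote={remote}",
        f"username={username}",
        f"password-flags={password_flags}",
        "",
    ]
    if password_flags == NM_OWNED:
        lines += ["[vpn-secrets]", f"password={password}", ""]
    lines += ["[ipv4]", "method=auto", ""]
    return "\n".join(lines)


def audit_keyfile(text):
    """Report how a keyfile handles the VPN password.

    'inconsistent' flags a file that claims NM does not own the secret
    yet still carries one in [vpn-secrets] (e.g. after a hand edit).
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str                      # keyfile keys are case-sensitive
    cp.read_string(text)
    flags = cp.getint("vpn", "password-flags", fallback=NM_OWNED)
    stored = cp.has_option("vpn-secrets", "password")
    return {
        "password_flags": flags,
        "plaintext_password_in_file": stored,
        "prompts_each_time": bool(flags & NOT_SAVED),
        "inconsistent": stored and flags != NM_OWNED,
    }


if __name__ == "__main__":
    args = ("PIA - US East", "us-east.privateinternetaccess.com", "p1234567")
    stored = render_keyfile(*args, password="example-password")
    prompted = render_keyfile(*args, password_flags=NOT_SAVED)
    for label, text in (("flags=0", stored), ("flags=2", prompted)):
        print(label, audit_keyfile(text))
```

Because NetworkManager ignores keyfiles that anyone other than root can read or write, the file permission question is the same for every flag value; what the flag changes is whether there is a secret in the file to protect at all.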

d4rkcat commented Nov 15, 2017

Hi @dagrha,
Nice script. I also just protect the credentials with chmod 400. You can also add auth-nocache to the ovpn config to prevent openvpn from storing creds in memory.
It's a classic tossup between convenience and security, but my thinking is if you have a user with root access to your box then you are completely compromised no matter what. Entering the password every time just seems like too much hassle to me.

dagrha (Owner, Author) commented Nov 16, 2017

Thanks d4rkcat, I like your pia shell script, too. You have some nice options there, for example the firewall and port stuff.

I have poked around a little bit in documentation for the networkmanager keyfiles (i.e. the confs in /etc/NetworkManager/system-connections/) and I have yet to come across any flags for not caching credentials in memory. It does appear that, as you say, the ovpn files do allow that. I may have to migrate to ovpn files rather than NM keyfiles in the future to add more functionality.

I tend to agree with you about the convenience vs security stuff.
