On Thu, Apr 25, 2013 at 12:11:25AM +0200, Péter Sólyom-Nagy wrote:
> Please tell me, what happens if I import a PCF file on the Network
I'm not sure we have any specific data on NetworkManager, here. It would be best to
contact the developer and discuss your concerns with them. That said, I'll try to
address some of your concerns below.
> My PCF file refers to a Cisco VPN using group password.
> - Is the group password accessible during the import (of course it is
> otherwise it's useless...)
Yes, it would need to be accessible to the software in order for the circuit to be
> - How is it decrypted?
The password (any password) isn't encrypted but rather obfuscated. I don't know
exactly what the protocol is but it would be whatever Cisco designed.
> - Which programs are involved? (Is any of them so called unsafe?)
I believe NetworkManager has a plugin that it uses for VPN connectivity. I'm not
aware of it being "unsafe" but I guess that depends on your definition of
> - Where're the passwords stored? (Probably in KWallet)
I'm not sure as they can be stored in several locations depending on how your system
is set up. I believe KWallet is default in KDE but that isn't necessarily where the
information will be stored. You could create a dummy account in your VPN software and go
in search of the credentials in KWallet and see if they are there.
> - Are the VPN passwords "clear-text" accessible somewhere?
That would depend on how the password is stored (see above).
> I need to prove that using this PCF file is secure on F18 too. The PCF file
> originates from a Windows environment. The publishing company uses the
> official Cisco client.
Well, you can't prove a negative. Is it safer than using the "official"
Cisco client? Probably. It would appear that the official software doesn't have a
perfect track record when it comes to security:
> I know that there are tons of sites and apps to decrypt the password, but I
> need to prove that the basic Fedora installation is secure.
Secure against what? Yes, Cisco didn't do a great job securing their "group
password" as, like you say, there are many websites out there that can decrypt it for
you. The Fedora software must do the same thing, just as the Cisco software does, to
build the VPN circuit. Again, you won't be able to prove that an installation is
secure but you can look to see if it is secure against listed attacks or whatnot.
Is the NetworkManager implementation of the Cisco VPN client as secure as the Cisco VPN
client? Probably. Is it more secure than the Cisco VPN client? Probably. You can look
at all the code used in Fedora's implementation of the VPN client but you can't do
that for Cisco's client so you don't know what might be hiding in their code.
Hope that helps.
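Added example, not part of the original message: one way to check where an imported VPN connection keeps its secrets is to read the connection's NetworkManager keyfile and interpret the per-secret flags. The key names (`IPSec secret`, `Xauth password`, the `-flags` suffix, the `[vpn-secrets]` section) are assumed from the NetworkManager vpnc plugin, and the keyfile below is constructed sample data.

```python
import configparser

# NetworkManager secret-flag values (assumed from the nm-settings documentation).
FLAG_MEANING = {
    0: "system-owned: stored by NetworkManager in the connection file",
    1: "agent-owned: held by the user's secret agent (e.g. KWallet)",
    2: "not saved: prompted for on every connect",
    4: "not required",
}

# Constructed sample keyfile; host, group and secret values are placeholders.
SAMPLE_KEYFILE = """\
[connection]
id=example-vpn
type=vpn

[vpn]
service-type=org.freedesktop.NetworkManager.vpnc
IPSec gateway=vpn.example.invalid
IPSec ID=examplegroup
IPSec secret-flags=0
Xauth username=alice
Xauth password-flags=1

[vpn-secrets]
IPSec secret=constructed-group-secret
"""

def audit_vpn_secrets(keyfile_text):
    """Return {secret name: (flags, storage description, cleartext_in_file)}."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keyfile keys are case-sensitive
    cp.read_string(keyfile_text)
    vpn = cp["vpn"] if cp.has_section("vpn") else {}
    stored = cp["vpn-secrets"] if cp.has_section("vpn-secrets") else {}
    report = {}
    for key, value in vpn.items():
        if not key.endswith("-flags"):
            continue
        name = key[: -len("-flags")]
        flags = int(value)
        where = FLAG_MEANING.get(flags, "combined flags 0x%x" % flags)
        report[name] = (flags, where, name in stored)
    # A stored secret with no flags key is treated as system-owned (0).
    for name in stored:
        report.setdefault(name, (0, FLAG_MEANING[0], True))
    return report

if __name__ == "__main__":
    for name, (flags, where, clear) in audit_vpn_secrets(SAMPLE_KEYFILE).items():
        print(f"{name}: flags={flags} ({where}); cleartext in file: {clear}")
```

A secret reported as system-owned with cleartext in the file is protected only by the file's ownership and permissions, so those are the next thing to check on the real system.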