Debian WIFI password display

Status
Not open for further replies.
compis2

Guest
I am using Debian 12 with XFCE and the Network manager applet 1.20.0 displays the full WIFI password if requested without asking for a root password. This is a problem if an unattended workstation is left unlocked.

Can this issue be prevented?

debian wifi displayed.png
 


f33dm3bits

Gold Member
Gold Supporter
Joined
Dec 11, 2019
Messages
6,640
Reaction score
5,072
Credits
48,771

Attachments

  • Screenshot from 2023-11-29 18-40-04.png

KGIII

Super Moderator
Staff member
Gold Supporter
Joined
Jul 23, 2020
Messages
11,205
Reaction score
9,721
Credits
92,979
Anyone with physical access to the device can take ownership of the device.

There are ways to hinder them, such as full disk encryption, strong passwords, and never leaving a logged-in account unattended. If you're worried about someone doing this on your computer, you should take steps to avoid it.

You can easily read the wireless passwords in the terminal with a privileged account:


Again, anyone with physical access is able to take ownership of the device. This is the basic premise for an 'evil maid' attack.
 

f33dm3bits

There are ways to hinder them, such as full disk encryption, strong passwords, and never leaving a logged-in account unattended.
You can also use gnome-keyring and kde-wallet to encrypt your wifi passwords (and other passwords), that way they won't even show up in plaintext on the filesystem.
 

KGIII

You can also use gnome-keyring and kde-wallet to encrypt your wifi passwords (and other passwords), that way they won't even show up in plaintext on the filesystem.

I could be mistaken, but my understanding was that the plain text existed in the file (from the article) even with keyrings enabled. That's what I dimly recall from when I was writing the article but didn't actually test that. I'm sure I'd have not tested that.
 

f33dm3bits

I could be mistaken, but my understanding was that the plain text existed in the file (from the article) even with keyrings enabled. That's what I dimly recall from when I was writing the article but didn't actually test that. I'm sure I'd have not tested that.
I tested it myself: one screenshot where I haven't added the wifi password to the gnome-keyring and the other where I have, and both screenshots contain the output of the wireless connection.
Screenshot from 2023-11-29 19-39-06.png
 

Attachments

  • Screenshot from 2023-11-29 19-39-50.png

dos2unix

Well-Known Member
Joined
May 3, 2019
Messages
2,221
Reaction score
1,861
Credits
16,648
The other way I have gotten around this is to use nmcli from the command line as root.
Make the wifi-connection in nmcli as root, you will have to type the password out in clear text
when you make the connection, but no one else can see root's history. Or you can delete the
history if you want to. I've never tried running "history" with sudo, but I suppose it's possible
a sudo user could see root's history.

But usually I don't have any sudo users. You either know the root password or you don't.
 

KGIII

I tested it myself: one screenshot where I haven't added the wifi password to the gnome-keyring and the other where I have, and both screenshots contain the output of the wireless connection.

Sweet! It says Flags=1 instead. I'm not sure what I expected it to say, but it wasn't that. I guess I expected it to be encrypted. (Thanks for testing that. I should probably add that to the article at some point. There are a few articles that I should update.)
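
Added example (not part of any post in this thread): a small audit that reads NetworkManager keyfiles and reports whether each Wi-Fi profile keeps its PSK in the file or hands it to a secret agent such as a keyring, which is what `psk-flags=1` indicates. The sample profiles and the names `audit_keyfile`, `audit_directory` and `demo` are constructed for illustration; on a real system the directory to audit would normally be /etc/NetworkManager/system-connections, read as root.

```python
import configparser
import stat
import tempfile
from pathlib import Path

# NetworkManager secret flags (a bitmask) as written to psk-flags.
AGENT_OWNED = 0x1  # secret is held by the user's secret agent (keyring)
NOT_SAVED = 0x2    # secret is never stored, asked for on each connect

def audit_keyfile(path):
    """Classify where one connection profile keeps its Wi-Fi PSK."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",), strict=False)
    cp.read(path, encoding="utf-8")
    sec = cp["wifi-security"] if cp.has_section("wifi-security") else {}
    flags = int(sec.get("psk-flags", "0"), 0)
    if "psk" in sec:
        storage = "keyfile"      # plaintext PSK on disk
    elif flags & AGENT_OWNED:
        storage = "agent"        # PSK lives in the user's keyring
    elif flags & NOT_SAVED:
        storage = "not-saved"
    else:
        storage = "none"         # open network or no PSK configured
    mode = stat.S_IMODE(Path(path).stat().st_mode)
    return {"ssid": cp.get("wifi", "ssid", fallback=Path(path).stem),
            "storage": storage,
            "loose_mode": bool(mode & 0o077)}  # group/other can access the file

def audit_directory(directory):
    return {p.name: audit_keyfile(p)
            for p in sorted(Path(directory).glob("*.nmconnection"))}

# Constructed sample profiles (not taken from the thread's screenshots).
TEMPLATE = ("[connection]\nid={0}\ntype=wifi\n\n[wifi]\nssid={0}\n\n"
            "[wifi-security]\nkey-mgmt=wpa-psk\n{1}\n")
SAMPLES = {
    "office.nmconnection": (0o600, TEMPLATE.format("office", "psk=constructed-example-psk")),
    "home.nmconnection": (0o644, TEMPLATE.format("home", "psk-flags=1")),
}

def demo():
    with tempfile.TemporaryDirectory() as tmp:
        for name, (mode, body) in SAMPLES.items():
            path = Path(tmp, name)
            path.write_text(body, encoding="utf-8")
            path.chmod(mode)
        return audit_directory(tmp)

if __name__ == "__main__":
    print(demo())
```

A profile reported as `agent` still yields its password to anyone using the unlocked desktop session, because the keyring is unlocked along with it.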
 

gvisoc

Well-Known Member
Joined
May 29, 2020
Messages
562
Reaction score
680
Credits
5,578
This is a problem if an unattended workstation is left unlocked.

Can this issue be prevented?

Yes, of course, in several ways
  1. Educate your users to lock the PC.
  2. Educate your users to lock the PC.
  3. And my personal favourite: educate your users to lock the PC.
If there's a data leak, the wifi password is the least of your problems.
 
OP
compis2

Guest
The other way I have gotten around this is to use nmcli from the command line as root.
Make the wifi-connection in nmcli as root, you will have to type the password out in clear text
when you make the connection, but no one else can see root's history. Or you can delete the
history if you want to. I've never tried running "history" with sudo, but I suppose it's possible
a sudo user could see root's history.

But usually I don't have any sudo users. You either know the root password or you don't.
Changing nmcli to root is the closest answer. But nmcli has network information configuration; I do not think it holds or controls the WIFI password.
The idea is that when you show the password for WIFI, a root password must be entered. This exists for Mac and Windows.
 

wizardfromoz

Administrator
Staff member
Gold Supporter
Joined
Apr 30, 2017
Messages
9,770
Reaction score
8,632
Credits
43,749

f33dm3bits

You could probably get it done with a custom polkit rule but you would have to figure out which "action.id" you would need.
 
OP
compis2

Guest
You could probably get it done with a custom polkit rule but you would have to figure out which "action.id" you would need.
I think this is a security oversight with Debian based systems. This prevents Debian systems from being used as KIOSK type systems or shared computer systems. If I look at user accounts on Debian, if I try to add or change a user it requires root access. Accessing the WIFI password or any system password should only be allowed if you are root.
 

wizardfromoz

Take it up with the Devs, we are not the Devs.

Just in case of any misapprehension on your part, we are not an official arm nor organ of Linux, just scored the dot org name - we are manned by volunteer staff who share a love of Linux and have varying skills in various departments.

Wizard
 

dos2unix

I think this is a security oversight with Debian based systems. This prevents Debian systems from being used as KIOSK type systems or shared computer systems.

Maybe, but the sword cuts both ways. If Linux did lock down these things, then no one could ever join a Wifi-network except
root. There are ways in Linux to make it a true Kiosk client application and lock down everything else. But then typically
you get one application, and one application only. This isn't just a Debian thing, but pretty much all Linux distros do this.
Also keep in mind, it is possible to disable sudo, so that only root can do these things.
 
OP
compis2

Guest
This is a security omission. If Windows and Mac secure their WIFI password, there is no reason Linux should not do the same. I have made a post with Gnome regarding the issue.
 

wizardfromoz

I have made a post with Gnome regarding the issue,

That's fine, so there is no need for further discussion here until you get a response from them.

Locking this thread, for now.

The OP can converse with me to get it reopened.

In the meantime, thanks as always to all Helpers.

Chris Turner
wizardfromoz
 