Securing NetworkManager

Laptop security differs from that of a stationary desktop system. Laptops are far more likely to be lost or stolen, and a lost or stolen laptop then becomes a security breach.

I use my laptop for work related tasks. I configured an encrypted virtual machine (VM) to protect that environment.

When away from the home network, security becomes a concern. NetworkManager defaults to providing users convenience. In my specific use case, that means passwords and keys are saved after the first time they are requested.

Not good. Anybody taking possession of the laptop would have access to those network connections.

Although my work-related VM is encrypted and requires a password, I sometimes use the laptop at work. Often in that environment I connect to my home VPN. I do not want that password stored. Likewise, I do not want the work-related wireless password stored. I want to be asked every time. Inconvenient, and it requires a little muscle memory, but it is more secure.

A challenge with NetworkManager, much like a lot of free/libre software, is that no direct GUI controls are provided to stop the program from saving passwords. At least none that I notice in version 1.2.2, which I am using.

Another challenge with NetworkManager is that when I am away from the home LAN I do not want DHCP servers or NetworkManager deciding which DNS servers to use. I use an aggressive blocking strategy based on dnsmasq. My laptop is configured to use my local server when at home. When away from the LAN I launch dnsmasq locally on the laptop and use the same strategy. The challenge is ensuring NetworkManager does not conflict with or override that configuration.

Surfing the web and reading the nm-settings man page provides the necessary clues.

NetworkManager uses something called secret flags. In my specific use case I want flag value 2, which means the secret is not saved.

For normal wireless connections the respective directive is:

    psk-flags=2

For a VPN:

    password-flags=2

This option means every time I use those connections I have to type the password.

Preventing NetworkManager from overriding DNS servers is another manual addition to each respective connection profile.

    dns=127.0.0.1;
    ignore-auto-dns=true

I use dnsmasq, which, when launched locally, listens on the localhost address 127.0.0.1. I use the same dnsmasq.conf that I use on the LAN server, which lets me use the DNS servers I want.
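As an added example (not code from the post), a small Python audit that reads NetworkManager keyfile profiles and reports any that would still store a secret on disk or accept DHCP-supplied DNS instead of the local dnsmasq. It assumes the keyfile plugin's section names ([wifi-security], [vpn], [ipv4]) for the keys the post quotes, and the two sample profiles are constructed for illustration.

```python
import configparser

# nm-settings documents secret flag value 2 as "not saved": the secret is asked
# for every time the connection is activated and never written to disk.
NOT_SAVED = 2
# Keyfile sections holding the two flags from the post (section names are an
# assumption taken from the keyfile format; the post quotes only the keys).
SECRET_FLAG_KEYS = (("wifi-security", "psk-flags"), ("vpn", "password-flags"))


def audit_profile(keyfile_text):
    """Return findings for one keyfile profile; an empty list means secrets are
    not saved and DNS is pinned to the local dnsmasq with auto DNS ignored."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(keyfile_text)
    findings = []
    for section, key in SECRET_FLAG_KEYS:
        if cp.has_section(section):
            # An absent flag defaults to 0, i.e. NetworkManager stores the secret.
            flags = cp.getint(section, key, fallback=0)
            if flags != NOT_SAVED:
                findings.append(f"{section}.{key}={flags}: secret is stored on disk")
    if cp.has_section("ipv4"):
        if not cp.getboolean("ipv4", "ignore-auto-dns", fallback=False):
            findings.append("ipv4.ignore-auto-dns missing: DHCP-supplied DNS is used")
        # Keyfile lists are ';'-terminated, e.g. "dns=127.0.0.1;".
        dns = [d for d in cp.get("ipv4", "dns", fallback="").split(";") if d]
        if dns != ["127.0.0.1"]:
            findings.append(f"ipv4.dns={dns}: not pinned to local dnsmasq")
    return findings


# Constructed sample profiles, not files from the post.
HARDENED_WIFI = """[connection]
type=wifi
[wifi-security]
psk-flags=2
[ipv4]
dns=127.0.0.1;
ignore-auto-dns=true
"""
DEFAULT_VPN = """[connection]
type=vpn
[vpn]
password-flags=0
[ipv4]
"""

if __name__ == "__main__":
    for name, text in (("work-wifi", HARDENED_WIFI), ("home-vpn", DEFAULT_VPN)):
        print(name, audit_profile(text) or ["ok"])
```

Pointing the loop at the files under /etc/NetworkManager/system-connections/ (read as root) turns this into a quick check that no profile quietly reverted to the convenient defaults.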
