https://bugs.kde.org/show_bug.cgi?id=494264

            Bug ID: 494264
           Summary: Auto-connecting Wireguard with encrypted private key
                    always prompts password on login
    Classification: Plasma
           Product: plasma-nm
           Version: unspecified
          Platform: Arch Linux
                OS: Linux
            Status: REPORTED
          Severity: normal
          Priority: NOR
         Component: general
          Assignee: plasma-b...@kde.org
          Reporter: jeffchienm...@gmail.com
  Target Milestone: ---

Created attachment 174519
  --> https://bugs.kde.org/attachment.cgi?id=174519&action=edit
Password prompt

SUMMARY

Adding an automatically activated Wireguard connection with an encrypted private
key stored in KWallet causes plasma-nm to prompt for a password upon login.

STEPS TO REPRODUCE
1. Install/enable NetworkManager, plasma-nm, and KDE Wallet.
2. Set KDE Wallet password to login password to enable automatic unlocking.
3. Add a Wireguard connection in NetworkManager, check "Connect automatically
with priority", and select "Store password for this user only (encrypted)".
4. Reboot (oddly enough, logging out and back in doesn't trigger this, maybe
because NetworkManager doesn't trigger automatic connections more than once?).
5. Login.

OBSERVED RESULT

See attached password prompt. No matter how you interact with the prompt,
including entering the private key, the Wireguard connection will not activate
successfully, unlike WiFi connections.

Note that if you select the Wireguard connection in plasma-nm manually after
this, it will correctly connect with the PK stored in KDE Wallet.

EXPECTED RESULT

The Wireguard connection should automatically activate using the PK in KDE
Wallet without user interaction.


SOFTWARE/OS VERSIONS
Linux: ArchLinux 6.11.0-zen1-1-zen
KDE Plasma Version: libplasma 6.1.5-1
KDE Frameworks Version: plasma-workspace 6.1.90-1
Qt Version: qt6-base 6.7.3-2
plasma-nm Version: 6.1.5-1

ADDITIONAL INFORMATION

I dug into the source myself and it seems that the plasma-nm SecretAgent only
returns Wireguard secrets if NetworkManager indicates that the connection
activation was user requested:
https://invent.kde.org/plasma/plasma-nm/-/blob/master/kded/secretagent.cpp?ref_type=heads#L410

For automatic connections, NetworkManager doesn't set that flag bit:
https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/blob/main/src/core/nm-policy.c#L1502
https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/blob/main/src/core/nm-active-connection.c#L608

I'm not quite sure why plasma-nm needs that bit to send secrets. Both NM's
NMSecretAgentSimple and GNOME's network-manager-applet don't use that bit:
https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/blob/main/src/libnmc-base/nm-secret-agent-simple.c
https://gitlab.gnome.org/GNOME/network-manager-applet/-/blob/main/src/applet-agent.c

The original userRequested check seems to come from 4ecf6a9, but I can't find
the context for it:
https://invent.kde.org/plasma/plasma-nm/-/commit/4ecf6a9

It's plausible to me that there was an upstream API change in how that bit is
set that caused this misalignment between NM and plasma-nm. In any case, I
patched (isWireGuard && userRequested) to just isWireguard in my local build
and it works to my satisfaction now.

It's possible that the (isVpn && userRequested) check below is causing Bug
385395.

-- 
You are receiving this mail because:
You are watching all bug changes.
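
Added example, not part of the original report and not plasma-nm's own code: a simplified C++ model of the GetSecrets gate described under ADDITIONAL INFORMATION, comparing the (isWireGuard && userRequested) condition with the reporter's local change for an autoconnect request and a manual one. The flag values are NetworkManager's NMSecretAgentGetSecretsFlags bits; the struct, the function names and the two sample requests are constructed for illustration.

```cpp
#include <cstdint>
#include <iostream>
#include <string>

// Bit values of NMSecretAgentGetSecretsFlags in NetworkManager's secret agent API.
constexpr std::uint32_t AllowInteraction = 0x1;
constexpr std::uint32_t RequestNew = 0x2;
constexpr std::uint32_t UserRequested = 0x4;

// Hypothetical stand-in for one GetSecrets call; not a plasma-nm type.
struct SecretsRequest {
    std::string setting;  // setting that needs secrets, e.g. "wireguard"
    std::uint32_t flags;  // flags NetworkManager passed with the request
    bool keyInWallet;     // a stored private key is available to the agent
};

// Decode a flags bitmask into names, e.g. when reading agent debug output.
std::string describeFlags(std::uint32_t flags) {
    std::string out;
    auto add = [&](std::uint32_t bit, const char *name) {
        if (flags & bit) out += (out.empty() ? "" : "|") + std::string(name);
    };
    add(AllowInteraction, "ALLOW_INTERACTION");
    add(RequestNew, "REQUEST_NEW");
    add(UserRequested, "USER_REQUESTED");
    return out.empty() ? std::string("NONE") : out;
}

// Assumption of this model: a stored key is only usable when NetworkManager
// did not set REQUEST_NEW (which asks for fresh secrets from the user).
bool storedKeyUsable(const SecretsRequest &r) {
    return r.setting == "wireguard" && r.keyInWallet && (r.flags & RequestNew) == 0;
}

// Gate as described in the report: (isWireGuard && userRequested).
bool gatedRelease(const SecretsRequest &r) {
    return storedKeyUsable(r) && (r.flags & UserRequested) != 0;
}

// Reporter's local change: the userRequested condition is dropped.
bool patchedRelease(const SecretsRequest &r) { return storedKeyUsable(r); }

int main() {
    // Constructed requests: autoconnect at boot vs. a manual activation.
    const SecretsRequest boot{"wireguard", AllowInteraction, true};
    const SecretsRequest manual{"wireguard", AllowInteraction | UserRequested, true};
    for (const auto &r : {boot, manual})
        std::cout << describeFlags(r.flags) << ": gated=" << gatedRelease(r)
                  << " patched=" << patchedRelease(r) << '\n';
}
```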
