Feature Description
Currently when using VPN connections from NetworkManager, from what I've seen secrets are not handled:
- existing secrets are not reused on VPN
- no prompt for new secrets to be stored in the backend
I tried to dig a bit deeper into how and why, because I've seen there was already a previous related issue: #90
My understanding is that even if the Gnome-Keyring session is properly unlocked and exposed, it's the responsibility of the NetworkManager clients to use the Secret Service DBus API to store and retrieve related secrets.
A client seems to be provided by libsecret; here are some Python usage examples.
Note that for VPN, in my case, some require double credentials: first class login/pass, then TOTP. So I think in this case the simplest is to do the same as the GNOME Shell implementation: store and use the login/pass, then prompt for TOTP. But if you manage to allow a script for the TOTP prompt, it would, as a bonus, allow using password managers like 1Password or Bitwarden to automatically fill the TOTP with their CLI (with fingerprint if supported, but I think this is a separate issue).
They can also be retrieved and stored using the `secret-tool` CLI:
- `secret-tool lookup connection-uuid <uuid>`: get the password
- `secret-tool search connection-uuid <uuid>`: get all the fields
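
The flow described in this issue (reuse the stored password, then get the TOTP from a helper script or a prompt), as an added example that is not part of the original issue or the project's code. `run_capture`, `vpn_credentials` and the `totp_helper` command line are hypothetical names; only the `secret-tool lookup connection-uuid <uuid>` call comes from the issue.

```python
import getpass
import shlex
import subprocess


def run_capture(argv):
    """Run argv without a shell; return stdout (newline-stripped) or None."""
    try:
        proc = subprocess.run(argv, capture_output=True, text=True, timeout=30)
    except (OSError, subprocess.TimeoutExpired):
        return None  # binary missing, not executable, or hung
    out = proc.stdout.rstrip("\n")
    return out if proc.returncode == 0 and out else None


def vpn_credentials(uuid, totp_helper=None, run=run_capture,
                    prompt=getpass.getpass):
    """Return (password, totp) for a NetworkManager connection UUID.

    password: stored secret, read with the secret-tool lookup from the issue.
    totp: never stored; taken from totp_helper (hypothetical: any command
    that prints the current code, e.g. a password manager CLI) or, failing
    that, from an interactive prompt.
    """
    password = run(["secret-tool", "lookup", "connection-uuid", uuid])
    if password is None:
        # Nothing stored, or the keyring is locked: ask the user instead.
        password = prompt("VPN password: ")

    totp = None
    if totp_helper:
        # shlex.split + argv list: the helper string is never passed to a shell.
        totp = run(shlex.split(totp_helper))
        ok = (totp is not None and totp.isascii() and totp.isdigit()
              and 6 <= len(totp) <= 8)
        if not ok:
            totp = None  # unexpected helper output is dropped, not sent on
    if totp is None:
        totp = prompt("TOTP code: ")
    return password, totp
```

Secrets are read from stdout and prompts only, so neither the password nor the TOTP appears in a process argument list.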