guix-patches

[bug#55055] [PATCH] gnu: wireguard: Add support for PresharedKey


From: Maxime Devos
Subject: [bug#55055] [PATCH] gnu: wireguard: Add support for PresharedKey
Date: Thu, 21 Apr 2022 16:25:53 +0200
User-agent: Evolution 3.38.3-1

Paul Alesius wrote on Thu 21-04-2022 at 15:26 [+0200]:
> +  (preshared-key     wireguard-peer-preshared-key
> +                     (default #f))   ;string
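Review bot: the new `preshared-key` field of `wireguard-peer` is undocumented and its `;string` annotation disagrees with the default of `#f`, so a reader has no way to learn that `#f` (disabled) and a key string are both accepted; add the field to the manual's description of `wireguard-peer` and write the annotation as `;#f|string`. The field also accepts any value unchecked, so a non-string such as a bytevector silently produces a broken configuration file rather than an error at reconfigure time; consider validating the value when the record is built. Since the generated configuration lives in the store and is therefore world-readable, the documentation for this field should also say that the preshared key becomes readable by every user on the system.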

This should be documented in the documentation, otherwise it will be
difficult to discover.  Also, #f is not a string, did you mean
‘;#f|string’?

Also, a limitation: the preshared key will end up in the store, and
hence be world-readable.  So other users on the same system (other
people or compromised system daemons) could now determine the preshared
key.

Questions:

  * Could the security limitation be documented?

  * What security impact does a leaked secret key have?

  * Does wireguard have some inclusion mechanism, such that the
    wireguard configuration can ‘include’ some file outside the store?

  * WDYT of verifying that the preshared key looks ‘reasonable’
    (I guess only a-z0-9 characters, no spaces or newlines, not a
    bytevector ...)

    As-is, if I do (preshared-keys (string->utf8 "oops I thought this
    needs to be bytevector")) then "guix system reconfigure" doesn't
    give a nice error message, it will just silently produce a broken
    configuration file.

Greetings,
Maxime.
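The kind of check the last question asks for, written as an added Guile example rather than code from the patch or from Guix: a validator that accepts `#f` or a well-formed key and otherwise fails with a message naming the problem, so that a misconfigured value is caught when the system is built instead of being written into a broken configuration file. It assumes the WireGuard key encoding (32 random bytes, base64-encoded, giving 43 base64 characters followed by a single `=`); the procedure names `wireguard-key-string?` and `check-preshared-key` and the sample values are constructed for the example.

```scheme
;; Added example, not part of the patch or of Guix.
(use-modules (ice-9 regex)
             (rnrs bytevectors))

;; Assumption about the format: a WireGuard key is 32 bytes encoded as
;; base64, i.e. 43 characters from the base64 alphabet plus one '='.
(define %wireguard-key-rx
  (make-regexp "^[A-Za-z0-9+/]{43}=$"))

(define (wireguard-key-string? obj)
  "Return #t if OBJ is a string that looks like a base64-encoded
WireGuard key, #f otherwise."
  (and (string? obj)
       (regexp-exec %wireguard-key-rx obj)
       #t))

(define (check-preshared-key value)
  "Return VALUE when it is #f (no preshared key) or a well-formed key
string.  Otherwise raise an error that says what is wrong with the
value, so that building the system fails early and loudly."
  (cond ((not value)
         value)
        ((wireguard-key-string? value)
         value)
        ((bytevector? value)
         (error "preshared-key: expected a base64 string, not a bytevector"
                value))
        ((string? value)
         (error "preshared-key: not a base64-encoded 32-byte key (44 \
characters, ending in '=')"
                value))
        (else
         (error "preshared-key: expected a string or #f" value))))

;; Constructed sample values (not real keys).
(define %sample-good-key
  (string-append (make-string 43 #\A) "="))           ; 44 characters
(define %sample-bad-key
  (string->utf8 "oops I thought this needs to be bytevector"))

;; The good value passes through unchanged ...
(check-preshared-key %sample-good-key)
(check-preshared-key #f)

;; ... and the mistake from the review is reported instead of being
;; silently written into the configuration file.
(catch 'misc-error
  (lambda () (check-preshared-key %sample-bad-key))
  (lambda (key . args)
    (format #t "rejected: ~a~%" (cadr args))))
```

In a Guix service definition the procedure would be attached to the record field rather than called by hand, so that any `wireguard-peer` built with a bad value fails at construction; the exact mechanism for that is left to the service's own record definition.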


