Kicksecure Network Configuration

NM likes (for DHCP assignment) to call the /sbin/dhclient/ script. Then, that script runs and in turn tells nm-dhcp-helper, which takes over from there. My question is, would it be hard to tell dhcpcanon to deal with NM directly, or would it take the place of dhclient and then communicate with nm-dhcp-helper?

2 Likes

Does this answer your question?
https://dhcpcanon.readthedocs.io/en/latest/integration.html

2 Likes

Preferably, none but this wouldn’t be the most usable. DHCP is unencrypted and unauthenticated, making it vulnerable to MITM attacks. It can also leak certain identifiers like the hostname but dhcpcanon should solve these.

Tails has an issue on using dhcpcanon but it has no activity.

We could maybe create a script to automatically set up a static IP but this would be far more error-prone than DHCP.

1 Like

DHCP is a must. If networking is broken out of the box, users will just give up on Kicksecure.

These are less a concern with Kicksecure Host.
More concern with Whonix Host.

1 Like

It could be optional. During start up, it can ask the user “Do you want to use DHCP (easier, less secure) or a static IP (advanced, more secure)?”.

dhcpcanon might not actually be a viable option. The last commit was in 2018 and the GitHub page (juga0/dhcpcanon: DHCP client disclosing less identifying information) says:

"WIP, still not recommended for end users."

An alternative should probably be found. There are some leaks we can fix ourselves e.g. Tails - Design: specification and implementation

1 Like

Not sure that’s doable. Gets a lot more complex. An either-DHCP-or-static wizard implementation would require a script. Generating the configuration files using a script makes the whole thing rather functional, while a DHCP implementation could be purely declarative (only config files).
Related to Focus on low-effort maintainability.

Then also CLI vs XFCE support. Must work in CLI somehow too. Think: server support. Using an ISO to install a server. In that case broken DHCP or any setup questions are even worse.

But it’s rather theoretical, as we don’t even have a simple network manager / DHCP implementation yet, nobody has signed up yet to work on that, and other major parts are missing, such as the Kicksecure homepage, forums, ISO, etc.

1 Like

It definitely does, thank you!
It looks like there are 2 options: to use the Python API for NM and have dhcpcanon talk to NM directly, or to have dhcpcanon call the nm-dhcp-helper script and communicate with NM via D-Bus and the helper script.

2 Likes

Please update me on what you decided so I can apply the changes and put out a new release that works.

1 Like

Still same as Kicksecure Network Configuration - #6 by Patrick

Patches welcome.

That would require a working implementation, which doesn’t exist and which doesn’t look like it will exist soonish.

1 Like

Alright so I will add dhcpcanon here:

Comment out static settings and comment in dynamic address support here:

https://github.com/Whonix/kicksecure-network-conf/blob/master/etc/network/interfaces.d/30_kicksecure

Does that sound good?

I didn’t quite understand how VBox could be affected though since they have a DHCP server. Can you please test if having a dhcp client and enabling interface dhcp support doesn’t break?

1 Like

Is that all that is required to make dhcpcanon work?

This might even work since we had that in Whonix 9 (not sure when we stopped DHCP for Whonix).

https://github.com/Whonix/whonix-gw-network-conf/blob/Whonix9/etc/network/interfaces.whonix

Yes.

  • I guess could make Kicksecure KVM work and if we’re lucky doesn’t break Kicksecure VirtualBox.
  • And I guess that also doesn’t block a later complete Kicksecure host network configuration (network manager…).

Works? Doesn’t break DNS either? Tested?

I hope this is going to be easy and not require any changes in https://github.com/Whonix/Whonix/blob/master/build-steps.d/2600_create-vbox-vm because then it could take time until this is figured out.

Pretty much

Connections work normally.

11 posts were split to a new topic: Selecting Secure Packages from packages.debian.org

Split the discussion on the security of dhcpcanon and the more general question of which packages from packages.debian.org are suitable and if it would be possible to have a better policy to a separate forum thread, see:


Merged. Not yet tested.

2 Likes

Is this project dead? · Issue #32 · juga0/dhcpcanon · GitHub

1 Like

Anyone up to implement host / network manager / WiFi support too?

2 Likes

I will take a crack at it, though I have no means to test the end result on bare metal, so I’ll enlist our onion in shining armor @onion_knight to help us out here. Maybe all we’ll need is a USB WiFi stick to test this in a VM.

I believe all that’s needed is network-manager-gnome for it to work? (I assume we’ll be shipping a kernel with the required wifi modules and firmware included) Just checked and it pulls in wifi related stuff like wpasupplicant.

1 Like

Yes, for now standard Debian kernel.

Dunno. But one thing… Please always assume --no-install-recommends.

sudo apt install --no-install-recommends network-manager-gnome

1 Like

With --no-install-recommends:

The following NEW packages will be installed:
  libayatana-appindicator3-1 libayatana-ido3-0.4-0 libayatana-indicator3-7
  libbluetooth3 libdbusmenu-glib4 libdbusmenu-gtk3-4 libgck-1-0
  libgcr-base-3-1 libjansson4 libmm-glib0 libndp0 libnl-3-200 libnl-genl-3-200
  libnl-route-3-200 libnm0 libnma0 libpcsclite1 libteamdctl0 network-manager
  network-manager-gnome wpasupplicant

Without:

The following NEW packages will be installed:
  crda dns-root-data dnsmasq-base gcr gnome-keyring gnome-keyring-pkcs11 iw
  libayatana-appindicator3-1 libayatana-ido3-0.4-0 libayatana-indicator3-7
  libbluetooth3 libdbusmenu-glib4 libdbusmenu-gtk3-4 libgck-1-0
  libgcr-base-3-1 libgcr-ui-3-1 libjansson4 libjim0.77 libmbim-glib4
  libmbim-proxy libmm-glib0 libndp0 libnl-3-200 libnl-genl-3-200
  libnl-route-3-200 libnm0 libnma0 libpam-gnome-keyring libpcap0.8
  libpcsclite1 libqmi-glib5 libqmi-proxy libteamdctl0
  mobile-broadband-provider-info modemmanager network-manager
  network-manager-gnome p11-kit p11-kit-modules pinentry-gnome3 ppp
  usb-modeswitch usb-modeswitch-data wireless-regdb wpasupplicant

I think we should be OK. The main wifi barebones stuff is included either way. I don’t know if dhcpcanon will run into problems without support from the GUI, though it is started automatically anyway and I’ve never seen any simple users playing with DHCP settings, let alone knowing what it is.

1 Like
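
Added example (not part of the thread or of any Kicksecure script): a small shell helper that parses two `apt install` transcripts and lists the packages that are installed only when Recommends are enabled, using the two package lists from the post above as input. The function and variable names are made up for this illustration.

```sh
#!/bin/sh
# Added example: list the packages that only Recommends pull in.

# Read apt output on stdin; print the "NEW packages" section, one name per line.
new_packages() {
    awk '
        /^The following NEW packages will be installed:/ { grab = 1; next }
        grab && /^[ \t]/ { for (i = 1; i <= NF; i++) print $i; next }
        grab { exit }
    ' | sort -u
}

# $1 = transcript with --no-install-recommends, $2 = transcript without it.
# Prints the packages that appear only in $2.
recommends_only() {
    minimal_set=$(printf '%s\n' "$1" | new_packages)
    printf '%s\n' "$2" | new_packages | grep -vxF -e "$minimal_set" || [ $? -eq 1 ]
}

# Package lists copied from the post above (indentation as apt prints it).
MINIMAL='The following NEW packages will be installed:
  libayatana-appindicator3-1 libayatana-ido3-0.4-0 libayatana-indicator3-7
  libbluetooth3 libdbusmenu-glib4 libdbusmenu-gtk3-4 libgck-1-0
  libgcr-base-3-1 libjansson4 libmm-glib0 libndp0 libnl-3-200 libnl-genl-3-200
  libnl-route-3-200 libnm0 libnma0 libpcsclite1 libteamdctl0 network-manager
  network-manager-gnome wpasupplicant'
FULL='The following NEW packages will be installed:
  crda dns-root-data dnsmasq-base gcr gnome-keyring gnome-keyring-pkcs11 iw
  libayatana-appindicator3-1 libayatana-ido3-0.4-0 libayatana-indicator3-7
  libbluetooth3 libdbusmenu-glib4 libdbusmenu-gtk3-4 libgck-1-0
  libgcr-base-3-1 libgcr-ui-3-1 libjansson4 libjim0.77 libmbim-glib4
  libmbim-proxy libmm-glib0 libndp0 libnl-3-200 libnl-genl-3-200
  libnl-route-3-200 libnm0 libnma0 libpam-gnome-keyring libpcap0.8
  libpcsclite1 libqmi-glib5 libqmi-proxy libteamdctl0
  mobile-broadband-provider-info modemmanager network-manager
  network-manager-gnome p11-kit p11-kit-modules pinentry-gnome3 ppp
  usb-modeswitch usb-modeswitch-data wireless-regdb wpasupplicant'

recommends_only "$MINIMAL" "$FULL"
```

The 24 names it prints include crda, iw and wireless-regdb as well as modemmanager, ppp and dnsmasq-base, which is the set to review when deciding what a `--no-install-recommends` install leaves out.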