Does this answer your question?
https://dhcpcanon.readthedocs.io/en/latest/integration.html
Preferably, none but this wouldn’t be the most usable. DHCP is unencrypted and unauthenticated, making it vulnerable to MITM attacks. It can also leak certain identifiers like the hostname but dhcpcanon should solve these.
Tails has an issue on using dhcpcanon but it has no activity.
We could maybe create a script to automatically set up a static IP but this would be far more error-prone than DHCP.
DHCP is a must. If networking is broken out of the box, users will just give up on Kicksecure.
These are less a concern with Kicksecure Host.
More concern with Whonix Host.
It could be optional. During start up, it can ask the user “Do you want to use DHCP (easier, less secure) or a static IP (advanced, more secure)?”.
dhcpcanon might not actually be a viable option. The last commit was in 2018 and GitHub - juga0/dhcpcanon: DHCP client disclosing less identifying information. says:
WIP, still not recommended for end users.
An alternative should probably be found. There are some leaks we can fix ourselves e.g. Tails - Design: specification and implementation
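The hostname and similar leaks discussed in this thread are visible in the options a DHCP client puts on the wire. The following Python example is added here for illustration (it is not part of the thread and is not dhcpcanon or Tails code): it parses a DHCP message and lists the options that carry host-specific data. The sample packet, hostname, MAC address and the choice of which options count as identifying are assumptions of the example.

```python
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
# Options carrying host-specific data; this selection is an assumption of the
# example, following the concerns of RFC 7844 (DHCP anonymity profiles).
IDENTIFYING = {12: "Host Name", 50: "Requested IP Address",
               60: "Vendor Class Identifier", 61: "Client Identifier",
               81: "Client FQDN"}


def parse_options(packet: bytes) -> dict:
    """Return {option code: value} from a BOOTP/DHCP message."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message (short or missing magic cookie)")
    opts, i = {}, 240
    while i < len(packet):
        code = packet[i]
        if code == 255:          # End option
            break
        if code == 0:            # Pad option has no length byte
            i += 1
            continue
        if i + 2 > len(packet):
            raise ValueError("truncated option header")
        length = packet[i + 1]
        value = packet[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code} is truncated")
        opts[code] = opts.get(code, b"") + value   # split options are concatenated
        i += 2 + length
    return opts


def identifying_options(packet: bytes) -> dict:
    """Map option name -> raw value for every identifying option present."""
    return {IDENTIFYING[c]: v for c, v in parse_options(packet).items()
            if c in IDENTIFYING}


def build_sample_discover() -> bytes:
    """Constructed DHCPDISCOVER for the demo; not captured traffic."""
    mac = bytes.fromhex("020000000001")            # made-up, locally administered
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 1, 1, 6, 0, 0x12345678,
                         0, 0x8000, *[b""] * 4, mac, b"", b"")
    opt = lambda code, val: bytes([code, len(val)]) + val
    options = (opt(53, b"\x01") + opt(12, b"alice-laptop") + opt(61, b"\x01" + mac)
               + opt(60, b"example-client-1.0") + opt(55, bytes([1, 3, 6, 15])))
    return header + MAGIC_COOKIE + options + b"\xff"


if __name__ == "__main__":
    for name, value in identifying_options(build_sample_discover()).items():
        print(f"{name}: {value!r}")
```

Feeding it the UDP payload of a DHCPDISCOVER captured on the local interface shows which of these fields a given client configuration still sends.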
Not sure that’s doable. Gets a lot more complex. An either DHCP or static wizard implementation would require a script. Generating the configuration files using a script makes the whole thing rather functional. While a DHCP implementation could be purely declarative (only config files).
Related to Focus on low-effort maintainability.
Then also CLI vs XFCE support. Must work in CLI somehow too. Think: server support. Using an ISO to install a server. In that case broken DHCP or any setup questions are even worse.
But it’s rather theoretic as we don’t even have a simple network manager / DHCP implementation yet, nobody yet signing up working on that, and missing other major parts such as kicksecure homepage, forums, iso, etc.
It definitely does, thank you!
It looks like 2 options: to use the python api for nm and have dhcpcanon talk to nm directly, or to have the dhcpcanon call nm-dhcp-helper script and communicate with nm via dbus and the helper script.
Please update me on what you decided so I can apply the changes and put out a new release that works.
Still same as Kicksecure Network Configuration - #6 by Patrick
Patches welcome.
That would require a working implementation, which doesn’t exist and which doesn’t look like it will exist soonish.
Alright so I will add dhcpcanon here:
Comment out static settings and comment in dynamic address support here:
https://github.com/Whonix/kicksecure-network-conf/blob/master/etc/network/interfaces.d/30_kicksecure
Does that sound good?
I didn’t quite understand how VBox could be affected though since they have a DHCP server. Can you please test if having a dhcp client and enabling interface dhcp support doesn’t break?
Is that all that is required to make dhcpcanon work?
This might even work since we had that in Whonix 9 (not sure when we stopped DHCP for Whonix).
https://github.com/Whonix/whonix-gw-network-conf/blob/Whonix9/etc/network/interfaces.whonix
Yes.
- I guess could make Kicksecure KVM work and if we’re lucky doesn’t break Kicksecure VirtualBox.
- And I guess that also doesn’t block a later complete Kicksecure host network configuration (network manager…).
Works? Doesn’t break DNS either? Tested?
I hope this is going to be easy and not require any changes in https://github.com/Whonix/Whonix/blob/master/build-steps.d/2600_create-vbox-vm because then it could take time until this is figured out.
Pretty much
Connections work normally.
Split the discussion on the security of dhcpcanon and the more general question of which packages from packages.debian.org are suitable and if it would be possible to have a better policy to a separate forum thread, see:
Merged. Not yet tested.
Anyone up to implement host / network manager / WiFi support too?
I will take a crack at it though I have no means to test the end result on baremetal so I’ll enlist our onion in shining armor @onion_knight to help us out here. Maybe all we’ll need is a USB WiFi stick to test this in a VM.
I believe all that’s needed is network-manager-gnome for it to work? (I assume we’ll be shipping a kernel with the required wifi modules and firmware included) Just checked and it pulls in wifi related stuff like wpasupplicant.
Yes, for now standard Debian kernel.
Dunno. But one thing… Please always assume --no-install-recommends.
sudo apt install --no-install-recommends network-manager-gnome
with no-install-recommends:
The following NEW packages will be installed:
libayatana-appindicator3-1 libayatana-ido3-0.4-0 libayatana-indicator3-7
libbluetooth3 libdbusmenu-glib4 libdbusmenu-gtk3-4 libgck-1-0
libgcr-base-3-1 libjansson4 libmm-glib0 libndp0 libnl-3-200 libnl-genl-3-200
libnl-route-3-200 libnm0 libnma0 libpcsclite1 libteamdctl0 network-manager
network-manager-gnome wpasupplicant
Without:
The following NEW packages will be installed:
crda dns-root-data dnsmasq-base gcr gnome-keyring gnome-keyring-pkcs11 iw
libayatana-appindicator3-1 libayatana-ido3-0.4-0 libayatana-indicator3-7
libbluetooth3 libdbusmenu-glib4 libdbusmenu-gtk3-4 libgck-1-0
libgcr-base-3-1 libgcr-ui-3-1 libjansson4 libjim0.77 libmbim-glib4
libmbim-proxy libmm-glib0 libndp0 libnl-3-200 libnl-genl-3-200
libnl-route-3-200 libnm0 libnma0 libpam-gnome-keyring libpcap0.8
libpcsclite1 libqmi-glib5 libqmi-proxy libteamdctl0
mobile-broadband-provider-info modemmanager network-manager
network-manager-gnome p11-kit p11-kit-modules pinentry-gnome3 ppp
usb-modeswitch usb-modeswitch-data wireless-regdb wpasupplicant
I think we should be OK. The main wifi barebones stuff is included either way. I don’t know if dhcpcanon will run into problems without support from the GUI, though it is started automatically anyway and I’ve never seen any simple users playing with DHCP settings let alone know what it is.
Btw… Generally…
apt-cache show network-manager-gnome
Look for:
Recommends: notification-daemon, gnome-keyring, mobile-broadband-provider-info, iso-codes
and/or Debian -- Details of package network-manager-gnome in buster rec: