Kicksecure Network Configuration

Patrick · March 4, 2020, 11:15am

anontor via Whonix Forum:

If you are going with Network manager,

Does your suggested config work in both, CLI and GUI?

If you are going with Network manager, these are usually the relevant networking files for config and such: the /etc/NetworkManager directory which has /NetworkManager.conf.

A drop-in .d folder that could be used here too?

Patrick · March 4, 2020, 11:30am

Also any idea how to best integrate with DNSCrypt?
(Use DNSCrypt by default in Kicksecure? (not Whonix!))

Kicksecure DNS should be functional without DNSCrypt.

But then if a DNSCrypt-enable package gets installed, it should drop the required config files to make enable DNSCrypt.

Enabling DNSCrypt is currently part of package kicksecure-network-conf.

Can you make head or tail of this package?

And do you think you could implement these improved networking configuration?

HulaHoop · March 4, 2020, 4:32pm

Using a client written in memory safe python is best. There was a whole debacle a few years ago where an obscure bash feature these clients relied on allowed remote code execution on a machine.

I’d rather we stayed away from systemd resolution and handled it differently but thanks for the informative post otherwise.

HulaHoop · March 4, 2020, 4:36pm

@anontor or me?

Patrick · March 4, 2020, 4:39pm

@anontor, was hoping @anontor could move that package forward.

Making head or tail of that package though would be useful if as many developers as possible could.

anontor · March 4, 2020, 10:20pm

@Patrick,
Hi, yes it does work as cli; there is a set of commands that comes with the nm package called “nmcli” You would go to terminal and type nmcli connection show to see everything configured, uuid, name, etc. You can edit, remove, or create a new connection. The style is similar to: nmcli connection add [COMMON_OPTIONS] [TYPE_SPECIFIC] [OPTIONS] [IP_OPTIONS]. I must say I was very surprised my self b/c after using nm for years, I really had no idea how functional it can be from commandline.
With regard to the drop in file, NM has a conf.d folder built in the /etc/NetworkManager directory. Right now, I put a small file in there that says to turn power-management off for example. Also a dispatcher.d folder where you can specify pre-up, pre-down info. I have not needed to experiment much with specialized configs, but I know you can write scripts in bash and place then in either conf.d or dispatcher.d according to what you needed to do.
Importantly, this is something that I have on a separate distro, not Kicksecure, but nm can of course be downloaded and used on Debian with no difficulty. It works quite well with Gnome. Setting it up with the gui is really a breeze.
I will admit I have literally zero experience with dns-crypt, so am not too sure about how to set it up. But, the kicksecure networking that you linked on github would probably be able to put its config files in the main /etc/NetworkManager folder. They supply a default folder for dnsmasq that lives there, so why not dns-crypt? It would probably just be a matter of letting nm know that dns-crypt controls the dns now.
@HulaHoop, I agree with you sir; I too wish to avoid involving systemd in networking. Fortunately, both systemd-networkd and systemd-resolved can easily be first disabled and then masked.
I would be happy to offer any guidance or help on setting up nm if needed

anontor · March 4, 2020, 10:37pm

Python would be great; I remember the incident you’re referring to. That’s the whole thing with the command injection vuln where a dhcp response was faked and the result was gained root privelege, or overflows and other manner of havoc.

onion_knight · March 6, 2020, 4:56pm

Just my two cents here: on Debian, a “vanilla” XFCE4 install comes with network-manager package, which also provides for DHCP. According to

https://wiki.archlinux.org/index.php/NetworkManager

“By default NetworkManager uses its internal DHCP client. The internal DHCPv4 plugin is based on the nettools’ n-dhcp4 library, while the internal
DHCPv6 plugin is made from code based on systemd-networkd.”

Question: is an additional package for DHCP really needed here?

HulaHoop · March 6, 2020, 7:42pm

For the security and privacy advantage is really the only reason. I read network-manager compatibility support for dhcpcanon has graduated from experimental before Buster was frozen.

anontor · March 6, 2020, 10:27pm

Nm likes (for dhcp assignment) to call the /sbin/dhclient/ script. Then, that script runs and in turn tells nm-dhcp-helper which takes over from there. My question is would it be hard to tell dhcpanon to deal with nm directly or would it take the place of dhclient and then communicate with nm-dhcp-helper?

HulaHoop · March 8, 2020, 2:29pm

Does this answer your question?
https://dhcpcanon.readthedocs.io/en/latest/integration.html

madaidan · March 8, 2020, 6:18pm

Preferably, none but this wouldn’t be the most usable. DHCP is unencrypted and unauthenticated, making it vulnerable to MITM attacks. It can also leak certain identifiers like the hostname but dhcpcanon should solve these.

Tails has an issue on using dhcpcanon but it has no activity.

We could maybe create a script to automatically set up a static IP but this would be far more error-prone than DHCP.

Patrick · March 8, 2020, 6:22pm

DHCP is a must. If networking is broken out of the box, users will just give up on Kicksecure.

These are less a concern with Kicksecure Host.
More concern with Whonix Host.

madaidan · March 8, 2020, 6:24pm

It could be optional. During start up, it can ask the user “Do you want to use DHCP (easier, less secure) or a static IP (advanced, more secure)?”.

madaidan · March 8, 2020, 6:29pm

dhcpcanon might not actually be a viable option. The last commit was in 2018 and GitHub - juga0/dhcpcanon: DHCP client disclosing less identifying information. says:

WIP, still not recommended for end users.

An alternative should probably be found. There are some leaks we can fix ourselves e.g. Tails - Design: specification and implementation

Patrick · March 8, 2020, 6:34pm

Not sure that’s doable. Gets a lot more complex. An either DHCP or static wizard implementation would require a script. Generating the configuration files using a script makes the whole thing rather functional. While a DHCP implementation could be purely declarative (only config files).
Related to Focus on low-effort maintainability.

Then also CLI vs XFCE support. Must work in CLI somehow too. Think: server support. Using an ISO to install a server. In that case broken DHCP or any setup questions are even worse.

But it’s rather theoretic as we don’t even have a simple network manager / DHCP implementation yet, nobody yet signing up working on that, and missing other major parts such as kicksecure homepage, forums, iso, etc.

anontor · March 8, 2020, 9:40pm

It definitely does, thank you!
It looks like 2 options: to use the python api for nm and have dhcpanon talk to nm directly, or to have the dhcpanon call nm-dhcp-helper script and communicate with nm via dbus and the helper script.

HulaHoop · March 16, 2020, 2:49pm

Please update me on what you decided so I can apply the changes and put out a new release that works.

Patrick · March 16, 2020, 6:20pm

Still same as Kicksecure Network Configuration - #6 by Patrick

Patches welcome.

That would require a working implementation which doesn’t exist and which don’t look will be existing soonish.

HulaHoop · March 17, 2020, 3:32pm

Alright so I will add dhcpcanon here:

github.com

Kicksecure/kicksecure-network-conf/blob/master/debian/control#L16


      
          Priority: optional
          Maintainer: Patrick Schleizer <adrelanos@kicksecure.com>
          Build-Depends: debhelper (>= 13), debhelper-compat (= 13), config-package-dev
          Homepage: https://github.com/Kicksecure/kicksecure-network-conf
          Vcs-Browser: https://github.com/Kicksecure/kicksecure-network-conf
          Vcs-Git: https://github.com/Kicksecure/kicksecure-network-conf.git
          Standards-Version: 4.6.2
          Rules-Requires-Root: no
          
          Package: kicksecure-network-conf
          Architecture: all
          Depends: network-manager, iw, wpasupplicant, netbase,
           ${misc:Depends}
          Provides: ${diverted-files}
          Conflicts: ${diverted-files}
          Description: Network Configuration for Kicksecure CLI
           Disables systemd Predictable Network Interface Names.
           .
           Disables systemd-resolved during boot unless file /etc/dns-enable exists.
           .
           Disables systemd-resolved fallback DNS (which by default is set to Google).

comment out staitc settings and comment in dynamic address support here:

https://github.com/Whonix/kicksecure-network-conf/blob/master/etc/network/interfaces.d/30_kicksecure

Does that sound good?

I didn’t quite understand how VBox could be affected though since they have a DHCP server. Can you please test if having a dhcp client and enabling interface dhcp support doesn’t break?