cvs commit: src/sbin/ifconfig ifconfig.8 ifconfig.c ifconfig.h ifieee80211.c

[Robert Watson]

On Thu, 14 Jul 2005, Sam Leffler wrote:

> As to printing sensitive material I question how important this is.  If 
> it's a wep key it's trivially cracked by other means.  If it's a WPA or 
> 802.1x key then it's rotated frequently and, for WPA at least, protected 
> by addiitonal means that makes grabbing it via screen-scrape much less 
> useful (only the GTK is displayed for WPA, not the PTK which is 
> potentially more sensitive).  If you want to improve the situation for 
> disclosing sensitive info then we should work on adding keychain style 
> storage for sensitive info like static keys and wpa-psk's.
>
> So I guess my argument against this is you're changing long-standing 
> behaviour w/ little benefit.

Sorry about committing it over your objection -- I obviously misremembered 
the degree to which you disagreed with the proposed change.  I'm willing 
to back it out, but not happy about the idea.  Here's my view on things:

Either the key is sensitive, or it's not.  If it's not, then why are we 
checking for root privilege?  If it is, why are we printing it without 
being asked to?

I'm a fan of the model that says ifconfig(8) manages all the properties of 
the network interface.  However, part of ifconfig(8) managing more complex 
properties of those interfaces is that it has to respect the sensitivity 
of the data it handles.  This never came up before for ifconfig(8) because 
we didn't consider any of the data it handled sensitive.  Running 
"ifconfig" or "ifconfig -a" is a fairly common administrator activity to 
check the configuration of the system.  When it comes to people looking 
over your shoulder, scroll-back, /var/log/console.log, or dmesg -a output, 
I would prefer that keying material not appear there unless specifically 
requested.

As to historical behavior -- I've been complaining even since that 
behavior with ifconfig(8) since I first noticed it, as you pointed out. I 
think wicontrol's behavior was improper also, but at least it wasn't 
printed out automatically every time the system booted, or every time I 
check to see if I have an association.

Robert N M Watson