NM.Setting8021x¶
- Subclasses:
None
Methods¶
- Inherited:
- Structs:
Virtual Methods¶
- Inherited:
Properties¶
- Inherited:
Signals¶
- Inherited:
Fields¶
- Inherited:
Class Details¶
- class NM.Setting8021x(**kwargs)¶
- Bases:
- Abstract:
No
- Structure:
IEEE 802.1x Authentication Settings
- classmethod check_cert_scheme(pdata, length)¶
- Parameters:
- Raises:
- Returns:
the scheme of the blob or NM.Setting8021xCKScheme.UNKNOWN. For None it also returns NM.Setting8021xCKScheme.UNKNOWN.
- Return type:
Determines and verifies the blob type. When setting certificate properties of NM.Setting8021x the blob must be not UNKNOWN (or None).
New in version 1.2.
- classmethod new()¶
- Returns:
the new empty NM.Setting8021x object
- Return type:
Creates a new NM.Setting8021x object with default values.
- add_altsubject_match(altsubject_match)¶
- Parameters:
altsubject_match (str) – the altSubjectName to allow for this connection
- Returns:
True if the alternative subject name match was successfully added, False if it was already allowed.
- Return type:
Adds an allowed alternate subject name match. Until at least one match is added, the altSubjectName of the remote authentication server is not verified.
- add_eap_method(eap)¶
- Parameters:
eap (str) – the name of the EAP method to allow for this connection
- Returns:
True if the EAP method was successfully added, False if it was not a valid method or if it was already allowed.
- Return type:
Adds an allowed EAP method. The setting is not valid until at least one EAP method has been added. See NM.Setting8021x:eap property for a list of allowed EAP methods.
- add_phase2_altsubject_match(phase2_altsubject_match)¶
- Parameters:
phase2_altsubject_match (str) – the “phase 2” altSubjectName to allow for this connection
- Returns:
True if the “phase 2” alternative subject name match was successfully added, False if it was already allowed.
- Return type:
Adds an allowed alternate subject name match for “phase 2”. Until at least one match is added, the altSubjectName of the “phase 2” remote authentication server is not verified.
- clear_altsubject_matches()¶
Clears all altSubjectName matches.
- clear_eap_methods()¶
Clears all allowed EAP methods.
- clear_phase2_altsubject_matches()¶
Clears all “phase 2” altSubjectName matches.
- get_altsubject_match(i)¶
- Parameters:
i (int) – the zero-based index of the array of altSubjectName matches
- Returns:
the altSubjectName match at index i
- Return type:
Returns the altSubjectName match at index i.
- get_anonymous_identity()¶
- Returns:
the anonymous identifier
- Return type:
Returns the anonymous identifier used by some EAP methods (like TTLS) to authenticate the user in the outer unencrypted “phase 1” authentication. The inner “phase 2” authentication will use the NM.Setting8021x:identity in a secure form, if applicable for that EAP method.
- get_auth_timeout()¶
- Returns:
the configured authentication timeout in seconds. Zero means the global default value.
- Return type:
Returns the value contained in the NM.Setting8021x:auth-timeout property.
New in version 1.8.
- get_ca_cert_blob()¶
- Returns:
the CA certificate data
- Return type:
Returns the CA certificate blob if the CA certificate is stored using the NM.Setting8021xCKScheme.BLOB scheme. Not all EAP methods use a CA certificate (LEAP for example), and those that can take advantage of the CA certificate allow it to be unset. Note that lack of a CA certificate reduces security by allowing man-in-the-middle attacks, because the identity of the network cannot be confirmed by the client.
- get_ca_cert_password()¶
- Returns:
the password used to access the CA certificate stored in NM.Setting8021x:ca-cert property. Only makes sense if the certificate is stored on a PKCS#11 token that requires a login.
- Return type:
New in version 1.8.
- get_ca_cert_password_flags()¶
- Returns:
the NM.SettingSecretFlags pertaining to the NM.Setting8021x:ca-cert-password
- Return type:
New in version 1.8.
- get_ca_cert_path()¶
- Returns:
path to the CA certificate file
- Return type:
Returns the CA certificate path if the CA certificate is stored using the NM.Setting8021xCKScheme.PATH scheme. Not all EAP methods use a CA certificate (LEAP for example), and those that can take advantage of the CA certificate allow it to be unset. Note that lack of a CA certificate reduces security by allowing man-in-the-middle attacks, because the identity of the network cannot be confirmed by the client.
- get_ca_cert_scheme()¶
- Returns:
scheme used to store the CA certificate (blob or path)
- Return type:
Returns the scheme used to store the CA certificate. If the returned scheme is NM.Setting8021xCKScheme.BLOB, use NM.Setting8021x.get_ca_cert_blob(); if NM.Setting8021xCKScheme.PATH, use NM.Setting8021x.get_ca_cert_path(); if NM.Setting8021xCKScheme.PKCS11, use NM.Setting8021x.get_ca_cert_uri().
- get_ca_cert_uri()¶
- Returns:
the URI string
- Return type:
Returns the CA certificate URI analogously to NM.Setting8021x.get_ca_cert_blob() and NM.Setting8021x.get_ca_cert_path().
Currently, it’s limited to PKCS#11 URIs (‘pkcs11’ scheme as defined by RFC 7512), but may be extended to other schemes in future (such as ‘file’ URIs for local files and ‘data’ URIs for inline certificate data).
New in version 1.6.
- get_ca_path()¶
- Returns:
the CA certificate directory path
- Return type:
Returns the path of the CA certificate directory if previously set. Systems will often have a directory that contains multiple individual CA certificates which the supplicant can then add to the verification chain. This may be used in addition to the NM.Setting8021x:ca-cert property to add more CA certificates for verifying the network to client.
- get_client_cert_blob()¶
- Returns:
the client certificate data
- Return type:
Client certificates are used to identify the connecting client to the network when EAP-TLS is used as either the “phase 1” or “phase 2” 802.1x authentication method.
- get_client_cert_password()¶
- Returns:
the password used to access the client certificate stored in NM.Setting8021x:client-cert property. Only makes sense if the certificate is stored on a PKCS#11 token that requires a login.
- Return type:
New in version 1.8.
- get_client_cert_password_flags()¶
- Returns:
the NM.SettingSecretFlags pertaining to the NM.Setting8021x:client-cert-password
- Return type:
New in version 1.8.
- get_client_cert_path()¶
- Returns:
path to the client certificate file
- Return type:
Client certificates are used to identify the connecting client to the network when EAP-TLS is used as either the “phase 1” or “phase 2” 802.1x authentication method.
- get_client_cert_scheme()¶
- Returns:
scheme used to store the client certificate (blob or path)
- Return type:
Returns the scheme used to store the client certificate. If the returned scheme is NM.Setting8021xCKScheme.BLOB, use NM.Setting8021x.get_client_cert_blob(); if NM.Setting8021xCKScheme.PATH, use NM.Setting8021x.get_client_cert_path(); if NM.Setting8021xCKScheme.PKCS11, use NM.Setting8021x.get_client_cert_uri().
- get_client_cert_uri()¶
- Returns:
the URI string
- Return type:
Returns the client certificate URI analogously to NM.Setting8021x.get_client_cert_blob() and NM.Setting8021x.get_client_cert_path().
Currently, it’s limited to PKCS#11 URIs (‘pkcs11’ scheme as defined by RFC 7512), but may be extended to other schemes in future (such as ‘file’ URIs for local files and ‘data’ URIs for inline certificate data).
New in version 1.6.
- get_domain_match()¶
- Returns:
the NM.Setting8021x:domain-match property.
- Return type:
New in version 1.24.
- get_domain_suffix_match()¶
- Returns:
the NM.Setting8021x:domain-suffix-match property.
- Return type:
New in version 1.2.
- get_eap_method(i)¶
- Parameters:
i (int) – the index of the EAP method name to return
- Returns:
the name of the allowed EAP method at index i
- Return type:
Returns the name of the allowed EAP method at index i.
- get_identity()¶
- Returns:
the user identifier
- Return type:
Returns the identifier used by some EAP methods (like TLS) to authenticate the user. Often this is a username or login name.
- get_num_altsubject_matches()¶
- Returns:
the number of altsubject-matches entries.
- Return type:
Returns the number of entries in the NM.Setting8021x:altsubject-matches property of this setting.
- get_num_eap_methods()¶
- Returns:
the number of allowed EAP methods
- Return type:
Returns the number of EAP methods allowed for use when connecting to the network. Generally only one EAP method is used. Use the functions NM.Setting8021x.get_eap_method(), NM.Setting8021x.add_eap_method(), and NM.Setting8021x.remove_eap_method() for adding, removing, and retrieving allowed EAP methods.
- get_num_phase2_altsubject_matches()¶
- Returns:
the number of phase2-altsubject-matches entries.
- Return type:
Returns the number of entries in the NM.Setting8021x:phase2-altsubject-matches property of this setting.
- get_openssl_ciphers()¶
- Returns:
cipher string for tls setup in wpa_supplicant.
- Return type:
Returns the openssl_ciphers configuration for wpa_supplicant.
New in version 1.48.
- get_optional()¶
- Returns:
True if the activation should proceed even when the 802.1X authentication fails; False otherwise
- Return type:
Returns the value contained in the NM.Setting8021x:optional property.
New in version 1.22.
- get_pac_file()¶
- Returns:
the PAC file
- Return type:
Returns the file containing PAC credentials used by EAP-FAST method.
- get_password()¶
- Returns:
the password used by the authentication method, if any, as specified by the NM.Setting8021x:password property
- Return type:
- get_password_flags()¶
- Returns:
the NM.SettingSecretFlags pertaining to the NM.Setting8021x:password
- Return type:
- get_password_raw()¶
- Returns:
the password used by the authentication method as a UTF-8-encoded array of bytes, as specified by the NM.Setting8021x:password-raw property
- Return type:
- get_password_raw_flags()¶
- Returns:
the NM.SettingSecretFlags pertaining to the NM.Setting8021x:password-raw
- Return type:
- get_phase1_auth_flags()¶
- Returns:
the authentication flags for “phase 1”.
- Return type:
New in version 1.8.
- get_phase1_fast_provisioning()¶
- Returns:
whether “phase 1” PEAP fast provisioning should be used, as specified by the NM.Setting8021x:phase1-fast-provisioning property. See the wpa_supplicant documentation for more details.
- Return type:
- get_phase1_peaplabel()¶
- Returns:
whether the “phase 1” PEAP label is new-style or old-style, to be used when authenticating with EAP-PEAP, as contained in the NM.Setting8021x:phase1-peaplabel property. Valid values are None (unset), “0” (use old-style label), and “1” (use new-style label). See the wpa_supplicant documentation for more details.
- Return type:
- get_phase1_peapver()¶
- Returns:
the “phase 1” PEAP version to be used when authenticating with EAP-PEAP as contained in the NM.Setting8021x:phase1-peapver property. Valid values are None (unset), “0” (PEAP version 0), and “1” (PEAP version 1).
- Return type:
- get_phase2_altsubject_match(i)¶
- Parameters:
i (int) – the zero-based index of the array of “phase 2” altSubjectName matches
- Returns:
the “phase 2” altSubjectName match at index i
- Return type:
Returns the “phase 2” altSubjectName match at index i.
- get_phase2_auth()¶
- Returns:
the “phase 2” non-EAP (e.g. MD5) allowed authentication method as specified by the NM.Setting8021x:phase2-auth property.
- Return type:
- get_phase2_autheap()¶
- Returns:
the “phase 2” EAP-based (e.g. TLS) allowed authentication method as specified by the NM.Setting8021x:phase2-autheap property.
- Return type:
- get_phase2_ca_cert_blob()¶
- Returns:
the “phase 2” CA certificate data
- Return type:
Returns the “phase 2” CA certificate blob if the CA certificate is stored using the NM.Setting8021xCKScheme.BLOB scheme. Not all EAP methods use a CA certificate (LEAP for example), and those that can take advantage of the CA certificate allow it to be unset. Note that lack of a CA certificate reduces security by allowing man-in-the-middle attacks, because the identity of the network cannot be confirmed by the client.
- get_phase2_ca_cert_password()¶
- Returns:
the password used to access the “phase2” CA certificate stored in NM.Setting8021x:phase2-ca-cert property. Only makes sense if the certificate is stored on a PKCS#11 token that requires a login.
- Return type:
New in version 1.8.
- get_phase2_ca_cert_password_flags()¶
- Returns:
the NM.SettingSecretFlags pertaining to the NM.Setting8021x:phase2-private-key-password
- Return type:
New in version 1.8.
- get_phase2_ca_cert_path()¶
- Returns:
path to the “phase 2” CA certificate file
- Return type:
Returns the “phase 2” CA certificate path if the CA certificate is stored using the NM.Setting8021xCKScheme.PATH scheme. Not all EAP methods use a CA certificate (LEAP for example), and those that can take advantage of the CA certificate allow it to be unset. Note that lack of a CA certificate reduces security by allowing man-in-the-middle attacks, because the identity of the network cannot be confirmed by the client.
- get_phase2_ca_cert_scheme()¶
- Returns:
scheme used to store the “phase 2” CA certificate (blob or path)
- Return type:
Returns the scheme used to store the “phase 2” CA certificate. If the returned scheme is NM.Setting8021xCKScheme.BLOB, use NM.Setting8021x.get_ca_cert_blob(); if NM.Setting8021xCKScheme.PATH, use NM.Setting8021x.get_ca_cert_path(); if NM.Setting8021xCKScheme.PKCS11, use NM.Setting8021x.get_ca_cert_uri().
- get_phase2_ca_cert_uri()¶
- Returns:
the URI string
- Return type:
Returns the “phase 2” CA certificate URI analogously to NM.Setting8021x.get_phase2_ca_cert_blob() and NM.Setting8021x.get_phase2_ca_cert_path().
Currently, it’s limited to PKCS#11 URIs (‘pkcs11’ scheme as defined by RFC 7512), but may be extended to other schemes in future (such as ‘file’ URIs for local files and ‘data’ URIs for inline certificate data).
New in version 1.6.
- get_phase2_ca_path()¶
- Returns:
the “phase 2” CA certificate directory path
- Return type:
Returns the path of the “phase 2” CA certificate directory if previously set. Systems will often have a directory that contains multiple individual CA certificates which the supplicant can then add to the verification chain. This may be used in addition to the NM.Setting8021x:phase2-ca-cert property to add more CA certificates for verifying the network to client.
- get_phase2_client_cert_blob()¶
- Returns:
the “phase 2” client certificate data
- Return type:
Client certificates are used to identify the connecting client to the network when EAP-TLS is used as either the “phase 1” or “phase 2” 802.1x authentication method.
- get_phase2_client_cert_password()¶
- Returns:
the password used to access the “phase2” client certificate stored in NM.Setting8021x:phase2-client-cert property. Only makes sense if the certificate is stored on a PKCS#11 token that requires a login.
- Return type:
New in version 1.8.
- get_phase2_client_cert_password_flags()¶
- Returns:
the NM.SettingSecretFlags pertaining to the NM.Setting8021x:phase2-client-cert-password
- Return type:
New in version 1.8.
- get_phase2_client_cert_path()¶
- Returns:
path to the “phase 2” client certificate file
- Return type:
Client certificates are used to identify the connecting client to the network when EAP-TLS is used as either the “phase 1” or “phase 2” 802.1x authentication method.
- get_phase2_client_cert_scheme()¶
- Returns:
scheme used to store the “phase 2” client certificate (blob or path)
- Return type:
Returns the scheme used to store the “phase 2” client certificate. If the returned scheme is NM.Setting8021xCKScheme.BLOB, use NM.Setting8021x.get_client_cert_blob(); if NM.Setting8021xCKScheme.PATH, use NM.Setting8021x.get_client_cert_path(); if NM.Setting8021xCKScheme.PKCS11, use NM.Setting8021x.get_client_cert_uri().
- get_phase2_client_cert_uri()¶
- Returns:
the URI string
- Return type:
Returns the “phase 2” client certificate URI analogously to NM.Setting8021x.get_phase2_ca_cert_blob() and NM.Setting8021x.get_phase2_ca_cert_path().
Currently, it’s limited to PKCS#11 URIs (‘pkcs11’ scheme as defined by RFC 7512), but may be extended to other schemes in future (such as ‘file’ URIs for local files and ‘data’ URIs for inline certificate data).
New in version 1.6.
- get_phase2_domain_match()¶
- Returns:
the NM.Setting8021x:phase2-domain-match property.
- Return type:
New in version 1.24.
- get_phase2_domain_suffix_match()¶
- Returns:
the NM.Setting8021x:phase2-domain-suffix-match property.
- Return type:
New in version 1.2.
- get_phase2_private_key_blob()¶
- Returns:
the “phase 2” private key data
- Return type:
Private keys are used to authenticate the connecting client to the network when EAP-TLS is used as either the “phase 1” or “phase 2” 802.1x authentication method.
WARNING: the phase2 private key property is not a “secret” property, and thus unencrypted private key data may be readable by unprivileged users. Private keys should always be encrypted with a private key password.
- get_phase2_private_key_format()¶
- Returns:
the data format of the “phase 2” private key data stored in the NM.Setting8021x:phase2-private-key property
- Return type:
- get_phase2_private_key_password()¶
- Returns:
the private key password used to decrypt the private key if previously set with NM.Setting8021x.set_phase2_private_key() or the NM.Setting8021x:phase2-private-key-password property.
- Return type:
- get_phase2_private_key_password_flags()¶
- Returns:
the NM.SettingSecretFlags pertaining to the NM.Setting8021x:phase2-private-key-password
- Return type:
- get_phase2_private_key_path()¶
- Returns:
path to the “phase 2” private key file
- Return type:
Private keys are used to authenticate the connecting client to the network when EAP-TLS is used as either the “phase 1” or “phase 2” 802.1x authentication method.
- get_phase2_private_key_scheme()¶
- Returns:
scheme used to store the “phase 2” private key (blob or path)
- Return type:
Returns the scheme used to store the “phase 2” private key. If the returned scheme is NM.Setting8021xCKScheme.BLOB, use NM.Setting8021x.get_client_cert_blob(); if NM.Setting8021xCKScheme.PATH, use NM.Setting8021x.get_client_cert_path(); if NM.Setting8021xCKScheme.PKCS11, use NM.Setting8021x.get_client_cert_uri().
- get_phase2_private_key_uri()¶
- Returns:
the URI string
- Return type:
Returns the “phase 2” private key URI analogously to NM.Setting8021x.get_phase2_private_key_blob() and NM.Setting8021x.get_phase2_private_key_path().
Currently, it’s limited to PKCS#11 URIs (‘pkcs11’ scheme as defined by RFC 7512), but may be extended to other schemes in future (such as ‘file’ URIs for local files and ‘data’ URIs for inline certificate data).
New in version 1.6.
- get_phase2_subject_match()¶
- Returns:
the NM.Setting8021x:phase2-subject-match property. This is the substring to be matched against the subject of the “phase 2” authentication server certificate, or None if no subject verification is to be performed.
- Return type:
- get_pin()¶
- Returns:
the PIN used by the authentication method, if any, as specified by the NM.Setting8021x:pin property
- Return type:
- get_pin_flags()¶
- Returns:
the NM.SettingSecretFlags pertaining to the NM.Setting8021x:pin
- Return type:
- get_private_key_blob()¶
- Returns:
the private key data
- Return type:
Private keys are used to authenticate the connecting client to the network when EAP-TLS is used as either the “phase 1” or “phase 2” 802.1x authentication method.
WARNING: the private key property is not a “secret” property, and thus unencrypted private key data may be readable by unprivileged users. Private keys should always be encrypted with a private key password.
- get_private_key_format()¶
- Returns:
the data format of the private key data stored in the NM.Setting8021x:private-key property
- Return type:
- get_private_key_password()¶
- Returns:
the private key password used to decrypt the private key if previously set with NM.Setting8021x.set_private_key(), or the NM.Setting8021x:private-key-password property.
- Return type:
- get_private_key_password_flags()¶
- Returns:
the NM.SettingSecretFlags pertaining to the NM.Setting8021x:private-key-password
- Return type:
- get_private_key_path()¶
- Returns:
path to the private key file
- Return type:
Private keys are used to authenticate the connecting client to the network when EAP-TLS is used as either the “phase 1” or “phase 2” 802.1x authentication method.
- get_private_key_scheme()¶
- Returns:
scheme used to store the private key (blob or path)
- Return type:
Returns the scheme used to store the private key. If the returned scheme is NM.Setting8021xCKScheme.BLOB, use NM.Setting8021x.get_client_cert_blob(); if NM.Setting8021xCKScheme.PATH, use NM.Setting8021x.get_client_cert_path(); if NM.Setting8021xCKScheme.PKCS11, use NM.Setting8021x.get_client_cert_uri().
- get_private_key_uri()¶
- Returns:
the URI string
- Return type:
Returns the private key URI analogously to NM.Setting8021x.get_private_key_blob() and NM.Setting8021x.get_private_key_path().
Currently, it’s limited to PKCS#11 URIs (‘pkcs11’ scheme as defined by RFC 7512), but may be extended to other schemes in future (such as ‘file’ URIs for local files and ‘data’ URIs for inline certificate data).
New in version 1.6.
- get_subject_match()¶
- Returns:
the NM.Setting8021x:subject-match property. This is the substring to be matched against the subject of the authentication server certificate, or None if no subject verification is to be performed.
- Return type:
- get_system_ca_certs()¶
Sets the NM.Setting8021x:system-ca-certs property. The NM.Setting8021x:ca-path and NM.Setting8021x:phase2-ca-path properties are ignored if the NM.Setting8021x:system-ca-certs property is True, in which case a system-wide CA certificate directory specified at compile time (using the --system-ca-path configure option) is used in place of these properties.
- remove_altsubject_match(i)¶
- Parameters:
i (int) – the index of the altSubjectName match to remove
Removes the allowed altSubjectName at the specified index.
- remove_altsubject_match_by_value(altsubject_match)¶
- Parameters:
altsubject_match (str) – the altSubjectName to remove
- Returns:
True if the alternative subject name match was found and removed, False if it was not.
- Return type:
Removes the allowed altSubjectName altsubject_match.
- remove_eap_method(i)¶
- Parameters:
i (int) – the index of the EAP method to remove
Removes the allowed EAP method at the specified index.
- remove_eap_method_by_value(eap)¶
- Parameters:
eap (str) – the name of the EAP method to remove
- Returns:
True if the EAP method was found and removed, False if it was not.
- Return type:
Removes the allowed EAP method method.
- remove_phase2_altsubject_match(i)¶
- Parameters:
i (int) – the index of the “phase 2” altSubjectName match to remove
Removes the allowed “phase 2” altSubjectName at the specified index.
- remove_phase2_altsubject_match_by_value(phase2_altsubject_match)¶
- Parameters:
phase2_altsubject_match (str) – the “phase 2” altSubjectName to remove
- Returns:
True if the alternative subject name match for “phase 2” was found and removed, False if it was not.
- Return type:
Removes the allowed “phase 2” altSubjectName phase2_altsubject_match.
- set_ca_cert(value, scheme, out_format)¶
- Parameters:
value (str) – when scheme is set to either NM.Setting8021xCKScheme.PATH or NM.Setting8021xCKScheme.BLOB, pass the path of the CA certificate file (PEM or DER format). The path must be UTF-8 encoded; use GLib.filename_to_utf8() to convert if needed. Passing None with any scheme clears the CA certificate.
scheme (NM.Setting8021xCKScheme) – desired storage scheme for the certificate
out_format (NM.Setting8021xCKFormat) – on successful return, the type of the certificate added
- Raises:
- Returns:
True if the operation succeeded, False if it was unsuccessful
- Return type:
Reads a certificate from disk and sets the NM.Setting8021x:ca-cert property with the raw certificate data if using the NM.Setting8021xCKScheme.BLOB scheme, or with the path to the certificate file if using the NM.Setting8021xCKScheme.PATH scheme.
- set_client_cert(value, scheme, out_format)¶
- Parameters:
value (str) – when scheme is set to either NM.Setting8021xCKScheme.PATH or NM.Setting8021xCKScheme.BLOB, pass the path of the client certificate file (PEM, DER, or PKCS#12 format). The path must be UTF-8 encoded; use GLib.filename_to_utf8() to convert if needed. Passing None with any scheme clears the client certificate.
scheme (NM.Setting8021xCKScheme) – desired storage scheme for the certificate
out_format (NM.Setting8021xCKFormat) – on successful return, the type of the certificate added
- Raises:
- Returns:
True if the operation succeeded, False if it was unsuccessful
- Return type:
Reads a certificate from disk and sets the NM.Setting8021x:client-cert property with the raw certificate data if using the NM.Setting8021xCKScheme.BLOB scheme, or with the path to the certificate file if using the NM.Setting8021xCKScheme.PATH scheme.
Client certificates are used to identify the connecting client to the network when EAP-TLS is used as either the “phase 1” or “phase 2” 802.1x authentication method.
- set_phase2_ca_cert(value, scheme, out_format)¶
- Parameters:
value (str) – when scheme is set to either NM.Setting8021xCKScheme.PATH or NM.Setting8021xCKScheme.BLOB, pass the path of the “phase2” CA certificate file (PEM or DER format). The path must be UTF-8 encoded; use GLib.filename_to_utf8() to convert if needed. Passing None with any scheme clears the “phase2” CA certificate.
scheme (NM.Setting8021xCKScheme) – desired storage scheme for the certificate
out_format (NM.Setting8021xCKFormat) – on successful return, the type of the certificate added
- Raises:
- Returns:
True if the operation succeeded, False if it was unsuccessful
- Return type:
Reads a certificate from disk and sets the NM.Setting8021x:phase2-ca-cert property with the raw certificate data if using the NM.Setting8021xCKScheme.BLOB scheme, or with the path to the certificate file if using the NM.Setting8021xCKScheme.PATH scheme.
- set_phase2_client_cert(value, scheme, out_format)¶
- Parameters:
value (str) – when scheme is set to either NM.Setting8021xCKScheme.PATH or NM.Setting8021xCKScheme.BLOB, pass the path of the “phase2” client certificate file (PEM, DER, or PKCS#12 format). The path must be UTF-8 encoded; use GLib.filename_to_utf8() to convert if needed. Passing None with any scheme clears the “phase2” client certificate.
scheme (NM.Setting8021xCKScheme) – desired storage scheme for the certificate
out_format (NM.Setting8021xCKFormat) – on successful return, the type of the certificate added
- Raises:
- Returns:
True if the operation succeeded, False if it was unsuccessful
- Return type:
Reads a certificate from disk and sets the NM.Setting8021x:phase2-client-cert property with the raw certificate data if using the NM.Setting8021xCKScheme.BLOB scheme, or with the path to the certificate file if using the NM.Setting8021xCKScheme.PATH scheme.
Client certificates are used to identify the connecting client to the network when EAP-TLS is used as either the “phase 1” or “phase 2” 802.1x authentication method.
- set_phase2_private_key(value, password, scheme, out_format)¶
- Parameters:
value (str) – when scheme is set to either NM.Setting8021xCKScheme.PATH or NM.Setting8021xCKScheme.BLOB, pass the path of the “phase2” private key file (PEM, DER, or PKCS#12 format). The path must be UTF-8 encoded; use GLib.filename_to_utf8() to convert if needed. Passing None with any scheme clears the private key.
password (str) – password used to decrypt the private key, or None if the password is unknown. If the password is given but fails to decrypt the private key, an error is returned.
scheme (NM.Setting8021xCKScheme) – desired storage scheme for the private key
out_format (NM.Setting8021xCKFormat) – on successful return, the type of the private key added
- Raises:
- Returns:
True if the operation succeeded, False if it was unsuccessful
- Return type:
Private keys are used to authenticate the connecting client to the network when EAP-TLS is used as either the “phase 1” or “phase 2” 802.1x authentication method.
This function reads a private key from disk and sets the NM.Setting8021x:phase2-private-key property with the private key file data if using the NM.Setting8021xCKScheme.BLOB scheme, or with the path to the private key file if using the NM.Setting8021xCKScheme.PATH scheme.
If password is given, this function attempts to decrypt the private key to verify that password is correct, and if it is, updates the NM.Setting8021x:phase2-private-key-password property with the given password. If the decryption is unsuccessful, False is returned, error is set, and no internal data is changed. If no password is given, the private key is assumed to be valid, no decryption is performed, and the password may be set at a later time.
WARNING: the “phase2” private key property is not a “secret” property, and thus unencrypted private key data using the BLOB scheme may be readable by unprivileged users. Private keys should always be encrypted with a private key password to prevent unauthorized access to unencrypted private key data.
- set_private_key(value, password, scheme, out_format)¶
- Parameters:
value (str) – when scheme is set to either NM.Setting8021xCKScheme.PATH or NM.Setting8021xCKScheme.BLOB, pass the path of the private key file (PEM, DER, or PKCS#12 format). The path must be UTF-8 encoded; use GLib.filename_to_utf8() to convert if needed. Passing None with any scheme clears the private key.
password (str) – password used to decrypt the private key, or None if the password is unknown. If the password is given but fails to decrypt the private key, an error is returned.
scheme (NM.Setting8021xCKScheme) – desired storage scheme for the private key
out_format (NM.Setting8021xCKFormat) – on successful return, the type of the private key added
- Raises:
- Returns:
True if the operation succeeded, False if it was unsuccessful
- Return type:
Private keys are used to authenticate the connecting client to the network when EAP-TLS is used as either the “phase 1” or “phase 2” 802.1x authentication method.
This function reads a private key from disk and sets the NM.Setting8021x:private-key property with the private key file data if using the NM.Setting8021xCKScheme.BLOB scheme, or with the path to the private key file if using the NM.Setting8021xCKScheme.PATH scheme.
If password is given, this function attempts to decrypt the private key to verify that password is correct, and if it is, updates the NM.Setting8021x:private-key-password property with the given password. If the decryption is unsuccessful, False is returned, error is set, and no internal data is changed. If no password is given, the private key is assumed to be valid, no decryption is performed, and the password may be set at a later time.
WARNING: the private key property is not a “secret” property, and thus unencrypted private key data using the BLOB scheme may be readable by unprivileged users. Private keys should always be encrypted with a private key password to prevent unauthorized access to unencrypted private key data.
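An added example, not part of the NetworkManager documentation: a small audit of a connection profile's `[802-1x]` section that flags the weak states the method descriptions above warn about (no CA certificate, no server-name match, `optional` set). It assumes the profile is stored in NetworkManager's keyfile format; the finding names and the sample profiles are constructed for this example, while the property names are the ones documented on this page.

```python
import configparser

# EAP methods in which the client validates a server certificate. This set is
# an assumption of the example; LEAP, which the page names as not using a CA
# certificate, is deliberately left out.
CERT_METHODS = {"tls", "ttls", "peap"}

# Properties that constrain which server certificate name is accepted.
NAME_CHECKS = ("altsubject-matches", "domain-suffix-match",
               "domain-match", "subject-match")


def _items(section, key):
    """Split a keyfile list value such as 'peap;' into ['peap']."""
    return [v.strip() for v in section.get(key, "").split(";") if v.strip()]


def audit_8021x(keyfile_text):
    """Return finding codes (hypothetical names) for the [802-1x] section."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   delimiters=("=",))
    cp.read_string(keyfile_text)
    if not cp.has_section("802-1x"):
        return []
    s = cp["802-1x"]
    findings = []

    eap = {m.lower() for m in _items(s, "eap")}
    if not eap:
        # The setting is not valid until at least one EAP method is added.
        findings.append("no-eap-method")

    # system-ca-certs replaces ca-path and phase2-ca-path with the system store.
    system_cas = s.getboolean("system-ca-certs", fallback=False)
    inner_tls = s.get("phase2-autheap", "").strip().lower() == "tls"

    for prefix, active in (("", bool(eap & CERT_METHODS)),
                           ("phase2-", inner_tls)):
        if not active:
            continue
        has_anchor = (system_cas
                      or s.get(prefix + "ca-cert", "").strip()
                      or s.get(prefix + "ca-path", "").strip())
        if not has_anchor:
            # Without a CA the client cannot confirm the network's identity.
            findings.append(prefix + "no-trust-anchor")
        if not any(_items(s, prefix + name) for name in NAME_CHECKS):
            # Any certificate chaining to the trusted CA would be accepted.
            findings.append(prefix + "no-server-name-check")

    if s.getboolean("optional", fallback=False):
        # Activation proceeds even when 802.1X authentication fails.
        findings.append("auth-optional")
    return findings


# Constructed sample profiles (not taken from any real system).
WEAK_PROFILE = """\
[connection]
id=corp-wifi-weak
type=wifi

[802-1x]
eap=peap;
identity=alice
phase2-auth=mschapv2
optional=true
"""

HARDENED_PROFILE = """\
[connection]
id=corp-wifi
type=wifi

[802-1x]
eap=peap;
identity=alice
ca-cert=/etc/pki/corp-radius-ca.pem
domain-suffix-match=radius.corp.example
phase2-auth=mschapv2
"""

INNER_TLS_PROFILE = """\
[connection]
id=corp-wired
type=ethernet

[802-1x]
eap=ttls;
identity=alice
system-ca-certs=true
altsubject-matches=DNS:radius.corp.example;
phase2-autheap=tls
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK_PROFILE), ("hardened", HARDENED_PROFILE),
                       ("inner-tls", INNER_TLS_PROFILE)):
        print(name, audit_8021x(text))
```

The audit only checks whether a property is present; it does not open the referenced certificate files or check that a private key is password-protected.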
Property Details¶
- NM.Setting8021x.props.altsubject_matches¶
List of strings to be matched against the altSubjectName of the certificate presented by the authentication server. If the list is empty, no verification of the server certificate’s altSubjectName is performed.
- NM.Setting8021x.props.anonymous_identity
- Name:
anonymous-identity
- Type:
- Default Value:
- Flags:
Anonymous identity string for EAP authentication methods. Used as the unencrypted identity with EAP types that support different tunneled identity like EAP-TTLS.
- NM.Setting8021x.props.auth_timeout
- Name:
auth-timeout
- Type:
- Default Value:
0
- Flags:
A timeout for the authentication. Zero means the global default; if the global default is not set, the authentication timeout is 25 seconds.
New in version 1.8.
- NM.Setting8021x.props.ca_cert
- Name:
ca-cert
- Type:
- Default Value:
- Flags:
Contains the CA certificate if used by the EAP method specified in the NM.Setting8021x:eap property.
Certificate data is specified using a “scheme”; three are currently supported: blob, path and pkcs#11 URL. When using the blob scheme this property should be set to the certificate’s DER encoded data. When using the path scheme, this property should be set to the full UTF-8 encoded path of the certificate, prefixed with the string “file://” and ending with a terminating NUL byte. This property can be unset even if the EAP method supports CA certificates, but this allows man-in-the-middle attacks and is NOT recommended.
Note that enabling NM.Setting8021x:system-ca-certs will override this setting to use the built-in path, if the built-in path is not a directory.
Setting this property directly is discouraged; use the NM.Setting8021x.set_ca_cert() function instead.
- NM.Setting8021x.props.ca_cert_password
- Name:
ca-cert-password
- Type:
- Default Value:
- Flags:
The password used to access the CA certificate stored in the NM.Setting8021x:ca-cert property. Only makes sense if the certificate is stored on a PKCS#11 token that requires a login.
New in version 1.8.
- NM.Setting8021x.props.ca_cert_password_flags
- Name:
ca-cert-password-flags
- Type:
- Default Value:
- Flags:
Flags indicating how to handle the NM.Setting8021x:ca-cert-password property.
New in version 1.8.
- NM.Setting8021x.props.ca_path
- Name:
ca-path
- Type:
- Default Value:
- Flags:
UTF-8 encoded path to a directory containing PEM or DER formatted certificates to be added to the verification chain in addition to the certificate specified in the NM.Setting8021x:ca-cert property.
If NM.Setting8021x:system-ca-certs is enabled and the built-in CA path is an existing directory, then this setting is ignored.
- NM.Setting8021x.props.client_cert
- Name:
client-cert
- Type:
- Default Value:
- Flags:
Contains the client certificate if used by the EAP method specified in the NM.Setting8021x:eap property.
Certificate data is specified using a “scheme”; two are currently supported: blob and path. When using the blob scheme (which is backwards compatible with NM 0.7.x) this property should be set to the certificate’s DER encoded data. When using the path scheme, this property should be set to the full UTF-8 encoded path of the certificate, prefixed with the string “file://” and ending with a terminating NUL byte.
Setting this property directly is discouraged; use the NM.Setting8021x.set_client_cert() function instead.
- NM.Setting8021x.props.client_cert_password
- Name:
client-cert-password
- Type:
- Default Value:
- Flags:
The password used to access the client certificate stored in the NM.Setting8021x:client-cert property. Only makes sense if the certificate is stored on a PKCS#11 token that requires a login.
New in version 1.8.
- NM.Setting8021x.props.client_cert_password_flags
- Name:
client-cert-password-flags
- Type:
- Default Value:
- Flags:
Flags indicating how to handle the NM.Setting8021x:client-cert-password property.
New in version 1.8.
- NM.Setting8021x.props.domain_match
- Name:
domain-match
- Type:
- Default Value:
- Flags:
Constraint for server domain name. If set, this list of FQDNs is used as a match requirement for dNSName element(s) of the certificate presented by the authentication server. If a matching dNSName is found, this constraint is met. If no dNSName values are present, this constraint is matched against SubjectName CN using the same comparison. Multiple valid FQDNs can be passed as a “;” delimited list.
New in version 1.24.
- NM.Setting8021x.props.domain_suffix_match
- Name:
domain-suffix-match
- Type:
- Default Value:
- Flags:
Constraint for server domain name. If set, this FQDN is used as a suffix match requirement for dNSName element(s) of the certificate presented by the authentication server. If a matching dNSName is found, this constraint is met. If no dNSName values are present, this constraint is matched against SubjectName CN using the same suffix match comparison. Since version 1.24, multiple valid FQDNs can be passed as a “;” delimited list.
New in version 1.2.
- NM.Setting8021x.props.eap
-
The allowed EAP method to be used when authenticating to the network with 802.1x. Valid methods are: “leap”, “md5”, “tls”, “peap”, “ttls”, “pwd”, and “fast”. Each method requires different configuration using the properties of this setting; refer to wpa_supplicant documentation for the allowed combinations.
- NM.Setting8021x.props.identity
- Name:
identity
- Type:
- Default Value:
- Flags:
Identity string for EAP authentication methods. Often the user’s user or login name.
- NM.Setting8021x.props.openssl_ciphers
- Name:
openssl-ciphers
- Type:
- Default Value:
- Flags:
Defines openssl_ciphers for wpa_supplicant. OpenSSL sometimes moves ciphers between SECLEVELs, so the compiled-in default value in wpa_supplicant (as modified by some Linux distributions) sometimes prevents connecting to old servers that do not support new protocols.
New in version 1.48.
- NM.Setting8021x.props.optional
- Name:
optional
- Type:
- Default Value:
- Flags:
Whether the 802.1X authentication is optional. If True, the activation will continue even after a timeout or an authentication failure. Setting the property to True is currently allowed only for Ethernet connections. If set to False, the activation can continue only after a successful authentication.
New in version 1.22.
- NM.Setting8021x.props.pac_file
- Name:
pac-file
- Type:
- Default Value:
- Flags:
UTF-8 encoded file path containing PAC for EAP-FAST.
- NM.Setting8021x.props.password
- Name:
password
- Type:
- Default Value:
- Flags:
UTF-8 encoded password used for EAP authentication methods. If both the NM.Setting8021x:password property and the NM.Setting8021x:password-raw property are specified, NM.Setting8021x:password is preferred.
- NM.Setting8021x.props.password_flags
- Name:
password-flags
- Type:
- Default Value:
- Flags:
Flags indicating how to handle the NM.Setting8021x:password property.
- NM.Setting8021x.props.password_raw
- Name:
password-raw
- Type:
- Default Value:
- Flags:
Password used for EAP authentication methods, given as a byte array to allow passwords in other encodings than UTF-8 to be used. If both the NM.Setting8021x:password property and the NM.Setting8021x:password-raw property are specified, NM.Setting8021x:password is preferred.
- NM.Setting8021x.props.password_raw_flags
- Name:
password-raw-flags
- Type:
- Default Value:
- Flags:
Flags indicating how to handle the NM.Setting8021x:password-raw property.
- NM.Setting8021x.props.phase1_auth_flags
- Name:
phase1-auth-flags
- Type:
- Default Value:
0
- Flags:
Specifies authentication flags to use in “phase 1” outer authentication using NM.Setting8021xAuthFlags options. The individual TLS versions can be explicitly disabled. TLS time checks can be also disabled. If a certain TLS disable flag is not set, it is up to the supplicant to allow or forbid it. The TLS options map to tls_disable_tlsv1_x and tls_disable_time_checks settings. See the wpa_supplicant documentation for more details.
New in version 1.8.
- NM.Setting8021x.props.phase1_fast_provisioning
- Name:
phase1-fast-provisioning
- Type:
- Default Value:
- Flags:
Enables or disables in-line provisioning of EAP-FAST credentials when FAST is specified as the EAP method in the NM.Setting8021x:eap property. Recognized values are “0” (disabled), “1” (allow unauthenticated provisioning), “2” (allow authenticated provisioning), and “3” (allow both authenticated and unauthenticated provisioning). See the wpa_supplicant documentation for more details.
- NM.Setting8021x.props.phase1_peaplabel
- Name:
phase1-peaplabel
- Type:
- Default Value:
- Flags:
Forces use of the new PEAP label during key derivation. Some RADIUS servers may require forcing the new PEAP label to interoperate with PEAPv1. Set to “1” to force use of the new PEAP label. See the wpa_supplicant documentation for more details.
- NM.Setting8021x.props.phase1_peapver
- Name:
phase1-peapver
- Type:
- Default Value:
- Flags:
Forces which PEAP version is used when PEAP is set as the EAP method in the NM.Setting8021x:eap property. When unset, the version reported by the server will be used. Sometimes when using older RADIUS servers, it is necessary to force the client to use a particular PEAP version. To do so, this property may be set to “0” or “1” to force that specific PEAP version.
- NM.Setting8021x.props.phase2_altsubject_matches
-
List of strings to be matched against the altSubjectName of the certificate presented by the authentication server during the inner “phase 2” authentication. If the list is empty, no verification of the server certificate’s altSubjectName is performed.
- NM.Setting8021x.props.phase2_auth
- Name:
phase2-auth
- Type:
- Default Value:
- Flags:
Specifies the allowed “phase 2” inner authentication method when an EAP method that uses an inner TLS tunnel is specified in the NM.Setting8021x:eap property. For TTLS this property selects one of the supported non-EAP inner methods: “pap”, “chap”, “mschap”, “mschapv2”, while NM.Setting8021x:phase2-autheap selects an EAP inner method. For PEAP this selects an inner EAP method, one of: “gtc”, “otp”, “md5” and “tls”. Each “phase 2” inner method requires specific parameters for successful authentication; see the wpa_supplicant documentation for more details. NM.Setting8021x:phase2-auth and NM.Setting8021x:phase2-autheap cannot both be specified.
- NM.Setting8021x.props.phase2_autheap
- Name:
phase2-autheap
- Type:
- Default Value:
- Flags:
Specifies the allowed “phase 2” inner EAP-based authentication method when TTLS is specified in the NM.Setting8021x:eap property. Recognized EAP-based “phase 2” methods are “md5”, “mschapv2”, “otp”, “gtc”, and “tls”. Each “phase 2” inner method requires specific parameters for successful authentication; see the wpa_supplicant documentation for more details.
- NM.Setting8021x.props.phase2_ca_cert
- Name:
phase2-ca-cert
- Type:
- Default Value:
- Flags:
Contains the “phase 2” CA certificate if used by the EAP method specified in the NM.Setting8021x:phase2-auth or NM.Setting8021x:phase2-autheap properties.
Certificate data is specified using a “scheme”; three are currently supported: blob, path and pkcs#11 URL. When using the blob scheme this property should be set to the certificate’s DER encoded data. When using the path scheme, this property should be set to the full UTF-8 encoded path of the certificate, prefixed with the string “file://” and ending with a terminating NUL byte. This property can be unset even if the EAP method supports CA certificates, but this allows man-in-the-middle attacks and is NOT recommended.
Note that enabling NM.Setting8021x:system-ca-certs will override this setting to use the built-in path, if the built-in path is not a directory.
Setting this property directly is discouraged; use the NM.Setting8021x.set_phase2_ca_cert() function instead.
- NM.Setting8021x.props.phase2_ca_cert_password
- Name:
phase2-ca-cert-password
- Type:
- Default Value:
- Flags:
The password used to access the “phase2” CA certificate stored in the NM.Setting8021x:phase2-ca-cert property. Only makes sense if the certificate is stored on a PKCS#11 token that requires a login.
New in version 1.8.
- NM.Setting8021x.props.phase2_ca_cert_password_flags
- Name:
phase2-ca-cert-password-flags
- Type:
- Default Value:
- Flags:
Flags indicating how to handle the NM.Setting8021x:phase2-ca-cert-password property.
New in version 1.8.
- NM.Setting8021x.props.phase2_ca_path
- Name:
phase2-ca-path
- Type:
- Default Value:
- Flags:
UTF-8 encoded path to a directory containing PEM or DER formatted certificates to be added to the verification chain in addition to the certificate specified in the NM.Setting8021x:phase2-ca-cert property.
If NM.Setting8021x:system-ca-certs is enabled and the built-in CA path is an existing directory, then this setting is ignored.
- NM.Setting8021x.props.phase2_client_cert
- Name:
phase2-client-cert
- Type:
- Default Value:
- Flags:
Contains the “phase 2” client certificate if used by the EAP method specified in the NM.Setting8021x:phase2-auth or NM.Setting8021x:phase2-autheap properties.
Certificate data is specified using a “scheme”; two are currently supported: blob and path. When using the blob scheme (which is backwards compatible with NM 0.7.x) this property should be set to the certificate’s DER encoded data. When using the path scheme, this property should be set to the full UTF-8 encoded path of the certificate, prefixed with the string “file://” and ending with a terminating NUL byte. This property can be unset even if the EAP method supports CA certificates, but this allows man-in-the-middle attacks and is NOT recommended.
Setting this property directly is discouraged; use the NM.Setting8021x.set_phase2_client_cert() function instead.
- NM.Setting8021x.props.phase2_client_cert_password
- Name:
phase2-client-cert-password
- Type:
- Default Value:
- Flags:
The password used to access the “phase2” client certificate stored in the NM.Setting8021x:phase2-client-cert property. Only makes sense if the certificate is stored on a PKCS#11 token that requires a login.
New in version 1.8.
- NM.Setting8021x.props.phase2_client_cert_password_flags
- Name:
phase2-client-cert-password-flags
- Type:
- Default Value:
- Flags:
Flags indicating how to handle the NM.Setting8021x:phase2-client-cert-password property.
New in version 1.8.
- NM.Setting8021x.props.phase2_domain_match
- Name:
phase2-domain-match
- Type:
- Default Value:
- Flags:
Constraint for server domain name. If set, this list of FQDNs is used as a match requirement for dNSName element(s) of the certificate presented by the authentication server during the inner “phase 2” authentication. If a matching dNSName is found, this constraint is met. If no dNSName values are present, this constraint is matched against SubjectName CN using the same comparison. Multiple valid FQDNs can be passed as a “;” delimited list.
New in version 1.24.
- NM.Setting8021x.props.phase2_domain_suffix_match
- Name:
phase2-domain-suffix-match
- Type:
- Default Value:
- Flags:
Constraint for server domain name. If set, this FQDN is used as a suffix match requirement for dNSName element(s) of the certificate presented by the authentication server during the inner “phase 2” authentication. If a matching dNSName is found, this constraint is met. If no dNSName values are present, this constraint is matched against SubjectName CN using the same suffix match comparison. Since version 1.24, multiple valid FQDNs can be passed as a “;” delimited list.
New in version 1.2.
- NM.Setting8021x.props.phase2_private_key
- Name:
phase2-private-key
- Type:
- Default Value:
- Flags:
Contains the “phase 2” inner private key when the NM.Setting8021x:phase2-auth or NM.Setting8021x:phase2-autheap property is set to “tls”.
Key data is specified using a “scheme”; two are currently supported: blob and path. When using the blob scheme and private keys, this property should be set to the key’s encrypted PEM encoded data. When using private keys with the path scheme, this property should be set to the full UTF-8 encoded path of the key, prefixed with the string “file://” and ending with a terminating NUL byte. When using PKCS#12 format private keys and the blob scheme, this property should be set to the PKCS#12 data and the NM.Setting8021x:phase2-private-key-password property must be set to the password used to decrypt the PKCS#12 certificate and key. When using PKCS#12 files and the path scheme, this property should be set to the full UTF-8 encoded path of the key, prefixed with the string “file://” and ending with a terminating NUL byte, and as with the blob scheme the NM.Setting8021x:phase2-private-key-password property must be set to the password used to decode the PKCS#12 private key and certificate.
Setting this property directly is discouraged; use the NM.Setting8021x.set_phase2_private_key() function instead.
- NM.Setting8021x.props.phase2_private_key_password
- Name:
phase2-private-key-password
- Type:
- Default Value:
- Flags:
The password used to decrypt the “phase 2” private key specified in the NM.Setting8021x:phase2-private-key property when the private key either uses the path scheme, or is a PKCS#12 format key. Setting this property directly is not generally necessary except when returning secrets to NetworkManager; it is generally set automatically when setting the private key by the NM.Setting8021x.set_phase2_private_key() function.
- NM.Setting8021x.props.phase2_private_key_password_flags
- Name:
phase2-private-key-password-flags
- Type:
- Default Value:
- Flags:
Flags indicating how to handle the NM.Setting8021x:phase2-private-key-password property.
- NM.Setting8021x.props.phase2_subject_match
- Name:
phase2-subject-match
- Type:
- Default Value:
- Flags:
Substring to be matched against the subject of the certificate presented by the authentication server during the inner “phase 2” authentication. When unset, no verification of the authentication server certificate’s subject is performed. This property provides little security, if any, and should not be used.
Deprecated since version 1.2: Use NM.Setting8021x:phase2-domain-suffix-match instead.
- NM.Setting8021x.props.pin
- Name:
pin
- Type:
- Default Value:
- Flags:
PIN used for EAP authentication methods.
- NM.Setting8021x.props.pin_flags
- Name:
pin-flags
- Type:
- Default Value:
- Flags:
Flags indicating how to handle the NM.Setting8021x:pin property.
- NM.Setting8021x.props.private_key
- Name:
private-key
- Type:
- Default Value:
- Flags:
Contains the private key when the NM.Setting8021x:eap property is set to “tls”.
Key data is specified using a “scheme”; two are currently supported: blob and path. When using the blob scheme and private keys, this property should be set to the key’s encrypted PEM encoded data. When using private keys with the path scheme, this property should be set to the full UTF-8 encoded path of the key, prefixed with the string “file://” and ending with a terminating NUL byte. When using PKCS#12 format private keys and the blob scheme, this property should be set to the PKCS#12 data and the NM.Setting8021x:private-key-password property must be set to the password used to decrypt the PKCS#12 certificate and key. When using PKCS#12 files and the path scheme, this property should be set to the full UTF-8 encoded path of the key, prefixed with the string “file://” and ending with a terminating NUL byte, and as with the blob scheme the “private-key-password” property must be set to the password used to decode the PKCS#12 private key and certificate.
Setting this property directly is discouraged; use the NM.Setting8021x.set_private_key() function instead.
WARNING: NM.Setting8021x:private-key is not a “secret” property, and thus unencrypted private key data using the BLOB scheme may be readable by unprivileged users. Private keys should always be encrypted with a private key password to prevent unauthorized access to unencrypted private key data.
- NM.Setting8021x.props.private_key_password
- Name:
private-key-password
- Type:
- Default Value:
- Flags:
The password used to decrypt the private key specified in the NM.Setting8021x:private-key property when the private key either uses the path scheme, or if the private key is a PKCS#12 format key. Setting this property directly is not generally necessary except when returning secrets to NetworkManager; it is generally set automatically when setting the private key by the NM.Setting8021x.set_private_key() function.
- NM.Setting8021x.props.private_key_password_flags
- Name:
private-key-password-flags
- Type:
- Default Value:
- Flags:
Flags indicating how to handle the NM.Setting8021x:private-key-password property.
- NM.Setting8021x.props.subject_match
- Name:
subject-match
- Type:
- Default Value:
- Flags:
Substring to be matched against the subject of the certificate presented by the authentication server. When unset, no verification of the authentication server certificate’s subject is performed. This property provides little security, if any, and should not be used.
Deprecated since version 1.2: Use NM.Setting8021x:phase2-domain-suffix-match instead.
- NM.Setting8021x.props.system_ca_certs
- Name:
system-ca-certs
- Type:
- Default Value:
- Flags:
When True, overrides the NM.Setting8021x:ca-path and NM.Setting8021x:phase2-ca-path properties using the system CA directory specified at configure time with the --system-ca-path switch. The certificates in this directory are added to the verification chain in addition to any certificates specified by the NM.Setting8021x:ca-cert and NM.Setting8021x:phase2-ca-cert properties. If the path provided with --system-ca-path is rather a file name (bundle of trusted CA certificates), it overrides NM.Setting8021x:ca-cert and NM.Setting8021x:phase2-ca-cert properties instead (sets ca_cert/ca_cert2 options for wpa_supplicant).
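The caveats in the ca-cert, domain-suffix-match, altsubject-matches, subject-match, phase1-fast-provisioning and private-key descriptions above can be checked mechanically before a profile is deployed. The following Python audit is an added example, not part of NetworkManager or of this reference. It assumes the settings are available as a plain dict keyed by the property names listed here; the function names, finding codes, the set of certificate-based EAP methods and the sample values are all constructed for illustration.

```python
# Added example: audits a dict of 802-1x property values (keys are the property
# names from this reference). Hypothetical helper, not NetworkManager code.
FILE_PREFIX = b"file://"
PKCS11_PREFIX = b"pkcs11:"                  # PKCS#11 URI scheme (RFC 7512)
CERT_EAP_METHODS = {"tls", "peap", "ttls"}  # assumption: methods checked for server validation


def value_scheme(value):
    """Classify a cert/key property value: 'path', 'pkcs11', 'blob', 'unknown' or None."""
    if not value:
        return None
    if value.startswith(FILE_PREFIX):
        path = value[len(FILE_PREFIX):]
        # Path scheme: "file://" + UTF-8 path + exactly one terminating NUL byte.
        ok = len(path) > 1 and path.endswith(b"\0") and b"\0" not in path[:-1]
        return "path" if ok else "unknown"
    if value.startswith(PKCS11_PREFIX):
        return "pkcs11"
    return "blob"


def pem_key_unencrypted(blob):
    """True for a PEM private key blob that carries no encryption marker."""
    is_pem = blob.lstrip().startswith(b"-----BEGIN")
    # Covers "BEGIN ENCRYPTED PRIVATE KEY" and the legacy "Proc-Type: 4,ENCRYPTED" header.
    return is_pem and b"ENCRYPTED" not in blob


def audit_8021x(props):
    """Return a sorted list of finding codes for one connection's 802-1x properties."""
    findings = set()
    eap = set(props.get("eap", []))
    if eap & CERT_EAP_METHODS:
        if not (props.get("ca-cert") or props.get("ca-path") or props.get("system-ca-certs")):
            findings.add("no-ca-cert")            # server certificate chain is not anchored
        if not (props.get("domain-suffix-match") or props.get("domain-match")
                or props.get("altsubject-matches")):
            findings.add("no-server-name-match")  # server name in the certificate is unchecked
    if props.get("subject-match") or props.get("phase2-subject-match"):
        findings.add("deprecated-subject-match")  # substring match, "little security, if any"
    if "fast" in eap and props.get("phase1-fast-provisioning") in ("1", "3"):
        findings.add("fast-unauthenticated-provisioning")
    for name in ("private-key", "phase2-private-key"):
        key = props.get(name)
        scheme = value_scheme(key)
        if scheme == "unknown":
            findings.add("malformed-" + name)
        elif scheme == "blob" and pem_key_unencrypted(key):
            findings.add("unencrypted-blob-" + name)  # readable by unprivileged users
    return sorted(findings)


# Constructed sample inputs (not taken from a real connection).
WEAK = {"eap": ["peap"], "identity": "alice", "phase2-auth": "mschapv2",
        "subject-match": "example.org"}
HARDENED = {
    "eap": ["tls"], "identity": "alice",
    "ca-cert": b"file:///etc/pki/example/radius-ca.pem\0",
    "domain-suffix-match": "radius.example.org",
    "private-key": b"file:///etc/pki/example/alice.key\0",
}
PEM_PLAIN = b"-----BEGIN PRIVATE KEY-----\n(constructed placeholder)\n-----END PRIVATE KEY-----\n"

if __name__ == "__main__":
    for sample in (WEAK, HARDENED, {"eap": ["tls"], "private-key": PEM_PLAIN}):
        print(audit_8021x(sample))
```

An empty list means none of the conditions this reference warns about were found; it does not prove the referenced certificate or key files themselves are valid.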