NM-SETTINGS-KEYFILE(5)           Configuration          NM-SETTINGS-KEYFILE(5)

NAME

       nm-settings-keyfile - Description of keyfile settings plugin

DESCRIPTION

       NetworkManager is based on the concept of connection profiles that
       contain network configuration (see nm-settings(5) for details). The
       profiles can be stored in various formats. NetworkManager uses plugins
       for reading and writing the data. The plugins can be configured in
       NetworkManager.conf(5).

       The keyfile plugin is the generic plugin that supports all the
       connection types and capabilities that NetworkManager has. It writes
       files out in a .ini-style format in
       /etc/NetworkManager/system-connections/. This plugin is always enabled
       and will automatically be used to store any connections that are not
       supported by any other active plugin. For security, it will ignore
       files that are readable or writable by any user or group other than
       'root' since private keys and passphrases may be stored in plaintext
       inside the file.

FILE FORMAT

       The keyfile config format is a simple .ini-style format. It consists of
       sections (groups) of key-value pairs. Each section corresponds to a
       setting name as described in the settings specification
       (nm-settings(5)). Each configuration key/value pair in the section is
       one of the properties listed in the settings specification. Most
       properties of the specification are written into the keyfile in the
       same format. However, some values are inconvenient for people to use,
       so they are stored in the files in a more readable way. These
       properties are described below. An example is IP addresses, which are
       not written as integer arrays, but more reasonably as "1.2.3.4/12
       1.2.3.254". More information on the generic key file format can be
       found at GLib key file format[1] (lines beginning with a '#' are
       comments, lists are separated by the ';' character, etc.).

       Users can create or modify the keyfile connection files manually, even
       if that is not the recommended way of managing the profiles. However,
       if they choose to do that, they must inform NetworkManager about their
       changes (see monitor-connection-file in nm-settings(5) and nmcli con
       (re)load).

       Examples of keyfile configuration.

           A sample configuration for an ethernet network:
           [connection]
           id=Main eth0
           uuid=27afa607-ee36-43f0-b8c3-9d245cdc4bb3
           type=802-3-ethernet
           autoconnect=true

           [ipv4]
           method=auto

           [802-3-ethernet]
           mac-address=00:23:5a:47:1f:71

           A sample configuration for WPA-EAP (PEAP with MSCHAPv2) and always-ask secret:
           [connection]
           id=CompanyWIFI
           uuid=cdac6154-a33b-4b15-9904-666772cfa5ee
           type=wifi
           autoconnect=false

           [wifi]
           ssid=CorpWLAN
           mode=infrastructure
           security=802-11-wireless-security

           [wifi-security]
           key-mgmt=wpa-eap

           [ipv4]
           method=auto

           [ipv6]
           method=auto

           [802-1x]
           eap=peap;
           identity=joe
           ca-cert=/home/joe/.cert/corp.crt
           phase1-peapver=1
           phase2-auth=mschapv2
           password-flags=2

           A sample configuration for openvpn:
           [connection]
           id=RedHat-openvpn
           uuid=7f9b3356-b210-4c0e-8123-bd116c9c280f
           type=vpn
           timestamp=1385401165

           [vpn]
           service-type=org.freedesktop.NetworkManager.openvpn
           connection-type=password
           password-flags=3
           remote=ovpn.my-company.com
           cipher=AES-256-CBC
           reneg-seconds=0
           port=443
           username=joe
           ca=/etc/openvpn/ISCA.pem
           tls-remote=ovpn.my-company.com

           [ipv6]
           method=auto

           [ipv4]
           method=auto
           ignore-auto-dns=true
           never-default=true

           A sample configuration for a bridge and a bridge port:
           [connection]                                 [connection]
           id=MainBridge                                id=br-port-1
           uuid=171ae855-a0ab-42b6-bd0c-60f5812eea9d    uuid=d6e8ae98-71f8-4b3d-9d2d-2e26048fe794
           interface-name=MainBridge                    interface-name=em1
           type=bridge                                  type=ethernet
                                                        master=MainBridge
           [bridge]                                     slave-type=bridge
           interface-name=MainBridge

           A sample configuration for a VLAN:
           [connection]
           id=VLAN for building 4A
           uuid=8ce1c9e0-ce7a-4d2c-aa28-077dda09dd7e
           interface-name=VLAN-4A
           type=vlan

           [vlan]
           interface-name=VLAN-4A
           parent=eth0
           id=4

DETAILS

       Keyfile plugin variables for the majority of NetworkManager properties
       have a one-to-one mapping: a NetworkManager property is stored in the
       keyfile as a variable of the same name and in the same format. There
       are several exceptions to this rule, mainly to make keyfile syntax
       easier for humans. The exceptions handled specially by the keyfile
       plugin are listed below. Refer to nm-settings(5) for all available
       settings and properties and their description.

       Name aliases. Some of the NetworkManager setting names are somewhat
       hard to type or remember. Therefore keyfile introduces aliases that can
       be used instead of the names.
           setting name                 keyfile alias
           802-3-ethernet            =  ethernet
           802-11-wireless           =  wifi
           802-11-wireless-security  =  wifi-security

       Table 1. bridge setting (section)
       ┌────────────┬──────────────────┬───────────────────────┬──────────────────────────────────┐
       │Property    │ Keyfile Variable │ Format                │ Description                      │
       ├────────────┼──────────────────┼───────────────────────┼──────────────────────────────────┤
       │mac-address │ mac-address      │ usual                 │ MAC address in                   │
       │            │                  │ hex-digits-and-colons │ traditional                      │
       │            │                  │ notation              │ hex-digits-and-colons            │
       │            │                  │                       │ notation, or                     │
       │            │                  │                       │ semicolon                        │
       │            │                  │                       │ separated list                   │
       │            │                  │                       │ of 6 decimal                     │
       │            │                  │                       │ bytes (obsolete)                 │
       │            │                  │                       │                                  │
       │            │                  │                       │ Example:                         │
       │            │                  │                       │ mac-address=00:22:68:12:79:A2    │
       │            │                  │                       │ mac-address=0;34;104;18;121;162; │
       └────────────┴──────────────────┴───────────────────────┴──────────────────────────────────┘

       Table 2. infiniband setting (section)
       ┌────────────┬──────────────────┬───────────────────────┬─────────────────────────────────────────────────────────────┐
       │Property    │ Keyfile Variable │ Format                │ Description                                                 │
       ├────────────┼──────────────────┼───────────────────────┼─────────────────────────────────────────────────────────────┤
       │mac-address │ mac-address      │ usual                 │ MAC address in                                              │
       │            │                  │ hex-digits-and-colons │ traditional                                                 │
       │            │                  │ notation              │ hex-digits-and-colons                                       │
       │            │                  │                       │ notation, or                                                │
       │            │                  │                       │ semicolon                                                   │
       │            │                  │                       │ separated list                                              │
       │            │                  │                       │ of 20 decimal                                               │
       │            │                  │                       │ bytes (obsolete)                                            │
       │            │                  │                       │                                                             │
       │            │                  │                       │ Example:                                                    │
       │            │                  │                       │ mac-address=                                                │
       │            │                  │                       │ 80:00:00:6d:fe:80:00:00:00:00:00:00:00:02:55:00:70:33:cf:01 │
       └────────────┴──────────────────┴───────────────────────┴─────────────────────────────────────────────────────────────┘

       Table 3. ipv4 setting (section)
       ┌──────────┬──────────────────┬─────────────────────────────┬───────────────────────────────┐
       │Property  │ Keyfile Variable │ Format                      │ Description                   │
       ├──────────┼──────────────────┼─────────────────────────────┼───────────────────────────────┤
       │dns       │ dns              │ list of DNS IP              │ List of DNS                   │
       │          │                  │ addresses                   │ servers.                      │
       │          │                  │                             │                               │
       │          │                  │                             │ Example:                      │
       │          │                  │                             │ dns=1.2.3.4;8.8.8.8;8.8.4.4;  │
       ├──────────┼──────────────────┼─────────────────────────────┼───────────────────────────────┤
       │addresses │ address1,        │ address/plen                │ List of static IP addresses.  │
       │          │ address2, ...    │                             │                               │
       │          │                  │                             │ Example:                      │
       │          │                  │                             │ address1=192.168.100.100/24   │
       │          │                  │                             │ address2=10.1.1.5/24          │
       ├──────────┼──────────────────┼─────────────────────────────┼───────────────────────────────┤
       │gateway   │ gateway          │ string                      │ Gateway IP addresses as a     │
       │          │                  │                             │ string.                       │
       │          │                  │                             │                               │
       │          │                  │                             │ Example:                      │
       │          │                  │                             │ gateway=192.168.100.1         │
       ├──────────┼──────────────────┼─────────────────────────────┼───────────────────────────────┤
       │routes    │ route1, route2,  │ route/plen[,gateway,metric] │ List of IP routes.            │
       │          │ ...              │                             │                               │
       │          │                  │                             │ Example:                      │
       │          │                  │                             │ route1=8.8.8.0/24,10.1.1.1,77 │
       │          │                  │                             │ route2=7.7.0.0/16             │
       └──────────┴──────────────────┴─────────────────────────────┴───────────────────────────────┘

       Table 4. ipv6 setting (section)
       ┌──────────┬──────────────────┬─────────────────────────────┬──────────────────────────────────────────────────────────────┐
       │Property  │ Keyfile Variable │ Format                      │ Description                                                  │
       ├──────────┼──────────────────┼─────────────────────────────┼──────────────────────────────────────────────────────────────┤
       │dns       │ dns              │ list of DNS IP              │ List of DNS                                                  │
       │          │                  │ addresses                   │ servers.                                                     │
       │          │                  │                             │                                                              │
       │          │                  │                             │ Example:                                                     │
       │          │                  │                             │ dns=2001:4860:4860::8888;2001:4860:4860::8844;               │
       ├──────────┼──────────────────┼─────────────────────────────┼──────────────────────────────────────────────────────────────┤
       │addresses │ address1,        │ address/plen                │ List of static IP addresses.                                 │
       │          │ address2, ...    │                             │                                                              │
       │          │                  │                             │ Example: address1=abbe::cafe/96                              │
       │          │                  │                             │ address2=2001::1234                                          │
       ├──────────┼──────────────────┼─────────────────────────────┼──────────────────────────────────────────────────────────────┤
       │gateway   │ gateway          │ string                      │ Gateway IP addresses as a string.                            │
       │          │                  │                             │                                                              │
       │          │                  │                             │ Example: gateway=abbe::1                                     │
       ├──────────┼──────────────────┼─────────────────────────────┼──────────────────────────────────────────────────────────────┤
       │routes    │ route1, route2,  │ route/plen[,gateway,metric] │ List of IP routes.                                           │
       │          │ ...              │                             │                                                              │
       │          │                  │                             │ Example:                                                     │
       │          │                  │                             │ route1=2001:4860:4860::/64,2620:52:0:2219:222:68ff:fe11:5403 │
       └──────────┴──────────────────┴─────────────────────────────┴──────────────────────────────────────────────────────────────┘

       Table 5. serial setting (section)
       ┌─────────┬──────────────────┬──────────────────┬─────────────────┐
       │Property │ Keyfile Variable │ Format           │ Description     │
       ├─────────┼──────────────────┼──────────────────┼─────────────────┤
       │parity   │ parity           │ 'e', 'o', or 'n' │ The connection  │
       │         │                  │                  │ parity; even,   │
       │         │                  │                  │ odd, or none.   │
       │         │                  │                  │ Note that older │
       │         │                  │                  │ versions of     │
       │         │                  │                  │ NetworkManager  │
       │         │                  │                  │ stored this as  │
       │         │                  │                  │ an integer: 69  │
       │         │                  │                  │ ('E') for even, │
       │         │                  │                  │ 111 ('o') for   │
       │         │                  │                  │ odd, or 110     │
       │         │                  │                  │ ('n') for none. │
       │         │                  │                  │                 │
       │         │                  │                  │ Example:        │
       │         │                  │                  │ parity=n        │
       └─────────┴──────────────────┴──────────────────┴─────────────────┘

       Table 6. vpn setting (section)
       ┌─────────┬──────────────────┬────────┬───────────────────────┐
       │Property │ Keyfile Variable │ Format │ Description           │
       ├─────────┼──────────────────┼────────┼───────────────────────┤
       │data     │ separate         │        │ The keys of the       │
       │         │ variables named  │        │ data dictionary       │
       │         │ after keys of    │        │ are used as           │
       │         │ the dictionary   │        │ variable names        │
       │         │                  │        │ directly under        │
       │         │                  │        │ [vpn] section.        │
       │         │                  │        │                       │
       │         │                  │        │ Example:              │
       │         │                  │        │ remote=ovpn.corp.com  │
       │         │                  │        │ cipher=AES-256-CBC    │
       │         │                  │        │ username=joe          │
       ├─────────┼──────────────────┼────────┼───────────────────────┤
       │secrets  │ separate         │        │ The keys of the       │
       │         │ variables named  │        │ secrets dictionary    │
       │         │ after keys of    │        │ are used as variable  │
       │         │ the dictionary   │        │ names directly under  │
       │         │                  │        │ [vpn-secrets]         │
       │         │                  │        │ section.              │
       │         │                  │        │                       │
       │         │                  │        │ Example:              │
       │         │                  │        │ password=Popocatepetl │
       └─────────┴──────────────────┴────────┴───────────────────────┘

       Table 7. 802-3-ethernet setting (section)
       ┌──────────────────────┬───────────────────────┬───────────────────────┬─────────────────────────────────────┐
       │Property              │ Keyfile Variable      │ Format                │ Description                         │
       ├──────────────────────┼───────────────────────┼───────────────────────┼─────────────────────────────────────┤
       │mac-address           │ mac-address           │ usual                 │ MAC address in                      │
       │                      │                       │ hex-digits-and-colons │ traditional                         │
       │                      │                       │ notation              │ hex-digits-and-colons               │
       │                      │                       │                       │ notation (e.g.                      │
       │                      │                       │                       │ 00:22:68:12:79:A2),                 │
       │                      │                       │                       │ or semicolon                        │
       │                      │                       │                       │ separated list                      │
       │                      │                       │                       │ of 6 bytes                          │
       │                      │                       │                       │ (obsolete) (e.g.                    │
       │                      │                       │                       │ 0;34;104;18;121;162)                │
       ├──────────────────────┼───────────────────────┼───────────────────────┼─────────────────────────────────────┤
       │cloned-mac-address    │ cloned-mac-address    │ usual                 │ Cloned MAC address in               │
       │                      │                       │ hex-digits-and-colons │ traditional                         │
       │                      │                       │ notation              │ hex-digits-and-colons               │
       │                      │                       │                       │ notation (e.g.                      │
       │                      │                       │                       │ 00:22:68:12:79:B2),                 │
       │                      │                       │                       │ or semicolon                        │
       │                      │                       │                       │ separated list of 6                 │
       │                      │                       │                       │ bytes (obsolete)                    │
       │                      │                       │                       │ (e.g.                               │
       │                      │                       │                       │ 0;34;104;18;121;178).               │
       ├──────────────────────┼───────────────────────┼───────────────────────┼─────────────────────────────────────┤
       │mac-address-blacklist │ mac-address-blacklist │ list of MACs          │ MAC address                         │
       │                      │                       │ (separated with       │ blacklist.                          │
       │                      │                       │ semicolons)           │                                     │
       │                      │                       │                       │ Example:                            │
       │                      │                       │                       │ mac-address-blacklist=              │
       │                      │                       │                       │ 00:22:68:12:79:A6;00:22:68:12:79:78 │
       └──────────────────────┴───────────────────────┴───────────────────────┴─────────────────────────────────────┘

       Table 8. 802-11-wireless setting (section)
       ┌──────────────────────┬───────────────────────┬───────────────────────┬─────────────────────────────────────┐
       │Property              │ Keyfile Variable      │ Format                │ Description                         │
       ├──────────────────────┼───────────────────────┼───────────────────────┼─────────────────────────────────────┤
       │ssid                  │ ssid                  │ string (or            │ SSID of Wi-Fi                       │
       │                      │                       │ decimal-byte          │ network.                            │
       │                      │                       │ list - obsolete)      │                                     │
       │                      │                       │                       │ Example:                            │
       │                      │                       │                       │ ssid=Quick Net                      │
       ├──────────────────────┼───────────────────────┼───────────────────────┼─────────────────────────────────────┤
       │mac-address           │ mac-address           │ usual                 │ MAC address in                      │
       │                      │                       │ hex-digits-and-colons │ traditional                         │
       │                      │                       │ notation              │ hex-digits-and-colons               │
       │                      │                       │                       │ notation (e.g.                      │
       │                      │                       │                       │ 00:22:68:12:79:A2),                 │
       │                      │                       │                       │ or semicolon                        │
       │                      │                       │                       │ separated list                      │
       │                      │                       │                       │ of 6 bytes                          │
       │                      │                       │                       │ (obsolete) (e.g.                    │
       │                      │                       │                       │ 0;34;104;18;121;162).               │
       ├──────────────────────┼───────────────────────┼───────────────────────┼─────────────────────────────────────┤
       │cloned-mac-address    │ cloned-mac-address    │ usual                 │ Cloned MAC address in               │
       │                      │                       │ hex-digits-and-colons │ traditional                         │
       │                      │                       │ notation              │ hex-digits-and-colons               │
       │                      │                       │                       │ notation (e.g.                      │
       │                      │                       │                       │ 00:22:68:12:79:B2),                 │
       │                      │                       │                       │ or semicolon                        │
       │                      │                       │                       │ separated list of 6                 │
       │                      │                       │                       │ bytes (obsolete)                    │
       │                      │                       │                       │ (e.g.                               │
       │                      │                       │                       │ 0;34;104;18;121;178).               │
       ├──────────────────────┼───────────────────────┼───────────────────────┼─────────────────────────────────────┤
       │mac-address-blacklist │ mac-address-blacklist │ list of MACs          │ MAC address                         │
       │                      │                       │ (separated with       │ blacklist.                          │
       │                      │                       │ semicolons)           │                                     │
       │                      │                       │                       │ Example:                            │
       │                      │                       │                       │ mac-address-blacklist=              │
       │                      │                       │                       │ 00:22:68:12:79:A6;00:22:68:12:79:78 │
       └──────────────────────┴───────────────────────┴───────────────────────┴─────────────────────────────────────┘

       Table 9. wpan setting (section)
       ┌────────────┬──────────────────┬───────────────────────┬───────────────────────────┐
       │Property    │ Keyfile Variable │ Format                │ Description               │
       ├────────────┼──────────────────┼───────────────────────┼───────────────────────────┤
       │mac-address │ mac-address      │ usual                 │ MAC address in            │
       │            │                  │ hex-digits-and-colons │ hex-digits-and-colons     │
       │            │                  │ notation              │ notation (e.g.            │
       │            │                  │                       │ 76:d8:9b:87:66:60:84:ee). │
       └────────────┴──────────────────┴───────────────────────┴───────────────────────────┘

   Secret flags
       Each secret property in a NetworkManager setting has an associated
       flags property that describes how to handle that secret. In the keyfile
       plugin, the value of the -flags variable is a decimal number (0 - 7)
       defined as a sum of the following values:

       ·   0 - (NM owned) - the system is responsible for providing and
           storing this secret.

       ·   1 - (agent-owned) - a user-session secret agent is responsible for
           providing and storing this secret; when it is required, agents will
           be asked to provide it.

       ·   2 - (not-saved) - this secret should not be saved but should be
           requested from the user each time it is required.

       ·   4 - (not-required) - in some situations it cannot be automatically
           determined whether a secret is required or not. This flag hints
           that the secret is not required and should not be requested from
           the user.
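
       The two security-relevant rules on this page, the file permission
       requirement from DESCRIPTION and the secret flags above, can be checked
       together. The following is an added example, not part of NetworkManager
       or of the original manual page: the function names and the permission
       model (root owner, no group/other read or write bits) are assumptions,
       and the sample profiles are constructed from values shown on this page.

```python
import configparser
import stat

# Bit values from the "Secret flags" list above; a value of 0 means NM-owned.
FLAG_BITS = {1: "agent-owned", 2: "not-saved", 4: "not-required"}


def decode_secret_flags(value):
    """Decode a keyfile *-flags value (decimal sum, 0 - 7) into flag names."""
    number = int(value)
    if not 0 <= number <= 7:
        raise ValueError(f"secret flags outside 0 - 7: {value!r}")
    names = [name for bit, name in FLAG_BITS.items() if number & bit]
    return names or ["NM-owned"]


def permission_problems(st_mode, st_uid):
    """List why a keyfile would count as accessible to someone besides root.

    Assumption: the rule is modelled as "owner must be uid 0 and no group or
    other read/write bit may be set"; NetworkManager's own check may differ.
    """
    problems = []
    if st_uid != 0:
        problems.append("owner is not root")
    if st_mode & (stat.S_IRGRP | stat.S_IWGRP):
        problems.append("group can read or write")
    if st_mode & (stat.S_IROTH | stat.S_IWOTH):
        problems.append("others can read or write")
    return problems


def parse_keyfile(text):
    """Parse keyfile text: '#' comments, '=' delimiter, case-sensitive keys."""
    parser = configparser.ConfigParser(
        interpolation=None,          # secrets may contain '%'
        delimiters=("=",),
        comment_prefixes=("#",),     # ';' is a list separator, not a comment
        strict=False,
    )
    parser.optionxform = str
    parser.read_string(text)
    return parser


def audit_secrets(text):
    """Return (section, secret, flag_names, stored_in_file) per *-flags key."""
    parser = parse_keyfile(text)
    findings = []
    for section in parser.sections():
        # Table 6: VPN secrets are written under [vpn-secrets], flags under [vpn].
        secret_section = "vpn-secrets" if section == "vpn" else section
        for key, value in parser.items(section):
            if key.endswith("-flags"):
                secret = key[: -len("-flags")]
                stored = parser.has_option(secret_section, secret)
                findings.append((section, secret, decode_secret_flags(value), stored))
    return findings


def stored_despite_flags(findings):
    """Secrets present in the file although flagged agent-owned or not-saved."""
    return [f for f in findings
            if f[3] and {"agent-owned", "not-saved"} & set(f[2])]


# Constructed samples, built from the example values on this page.
EAP_SAMPLE = """\
[connection]
id=CompanyWIFI
type=wifi

[802-1x]
eap=peap;
identity=joe
password-flags=2
"""

VPN_SAMPLE = """\
[vpn]
service-type=org.freedesktop.NetworkManager.openvpn
username=joe
password-flags=3

[vpn-secrets]
password=Popocatepetl
"""

if __name__ == "__main__":
    for name, text in (("EAP", EAP_SAMPLE), ("VPN", VPN_SAMPLE)):
        for finding in audit_secrets(text):
            print(name, finding)
    print("0644 root:", permission_problems(0o100644, 0))
```

       To audit real profiles, pass the st_mode and st_uid fields of
       os.stat() to permission_problems() and the file contents to
       audit_secrets(); reading the system-connections directory requires root.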

FILES

       /etc/NetworkManager/system-connections/*

SEE ALSO

       nm-settings(5), nm-settings-ifcfg-rh(5), NetworkManager(8),
       NetworkManager.conf(5), nmcli(1), nmcli-examples(7)

NOTES

        1. GLib key file format
           https://developer.gnome.org/glib/stable/glib-Key-value-file-parser.html#glib-Key-value-file-parser.description

NetworkManager 1.14.0                                   NM-SETTINGS-KEYFILE(5)