1NM-SETTINGS-KEYFILE(5) Configuration NM-SETTINGS-KEYFILE(5)
2
6 nm-settings-keyfile - Description of keyfile settings plugin
7
9 NetworkManager is based on the concept of connection profiles that
10 contain network configuration (see nm-settings(5) for details). The
11 profiles can be stored in various formats. NetworkManager uses plugins
12 for reading and writing the data. The plugins can be configured in
13 NetworkManager.conf(5).
14 The keyfile plugin is the generic plugin that supports all the
16 connection types and capabilities that NetworkManager has. The files
17 are in a .ini-style format and located in
18 /etc/NetworkManager/system-connections/,
19 /usr/lib/NetworkManager/system-connections/ and
20 /run/NetworkManager/system-connections/. This plugin is always enabled
21 and will automatically be used to store any connections that are not
22 supported by any other active plugin. For security, it will ignore
23 files that are readable or writable by any user other than 'root' since
24 private keys and passphrases may be stored in plaintext inside the
25 file.
26
28 The keyfile config format is a simple .ini-style format. It consists of
29 sections (groups) of key-value pairs. Each section corresponds to a
30 setting name as described in the settings specification (nm-
31 settings(5)). Each configuration key/value pair in the section is one
32 of the properties listed in the settings specification. The majority of
33 properties of the specification is written in the same format into the
34 keyfile too. However some values are inconvenient for people to use.
35 These are stored in the files in more readable ways. These properties
36 are described below. An example could be IP addresses that are not
37 written as integer arrays, but more reasonably as "1.2.3.4/12
38 1.2.3.254". More information of the generic key file format can be
39 found at GLib key file format[1] (Lines beginning with a '#' are
40 comments, lists are separated by character ; etc.).
41 Users can create or modify the keyfile connection files manually, even
43 if that is not the recommended way of managing the profiles. However,
44 if they choose to do that, they must inform NetworkManager about their
45 changes (for example via nmcli con (re)load).
46 Examples of keyfile configuration.
48 A sample configuration for an ethernet network:
50 [connection]
51 id=Main eth0
52 uuid=27afa607-ee36-43f0-b8c3-9d245cdc4bb3
53 type=802-3-ethernet
54 autoconnect=true
55 [ipv4]
57 method=auto
58 [802-3-ethernet]
60 mac-address=00:23:5a:47:1f:71
61 A sample configuration for WPA-EAP (PEAP with MSCHAPv2) and always-ask secret:
65 [connection]
66 id=CompanyWIFI
67 uuid=cdac6154-a33b-4b15-9904-666772cfa5ee
68 type=wifi
69 autoconnect=false
70 [wifi]
72 ssid=CorpWLAN
73 mode=infrastructure
74 security=802-11-wireless-security
75 [wifi-security]
77 key-mgmt=wpa-eap
78 [ipv4]
80 method=auto
81 [ipv6]
83 method=auto
84 [802-1x]
86 eap=peap;
87 identity=joe
88 ca-cert=/home/joe/.cert/corp.crt
89 phase1-peapver=1
90 phase2-auth=mschapv2
91 password-flags=2
92 A sample configuration for openvpn:
96 [connection]
97 id=RedHat-openvpn
98 uuid=7f9b3356-b210-4c0e-8123-bd116c9c280f
99 type=vpn
100 timestamp=1385401165
101 [vpn]
103 service-type=org.freedesktop.NetworkManager.openvpn
104 connection-type=password
105 password-flags=3
106 remote=ovpn.my-company.com
107 cipher=AES-256-CBC
108 reneg-seconds=0
109 port=443
110 username=joe
111 ca=/etc/openvpn/ISCA.pem
112 tls-remote=ovpn.my-company.com
113 [ipv6]
115 method=auto
116 [ipv4]
118 method=auto
119 ignore-auto-dns=true
120 never-default=true
121 A sample configuration for a bridge and a bridge port:
125 [connection] [connection]
126 id=MainBridge id=br-port-1
127 uuid=171ae855-a0ab-42b6-bd0c-60f5812eea9d uuid=d6e8ae98-71f8-4b3d-9d2d-2e26048fe794
128 interface-name=MainBridge interface-name=em1
129 type=bridge type=ethernet
130 master=MainBridge
131 [bridge] slave-type=bridge
132 interface-name=MainBridge
133 A sample configuration for a VLAN:
137 [connection]
138 id=VLAN for building 4A
139 uuid=8ce1c9e0-ce7a-4d2c-aa28-077dda09dd7e
140 interface-name=VLAN-4A
141 type=vlan
142 [vlan]
144 interface-name=VLAN-4A
145 parent=eth0
146 id=4
147
150 keyfile plugin variables for the majority of NetworkManager properties
151 have one-to-one mapping. It means a NetworkManager property is stored
152 in the keyfile as a variable of the same name and in the same format.
153 There are several exceptions to this rule, mainly for making keyfile
154 syntax easier for humans. The exceptions handled specially by keyfile
155 plugin are listed below. Refer to nm-settings(5) for all available
156 settings and properties and their description.
157 Name aliases. Some of the NetworkManager setting names are somewhat
159 hard to type or remember. Therefore keyfile introduces aliases that can
160 be used instead of the names.
161 setting name keyfile alias
162 802-3-ethernet = ethernet
163 802-11-wireless = wifi
164 802-11-wireless-security = wifi-security
165 Table 1. 802-11-wireless setting (section)
167 ┌──────────────────────┬──────────────────┬───────────────────────┬─────────────────────────────────────┐
168 │Property │ Keyfile Variable │ Format │ Description │
169 ├──────────────────────┼──────────────────┼───────────────────────┼─────────────────────────────────────┤
170 │ssid │ │ string (or │ SSID of Wi-Fi │
171 │ │ │ decimal-byte │ network. │
172 │ │ │ list - obsolete) │ │
173 │ │ │ │ Example: │
174 │ │ │ │ ssid=Quick Net │
175 ├──────────────────────┼──────────────────┼───────────────────────┼─────────────────────────────────────┤
176 │mac-address │ │ usual │ MAC address in │
177 │ │ │ hex-digits-and-colons │ traditional │
178 │ │ │ notation │ hex-digits-and-colons │
179 │ │ │ │ notation (e.g. │
180 │ │ │ │ 00:22:68:12:79:A2), │
181 │ │ │ │ or semicolon │
182 │ │ │ │ separated list │
183 │ │ │ │ of 6 bytes │
184 │ │ │ │ (obsolete) (e.g. │
185 │ │ │ │ 0;34;104;18;121;162). │
186 ├──────────────────────┼──────────────────┼───────────────────────┼─────────────────────────────────────┤
187 │cloned-mac-address │ │ usual │ Cloned MAC address in │
188 │ │ │ hex-digits-and-colons │ traditional │
189 │ │ │ notation │ hex-digits-and-colons │
190 │ │ │ │ notation (e.g. │
191 │ │ │ │ 00:22:68:12:79:B2), │
192 │ │ │ │ or semicolon │
193 │ │ │ │ separated list of 6 │
194 │ │ │ │ bytes (obsolete) │
195 │ │ │ │ (e.g. │
196 │ │ │ │ 0;34;104;18;121;178). │
197 ├──────────────────────┼──────────────────┼───────────────────────┼─────────────────────────────────────┤
198 │mac-address-blacklist │ │ list of MACs │ MAC address │
199 │ │ │ (separated with │ blacklist. │
200 │ │ │ semicolons) │ │
201 │ │ │ │ Example: │
202 │ │ │ │ mac-address-blacklist= │
203 │ │ │ │ 00:22:68:12:79:A6;00:22:68:12:79:78 │
204 └──────────────────────┴──────────────────┴───────────────────────┴─────────────────────────────────────┘
205 Table 2. 802-3-ethernet setting (section)
207 ┌──────────────────────┬──────────────────┬───────────────────────┬─────────────────────────────────────┐
208 │Property │ Keyfile Variable │ Format │ Description │
209 ├──────────────────────┼──────────────────┼───────────────────────┼─────────────────────────────────────┤
210 │mac-address │ │ usual │ MAC address in │
211 │ │ │ hex-digits-and-colons │ traditional │
212 │ │ │ notation │ hex-digits-and-colons │
213 │ │ │ │ notation (e.g. │
214 │ │ │ │ 00:22:68:12:79:A2), │
215 │ │ │ │ or semicolon │
216 │ │ │ │ separated list │
217 │ │ │ │ of 6 bytes │
218 │ │ │ │ (obsolete) (e.g. │
219 │ │ │ │ 0;34;104;18;121;162) │
220 ├──────────────────────┼──────────────────┼───────────────────────┼─────────────────────────────────────┤
221 │cloned-mac-address │ │ usual │ Cloned MAC address in │
222 │ │ │ hex-digits-and-colons │ traditional │
223 │ │ │ notation │ hex-digits-and-colons │
224 │ │ │ │ notation (e.g. │
225 │ │ │ │ 00:22:68:12:79:B2), │
226 │ │ │ │ or semicolon │
227 │ │ │ │ separated list of 6 │
228 │ │ │ │ bytes (obsolete) │
229 │ │ │ │ (e.g. │
230 │ │ │ │ 0;34;104;18;121;178). │
231 ├──────────────────────┼──────────────────┼───────────────────────┼─────────────────────────────────────┤
232 │mac-address-blacklist │ │ list of MACs │ MAC address │
233 │ │ │ (separated with │ blacklist. │
234 │ │ │ semicolons) │ │
235 │ │ │ │ Example: │
236 │ │ │ │ mac-address-blacklist= │
237 │ │ │ │ 00:22:68:12:79:A6;00:22:68:12:79:78 │
238 └──────────────────────┴──────────────────┴───────────────────────┴─────────────────────────────────────┘
239 Table 3. bridge setting (section)
241 ┌────────────┬──────────────────┬───────────────────────┬──────────────────────────────────┐
242 │Property │ Keyfile Variable │ Format │ Description │
243 ├────────────┼──────────────────┼───────────────────────┼──────────────────────────────────┤
244 │mac-address │ │ usual │ MAC address in │
245 │ │ │ hex-digits-and-colons │ traditional │
246 │ │ │ notation │ hex-digits-and-colons │
247 │ │ │ │ notation, or │
248 │ │ │ │ semicolon │
249 │ │ │ │ separated list │
250 │ │ │ │ of 6 decimal │
251 │ │ │ │ bytes (obsolete) │
252 │ │ │ │ │
253 │ │ │ │ Example: │
254 │ │ │ │ mac-address=00:22:68:12:79:A2 │
255 │ │ │ │ mac-address=0;34;104;18;121;162; │
256 └────────────┴──────────────────┴───────────────────────┴──────────────────────────────────┘
257 Table 4. infiniband setting (section)
259 ┌────────────┬──────────────────┬───────────────────────┬─────────────────────────────────────────────────────────────┐
260 │Property │ Keyfile Variable │ Format │ Description │
261 ├────────────┼──────────────────┼───────────────────────┼─────────────────────────────────────────────────────────────┤
262 │mac-address │ │ usual │ MAC address in │
263 │ │ │ hex-digits-and-colons │ traditional │
264 │ │ │ notation │ hex-digits-and-colons │
265 │ │ │ │ notation, or or │
266 │ │ │ │ semicolon │
267 │ │ │ │ separated list │
268 │ │ │ │ of 20 decimal │
269 │ │ │ │ bytes (obsolete) │
270 │ │ │ │ │
271 │ │ │ │ Example: │
272 │ │ │ │ mac-address= │
273 │ │ │ │ 80:00:00:6d:fe:80:00:00:00:00:00:00:00:02:55:00:70:33:cf:01 │
274 └────────────┴──────────────────┴───────────────────────┴─────────────────────────────────────────────────────────────┘
275 Table 5. ipv4 setting (section)
277 ┌──────────┬──────────────────┬─────────────────────────────┬───────────────────────────────┐
278 │Property │ Keyfile Variable │ Format │ Description │
279 ├──────────┼──────────────────┼─────────────────────────────┼───────────────────────────────┤
280 │dns │ │ list of DNS IP │ List of DNS │
281 │ │ │ addresses │ servers. │
282 │ │ │ │ │
283 │ │ │ │ Example: │
284 │ │ │ │ dns=1.2.3.4;8.8.8.8;8.8.4.4; │
285 ├──────────┼──────────────────┼─────────────────────────────┼───────────────────────────────┤
286 │addresses │ address1, │ address/plen │ List of static IP addresses. │
287 │ │ address2, ... │ │ │
288 │ │ │ │ Example: │
289 │ │ │ │ address1=192.168.100.100/24 │
290 │ │ │ │ address2=10.1.1.5/24 │
291 ├──────────┼──────────────────┼─────────────────────────────┼───────────────────────────────┤
292 │gateway │ gateway │ string │ Gateway IP addresses as a │
293 │ │ │ │ string. │
294 │ │ │ │ │
295 │ │ │ │ Example: │
296 │ │ │ │ gateway=192.168.100.1 │
297 ├──────────┼──────────────────┼─────────────────────────────┼───────────────────────────────┤
298 │routes │ route1, route2, │ route/plen[,gateway,metric] │ List of IP routes. │
299 │ │ ... │ │ │
300 │ │ │ │ Example: │
301 │ │ │ │ route1=8.8.8.0/24,10.1.1.1,77 │
302 │ │ │ │ route2=7.7.0.0/16 │
303 └──────────┴──────────────────┴─────────────────────────────┴───────────────────────────────┘
304 Table 6. ipv6 setting (section)
306 ┌──────────┬──────────────────┬─────────────────────────────┬──────────────────────────────────────────────────────────────┐
307 │Property │ Keyfile Variable │ Format │ Description │
308 ├──────────┼──────────────────┼─────────────────────────────┼──────────────────────────────────────────────────────────────┤
309 │dns │ │ list of DNS IP │ List of DNS │
310 │ │ │ addresses │ servers. │
311 │ │ │ │ │
312 │ │ │ │ Example: │
313 │ │ │ │ dns=2001:4860:4860::8888;2001:4860:4860::8844; │
314 ├──────────┼──────────────────┼─────────────────────────────┼──────────────────────────────────────────────────────────────┤
315 │addresses │ address1, │ address/plen │ List of static IP addresses. │
316 │ │ address2, ... │ │ │
317 │ │ │ │ Example: address1=abbe::cafe/96 │
318 │ │ │ │ address2=2001::1234 │
319 ├──────────┼──────────────────┼─────────────────────────────┼──────────────────────────────────────────────────────────────┤
320 │gateway │ gateway │ string │ Gateway IP addresses as a string. │
321 │ │ │ │ │
322 │ │ │ │ Example: gateway=abbe::1 │
323 ├──────────┼──────────────────┼─────────────────────────────┼──────────────────────────────────────────────────────────────┤
324 │routes │ route1, route2, │ route/plen[,gateway,metric] │ List of IP routes. │
325 │ │ ... │ │ │
326 │ │ │ │ Example: │
327 │ │ │ │ route1=2001:4860:4860::/64,2620:52:0:2219:222:68ff:fe11:5403 │
328 └──────────┴──────────────────┴─────────────────────────────┴──────────────────────────────────────────────────────────────┘
329 Table 7. serial setting (section)
331 ┌─────────┬──────────────────┬──────────────────┬─────────────────┐
332 │Property │ Keyfile Variable │ Format │ Description │
333 ├─────────┼──────────────────┼──────────────────┼─────────────────┤
334 │parity │ │ 'e', 'o', or 'n' │ The connection │
335 │ │ │ │ parity; even, │
336 │ │ │ │ odd, or none. │
337 │ │ │ │ Note that older │
338 │ │ │ │ versions of │
339 │ │ │ │ NetworkManager │
340 │ │ │ │ stored this as │
341 │ │ │ │ an integer: 69 │
342 │ │ │ │ ('E') for even, │
343 │ │ │ │ 111 ('o') for │
344 │ │ │ │ odd, or 110 │
345 │ │ │ │ ('n') for none. │
346 │ │ │ │ │
347 │ │ │ │ Example: │
348 │ │ │ │ parity=n │
349 └─────────┴──────────────────┴──────────────────┴─────────────────┘
350 Table 8. vpn setting (section)
352 ┌─────────┬──────────────────┬────────┬───────────────────────┐
353 │Property │ Keyfile Variable │ Format │ Description │
354 ├─────────┼──────────────────┼────────┼───────────────────────┤
355 │data │ separate │ │ The keys of the │
356 │ │ variables named │ │ data dictionary │
357 │ │ after keys of │ │ are used as │
358 │ │ the dictionary │ │ variable names │
359 │ │ │ │ directly under │
360 │ │ │ │ [vpn] section. │
361 │ │ │ │ │
362 │ │ │ │ Example: │
363 │ │ │ │ remote=ovpn.corp.com │
364 │ │ │ │ cipher=AES-256-CBC │
365 │ │ │ │ username=joe │
366 ├─────────┼──────────────────┼────────┼───────────────────────┤
367 │secrets │ separate │ │ The keys of the │
368 │ │ variables named │ │ secrets dictionary │
369 │ │ after keys of │ │ are used as variable │
370 │ │ the dictionary │ │ names directly under │
371 │ │ │ │ [vpn-secrets] │
372 │ │ │ │ section. │
373 │ │ │ │ │
374 │ │ │ │ Example: │
375 │ │ │ │ password=Popocatepetl │
376 └─────────┴──────────────────┴────────┴───────────────────────┘
377 Table 9. wifi-p2p setting (section)
379 ┌─────────┬──────────────────┬───────────────────────┬───────────────────────┐
380 │Property │ Keyfile Variable │ Format │ Description │
381 ├─────────┼──────────────────┼───────────────────────┼───────────────────────┤
382 │peer │ │ usual │ MAC address in │
383 │ │ │ hex-digits-and-colons │ traditional │
384 │ │ │ notation │ hex-digits-and-colons │
385 │ │ │ │ notation (e.g. │
386 │ │ │ │ 00:22:68:12:79:A2), │
387 │ │ │ │ or semicolon │
388 │ │ │ │ separated list │
389 │ │ │ │ of 6 bytes │
390 │ │ │ │ (obsolete) (e.g. │
391 │ │ │ │ 0;34;104;18;121;162). │
392 └─────────┴──────────────────┴───────────────────────┴───────────────────────┘
393 Table 10. wpan setting (section)
395 ┌────────────┬──────────────────┬───────────────────────┬───────────────────────────┐
396 │Property │ Keyfile Variable │ Format │ Description │
397 ├────────────┼──────────────────┼───────────────────────┼───────────────────────────┤
398 │mac-address │ │ usual │ MAC address in │
399 │ │ │ hex-digits-and-colons │ hex-digits-and-colons │
400 │ │ │ notation │ notation (e.g. │
401 │ │ │ │ 76:d8:9b:87:66:60:84:ee). │
402 └────────────┴──────────────────┴───────────────────────┴───────────────────────────┘
403 Secret flags
405 Each secret property in a NetworkManager setting has an associated
406 flags property that describes how to handle that secret. In the keyfile
407 plugin, the value of -flags variable is a decimal number (0 - 7)
408 defined as a sum of the following values:
409 • 0 - (NM owned) - the system is responsible for providing and
411 storing this secret.
412 • 1 - (agent-owned) - a user-session secret agent is responsible for
414 providing and storing this secret; when it is required, agents will
415 be asked to provide it.
416 • 2 - (not-saved) - this secret should not be saved but should be
418 requested from the user each time it is required.
419 • 4 - (not-required) - in some situations it cannot be automatically
421 determined that a secret is required or not. This flag hints that
422 the secret is not required and should not be requested from the
423 user.
424
426 /etc/NetworkManager/system-connections/*
427
429 nm-settings(5), nm-settings-ifcfg-rh(5), NetworkManager(8),
430 NetworkManager.conf(5), nmcli(1), nmcli-examples(7)
431
433 1. GLib key file format
434 https://developer.gnome.org/glib/stable/glib-Key-value-file-parser.html#glib-Key-value-file-parser.description
435NetworkManager 1.44.2 NM-SETTINGS-KEYFILE(5)