#1 2012-07-04 15:20:57

Lennex
Member
Registered: 2012-07-04
Posts: 3

Do not save WPA-EAP password as plaintext in wpa_supplicant.conf

Hi all,

I use an entry like that in my wpa_supplicant.conf to access the eduroam network:

network={
   ssid="eduroam"
   scan_ssid=1
   key_mgmt=WPA-EAP
   eap=PEAP
   identity="username"
   password="pass"
   phase1="peaplabel=0"
   phase2="auth=MSCHAPV2"
}

For simple WPA-PSK type networks, I can use wpa_passphrase to save only the encrypted pass phrase. Is there a possibility to encrypt the password for that configuration as well? I would rather prefer not to save this password as plaintext on my laptop, especially since it also allows access to my university e-mail etc.

Thanks
Lennex


#2 2012-07-04 15:28:30

Gusar
Member
Registered: 2009-08-25
Posts: 3,408

Re: Do not save WPA-EAP password as plaintext in wpa_supplicant.conf

You can use

password=hash:nt_hash_of_password_here

To create the hash, I use python2-smbpasswd from AUR and this simple script:

#!/usr/bin/python2

import smbpasswd
import sys

print smbpasswd.nthash(sys.argv[1])

Edit:
I just learned of a simpler method:

echo -n password_here | iconv -t utf16le | openssl md4

Last edited by Gusar (2012-07-04 15:41:08)


#3 2012-07-04 16:20:52

Lennex
Member
Registered: 2012-07-04
Posts: 3

Re: Do not save WPA-EAP password as plaintext in wpa_supplicant.conf

Thanks a lot, Gusar!

In all the sources I have found so far, the password is always saved as plaintext only, which I find rather disturbing ...

Lennex


#4 2012-07-05 01:06:12

Trent
Member
From: Baltimore, MD (US)
Registered: 2009-04-16
Posts: 986

Re: Do not save WPA-EAP password as plaintext in wpa_supplicant.conf

I'm reminded of ESR's rationale for plaintext passwords in .fetchmailrc...

Anybody who can read the file can use it to connect to the network anyway. Storing the password hashed doesn't protect you; you still need to protect the file.


#5 2012-07-05 09:56:33

Lennex
Member
Registered: 2012-07-04
Posts: 3

Re: Do not save WPA-EAP password as plaintext in wpa_supplicant.conf

Trent wrote:

I'm reminded of ESR's rationale for plaintext passwords in .fetchmailrc...

Anybody who can read the file can use it to connect to the network anyway. Storing the password hashed doesn't protect you; you still need to protect the file.

True, but the fact is in that particular case that with this password, you can actually do a lot more than merely connect to the Wi-Fi. For example, you could login to my account on the university's website, thus accessing personal data, bank account details and so on. As far as I know, this kind of access is only possible if you know the actual password.


#6 2012-07-05 10:02:43

Gusar
Member
Registered: 2009-08-25
Posts: 3,408

Re: Do not save WPA-EAP password as plaintext in wpa_supplicant.conf

Trent wrote:

Anybody who can read the file can use it to connect to the network anyway.

Yes, they can connect. But they can't use it to log into your mail, where you need to type in the actual password and not the hash (I'm thinking a web-based mail service here). And the password may be linked to other services too.

Edit: LOL, Lennex beat me to it :)

Last edited by Gusar (2012-07-05 10:03:15)


#7 2012-07-05 13:15:49

Trent
Member
From: Baltimore, MD (US)
Registered: 2009-04-16
Posts: 986

Re: Do not save WPA-EAP password as plaintext in wpa_supplicant.conf

Ah, I see... missed that in your first post. My bad.


#8 2012-07-05 13:58:08

R00KIE
Forum Moderator
From: Between a computer and a chair
Registered: 2008-09-14
Posts: 3,026

Re: Do not save WPA-EAP password as plaintext in wpa_supplicant.conf

Your best bet is to always properly protect that and other files with sensitive information; if anyone can get access to that file then your machine is compromised and no amount of encryption or hashing can protect you.



#9 2015-01-15 18:11:48

yiuin
Member
Registered: 2010-02-02
Posts: 15

Re: Do not save WPA-EAP password as plaintext in wpa_supplicant.conf

Just to add to this, because everyone on the internet says it's impossible.... the syntax in wpa_supplicant.conf is:

network={
ssid="example"
key_mgmt=WPA-EAP
eap=PEAP
identity="user@example.com"
password=hash:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
ca_cert="/etc/cert/ca.pem"
phase1="peaplabel=1"
phase2="auth=MSCHAPV2"
}

Last edited by yiuin (2015-01-15 18:12:21)


#10 2015-01-15 18:26:04

jasonwryan
Forum & Wiki Admin
From: .nz
Registered: 2009-05-09
Posts: 18,326
Website

Re: Do not save WPA-EAP password as plaintext in wpa_supplicant.conf

Please don't necrobump old threads: https://wiki.archlinux.org/index.php/Fo … Bumping.27


Closing


