Hi all,
I use an entry like that in my wpa_supplicant.conf to access the eduroam network:
network={
ssid="eduroam"
scan_ssid=1
key_mgmt=WPA-EAP
eap=PEAP
identity="username"
password="pass"
phase1="peaplabel=0"
phase2="auth=MSCHAPV2"
}
For simple WPA-PSK type networks, I can use wpa_passphrase to save only the encrypted pass phrase. Is there a possibility to encrypt the password for that configuration as well? I would rather prefer not to save this password as plaintext on my laptop, especially since it also allows access to my university e-mail etc.
Thanks
Lennex
Offline
You can use
password=hash:nt_hash_of_password_here
To create the hash, I use python2-smbpasswd from AUR and this simple script:
#!/usr/bin/python2
import smbpasswd
import sys
print smbpasswd.nthash(sys.argv[1])
Edit:
I just learned of a simpler method:
echo -n password_here | iconv -t utf16le | openssl md4
Last edited by Gusar (2012-07-04 15:41:08)
Offline
Thanks a lot, Gusar!
In all the sources I have found so far, the password is always saved as plaintext only, which I find rather disturbing ...
Lennex
Offline
I'm reminded of ESR's rationale for plaintext passwords in .fetchmailrc...
Anybody who can read the file can use it to connect to the network anyway. Storing the password hashed doesn't protect you; you still need to protect the file.
Offline
I'm reminded of ESR's rationale for plaintext passwords in .fetchmailrc...
Anybody who can read the file can use it to connect to the network anyway. Storing the password hashed doesn't protect you; you still need to protect the file.
True, but the fact is in that particular case that with this password, you can actually do a lot more than merely connect to the Wi-Fi. For example, you could log in to my account on the university's website, thus accessing personal data, bank account details and so on. As far as I know, this kind of access is only possible if you know the actual password.
Offline
Anybody who can read the file can use it to connect to the network anyway.
Yes, they can connect. But they can't use it to log into your mail, where you need to type in the actual password and not the hash (I'm thinking a web-based mail service here). And the password may be linked to other services too.
Edit: LOL, Lennex beat me to it.
Last edited by Gusar (2012-07-05 10:03:15)
Offline
Ah, I see... missed that in your first post. My bad.
Offline
Your best bet is to always properly protect that and other files with sensitive information; if anyone can get access to that file then your machine is compromised and no amount of encryption or hashing can protect you.
R00KIE
Tm90aGluZyB0byBzZWUgaGVyZSwgbW92ZSBhbG9uZy4K
Offline
Just to add to this, because everyone on the internet says it's impossible... the syntax in wpa_supplicant.conf is:
network={
ssid="example"
key_mgmt=WPA-EAP
eap=PEAP
identity="user@example.com"
password=hash:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
ca_cert="/etc/cert/ca.pem"
phase1="peaplabel=1"
phase2="auth=MSCHAPV2"
}
Last edited by yiuin (2015-01-15 18:12:21)
Offline