#1 2013-03-19 22:40:14

kinghajj
Member
Registered: 2008-07-15
Posts: 33

[solved] Make a netcfg that doesn't keep password in plain text?

I've found a netcfg configuration that successfully connects to my university's wireless APs. The problem is that this requires my password to be in plain text, which is problematic for a laptop, especially when the OS drive is external. Is there any way to get netcfg to prompt for the username and/or password when one attempts to use a profile?

Here's a redacted version of the profile.

CONNECTION='wireless'
DESCRIPTION="My university's wireless"
INTERFACE='wlp2s0'
SECURITY='wpa-configsection'
ESSID='<hmmm>'
IP='dhcp'
CONFIGSECTION='
	ssid="<hmmm>"
	key_mgmt=WPA-EAP
	eap=PEAP
	group=CCMP
	pairwise=CCMP
	identity="<uhhh...>"
	password="<no thank you!>"
	priority=1
	ca_path="/etc/ssl/certs"
	phase2="auth=MSCHAPV2"
  '

Edit: solution is to store the NT hash of the password, as Gusar suggested.

Last edited by kinghajj (2013-03-20 03:04:10)

Offline

#2 2013-03-19 22:52:49

Army
Member
Registered: 2007-12-07
Posts: 1,784

Re: [solved] Make a netcfg that doesn't keep password in plain text?

(e)ssid is eduroam, right? ;)

I don't know a solution, but for now you can ensure that only root can read the file.

chmod 0600 /path/to/file

Offline

#3 2013-03-19 22:55:59

kinghajj
Member
Registered: 2008-07-15
Posts: 33

Re: [solved] Make a netcfg that doesn't keep password in plain text?

Nope, not eduroam. And that solution would only help stop online attacks; it wouldn't stop someone from stealing the drive and accessing its contents.

Offline

#4 2013-03-19 22:57:56

Gusar
Member
Registered: 2009-08-25
Posts: 3,452

Re: [solved] Make a netcfg that doesn't keep password in plain text?

You can use the nt4 hash of the password instead of plain text: https://bbs.archlinux.org/viewtopic.php … 2#p1125232

Offline

#5 2013-03-19 23:00:38

Xyne
Moderator/TU
Registered: 2008-08-03
Posts: 5,688
Website

Re: [solved] Make a netcfg that doesn't keep password in plain text?

This is basically why I wrote fipolate. Check the example section on the project page to see how to create an input WPA configuration file, then start with the wireless-wpa-config example profile in /etc/network.d/examples to create your profile. Change the WPA_CONF parameter to the output path you used with fipolate.

My own setup uses a script to set up the file with fipolate before starting the profile. Note that you can save the interpolated file to a plaintext file on a ramdisk with restricted permissions instead of using a fifo. Either way, it won't be written to the disk and will be gone once the system is off. The only difference is that the fifo output will disappear as soon as fipolate is terminated, whereas the ramdisk file will persist until you remove it or reboot.

Offline

#6 2013-03-19 23:01:41

HalosGhost
Member
From: Twin Cities, MN
Registered: 2012-06-22
Posts: 1,486
Website

Re: [solved] Make a netcfg that doesn't keep password in plain text?

You can also use psk hashes if you'd prefer. Both netcfg (I believe) and netctl (I know) support it. Man pages are your friends.

All the best,

-HG


"All errors are ᴘᴇʙᴋᴀᴄ errors—It's just a matter of narrowing down which keyboard and chair." -Trilby

Offline

#7 2013-03-19 23:09:18

Gusar
Member
Registered: 2009-08-25
Posts: 3,452

Re: [solved] Make a netcfg that doesn't keep password in plain text?

HalosGhost wrote:

You can also use psk hashes if you'd prefer.

He's not using psk, he's using mschapv2 authentication. So it's either plain text or nt4 hash.

Offline

#8 2013-03-19 23:09:32

progandy
Member
Registered: 2012-05-17
Posts: 2,151

Re: [solved] Make a netcfg that doesn't keep password in plain text?

The profile gets sourced, so you should be able to use bash commands in order to set the password (e.g. call systemd-ask-password).
Edit: Sorry, it does not work. The profile gets sourced too often.
Edit: You should consider using encrypted partitions for your sensitive data, including passwords.

Last edited by progandy (2013-03-19 23:27:17)

Offline

#9 2013-03-19 23:27:45

kinghajj
Member
Registered: 2008-07-15
Posts: 33

Re: [solved] Make a netcfg that doesn't keep password in plain text?

Using the NT hash worked, thanks Gusar!

Offline

#10 2013-03-20 00:32:11

HalosGhost
Member
From: Twin Cities, MN
Registered: 2012-06-22
Posts: 1,486
Website

Re: [solved] Make a netcfg that doesn't keep password in plain text?

Gusar wrote:
HalosGhost wrote:

You can also use psk hashes if you'd prefer.

He's not using psk, he's using mschapv2 authentication. So it's either plain text or nt4 hash.

Ahh, good call.

All the best,

-HG


"All errors are ᴘᴇʙᴋᴀᴄ errors—It's just a matter of narrowing down which keyboard and chair." -Trilby

Offline

#11 2013-04-08 07:32:04

Jindur
Member
Registered: 2011-09-29
Posts: 184

Re: [solved] Make a netcfg that doesn't keep password in plain text?

My netcfg file looks different for some reason, it doesn't have all that CONFIGSECTION stuff, but instead:

CONNECTION='wireless'
DESCRIPTION='Automatically generated profile by wifi-menu'
INTERFACE='wlp5s0'
SECURITY='wpa'
ESSID=networkname
IP='dhcp'
KEY=blablabla

Anyway so I tried to replace KEY=blablabla by KEY=hash:<nthashhere> (without '<' '>' of course) so it looks now similar to

KEY=hash:012345678901234567890123456789ab

where I generated the nthashhere via

echo -n "$1" | iconv -t utf16le | openssl md4

but I always get authentication failure. It only works if I use plaintext key.

Now I changed it to SECURITY='wpa-configsection' and added

CONFIGSECTION='
    ssid="netname"
    psk="blabla"
'

which works fine with plaintext password. But when I try

psk="hash:...."

I get authentication failure again.
Does hash no longer work/not work with wpa2?

Last edited by Jindur (2013-04-08 08:03:03)

Offline

#12 2013-04-08 07:47:11

Gusar
Member
Registered: 2009-08-25
Posts: 3,452

Re: [solved] Make a netcfg that doesn't keep password in plain text?

What's wrong is that you're using PSK, whereas this thread is about MSCHAPv2 authentication. Completely different thing.

To create a PSK hash, use wpa_passphrase.

Offline

#13 2013-04-08 08:05:46

Jindur
Member
Registered: 2011-09-29
Posts: 184

Re: [solved] Make a netcfg that doesn't keep password in plain text?

Oh thanks, works now! :)

Offline

#14 2013-04-08 08:13:20

Jindur
Member
Registered: 2011-09-29
Posts: 184

Re: [solved] Make a netcfg that doesn't keep password in plain text?

nvm

Last edited by Jindur (2013-04-08 08:13:44)

Offline
