You are not logged in.

#1 2020-09-11 15:40:31

cos
Member
Registered: 2020-09-11
Posts: 5

[SOLVED] wpa_cli storing plaintext passphrases

Hello,

When adding a network to a wpa_supplicant config via wpa_cli, the instructions on the wiki imply that

> set_network 0 psk "passphrase"

will hash the passphrase:

The PSK is computed from the quoted "passphrase" string, as also shown by the wpa_passphrase command. Nonetheless, you can enter the PSK directly by passing it to psk without quotes.

However, after using save_config, the new network block in the config file has psk="..." with the plaintext passphrase.

wpa_passphrase does correctly hash the passphrase as expected.

I couldn't find anyone else having this problem after searching, nor did I have any luck in the man pages, making me wonder if the issue is particular to my set up (a fairly recent fresh install).

Thank you!

Last edited by cos (2020-09-16 09:46:33)

Offline

#2 2020-09-11 16:16:29

Trilby
Inspector Parrot
Registered: 2011-11-29
Posts: 24,437
Website

Re: [SOLVED] wpa_cli storing plaintext passphrases

The wpa_cli man page seems incomplete.  Under the commands it does not even include `set_network`, and under `set` the description does not match the actual behavior.  I don't see any indication that the intended behavior of wpa_cli would be to obscure a plaintext passphrase if that's what you provide - especially given that you have the option to not provide one.

So perhaps and upstream request to update / improve the man page would be justified, but other than that, all seems as intended.  You can edit your wpa_supplicant.conf to uncomment the hashed psk and delete the plain-text.

Side note: I've never understood the purposes of the hash.  I don't see that they add any security as they are not salted nor in any other way machine-specific.  If someone gets the hash they can use that just as effectively as they could the passphrase itself.  The only difference would be that the passphrase is easier to remember (assuming it is human-language pass phrase).

Last edited by Trilby (2020-09-11 16:19:59)


"UNIX is simple and coherent..." - Dennis Ritchie, "GNU's Not UNIX" -  Richard Stallman

Offline

#3 2020-09-15 16:01:39

cos
Member
Registered: 2020-09-11
Posts: 5

Re: [SOLVED] wpa_cli storing plaintext passphrases

Thanks for the reply, I'm glad I'm not the only one that found the man page lacking!

Regarding the wiki however, as, like you say, there is nothing in the manual/observed behaviour to suggest that wpa_cli hashes plaintext passphrases, should the line quoted in my original message be removed?

Good point RE salting; I hadn't thought of that. Would it be worth adding a warning saying as much to that page too?

Offline

#4 2020-09-15 16:05:52

Trilby
Inspector Parrot
Registered: 2011-11-29
Posts: 24,437
Website

Re: [SOLVED] wpa_cli storing plaintext passphrases

I don't see anything incorrect in the wiki.

I also don't see a need for the wiki to note that hashes aren't salted.  There are infinitely many things that any bit of software doesn't do - there's no reason to explicitly list all of them.


"UNIX is simple and coherent..." - Dennis Ritchie, "GNU's Not UNIX" -  Richard Stallman

Offline

#5 2020-09-15 16:20:35

cos
Member
Registered: 2020-09-11
Posts: 5

Re: [SOLVED] wpa_cli storing plaintext passphrases

Am I correct in thinking the network's passphrase (plaintext) and PSK (a hash of the passphrase) are distinct? I was under the impression that:

The PSK is computed from the quoted "passphrase" string, as also shown by the wpa_passphrase command.

implied that after saving the network to the config file with save_config, it would be with the calculated hash. Am I misunderstanding the above note? Or is it just mentinoning what the PSK is as a precursor to the following, without implying that wpa_cli calculates it?

Nonetheless, you can enter the PSK directly by passing it to psk without quotes.

If so, the "also" is quite confusing!

Offline

#6 2020-09-15 16:57:50

Trilby
Inspector Parrot
Registered: 2011-11-29
Posts: 24,437
Website

Re: [SOLVED] wpa_cli storing plaintext passphrases

It depends what you mean by distinct.  They can be used mostly interchangeably.  The psk is used internally as a hexidecimal string.  You can provide this hex string / hash, or if you provide anything with quotes around it, it is assumed to be a passphrase and is then the hex value is computed from that quoted string.  That's what that note is saying.  It doesn't suggest anything about what is put in the config file.

The "also" is just stating how you can see what this hex string would be as wpa_passphrase will also compute this hex string and show it to you.

But again, why do you care?  Storing the plain text passphrase in your config file is no more a security concern than storing the hex string.

If you think the wiki wording is abiguous or confusing, then by all means revise (or suggest a revision) but I don't see any factual errors.

Last edited by Trilby (2020-09-15 17:01:18)


"UNIX is simple and coherent..." - Dennis Ritchie, "GNU's Not UNIX" -  Richard Stallman

Offline

#7 2020-09-16 09:44:08

cos
Member
Registered: 2020-09-11
Posts: 5

Re: [SOLVED] wpa_cli storing plaintext passphrases

It doesn't suggest anything about what is put in the config file

Ah I see, I think this is what was confusing me. But like you say, it's an academic discussion without any salting.

Thanks for clearing this up!

Offline

#8 2020-09-16 12:43:42

Trilby
Inspector Parrot
Registered: 2011-11-29
Posts: 24,437
Website

Re: [SOLVED] wpa_cli storing plaintext passphrases

My last sentence is sincere too - if you read this and understood it to imply something about what is saved in the config file, then perhaps a revision is called for.  I do think those notes are a bit vague - this vagueness makes it easy for them to be "not factually wrong" but also not as useful as they could be if they were written with more precision.

In order to write them with more precision, though, I'd want to make sure I was confident in exactly what wpa_cli was doing - ideally this would come from looking at the source code, but some well thought out tinkering / testing with it should reveal it's not-well-documented-in-the-man-page behavior.  In the absence of this knowledge, a somewhat vague note is better than a precise but inaccurate one.

Last edited by Trilby (2020-09-16 12:47:10)


"UNIX is simple and coherent..." - Dennis Ritchie, "GNU's Not UNIX" -  Richard Stallman

Offline

#9 2020-09-18 12:24:55

cos
Member
Registered: 2020-09-11
Posts: 5

Re: [SOLVED] wpa_cli storing plaintext passphrases

I had a look through the source, and found the wpa_config_parse_psk function (in config.c) does indeed treat a quoted string as a passphrase and an unquoted one as a PSK.

As for saving the config to file, following the process through it does appear that the intended behaviour is to store the network block using whichever format the user entered the PSK/passphrase (I didn't think it necessary to track down the actual point at which a (stored) passphrase is transformed into a PSK).

Given the above, I think my issue with the note in the wiki is just its slightly confusing wording, I'll update it to make it more explicit.

Thanks again for your suggestions!

Edit: here's the update, hopefully that's clearer.

Last edited by cos (2020-09-18 12:40:46)

Offline

Board footer

Powered by FluxBB