I am connecting to eduroam using iwd (I am one of the lucky ones).
The file /var/lib/iwd/eduroam.8021x looks like:
[Security]
EAP-Method=TTLS
EAP-Identity=anonymous@myschool.edu
EAP-TTLS-CACert=/var/lib/iwd/ca.pem
EAP-TTLS-Phase2-Method=Tunneled-PAP
EAP-TTLS-Phase2-Identity=super.hero@myschool.edu
EAP-TTLS-Phase2-Password=ThanosWasRight
[Settings]
AutoConnect=true
My question is simple: How do I set up iwd so that the password is not in cleartext any more (without having to input it every time)?
I don't believe there is any way in practice, because even in principle, it's impossible. You could have it manipulated in some way, but it would be easily reversible. IWD needs to send the password, or some variant / manipulation of the password to connect, so it must have the password.
Why does this bother you? The file is readable only by root. If someone has root access to your system, you've got bigger issues.
"UNIX is simple and coherent" - Dennis Ritchie; "GNU's Not Unix" - Richard Stallman
https://wiki.archlinux.org/title/Securi … encryption
You can use the psk instead of the cleartext password, but that's hardly more "secure" - afaics iwd doesn't support any password managers (which will also expose all secrets as long as they're "opened")
https://wiki.archlinux.org/title/Pam_mount allows you to e.g. decrypt and mount a vault image on login and keep sensitive data there, then possibly umount it when no longer needed.
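As an added illustration of the two points above (not code from the thread): the WPA PreSharedKey that iwd accepts in place of Passphrase= is just PBKDF2-HMAC-SHA1(passphrase, SSID) per IEEE 802.11i, so it is as good as the passphrase for joining the network, and an EAP-TTLS/PAP file like the OP's has no such substitute because the inner password is stored as typed. The eduroam file is the one quoted in the thread (placeholder values), and "IEEE"/"password" is the standard's published test vector.

```python
import configparser
import hashlib
import io

# The OP's /var/lib/iwd/eduroam.8021x as quoted above (thread placeholders, not real credentials).
EDUROAM_8021X = """\
[Security]
EAP-Method=TTLS
EAP-Identity=anonymous@myschool.edu
EAP-TTLS-CACert=/var/lib/iwd/ca.pem
EAP-TTLS-Phase2-Method=Tunneled-PAP
EAP-TTLS-Phase2-Identity=super.hero@myschool.edu
EAP-TTLS-Phase2-Password=ThanosWasRight
[Settings]
AutoConnect=true
"""

def _parse(text):
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str          # iwd keys are case-sensitive; keep them as written
    cp.read_string(text)
    return cp

def cleartext_secrets(text):
    """Keys in an iwd network file that hold a reusable cleartext secret:
    Passphrase (WPA-PSK) and every *-Password key (EAP inner methods such as
    Tunneled-PAP) are stored exactly as the user typed them."""
    cp = _parse(text)
    return [k for s in cp.sections() for k in cp[s]
            if k == "Passphrase" or k.endswith("-Password")]

def derive_psk(ssid, passphrase):
    """PSK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 32 bytes), IEEE 802.11i.
    iwd accepts this hex string as PreSharedKey= instead of Passphrase=. It is the
    pairwise master key itself, so anyone who can read the file can still join;
    the only gain is that the human-chosen (possibly reused) string is hidden."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8 to 63 ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, dklen=32).hex()

def render_psk_network(ssid, passphrase, autoconnect=True):
    """Render the body of an iwd <ssid>.psk file that stores PreSharedKey only."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str
    cp["Security"] = {"PreSharedKey": derive_psk(ssid, passphrase)}
    cp["Settings"] = {"AutoConnect": "true" if autoconnect else "false"}
    buf = io.StringIO()
    cp.write(buf, space_around_delimiters=False)
    return buf.getvalue()
```

`cleartext_secrets(EDUROAM_8021X)` flags EAP-TTLS-Phase2-Password, while the rendered .psk file contains no flagged key yet still authenticates to the network.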
I'd actually been thinking about this issue for a while. I have systemd-homed, so I was playing with the idea of having /var/lib/iwd be a symlink to a subdirectory in my home directory and holding off on starting network services until after I logged in.
Issues I can see would be whether iwd throws a collywobble if its directory is a symlink and how to make systemd network services start after my login (which I'm thinking might be doable by having systemd start the services with PathExists= keyed to the subdirectory on my home directory).
Does that seem worth exploring as a solution to MalteseFalcon's concern?
collywobble if its directory is a symlink
=> https://man.archlinux.org/man/core/util … mount.8.en
mount -o bind …
make systemd network services start after my login … doable by having systemd start the services with PathExists=
…
/var/lib/iwd be a symlink to a subdirectory in my home directory
https://man.archlinux.org/man/community … twork.5.en
Those files live in the state directory specified by the environment variable $STATE_DIRECTORY, which is normally provided by systemd. In the absence of such an environment variable it defaults to $LIBDIR/iwd, which normally is set to /var/lib/iwd.
IWD should be able to work with a missing password line in the configuration if you have an agent registered through dbus that it can ask for it. You could write an agent (e.g. based on this) that has the passwords in some encrypted location. This dbus interface (net.connman.iwd.Agent) is also used by networkmanager and connman, so you cannot use them if you have a custom agent.
Personally, I simply encrypted my whole disk and root readable wifi passwords do not bother me.
Last edited by progandy (2021-09-30 15:40:24)
| alias CUTF='LANG=en_XX.UTF-8@POSIX ' |
Does that seem worth exploring as a solution to MalteseFalcon's concern?
No. Nothing should be explored as a solution to the "concern" until it's clear what the concern is.
Putting up a bunch of inconvenient hurdles in the name of security is pretty foolish if they don't actually address a real security issue. The first thing that needs to be addressed is why there is a concern at all, and what potential threat the concern is in relation to.
Last edited by Trilby (2021-09-30 15:37:06)