cat-users - [[cat-users]] Hashing user's password in wpa_supplicant config file on Linux

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

  • From: Ondřej Caletka <Ondrej.Caletka AT cesnet.cz>
  • To: cat-users AT lists.geant.org
  • Subject: [[cat-users]] Hashing user's password in wpa_supplicant config file on Linux
  • Date: Thu, 16 Mar 2017 12:49:08 +0100
  • Authentication-results: prod-mail.geant.net (amavisd-new); dkim=pass (1024-bit key) header.d=cesnet.cz

Hi,

I just tried using CAT for my Linux system which does not use Network
Manager. Everything worked all right, except I have been warned that my
password will be clearly visible in wpa_supplicant.conf.

I would like to point out that it is not necessary, at least not with
MSCHAPv2. WPA supplicant will happily accept NTLM hash of the password
specified as password=hash:<NTLM hash>

NTLM hash can be obtained for instance by this shell pipeline[1]:

$ echo -n plaintext_password_here | iconv -t utf16le | openssl md4

or this Python one-liner[2]:

$ python -c 'import getpass,hashlib;
print(hashlib.new("md4",getpass.getpass().encode("utf-16le")).hexdigest())'

Of course, there's no real security in using hash instead of password
but at least such hash is much harder to remember for instance when
wpa_supplicant.conf is briefly observed by a third party.

It would be nice if some future version of CAT supported this hashing.

--
Best regards,

Ondřej Caletka
CESNET


[1]: http://unix.stackexchange.com/a/278948
[2]: https://gist.github.com/oskar456/f641b946bc87b28b4cb097854fe45e88

Attachment: smime.p7s
Description: S/MIME electronic signature



