cat-users AT lists.geant.org
Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)
- From: Tomasz Wolniewicz <twoln AT umk.pl>
- To: cat-users AT lists.geant.org
- Subject: Re: [[cat-users]] security fix clear text password in linux script eduroam
- Date: Mon, 18 Dec 2017 18:26:38 +0100
Hi,
I think that we should put the security approach into a proper
perspective. The user's password can be recovered with the network manager
interface. The default behaviour of the user interface is to save the
password for all users, which results in saving it in plaintext in one
of the system files. I think that in general if your machine is
compromised then you really cannot assume that any of your saved
passwords are safe.
I do not think that the user-only readable file with plaintext password
is much less secure than other approaches.
Tomasz
On 18.12.2017 at 16:46, Stefan Winter wrote:
> Hi,
>
>> A colleague of mine has made a suggestion for a more secure Linux
>> configuration in case the first option based on the python script fails.
>>
>> I tried to translate his explanation: in case the first method fails the
>> tool starts a second procedure with shell scripting.
>>
>> With this method the password is stored in plaintext in the
>> wpa_supplicant config file. Users are informed about this during the
>> installation.
>>
>> Following my colleague there is a standard tool included in the
>> wpa_supplicant suite which can hash the password in the component
>> "wpa_passphrase".
>>
>> This has been added in rules 407 and 420 of the attachment.
> This doesn't look correct to me: the manpage of wpa_passphrase speaks of
> WPA2-PSK and not about user passwords:
>
>
> man 8 wpa_passphrase:
>
> wpa_passphrase - Generate a WPA PSK from an ASCII passphrase for a SSID
>
>> Can this be helpful for the developers?
> If it were assured that this function actually works with user
> passwords, not PSKs, then maybe.
>
> What makes you think so? Does this really *work*?
>
> Greetings,
>
> Stefan Winter
>
--
Tomasz Wolniewicz
twoln AT umk.pl
http://www.home.umk.pl/~twoln
Uczelniane Centrum Informatyczne Information&Communication Technology Centre
Uniwersytet Mikolaja Kopernika Nicolaus Copernicus University,
pl. Rapackiego 1, Torun pl. Rapackiego 1, Torun, Poland
tel: +48-56-611-2750 fax: +48-56-622-1850 tel kom.: +48-693-032-576
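
An added example, not part of the original messages or of the CAT installer: `wpa_psk` reproduces the derivation that wpa_passphrase performs (PBKDF2-HMAC-SHA1 salted with the SSID), which yields a per-network WPA-PSK key rather than a hash of an EAP user password. `audit_conf` is a hypothetical helper that checks a wpa_supplicant config for a quoted plaintext `password=` and for permissions wider than user-only; the sample config, identity and secret are constructed.

```python
import hashlib
import os
import re
import stat
import tempfile

def wpa_psk(passphrase: str, ssid: str) -> str:
    """Derivation performed by wpa_passphrase: PBKDF2-HMAC-SHA1 with the
    SSID as salt, 4096 iterations, 256-bit output (a WPA-PSK key)."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8..63 characters")
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode(), ssid.encode(), 4096, 32).hex()

def audit_conf(path: str) -> list:
    """Hypothetical helper: report wide file permissions and quoted
    (plaintext) EAP passwords in a wpa_supplicant config file."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:  # any group/other permission bit set
        findings.append(f"mode {mode:04o}: accessible beyond the owner")
    with open(path, encoding="utf-8") as fh:
        for lineno, line in enumerate(fh, 1):
            if re.match(r'\s*password\s*=\s*"', line):
                findings.append(f"line {lineno}: plaintext EAP password")
    return findings

# Constructed sample config (not taken from the CAT installer).
SAMPLE_CONF = '''network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="user@example.org"
    password="constructed-secret"
}
'''

def demo() -> tuple:
    """Audit the sample with mode 0644, then again after chmod 0600."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "eduroam.conf")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_CONF)
        os.chmod(path, 0o644)
        before = audit_conf(path)
        os.chmod(path, 0o600)
        return before, audit_conf(path)

if __name__ == "__main__":
    # Same passphrase, different SSID: the derived key changes.
    print(wpa_psk("constructed-secret", "eduroam"))
    print(wpa_psk("constructed-secret", "other-ssid"))
    print(demo())
```

Restricting the file to mode 0600 clears the permission finding, but the plaintext finding remains, which is the trade-off discussed in the message above.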