cat-users - Re: [[cat-users]] security fix clear text password in linux script eduroam

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

Re: [[cat-users]] security fix clear text password in linux script eduroam


  • From: Stefan Winter <stefan.winter AT restena.lu>
  • To: "Rademaker,Hans J.G." <h.rademaker AT fontys.nl>, "cat-users AT lists.geant.org" <cat-users AT lists.geant.org>
  • Cc: "Visser,Ramon R.D." <r.visser AT fontys.nl>
  • Subject: Re: [[cat-users]] security fix clear text password in linux script eduroam
  • Date: Tue, 19 Dec 2017 08:16:29 +0100
  • Openpgp: id=AD3091F3AB24E05F4F722C03C0DE6A358A39DC66; url=http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66

Hi,

so if at all, we should be looking at wpa_cli if we want to do this.

Just one point on the manpage: it does get more specific further down,
and it /clearly/ goes in the wrong direction with that sentence:

"wpa_passphrase pre-computes PSK entries for network configuration
blocks of a wpa_supplicant.conf file. An ASCII passphrase and SSID are
used to generate a 256-bit PSK."

So, its input is a two-tuple of SSID and an arbitrary-length input, and
inflates it to the 256-bit input of the PSK network hashing function.

Normal passwords aren't dependent on an SSID, and I don't know off the
top of my head if the 256-bit PSK generated from WPA passphrases is
reversible to get the cleartext back. (Apparently it is, otherwise your
storing of a password with this method wouldn't work...)

So, if this works, it is much rather coincidental than working as designed.

It's fine if it works for you, but I wouldn't want to base a wider
implementation on it.

Greetings,

Stefan Winter

On 18.12.2017 at 22:14, Rademaker,Hans J.G. wrote:
> Hello Stefan,
>
> The man page is a very short summary. And it does not say it's not suitable
> for passwords either. It only seems to hash the authentication input;
> whether it is a PSK or password seems irrelevant to my logical reasoning,
> but hey, that's only me.
>
> I have been using it for some years now, at Fontys. With eduroam, and before that
> with our Fontys ESSID; it's configured the same way as eduroam is.
> But don't throw it out in the open on only my account; it still needs to be
> tested at your end.
>
>
> And looking at your man page I stumbled over a familiar link:
>
> https://wiki.archlinux.org/index.php/WPA_supplicant
> and then at the end of the article starting from "Password-related problems"
>
> There it is advised to use wpa_cli. So there is a more reliable method. I
> can see if I can script something, but probably not before February. I'll
> get back to you if I have something.
>
>
> And reading a bit further:
>
> Ensure that your config uses
> phase2="auth=MSCHAPV2"
>
> Maybe have a look at line 381?
>
>
> Kind regards,
>
> Hans Rademaker • Dienst IT • Fontys Hogescholen
> I do not work on Fridays • 0885073070
>
>
> On 18-12-17 16:46, Stefan Winter wrote:
>
> Hi,
>
>
>
> A colleague of mine has made a suggestion for a more secure Linux
> configuration in case the first option, based on a python script, fails.
>
>
>
> I tried to translate his explanation: in case the first method fails, the
> tool starts a second procedure with shell scripting.
>
> With this method the password is stored in plaintext in the
> wpa_supplicant config file. Users are informed about this during the
> installation.
>
>
>
> According to my colleague there is a standard tool included in the
> wpa_supplicant suite which can hash the password, the component
> "wpa_passphrase".
>
> This has been added in lines 407 and 420 of the attachment.
>
>
>
> This doesn't look correct to me: the manpage of wpa_passphrase speaks of
> WPA2-PSK and not about user passwords:
>
>
> man 8 wpa_passphrase:
>
> wpa_passphrase - Generate a WPA PSK from an ASCII passphrase for a SSID
>
>
>
> Can this be helpful for the developers?
>
>
>
> If it were assured that this function actually works with user
> passwords, not PSKs, then maybe.
>
> What makes you think so? Does this really *work*?
>
> Greetings,
>
> Stefan Winter
>
>
>
> ========================================================== The following
> conditions apply to this e-mail:
> http://www.fontys.nl/disclaimer The above disclaimer applies to this e-mail
> message.
>


--
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
de la Recherche
2, avenue de l'Université
L-4365 Esch-sur-Alzette

Tel: +352 424409 1
Fax: +352 422473

PGP key updated to 4096 Bit RSA - I will encrypt all mails if the
recipient's key is known to me

http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66

Attachment: 0x8A39DC66.asc
Description: application/pgp-keys

Attachment: signature.asc
Description: OpenPGP digital signature
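Added example, not code from this thread or from the eduroam CAT project, showing what wpa_passphrase actually computes. The PSK is PBKDF2-HMAC-SHA1 over the passphrase with the SSID as the salt (IEEE 802.11i), a one-way derivation, so the cleartext that the inner MSCHAPv2 step of an EAP-TTLS/PEAP eduroam profile needs cannot be recovered from it, and the same password yields a different value for every SSID. The helper names, the sample identity/password and the ca_cert path are constructed for this example; the reference vector is the one published in IEEE 802.11i.

```python
import hashlib

# wpa_passphrase derives the PSK per IEEE 802.11i: PBKDF2-HMAC-SHA1,
# 4096 iterations, 256-bit output, with the SSID as the salt.
PBKDF2_ITERATIONS = 4096
PSK_LEN_BYTES = 32
# Reference vector from IEEE 802.11i (passphrase "password", SSID "IEEE").
IEEE_VECTOR = "f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e"


def wpa_psk(passphrase: str, ssid: str) -> bytes:
    """Derive the 256-bit WPA PSK the way wpa_passphrase does (helper written for this example)."""
    # wpa_passphrase rejects passphrases outside 8..63 printable ASCII (0x20..0x7e).
    if not 8 <= len(passphrase) <= 63 or not all(32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("passphrase must be 8..63 printable ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), PBKDF2_ITERATIONS, PSK_LEN_BYTES)


def wpa_passphrase_block(passphrase: str, ssid: str) -> str:
    """Render the block wpa_passphrase prints. Note the '#psk=' line: the tool
    echoes the cleartext passphrase as a comment, so its output alone does not
    keep the secret out of wpa_supplicant.conf."""
    psk_hex = wpa_psk(passphrase, ssid).hex()
    return f'network={{\n\tssid="{ssid}"\n\t#psk="{passphrase}"\n\tpsk={psk_hex}\n}}'


def eduroam_eap_block(identity: str, password: str, ca_cert: str) -> str:
    """Render an EAP-TTLS/MSCHAPv2 block of the kind the Linux eduroam script writes.
    There is no psk= field: the inner MSCHAPv2 exchange needs the password itself,
    which is why a one-way PBKDF2 output cannot stand in for it."""
    return (f'network={{\n\tssid="eduroam"\n\tkey_mgmt=WPA-EAP\n\teap=TTLS\n'
            f'\tca_cert="{ca_cert}"\n\tidentity="{identity}"\n\tpassword="{password}"\n'
            f'\tphase2="auth=MSCHAPV2"\n}}')


if __name__ == "__main__":
    assert wpa_psk("password", "IEEE").hex() == IEEE_VECTOR
    # Same password, different SSID: a different PSK. It is a per-network key, not a user credential.
    assert wpa_psk("password", "eduroam") != wpa_psk("password", "IEEE")
    print(wpa_passphrase_block("password", "IEEE"))
    # Constructed sample values; the ca_cert path is a placeholder.
    print(eduroam_eap_block("user@example.edu", "S3cretPassw0rd", "/etc/ssl/certs/eduroam-ca.pem"))
```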