The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

[Stefan Winter <stefan.winter AT restena.lu>]

Hi,

so if at all, we should be looking at wpa_cli if we want to do this.

Just one point on the manpage: it does get more specific further down,
and it /clearly/ goes in the wrong direction with that sentence:

"wpa_passphrase pre-computes PSK entries for network configuration
blocks of a wpa_supplicant.conf file. An ASCII passphrase and SSID are
used to generate a 256-bit PSK."

So, its input is a two-tuple of SSID and an arbitrary-length input, and
inflates it to the 256-bit input of the PSK network hashing function.

Normal passwords aren't dependent on an SSID, and I don't know from the
top of my head if the 256-bit PSK generated from WPA passphrases is
reversible to get the cleartext back. (Apparently it is, otherwise your
storing of a password with this method wouldn't work...)

So, if this works, it is much rather coincidental than working as designed.

It's fine if it works for you, but I wouldn't want to base a wider
implementation on it.

Greetings,

Stefan Winter

Am 18.12.2017 um 22:14 schrieb Rademaker,Hans J.G.:
> Hello Stefan,
> 
> The man page is a very short summary. And it does not say it's not suitable 
> for passwords either. It only seems to hash the authentication input, 
> wether it is a psk or password seems irrelevant to my logical reasoning, 
> but hey that's only me.
> 
> I am using it for some years now, at fontys. With eduroam, and before that 
> with our fontys essid, it's configured the same way as eduroam is.
> But don't throw it out in the open on only my account, it still needs to be 
> tested at your end.
> 
> 
> And looking at your man page I stumbeled over a familiar link:
> 
> https://wiki.archlinux.org/index.php/WPA_supplicant
> and then at the end of the article starting from "Password-related problems"
> 
> There it is advised to use wpa_cli. So there is a more reliable method. I 
> can see if I can script something but probably not before february.  I'll 
> get back to you if I have something.
> 
> 
> And reading a bit further:
> 
> Ensure that your config uses
> phase2="auth=MSCHAPV2"
> 
> Maybe have a look at  line 381?
> 
> 
> Met vriendelijke groet,
> [fontys.png]<http://www.fontys.nl/>
> 
> Hans Rademaker • Dienst IT • Fontys Hogescholen                             
>                             [linux.png]
> Ik werk niet op vrijdag • 0885073070
> Handleidingen en handige links:
> Handleidingen<https://connect.fontys.nl/diensten/IT/handleidingen> • 
> Leslokalen<https://connect.fontys.nl/diensten/IT/handleidingen/Paginas/Audio_visuele_middelen.aspx>
>  • Office Hulp<https://support.office.com/nl-be> • 
> Webwinkel<https://connect.fontys.nl/diensten/IT/it-webwinkel> • 
> Storingen<https://allesoverict.fontys.nl/pages/StoringenOnderhoud.aspx> • 
> Office365-Training<https://support.office.com/nl-nl/article/Office-trainingscentrum-b8f02f81-ec85-4493-a39b-4c48e6bc4bfb?ui=nl-NL&rs=nl-NL&ad=NL>
> 
> 
> On 18-12-17 16:46, Stefan Winter wrote:
> 
> Hi,
> 
> 
> 
> A colleague of me has made an suggestion for an more secure Linux
> configuration in case the first option based with python script fails.
> 
> 
> 
> I tried to translate his explanation: in case the first method fails the
> tools starts a second procedure with shell scripting.
> 
> With this method the password is stored in plaintext in the
> wpa_supplicant config file. Users are informed about this during the
> installation.
> 
> 
> 
> Following my colleague  there is an standard tool included in the
> wpa_supplicant suite which can hash the password in the component
> "wpa_passphrase".
> 
> This has been added in rules 407 en 420  of the attachment.
> 
> 
> 
> This doesn't look correct to me: the manpage of wpa_passphrase speaks of
> WPA2-PSK and not about user passwords:
> 
> 
> man 8 wpa_passphrase:
> 
>  wpa_passphrase - Generate a WPA PSK from an ASCII passphrase for a SSID
> 
> 
> 
> Can this be helpful for the developers?
> 
> 
> 
> If it were assured that this function actually works with user
> passwords, not PSKs, then maybe.
> 
> What makes you think so? Does this really *work*?
> 
> Greetings,
> 
> Stefan Winter
> 
> 
> 
> ========================================================== Op deze e-mail 
> zijn de volgende voorwaarden van toepassing: 
> http://www.fontys.nl/disclaimer The above disclaimer applies to this e-mail 
> message.
> 


-- 
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
de la Recherche
2, avenue de l'Université
L-4365 Esch-sur-Alzette

Tel: +352 424409 1
Fax: +352 422473

PGP key updated to 4096 Bit RSA - I will encrypt all mails if the
recipient's key is known to me

http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66

Attachment: 0x8A39DC66.asc
Description: application/pgp-keys

Attachment: signature.asc
Description: OpenPGP digital signature