
cat-users - Re: [[cat-users]] security fix clear text password in linux script eduroam

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)





  • From: "Rademaker,Hans J.G." <h.rademaker AT fontys.nl>
  • To: Stefan Winter <stefan.winter AT restena.lu>, "cat-users AT lists.geant.org" <cat-users AT lists.geant.org>
  • Cc: "Visser,Ramon R.D." <r.visser AT fontys.nl>
  • Subject: Re: [[cat-users]] security fix clear text password in linux script eduroam
  • Date: Tue, 19 Dec 2017 09:10:51 +0000
  • Accept-language: en-GB, en-US

Hi Stefan, I agree, and thanks for the explanations.

If it's against the documentation then you should not implement it,
regardless of whether it is working or not.

And it is not relevant any more, I guess. The preferred way is wpa_cli, for
its reliability.
The clear text password is also in $HOME, not in /etc, making it even less
secure, so it needs to go. I'll have a go at wpa_cli.

Kind regards,
<http://www.fontys.nl/>

Hans Rademaker • IT Department • Fontys Hogescholen
I do not work on Fridays • 0885073070
Manuals and useful links:
Manuals<https://connect.fontys.nl/diensten/IT/handleidingen> •
Classrooms<https://connect.fontys.nl/diensten/IT/handleidingen/Paginas/Audio_visuele_middelen.aspx>
• Office Help<https://support.office.com/nl-be> •
Webshop<https://connect.fontys.nl/diensten/IT/it-webwinkel> •
Outages<https://allesoverict.fontys.nl/pages/StoringenOnderhoud.aspx> •
Office365-Training<https://support.office.com/nl-nl/article/Office-trainingscentrum-b8f02f81-ec85-4493-a39b-4c48e6bc4bfb?ui=nl-NL&rs=nl-NL&ad=NL>


On 19-12-17 08:26, Stefan Winter wrote:

Hi again,

Normal passwords aren't dependent on an SSID, and I don't know from the
top of my head if the 256-bit PSK generated from WPA passphrases is
reversible to get the cleartext back. (Apparently it is, otherwise your
storing of a password with this method wouldn't work...)

Not that I care much about PSK-based networks ;-) but I found that too
suspicious to not look it up. Wikipedia quickly gave away:

"This key may be entered either as a string of 64 hexadecimal digits, or
as a passphrase of 8 to 63 printable ASCII characters.[10] If ASCII
characters are used, the 256 bit key is calculated by applying the
PBKDF2 key derivation function to the passphrase, using the SSID as the
salt and 4096 iterations of HMAC-SHA1."

With PBKDF2 and 4096 times HMAC-SHA1 it is really impossible to recover
the original password from the hash (which would be needed for
TTLS-PAP). The hash is also incompatible with MSCHAPv2 (which would be
needed for PEAP).

So, whatever it is that wpa_passphrase is doing on your box, it's
against the documentation and not very logical.

Greetings,

Stefan Winter



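To make the derivation Stefan quotes concrete, here is an added example (not code from the thread, from Fontys or from the CAT project): it derives the 256-bit PSK exactly as wpa_passphrase does and then audits a constructed wpa_supplicant config fragment, flagging a psk= line under key_mgmt=WPA-EAP as unusable for TTLS-PAP/PEAP and a cleartext EAP password as a secret that sits on disk. The network blocks, identities and password values are constructed; the hex PSK is the published IEEE 802.11 test vector for passphrase "password" on SSID "IEEE".

```python
import hashlib
import re

def wpa_psk(passphrase: str, ssid: str) -> str:
    """256-bit WPA PSK as wpa_passphrase prints it: PBKDF2-HMAC-SHA1 over the
    passphrase, SSID as salt, 4096 iterations. One-way: not reversible."""
    if not 8 <= len(passphrase) <= 63: raise ValueError("passphrase is 8-63 ASCII chars")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, dklen=32).hex()

# Constructed sample config (not a real site's file). The psk= hex is the
# IEEE 802.11 test vector for passphrase "password" on SSID "IEEE".
SAMPLE_CONF = """
network={
    ssid="IEEE"
    key_mgmt=WPA-PSK
    psk=f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e
}
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=TTLS
    phase2="auth=PAP"
    identity="user@example.edu"
    password="hunter2hunter2"
}
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=PEAP
    psk=f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e
}
"""

def audit(conf: str) -> list[tuple[str, str]]:
    """Per network={...} block: what secret is stored, and can it authenticate?"""
    findings = []
    for body in re.findall(r"network=\{(.*?)\}", conf, re.S):
        # key=value lines; surrounding double quotes are stripped from values
        kv = {k: v.strip('"') for k, _, v in
              (l.strip().partition("=") for l in body.strip().splitlines())}
        ssid, mgmt, psk = kv.get("ssid", "?"), kv.get("key_mgmt", ""), kv.get("psk", "")
        if mgmt == "WPA-EAP" and "psk" in kv:
            findings.append((ssid, "broken: psk= is a PBKDF2 hash, EAP needs the cleartext password"))
        elif mgmt == "WPA-EAP" and "password" in kv:
            findings.append((ssid, "cleartext: EAP password stored on disk, restrict file permissions"))
        elif mgmt == "WPA-PSK" and re.fullmatch(r"[0-9a-f]{64}", psk):
            findings.append((ssid, "hashed: 256-bit PSK only, passphrase not recoverable"))
        else:
            findings.append((ssid, "cleartext: PSK passphrase stored on disk"))
    return findings
```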
