nixos/manual: document WPA2 enterprise configuration when declaratively configuring wifi networks #48476
Conversation
|
|
||
| To avoid leaking your cleartext-password, <literal>wpa_supplicant.conf</literal> allows to | ||
| specify a hashed password using a configuration like this: <literal>password=hash:{your-hashed-password}</literal>. | ||
| Such a password can be a an NTLM password which can be generated with the following command: |
There was a problem hiding this comment.
There is an an too much:
- Such a password can be a an NTLM password which can be generated with the following command:
+ Such a password can be a NTLM password which can be generated with the following command:
| specify a hashed password using a configuration like this: <literal>password=hash:{your-hashed-password}</literal>. | ||
| Such a password can be a an NTLM password which can be generated with the following command: | ||
| <programlisting> | ||
| echo -n $YOURPASSWORD | iconv -t utf16le | openssl md4 |
There was a problem hiding this comment.
How much security does one gain from md4?
There was a problem hiding this comment.
sorry, hit the wrong button.
Please give me time until tomorrow, then I’ll write a detailed answer :)
There was a problem hiding this comment.
As far as I've seen it for now, this is currently the only possibility to provide hashed passwords. I just had a look at the code and unfortunately it seems as this is the only way to hash passwords and I guess that we should mention this (I just found most of the information from stackexchange threads, the Arch wiki and some playing around though).
Currently I can imagine two problematic cases:
-
A compromised Nix store: as long as Nix doesn't implement encryption capabilities for store paths the leaked configuration file is sufficient to access a WPA2 enterprise network using the victim's credentials. I do think that this can be helpful though as in several cases the users authenticated using LDAP, so the cleartext password won't be leaked (as mentioned in the previous sentence in the change, but the more I think about it the more I think that this should be mentioned in an
emphasisin a separate paragraph.) -
The
md4hash itself. Unfortunately I didn't find a suitable alternative and I don't know the codebase well enough to efficiently (and safely!) fix this upstream. I'd say that the measure I'm mentioning here makes it harder to leak the cleartext password, but doesn't add tru security which has to be kept in mind when using this feature.
My original intention was to document that our wireless module allows connections to WPA-EAP networks as well (I wanted to try this out for a given network yesterday, looked into the manual where this was documented and didn't find it).
I guess that we should mention the hashing approach (there aren't too much sources mentioning it ATM), but I guess that I should make it way more explicit in my wording that this still contains risks.
There was a problem hiding this comment.
Yes, we should not advertise md4 as a secure alternative that can protect your password in the nix store, when this is not the case. The example itself is good though.
…ly configuring wifi networks
Ma27
force-pushed
the
document-wpa2-enterprise-config
branch
from
73e343d
to
e0b86ef
Compare
|
@Mic92 I updated the change, fixed the typo and added a warning regarding the md4 hash. |
|
Closing for now. There won't be any sufficiently satisfying solution until Nix supports encrypted store paths. |
Motivation for this change
Today, when configuring a WPA2 network for my machine I was confused as I didn't find a reference in the manual. As such networks are often used it should be explicitly documented there I think.
Things done
sandboxinnix.confon non-NixOS)nix-shell -p nox --run "nox-review wip"./result/bin/)nix path-info -Sbefore and after)