New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
nixos/manual: document WPA2 enterprise configuration when declaratively configuring wifi networks #48476
Conversation
|
||
To avoid leaking your cleartext-password, <literal>wpa_supplicant.conf</literal> allows to | ||
specify a hashed password using a configuration like this: <literal>password=hash:{your-hashed-password}</literal>. | ||
Such a password can be a an NTLM password which can be generated with the following command: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There is an an
too much:
- Such a password can be a an NTLM password which can be generated with the following command:
+ Such a password can be a NTLM password which can be generated with the following command:
specify a hashed password using a configuration like this: <literal>password=hash:{your-hashed-password}</literal>. | ||
Such a password can be a an NTLM password which can be generated with the following command: | ||
<programlisting> | ||
echo -n $YOURPASSWORD | iconv -t utf16le | openssl md4 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
How much security does one gain from md4
?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
sorry, hit the wrong button.
Please give me time until tomorrow, then I’ll write a detailed answer :)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
As far as I've seen it for now, this is currently the only possibility to provide hashed passwords. I just had a look at the code and unfortunately it seems as this is the only way to hash passwords and I guess that we should mention this (I just found most of the information from stackexchange threads, the Arch wiki and some playing around though).
Currently I can imagine two problematic cases:
-
A compromised Nix store: as long as Nix doesn't implement encryption capabilities for store paths the leaked configuration file is sufficient to access a WPA2 enterprise network using the victim's credentials. I do think that this can be helpful though as in several cases the users authenticated using LDAP, so the cleartext password won't be leaked (as mentioned in the previous sentence in the change, but the more I think about it the more I think that this should be mentioned in an
emphasis
in a separate paragraph.) -
The
md4
hash itself. Unfortunately I didn't find a suitable alternative and I don't know the codebase well enough to efficiently (and safely!) fix this upstream. I'd say that the measure I'm mentioning here makes it harder to leak the cleartext password, but doesn't add tru security which has to be kept in mind when using this feature.
My original intention was to document that our wireless
module allows connections to WPA-EAP networks as well (I wanted to try this out for a given network yesterday, looked into the manual where this was documented and didn't find it).
I guess that we should mention the hashing approach (there aren't too much sources mentioning it ATM), but I guess that I should make it way more explicit in my wording that this still contains risks.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes, we should not advertise md4 as a secure alternative that can protect your password in the nix store, when this is not the case. The example itself is good though.
…ly configuring wifi networks
73e343d
to
e0b86ef
Compare
@Mic92 I updated the change, fixed the typo and added a warning regarding the md4 hash. |
Closing for now. There won't be any sufficiently satisfying solution until Nix supports encrypted store paths. |
Motivation for this change
Today, when configuring a WPA2 network for my machine I was confused as I didn't find a reference in the manual. As such networks are often used it should be explicitly documented there I think.
Things done
sandbox
innix.conf
on non-NixOS)nix-shell -p nox --run "nox-review wip"
./result/bin/
)nix path-info -S
before and after)