Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

nixos/manual: document WPA2 enterprise configuration when declaratively configuring wifi networks #48476

Closed
wants to merge 1 commit into from

Conversation

Projects
None yet
3 participants
@Ma27
Copy link
Member

commented Oct 15, 2018

Motivation for this change

Today, when configuring a WPA2 network for my machine I was confused as I didn't find a reference in the manual. As such networks are often used it should be explicitly documented there I think.

Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nox --run "nox-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Fits CONTRIBUTING.md.

nixos/doc/manual/configuration/wireless.xml Outdated

To avoid leaking your cleartext-password, <literal>wpa_supplicant.conf</literal> allows to
specify a hashed password using a configuration like this: <literal>password=hash:{your-hashed-password}</literal>.
Such a password can be a an NTLM password which can be generated with the following command:

This comment has been minimized.

Copy link
@Mic92

Mic92 Oct 15, 2018

Contributor

There is an an too much:

- Such a password can be a an NTLM password which can be generated with the following command: 
+ Such a password can be a NTLM password which can be generated with the following command: 
specify a hashed password using a configuration like this: <literal>password=hash:{your-hashed-password}</literal>.
Such a password can be a an NTLM password which can be generated with the following command:
<programlisting>
echo -n $YOURPASSWORD | iconv -t utf16le | openssl md4

This comment has been minimized.

Copy link
@Mic92

Mic92 Oct 15, 2018

Contributor

How much security does one gain from md4?

This comment has been minimized.

Copy link
@Ma27

Ma27 Oct 15, 2018

Author Member

sorry, hit the wrong button.
Please give me time until tomorrow, then I’ll write a detailed answer :)

This comment has been minimized.

Copy link
@Ma27

Ma27 Oct 16, 2018

Author Member

As far as I've seen it for now, this is currently the only possibility to provide hashed passwords. I just had a look at the code and unfortunately it seems as this is the only way to hash passwords and I guess that we should mention this (I just found most of the information from stackexchange threads, the Arch wiki and some playing around though).

Currently I can imagine two problematic cases:

  • A compromised Nix store: as long as Nix doesn't implement encryption capabilities for store paths the leaked configuration file is sufficient to access a WPA2 enterprise network using the victim's credentials. I do think that this can be helpful though as in several cases the users authenticated using LDAP, so the cleartext password won't be leaked (as mentioned in the previous sentence in the change, but the more I think about it the more I think that this should be mentioned in an emphasis in a separate paragraph.)

  • The md4 hash itself. Unfortunately I didn't find a suitable alternative and I don't know the codebase well enough to efficiently (and safely!) fix this upstream. I'd say that the measure I'm mentioning here makes it harder to leak the cleartext password, but doesn't add tru security which has to be kept in mind when using this feature.

My original intention was to document that our wireless module allows connections to WPA-EAP networks as well (I wanted to try this out for a given network yesterday, looked into the manual where this was documented and didn't find it).

I guess that we should mention the hashing approach (there aren't too much sources mentioning it ATM), but I guess that I should make it way more explicit in my wording that this still contains risks.

This comment has been minimized.

Copy link
@Mic92

Mic92 Oct 17, 2018

Contributor

Yes, we should not advertise md4 as a secure alternative that can protect your password in the nix store, when this is not the case. The example itself is good though.

@Ma27 Ma27 force-pushed the Ma27:document-wpa2-enterprise-config branch to e0b86ef Oct 17, 2018

@Ma27

This comment has been minimized.

Copy link
Member Author

commented Oct 17, 2018

@Mic92 I updated the change, fixed the typo and added a warning regarding the md4 hash.

@Ma27

This comment has been minimized.

Copy link
Member Author

commented Jan 10, 2019

Closing for now. There won't be any sufficiently satisfying solution until Nix supports encrypted store paths.

@Ma27 Ma27 closed this Jan 10, 2019

@Ma27 Ma27 deleted the Ma27:document-wpa2-enterprise-config branch Jan 10, 2019

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.