On 16/08/2015 06:53, Steve Litt wrote:
> The toughest part is how to store the passwords in a way that isn't a
> security problem.

Unfortunately, /etc/wpa_supplicant.conf doesn't have an include feature
(which is strange, because hostapd supports a wpa_psk_file option).
So you have to store the passwords (or the equivalent binary PSKs) in the
configuration file, and make this file readable only from root - which means
you need a small suid root binary to write the whole configuration file.

Password security isn't a problem that you can fix at the interface level,
it's something that must be tightly integrated with the tool that uses the
password - and there's no doubt wpa_supplicant could do better here.

--
Laurent