On 16/08/2015 08:11, Laurent Bercot wrote:
> On 16/08/2015 06:53, Steve Litt wrote:
>> The toughest part is how to store the passwords in a way that isn't a
>> security problem.
>
> Unfortunately, /etc/wpa_supplicant.conf doesn't have an include feature
> (which is strange, because hostapd supports a wpa_psk_file option).
> So you have to store the passwords (or the equivalent binary PSKs) in the
> configuration file, and make this file readable only from root - which means
> you need a small suid root binary to write the whole configuration file.
>
> Password security isn't a problem that you can fix at the interface level,
> it's something that must be tightly integrated with the tool that uses the
> password - and there's no doubt wpa_supplicant could do better here.
>
wpa_supplicant.conf contains very little apart from the authentication
information for the various wifi stations, therefore there is little need to
put the passwords in different files.
Wpa_gui discovers the properties of the stations (crypting and authentication
methods) and prompts you for the passwords. Then it passes all connection and
authentication information to wpa_supplicant, which stores them. I bet the
same is possible with wpa_cli and wpa_actions, which are packaged with
wpa_supplicant.
I have made my wpa_gui suid, but I just read the following in 'man wpa_cli':
# The control interface of wpa_supplicant can be configured to allow non-root user access
# (ctrl_interface GROUP= parameter in the configuration file). This makes it possible to run wpa_cli
# with a normal user account.
Just 'adduser myself wifigroup'
Didier
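
A check for the two points raised in this thread, as an added example that is not part of either poster's message: it flags a wpa_supplicant configuration file that stores credentials while being readable beyond its owner, and reports which group the control interface is opened to. The function names are hypothetical, and the check looks only at mode bits, not at file ownership.

```shell
#!/bin/sh
# Added example: audit a wpa_supplicant configuration file.
# Function names are illustrative, not part of wpa_supplicant.

# Print the group granted control-interface access, taken from either
# "ctrl_interface=DIR=... GROUP=name" or "ctrl_interface_group=name".
ctrl_group() {
    sed -n \
        -e 's/^[[:space:]]*ctrl_interface=.*GROUP=\([^[:space:]]*\).*/\1/p' \
        -e 's/^[[:space:]]*ctrl_interface_group=\([^[:space:]]*\).*/\1/p' \
        "$1" | head -n 1
}

# Succeed if the file has an uncommented credential line.
has_secrets() {
    grep -Eq '^[[:space:]]*(psk|password|wep_key[0-3]|private_key_passwd)=' "$1"
}

# Succeed if group or others have read permission (mode bits only).
readable_beyond_owner() {
    [ -n "$(find "$1" -prune \( -perm -040 -o -perm -004 \))" ]
}

# Return 1 when credentials are stored in a file others can read.
audit_wpa_conf() {
    conf=$1
    status=0
    if has_secrets "$conf" && readable_beyond_owner "$conf"; then
        echo "FAIL: $conf stores credentials but is readable by group/others"
        status=1
    fi
    group=$(ctrl_group "$conf")
    if [ -z "$group" ]; then
        echo "NOTE: no GROUP= set for ctrl_interface in $conf"
    else
        echo "NOTE: members of group '$group' can drive wpa_supplicant"
    fi
    return $status
}
```

Run it as `audit_wpa_conf /etc/wpa_supplicant.conf` after sourcing the file; every member of the reported group can add and change networks through the control interface, so that group's membership is worth reviewing too.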