Le 16/08/2015 08:11, Laurent Bercot a écrit :
> On 16/08/2015 06:53, Steve Litt wrote:
>> The toughest part is how to store the passwords in a way that isn't a
>> security problem.
>
> Unfortunately, /etc/wpa_supplicant.conf doesn't have an include feature
> (which is strange, because hostapd supports a wpa_psk_file option).
> So you have to store the passwords (or the equivalent binary PSKs) in
> the
> configuration file, and make this file readable only from root - which
> means
> you need a small suid root binary to write the whole configuration file.
>
> Password security isn't a problem that you can fix at the interface
> level,
> it's something that must be tightly integrated with the tool that uses
> the
> password - and there's no doubt wpa_supplicant could do better here.
>

     wpa_supplicant.conf contains very little apart from the authentication
information for the various wifi stations, therefore there is little need to
put the passwords in different files.

     Wpa_gui discovers the properties of the stations (crypting and 
authentication
methods) and prompts you for the passwords. Then it passes all 
connection and
authentication information to wpa_supplicant, which stores them. I bet the
same is possible with wpa_cli and wpa_actions, which are packaged with
wpa_supplicant.

     I have made my wpa_gui suid, but I just read the following in 'man 
wpa_cli':

# The  control  interface  of  wpa_supplicant  can  be configured  to  
allow  non-root  user access
#      (ctrl_interface GROUP= parameter in the configuration file). This 
makes it possible to run wpa_cli
#      with a normal user account.

     Just 'adduser myself wifigroup'

     Didier