Hiding passwords in wpa_supplicant.conf with WPA-EAP and MSCHAP-v2

passwordSecuritywpawpa-supplicant

My wpa_supplicant.conf looks like this:

network={
  ssid="Some name"
  scan_ssid=1
  key_mgmt=WPA-EAP
  eap=PEAP
  identity="my-user-id"
  password="(clear text password here)"
  ca_cert="/usr/share/ca-certificates/mozilla/GeoTrust_Global_CA.crt"
  phase2="auth=MSCHAPV2"
}

With this specific combination of WPA-EAP and MSCHAP-v2, is there a way to not include my password in clear in this configuration file?

The ChangeLog seems to claim that this is feasible (since 2005!):

* added support for storing EAP user password as NtPasswordHash instead
  of plaintext password when using MSCHAP or MSCHAPv2 for
  authentication (hash:<16-octet hex value>); added nt_password_hash
  tool for hashing password to generate NtPasswordHash

Some notes:

Using a different password is not an option, as I have no control over this network (this is a corporate network, and a single username/password is used to access all services, including connecting to the Wifi).
A word about duplicates:
- 40: use-wpa-supplicant-without-plain-text-passwords is about pre-shared keys
- 74500: wpa-supplicant-store-password-as-hash-wpa-eap-with-phase2-auth-pap uses PAP as phase-2 authentication (not MSCHAP-v2).
- 85757: store-password-as-hash-in-wpa-supplicant-conf is very similar to this question, but was (incorrectly) closed as a duplicate of 74500; unfortunately, the answers given to the purported duplicate are specific to PAP, and do not apply to the MSCHAP-v2 case. 85757 itself has an answer claiming that it's essentially impossible regardless of the protocol, but the justification is invalid¹

¹ That anser claims that using a hashed password means that the hash becomes the password. This is technically true, but at least the hash is a wifi-only password, which is significant progress over leaking a shared password granting access to multiple services.

Best Answer

Open terminal and type :

wpa_passphrase YOUR_SSID YOUR_PASSWORD

Sample output:

network={
    ssid="YOUR_SSID"
    #psk="YOUR_PASSWORD"
    psk=6a24edf1592aec4465271b7dcd204601b6e78df3186ce1a62a31f40ae9630702
}

Open the wpa_supplicant.conf file and add the following line:

psk=6a24edf1592aec4465271b7dcd204601b6e78df3186ce1a62a31f40ae9630702

Related Solutions

Custom PAM modules and security considerations

When you call into Linux-PAM for some authentication procedure, there is always one and only one stack that is run.

The stack definition is looked up in these places; the first successful attempt determines which file is read:

the file in /etc/pam.d named after the application "service name" (e.g., sshd or gdm), or
the file /etc/pam.d/other if no service-specific file exists, or
the file /etc/pam.conf if directory /etc/pam.d does not exist.

See the documentation for function pam_start for details.

The common-* files are a convention followed by many Linux distributions but are not mandated by the PAM software itself. They are usually included by other PAM files by means of @include statements; for instance the /etc/pam.d/other file on Debian has the following content:

# We fall back to the system default in /etc/pam.d/common-*
@include common-auth
@include common-account
@include common-password
@include common-session

The same @include statements may be used by service-specific file as well, and -indeed- they are in the default configuration on Debian. Note that this is a matter of configuration: a sysadmin is free to change the file in /etc/pam.d not to include any common-* files at all!

Therefore: if your PAM module is specific to your application, create an application-specific service file and call the module from there. Do not automatically add a module to other services' PAM file nor to the fall-back others file, as this may break other applications installed on the system. Management of the PAM software stack is a task for the system administrator, not for the application developers.

WPA-Supplicant Store Password as Hash for WPA-EAP with Phase2=”auth=PAP”

Unfortunately I have to answer the question myself now. "Unfortunately" because the answer is "No, it is not possible".

I took a look at how PAP is working, and came to the conclusion that it is logically impossible to store the password as a hash value.

With PAP, the username and password are sent directly to the authentification side. Therefore, the password must be known, knowing some hash is not sufficient.

Thx @tink for searching nevertheless.

But I still could not find anything about this external storage thing. Solution for me in this special case is using a unencrypted wifi (which is also provided by my university) and a VPN.

Best Answer

Related Solutions

Custom PAM modules and security considerations

WPA-Supplicant Store Password as Hash for WPA-EAP with Phase2=”auth=PAP”

Related Question