[pkg-wpa-devel] Bug#644251: Bug#644251: wpasupplicant: please make it possible to query for passphrases

Stefan Lippers-Hollmann s.L-H at gmx.de
Fri Oct 7 11:55:29 UTC 2011 

Hi

On Friday 07 October 2011, Sebastian Harl wrote:
> Hi,
> 
> On Tue, Oct 04, 2011 at 04:47:08PM +0200, Stefan Lippers-Hollmann wrote:
> > On Tuesday 04 October 2011, Sebastian Harl wrote:
> > [...]
> > > 
> > > it would be nice to be able to let wpa-supplicant query for PSKs /
> > > passphrases / whatever when configuring a network in interfaces(5). This
> > > is useful, for example, on shared notebooks or similar.
> > > 
> > > The attached patch allows to specify 'wpa-ask-pass yes' or 'wpa-ask-psk
> > > yes' in interfaces(5). The passphrase / PSK will then be read from stdin
> > > when running 'ifup <iface>'.
> > 
> > How do you imagine this to work, especially considering the auto/ allow
> > hotplug cases in /etc/network/interfaces (ifupdown integration)?
> 
> Hrm, my use-case is using 'ifup' manually once the system is up. Since
> there is no (native) support for auto-detection (afaik) of wireless
> networks, I'd imagine that I'm not the only one doing it that way. (This
> is unless you're using stuff like NM or wicd -- but in those cases my
> approach is not needed anyway. In fact it's my preferred replacement for
> those tools, which allows me to have full control over what is
> happening.)

Did you try a roaming setup with wpasupplicant?

/etc/network/interfaces:

auto lo
iface lo inet loopback

allow-hotplug wlan0
iface wlan0 inet manual
	wpa-roam /etc/wpa_supplicant/wpa_supplicant.conf

iface work inet dhcp
iface home inet dhcp
iface favourite_pub inet dhcp
iface default inet dhcp				# catch all open nets



/etc/wpa_supplicant/wpa_supplicant.conf (or whatever you call it):

ctrl_interface=/var/run/wpa_supplicant
ctrl_interface_group=netdev			# optional, if you want to allow members of netdev to use wpa_gui

network={
	priority=10
	ssid="work_ssid"
	id_str="work"
	proto=WPA2
	pairwise=CCMP
	group=CCMP
	psk="<very secret>"
}

network={
	priority=25
	ssid="home_ssid"
	id_str="home"
	proto=WPA2
	pairwise=CCMP
	group=CCMP
	psk="<very secret>"
}

network={
	priority=5
	ssid="pub_ssid"
	id_str="favourite_pub"
	proto=WPA2
	pairwise=CCMP
	group=CCMP
	psk="<very secret>"
}

network={
        priority=1
        ssid=""
        key_mgmt=NONE
}


This allows automatic roaming and handover without n-m, wicd, etc., 
further info about possible configuration options is under
/usr/share/doc/wpasupplicant/ and /usr/share/doc/wpasupplicant/examples

> Anyway, I'm fully aware that my approach is not suitable for all cases
> but that's why I've added a completely new (and independent of all
> others) option to enable this.
> 
> > > The querying could also be done using zenity/kdialog/whatever -- if the
> > > general approach is fine for you, I'd be happy to modify the patch
> > > accordingly.
> > 
> > The only way I can see this patch working, is if you 
> > strictly don't use /etc/network/interfaces and exclusively invoke
> > ifup/ ifdown from a controlling terminal.
> 
> Well, using /etc/network/interfaces is still fine but the appropriate
> interfaces should not be marked 'auto*'.
> 
> In my case, I've got a few logical interfaces for "known" (wireless)
> networks and depending on where I am, I'm brining up the appropriate
> logical interface using 'ifup'.
> 
> > Looking at your 
> > zenity/kdialog/whatever suggestion it would even have to share the 
> > MIT X11 session cookie to be able to display your X11 based dialog, 
> > which would be totally impossible to invoke from ifupdown.
> 
> Hrm, why would that be impossible? You can still run ifup/ifdown from
> some X-terminal. My zenity/kdialog/whatever suggestion was meant to be
> optional, i.e., I'd check if some X11 display and session cookie would
> be available and fall back to 'read' (and possibly an error message if
> there is no controlling tty) else.

It would be unsuitable for the, imho, most common cases (ignoring 
network-manager setups, but you couldn't use those in combination with 
your proposed patch either) of starting the wlan interface (or roaming)
through /etc/network/interfaces and auto/ allow-hotplug stanzas while 
booting. 

The remaining use case is so specialized:

- must not use auto/ allow-hotplug in /e/n/i
- using a controlling terminal, ideally with X access, in an 
  interactive way is mandatory
- ESSID (usually short) is fixed, but the psk (hopefully long and 
  complex, 63 characters ASCII or 64 hexadecimal digits) needs to be 
  typed every time

that I personally don't consider this to be a viable option for the 
wpasupplicant packages in Debian, because potential users will expect
it to work with auto/ allow-hotplug on boot (similar to booting from an
encrypted rootfs). Especially considering that this functionality could
be provided by relatively simple scripting (add a new network 
definition and switch to it, but don't save it to the config) with 
wpa_cli - if the roaming mode doesn't cover this already.

> > For this particular use case of not storing a psk to disk, wouldn't it 
> > be easier to use wpa_cli or wpa_gui instead, or to make use of a higher
> > level networking interface (e.g. network-manager, wicd, or a simple 
> > custom tools or dæmon making use of wpasupplicant's D-Bus interface)?
> 
> Well, I don't like NM, wicd or other stuff doing certain kinds of magic
> in the background. That's why I like being able to define logical
> interfaces in interfaces(5) and decide on my own, which configuration to
> use. Imho, that's the easiest approach to solving my use case.

I don't like those either, less because of their "magic", but rather 
because of their dependencies (D-Bus) and what I consider massive bugs
(not configurable without X or in and editor, connections might drop
on upgrade (lovely, if you're upgrading over ssh/ wlan, etc. pp.), but
wpasupplicant's roaming mode works fine for me, including very complex
setups and IEEE80211X.

> As mentioned above, I'm fully aware that this does not fit all use-cases
> but imho my approach does not interfere with anything else and others
> might benefit from that as well -- that's why I proposed to include it
> in the package.
[...]

Given how special your proposed operating mode would be and considering
its technical limitations (controlling terminal), I would prefer not 
add this to the generic wpasupplicant package in Debian. Also because
I'm conviced that there would be better approaches to accomplish this
(wpa_cli, either by hand or with rather simple scripting).

(interactive) wpa_cli example, but this could also be scripted:

> add_network
4
> set_network 4 ssid "foo"
OK
> set_network 4 psk "secret"
OK
> enable_network 4
OK
> save_config		# optional, if you want to save this new network
OK

Regards
	Stefan Lippers-Hollmann

More information about the Pkg-wpa-devel mailing list