wpa_supplicant store password as hash (WPA-EAP with phase2="auth=PAP")

Question

Is there a way to store my password in /etc/wpa_supplicant/wpa_supplicant.conf as some hash instead of plaintext?

By "password" I refer here to the password used for phase2 authentification. I do not refer to the Preshared Key (PSK) which could be hashed using wpa_passphrase.

For phase2 MSCHAPv2 or MSCHAP authentification I could store the password as MD4 hash using nt_password_hash (see example wpa_supplicant.conf line 659).

Is there any way to store my PAP password as hash?

Or: Is there a way to store the password in some sort of external storage? The example wpa_supplicant.conf suggests the use of such an external storage (using ext:????) but I could not find any documentation about it.

I am aware that storing the password as hash does not increase wifi security. But as the password MUST be the same as the password for other services (account management, subscriptions, payments ...) I don't want it to be stored as plaintext.

Answer 1

Unfortunately I have to answer the question myself now. "Unfortunately" because the answer is "No, it is not possible".

I took a look at how PAP is working, and came to the conclusion that it is logically impossible to store the password as a hash value.

With PAP, the username and password are sent directly to the authentification side. Therefore, the password must be known, knowing some hash is not sufficient.

Thx @tink for searching nevertheless.

But I still could not find anything about this external storage thing. Solution for me in this special case is using a unencrypted wifi (which is also provided by my university) and a VPN.