3

This question is very much related to this one.

I want to log into a user and password protected wifi which uses PEAP and maybe MS-CHAPv2. My wpa_supplicant.conf has to contain an entry like this:

network={
    ssid="<somessid>"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="<someidentity>"
    password="<somepassword>"
}

Now, I do not want to get displayed the password (but rather have it typed in once by a buddy who knows it – I do and shall not know it), so I also do not want to have it stored in plaintext.

Is it possible to replace the password="<somepassword>" entry by a hashsum of the password, preferably generated without the password being shown? If so, how can I do it?

Do I have to create an additional hash if MS-CHAPv2 is used? (In the other answer I read something about NtPasswordHash, which didn’t yield much duckduckgo-results and couldn’t be found in the wpa_supplicant.conf man pages as suggested in the other question.)

Alternatively: Is it possible to let a buddy type in his log-in data (i.e. identity and password) only once to let me use his account only once for internettt access?

Community
  • 1
k.stm
  • 689
  • 1
  • 11
  • 24

2 Answers2

2

No, you cannot replace the password by a hash. It doesn't matter what the protocol is. The client needs to know the password, and then either it sends the password to the server, or it sends some data that proves that the client knows the password. The server can be content to know the hash of the real password, because when it receives a candidate password, it computes the hash of the candidate and compares it with the real hash. But the client has to come up with the real password.

Whatever you store in this file, in the end, the wpasupplicant program has to be able to reconstruct the password. This means that you can reconstruct the password. Your buddy cannot prevent you from learning the password unless he doesn't give you the password.

As soon as your buddy has typed his password on your computer, you can retrieve the password if you want. You can modify the program that your buddy types the password in to write it in a file, or you can inspect the program's memory afterwards. If your buddy types his password on your computer, he has to trust you not to use it in any way that you promised not to use. It's like if your buddy lends you his car and asks you to park it: he can't prevent you from taking it for a ride, he only has your word that you won't drive it further than the car park.

If you want to share accounts, you'll have to share the password. If you don't want to share accounts, you'll need to get your own account with its own password.

Gilles 'SO- stop being evil'
  • 807,993
  • 194
  • 1,674
  • 2,175
  • Okay, thanks. Maybe the answer to the oher question should be updated with the info that it doeesn’t matter that PAP was being used. (As PAP is generally considered to be insecure, I hoped that in PEAP it would be okay to only send the hash of the password. But I guess that would open up other vulnerabilities due to collisions or more fundamentally the fact that the hash may be stored insecurely on the server or the server isn’t trusted.) – k.stm Aug 06 '13 at 21:56
  • @K.Stm. If the server accepted a proof that the client knew the hash, rather than a proof that the client knows the password, then the hash would become the effective password. – Gilles 'SO- stop being evil' Aug 06 '13 at 22:05
  • I unaccepted the answer for a while because I just thought that in principle, it should be possible to get internet access once by having a buddy type in his account data once (as if he only once used another machine). Therefore, I added a new question to be answered. – k.stm Aug 06 '13 at 22:24
  • @K.Stm. Ok, I've added a paragraph to my answer, but it's still the same thing. If your buddy types his password on your computer, he's giving you his password. – Gilles 'SO- stop being evil' Aug 06 '13 at 22:29
  • Okay, I re-accepted the answer again. I see how theoretically it doesn’t make sense to have a feature like the one I was hoping for. But practically, if you *somehow* trust a person, you might trust him or her to not retrieve your password, but you still might be uncomfortable literally telling him or her your password as a password is still something very personal. It might also be used for other services as well – I know it’s bad practise, but that’s just how it is: same passswords *are* used for different services. – k.stm Aug 07 '13 at 05:33
  • I this is wrong. For EAP at least you can do it. It may depend on the protocol though. See here: https://bbs.archlinux.org/viewtopic.php?pid=1493260#p1493260 – Micah Jan 15 '15 at 18:14
  • 1
    Yup, seems wrong. It's common to have an enterprise account with credentials granting access to the Wifi and a bunch of other services. Using a hashed password (which would indeed effectively become a Wifi-only password) would be significant progress in terms of security. Additionally, the docs say it [is possible](https://w1.fi/cgit/hostap/tree/hostapd/ChangeLog#n790). I [asked a separate question](https://unix.stackexchange.com/questions/278946/hiding-passwords-in-wpa-supplicant-conf-with-wpa-eap-and-mschap-v2). – Clément Apr 25 '16 at 14:44
0

Rule number zero of passwords is this: If you need someone to forget your password, change you password.

Your buddy can type in his password to let you use his wifi for a short while, and then when he's done allowing you to use his wifi, he changes his wifi password. Now you no longer have his password, you have his old password, which is now useless.

Alternately, he can change his password before typing it in, in which case you never actually see his old password, you just get his current password which he can then change later.

This same principle applies no matter what technology is in play.

tylerl
  • 2,438
  • 15
  • 18