wifi.tcz security concerns...

[nitram]

New TC-6 user here. Just installed wifi.tcz, runs well.

- After connecting wifi saves the ESSID and password in a plain text wifi.db file in the home folder. This happens to be my secured home router and i would prefer that this information NOT be stored in plain text on my system. Anyone know how to disable the wifi.db text creation, as i would prefer to re-enter my password manually at boot.

- This query is likely not possible with wifi, but i prefer my wireless router NOT broadcast an ESSID (hidden network). Is there anyway for wifi to pick up a hidden network?

Thanks in advance for any feedback.

[Juanito]

At the moment the wifi extension will not connect to networks that do not broadcast the ssid - if you'd like to propose a change to the script, please feel free 

[coreplayer2]

Is this really a security concern?  Or a matter of comfort?
Anyone who had access to the file system is already inside your local network.  iptables should be enough protection from casual exploits. Anyone smart enough to access you password is most likely not living within reach of your WiFi range. So it appears a moot point?

If it's that important then perhaps a more secure connection manager would be appropriate?  Would be cool to encrypt the password file, though seems to much like overkill for the threat posed..?


Sent from my iPad using Tapatalk HD

[nitram]

Juanito - A script change would be great but i've already bugged bmarkus enough this week and i don't have the necessary skills to figure this stuff out yet.

coreplayer2 - Thanks for the response. Both a matter of comfort but also a bonafide security concern. Of course someone who hacks your wifi already has access to your local network anyway - understood. But having plain text network connection information in a home folder seems like asking for trouble if a laptop is ever lost/stolen and recovered by someone nefarious. Upon realizing the theft i would change the network ID/password asap so maybe you're right, maybe i am making more out of it than necessary.

Guess i'm just used to a more secure system (no network broadcast, encrypted connection information, no sudo, very restrictive root user usage, etc). I can see how TC can be more secure in many use cases (run from RAM, fresh system at every boot, etc) but in some ways maybe less secure. I'm still trying to figure out the system and need to read up on TC security.

Since my wifi.db file is stored in the home folder and is backed up upon exit into mydata.tgz, is there a way to automatically password protect this tgz file to prevent someone from unzipping?

Or...if i'm that paranoid, maybe just manually delete the wifi.db file before exit/backup if i plan to take the laptop out of the house.

[curaga]

Yes, the "protect" bootcode will enable 448-bit Blowfish encryption for your backup file.

[core-user]

Maybe just write a script to delete it after connecting to your wifi(?)
(Run from ram probably easier.)
List it not to be backed up in /opt/.xfiletool.lst(?)

[Lee]

Or...if i'm that paranoid, maybe just manually delete the wifi.db file before exit/backup if i plan to take the laptop out of the house.

To exclude the file from you backup, add it to /opt/.xfiletool.lst

Of course you would then get the worst of both worlds - the passwords would exist as plain text in your home directory (while running) -AND- you'd have to reenter it on every reboot to access your wifi.   But, assuming you're not using persistent home, at least it wouldn't exist on your persistent media.

[nitram]

Thanks everyone for the reponses. I will for sure look at the protect boot code, which addresses my security concern regarding the plain text wifi.db file.  xfiletool.lst is also valuable.

Tried a wifi work-around that failed. I set my router to broadcast, booted TC and connected via wifi.sh. My router's ID and connection password stored in wifi.db as expected. I then reset my router to hidden (no broadcast), rebooted TC with persistence so it could read the wifi.db file and then ran sudo wifi.sh -a, which is supposed to instruct wifi to automatically connect to the first network in wifi.db. Unfortunately it failed:

Code: [Select]

tc@box:~$ sudo wifi.sh -a
Found wifi device eth1
Standby for scan of available networks...
Set to try a few times to obtain a lease.
Attempting auto connection with nitramRouter
Error for wireless request "Set ESSID" (8B1A) :
    too few arguments.
...................
udhcpc (v1.22.1) started
Sending discover...
Sending discover...
Sending discover...
No lease, failing

If you've got your ears on bmarkus, is there any possibility of enhancing wifi.tcz to connect to a known hidden network? This is a deal breaker for me as i really don't want to run in broadcast mode. This netbook dual boots with Debian and has no difficulty connecting to hidden networks but uses heavy overhead network-manager. I work from a home office and make all reasonable attempts to protect my data.

Unfortunately wicd.tcz in TC-6 is broken. Any other ideas to help me wireless connect to a known hidden router? Maybe some network interfaces tweak or something? I basically just use the same/single connection and the netbook rarely leaves the house - just need to successfully connect to my hidden network.

[Juanito]

you just need a simple script:

Code: [Select]

#!/bin/sh -e
#
sudo cp /mnt/sdb1/conf/wpa_hiddenssid_configure.conf /etc/wpa_configure.conf
#
tce-load -i firmware_iwlwifi-7260
tce-load -i wpa_supplicant
#
sleep 2
#
sudo wpa_supplicant -B -Dwext -i wlan0 -c/etc/wpa_configure.conf
#
sudo udhcpc -b -i wlan0 -x hostname:boxdell -p /var/run/udhcpc.wlan0.pid
#
# EOF
where:

Code: [Select]

$ cat /etc/wpa_configure.conf
ctrl_interface=/var/run/wpa_supplicant
ctrl_interface_group=0
eapol_version=1
ap_scan=2
fast_reauth=1

network={
        ssid="xxxxxx"
        psk="yyyyyy"
        scan_ssid=1
key_mgmt=WPA-PSK
proto=WPA2
pairwise=CCMP
group=CCMP
priority=5
}
 

[Greg Erskine]

hi nitram,

I too don't like to have my wireless network passphrase in plain text in any file.

You can just use wpa_supplicant.

http://w1.fi/cgit/hostap/plain/wpa_supplicant/README

It will allow you to use an encrypted passphrase and use a hidden ssid.

# sudo wpa_passphrase ESSID PASSWORD

generates passphrase
EDIT: Took me a while to write...what he said.

regards
Greg

[nitram]

Thanks for the responses. I've been reading up on wpa_supplicant, read through the Juanito's sample script and tried to better understand the wifi.sh script. My script and programming abilities are almost nil, so a challenge. Spent some time working on it last night and hope to try again this weekend. Simple for you guys, not for me (says with a jealous grin).

So far i've just been able to make a network contact attempt, but no successful ping. To learn in baby steps, i plan to temporarily disable my router's wireless security and no-broadcast settings, establish a connection manually though wpa_supplicant and build on small successes.

Don't have my netbook available at the moment, but when wifi.sh connects wirelessly it's through eth1 (NOT wlan0)....and no DSL cable is plugged in/just wireless. Is this common for a TC wireless device? Just wondering, wifi connects and works great but that leads me to believe my wpa_supplicant commands/script should be based on eth1 ?

[Juanito]

Some hardware (for example, broadcom) uses eth1 rather than the more usual wlan0.

[nitram]

Juanito - you are a true forum Hero Member - broadcom - you guessed it.

Success! Couple wpa_supplicant related commands via eth1, a simplified config file and i was able to connect to a WPA2 secured but visible/not hidden network. Now just need to test for a hidden network and read up on disconnect commands.

TC is amazing - never forced to work at this level with a computer before. If i have further issues will post back. Thanks all for your help.

[Juanito]

Good 

The example wpa_supplicant config file above is for a wap that does not broadcast the ssid.

[nitram]

Got hidden wireless working via wpa_supplicant just the way i like. Tested for a few days to ensure all is good. Just posting my notes, which may help others since wicd.tcz is broken and wifi.tcz does not presently connect to hidden networks.

Here's a primer, which i discovered after the fact. Didn't read through in detail but it looks relevant:
http://askubuntu.com/questions/16584/how-to-connect-and-disconnect-to-a-network-manually-in-terminal

Here's what worked for my hidden WPA2 wireless on an HP Mini 110 netbook running TC-6:
- blacklist at boot via grub2 kernel line: blacklist=b43 blacklist=ssb
- OnBoot install wifi.tcz, which brings in wpa_supplicant
- OnBoot install wl-modules-3.16.6-tinycore.tcz, which also brings in wireless tools
- temporarily disable hidden feature from wireless router and reboot (SSID will no longer be hidden to world)
- via terminal run wpa_passphrase SSID PASSWORD (your router's SSID and connect password), which outputs a configuration
- copy/paste this configuration into a text file and name the file something like wpa_supplicant_hidden.conf
- needed to add a few lines to the config (see below)
- added wpa_supplicant command in /opt/bootlocal.sh to automagically connect to my router at boot
- reboot and test network
- if all good then re-enable hidden network in router, reboot and test again
- in terminal run iwconfig to confirm connection to correct SSID
- in terminal run ping -c5 google.com to test connection
- in my experience a cold boot (full poweroff) is best when re-testing router and networking
- if i want to use public wifi, then just comment out ( # ) the wpa_supplicant command in /opt/bootlocal.sh, reboot and use wifi.sh to connect

Here's my wpa_supplicant_hidden.conf file, which i placed in my home folder for convenience:

Code: [Select]

# reading passphrase from stdin

ctrl_interface=/var/run/wpa_supplicant
ctrl_interface_group=0
eapol_version=1
ap_scan=2
fast_reauth=1

network={
ssid="nitramROUTER"
psk="F8R51Z8018915"
#psk=e2932f206453fe8f44275b8ca6d91b48be0c59fa982627c008080e79f61e851c
        scan_ssid=1
key_mgmt=WPA-PSK
#proto=WPA2
#pairwise=CCMP
#group=CCMP
#priority=5
}

Here's my /opt/bootlocal.sh file for autostart at boot, which is also set to autostart iptables firewall. Make sure the pathway to the configuration file is accurate.

Code: [Select]

#!/bin/sh
# put other system startup commands here
/usr/local/sbin/basic-firewall noprompt &
wpa_supplicant -Dwext -i eth1 -c/home/tc/wpa_supplicant_hidden.conf

Thanks to all that helped out and pointed me in the right direction. Hopefully i didn't miss any steps.

marty