Wpa supplicant: Difference between revisions

(5 intermediate revisions by 4 users not shown)

Line 1:

[https://w1.fi/wpa_supplicant/ wpa_supplicant] is a WPA Supplicant for Linux, BSD, Mac OS X, and Windows with support for WPA, WPA2 (IEEE 802.11i / RSN), and WPA3. It sets up connections to wireless networks.

== General ==

Line 44:

Line 46:

</syntaxHighlight>

To avoid having your network password in accessible plaintext on your system or in your version control consider using [https://search.nixos.org/options?show=networking.wireless.~~environmentFile~~&from=0&size=50&sort=relevance&type=packages&query=networking.wireless networking.wireless.~~environmentFile~~].

To avoid having your network password in accessible plaintext on your system or in your version control consider using [https://search.nixos.org/options?channel=25.05&show=networking.wireless.secretsFile&from=0&size=50&sort=relevance&type=packages&query=networking.wireless networking.wireless.secretsFile].

Another example of simple wpa2 auth:

Line 110:

Line 112:

Where you need to change the <code>wlan0</code> with your own wifi network interface. You can list your interfaces by running <code>ip link</code>, your wifi network interface should have "wl" prepended. Note that the above snippet fully randomizes your MAC address, for more information you can read macchanger's manpage. This obviously requires you to have the <code>macchanger</code> package installed.

== ~~Eduroam~~ ==

== [[eduroam]] ==

Nowadays, using EAP-PWD is preferred over MSCHAPv2 when connecting to [[eduroam]] or other institutional networks. It provides stronger [https://www.rfc-editor.org/rfc/rfc5931#page-35 security claims] and is simpler to set up. It also never transmits your password, doesn't require certificates and needs less authentication roundtrips. The identity and password should be given to you by your institution.<syntaxHighlight lang=nixos>

Nowadays, using EAP-PWD is preferred over MSCHAPv2 when connecting to eduroam or other institutional networks. It provides stronger [https://www.rfc-editor.org/rfc/rfc5931#page-35 security claims] and is simpler to set up. It also never transmits your password, doesn't require certificates and needs less authentication roundtrips. The identity and password should be given to you by your institution.

networking.wireless.networks.eduroam = {

auth = ''

Line 124:

Line 123:

};

</syntaxHighlight>

=== Restrictions on Certificate Location ===

For certificate-based setups, due to security hardening for wpa_supplicant in NixOS 26.05 and later users of wpa_supplicant face restrictions on where eduroam certificates can be stored<ref>https://discourse.nixos.org/t/breaking-changes-announcement-for-unstable/17574/116</ref>. Certificates should be placed in either <code>/etc/ssl/certs</code> or <code>/etc/wpa_supplicant</code> and should be owned by (or accessible to) the wpa_supplicant user.

== WEP support ==

Line 159:

Line 161:

== External links ==

* [https://www.stura.htw-dresden.de/stura/ref/hopo/dk/nachrichten/eduroam-meets-nixos (german) article ''eduroam meets NixOS'' (with configuration)] (instance ''University of Applied Sciences Dresden'': The [https://cat.eduroam.org/?idp=5106&profile=5098 eduroam installer for GNU/Linux] works [https://www.htw-dresden.de/en/university/organisation/zid/service-overview-and-instructions/wi-fi-/-wlan/eduroam/linux for example for Ubuntu] but not [[NixOS]])

* [https://github.com/NixOS/nixpkgs/issues/177501 NixOs: Can't connect to a WEP network: failure to add network: invalid message format]

[[Category:Software]]

[[Category:Networking]]

@@ Line 1: / Line 1: @@
 {{DISPLAYTITLE:wpa_supplicant}}
+[https://w1.fi/wpa_supplicant/ wpa_supplicant] is a WPA Supplicant for Linux, BSD, Mac OS X, and Windows with support for WPA, WPA2 (IEEE 802.11i / RSN), and WPA3. It sets up connections to wireless networks.
 == General ==
@@ Line 44: / Line 46: @@
 </syntaxHighlight>
-To avoid having your network password in accessible plaintext on your system or in your version control consider using [https://search.nixos.org/options?show=networking.wireless.environmentFile&from=0&size=50&sort=relevance&type=packages&query=networking.wireless networking.wireless.environmentFile].
+To avoid having your network password in accessible plaintext on your system or in your version control consider using [https://search.nixos.org/options?channel=25.05&show=networking.wireless.secretsFile&from=0&size=50&sort=relevance&type=packages&query=networking.wireless networking.wireless.secretsFile].
 Another example of simple wpa2 auth:
@@ Line 110: / Line 112: @@
 Where you need to change the <code>wlan0</code> with your own wifi network interface. You can list your interfaces by running <code>ip link</code>, your wifi network interface should have "wl" prepended. Note that the above snippet fully randomizes your MAC address, for more information you can read macchanger's manpage. This obviously requires you to have the <code>macchanger</code> package installed.
-== Eduroam ==
+== [[eduroam]] ==
+Nowadays, using EAP-PWD is preferred over MSCHAPv2 when connecting to [[eduroam]] or other institutional networks. It provides stronger [https://www.rfc-editor.org/rfc/rfc5931#page-35 security claims] and is simpler to set up. It also never transmits your password, doesn't require certificates and needs less authentication roundtrips. The identity and password should be given to you by your institution.<syntaxHighlight lang=nixos>
-Nowadays, using EAP-PWD is preferred over MSCHAPv2 when connecting to eduroam or other institutional networks. It provides stronger [https://www.rfc-editor.org/rfc/rfc5931#page-35 security claims] and is simpler to set up. It also never transmits your password, doesn't require certificates and needs less authentication roundtrips. The identity and password should be given to you by your institution.
-<syntaxHighlight lang=nixos>
   networking.wireless.networks.eduroam = {
     auth = ''
@@ Line 124: / Line 123: @@
   };
 </syntaxHighlight>
+=== Restrictions on Certificate Location ===
+For certificate-based setups, due to security hardening for wpa_supplicant in NixOS 26.05 and later users of wpa_supplicant face restrictions on where eduroam certificates can be stored<ref>https://discourse.nixos.org/t/breaking-changes-announcement-for-unstable/17574/116</ref>. Certificates should be placed in either <code>/etc/ssl/certs</code> or <code>/etc/wpa_supplicant</code> and should be owned by (or accessible to) the wpa_supplicant user.
 == WEP support ==
@@ Line 159: / Line 161: @@
 == External links ==
-* [https://www.stura.htw-dresden.de/stura/ref/hopo/dk/nachrichten/eduroam-meets-nixos (german) article ''eduroam meets NixOS'' (with configuration)] (instance ''University of Applied Sciences Dresden'': The [https://cat.eduroam.org/?idp=5106&profile=5098 eduroam installer for GNU/Linux] works [https://www.htw-dresden.de/en/university/organisation/zid/service-overview-and-instructions/wi-fi-/-wlan/eduroam/linux for example for Ubuntu] but not [[NixOS]])
 * [https://github.com/NixOS/nixpkgs/issues/177501 NixOs: Can't connect to a WEP network: failure to add network: invalid message format]
 [[Category:Software]]
 [[Category:Networking]]