Wpa supplicant: Difference between revisions

(3 intermediate revisions by 2 users not shown)

Line 12:

To be able to use <code>wpa_gui</code> or <code>wpa_cli</code> as user put the following in your <code>configuration.nix</code> file:

<~~syntaxHighlight~~ lang=nix>

networking.wireless.userControlled~~.enable~~ = true;

networking.wireless.userControlled = true;

</~~syntaxHighlight~~>

</syntaxhighlight>

Also your user must be part of the <code>~~wheel~~</code> group (replace USER with your username):

Also your user must be part of the <code>wpa_supplicant</code> group (replace USER with your username):

Line 55:

enable = true; # Enables wireless support via wpa_supplicant.

networks."MYSSID".psk = "myPresharedKey";

~~extraConfig = "ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=wheel";~~

~~# output ends up in /run/wpa_supplicant/wpa_supplicant.conf~~

};

</syntaxhighlight>

Line 113:

Line 111:

== [[eduroam]] ==

Nowadays, using EAP-PWD is preferred over MSCHAPv2 when connecting to [[eduroam]] or other institutional networks. It provides stronger [https://www.rfc-editor.org/rfc/rfc5931#page-35 security claims] and is simpler to set up. It also never transmits your password, doesn't require certificates and needs less authentication roundtrips. The identity and password should be given to you by your institution.<syntaxHighlight lang=nixos>

Nowadays, using EAP-PWD is preferred over MSCHAPv2 when connecting to [[eduroam]] or other institutional networks. It provides stronger [https://www.rfc-editor.org/rfc/rfc5931#page-35 security claims] and is simpler to set up. It also never transmits your password, doesn't require certificates and needs less authentication roundtrips. The identity and password should be given to you by your institution.

networking.wireless.networks.eduroam = {

auth = ''

Line 126:

Line 121:

};

</syntaxHighlight>

=== Restrictions on Certificate Location ===

For certificate-based setups, due to security hardening for wpa_supplicant in NixOS 26.05 and later users of wpa_supplicant face restrictions on where eduroam certificates can be stored<ref>https://discourse.nixos.org/t/breaking-changes-announcement-for-unstable/17574/116</ref>. Certificates should be placed in either <code>/etc/ssl/certs</code> or <code>/etc/wpa_supplicant</code> and should be owned by (or accessible to) the wpa_supplicant user.

Some eduroam configuration scripts may hardcode paths in its relevant <code>/etc/NetworkManager/system-connections/<connection>.nmconnection</code>. In this case, editing the <code>ca-cert</code>, <code>client-cert</code>, and <code>private-key</code> to point at their new location should suffice.

== WEP support ==

@@ Line 12: / Line 12: @@
 To be able to use <code>wpa_gui</code> or <code>wpa_cli</code> as user put the following in your <code>configuration.nix</code> file:
-<syntaxHighlight lang=nix>
+<syntaxhighlight lang="nix">
-networking.wireless.userControlled.enable = true;
+networking.wireless.userControlled = true;
-</syntaxHighlight>
+</syntaxhighlight>
-Also your user must be part of the <code>wheel</code> group (replace USER with your username):
+Also your user must be part of the <code>wpa_supplicant</code> group (replace USER with your username):
 <syntaxHighlight lang=nix>
@@ Line 55: / Line 55: @@
      enable = true;  # Enables wireless support via wpa_supplicant.
      networks."MYSSID".psk = "myPresharedKey";
-    extraConfig = "ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=wheel";
-    # output ends up in /run/wpa_supplicant/wpa_supplicant.conf
    };
 </syntaxhighlight>
@@ Line 113: / Line 111: @@
 == [[eduroam]] ==
+Nowadays, using EAP-PWD is preferred over MSCHAPv2 when connecting to [[eduroam]] or other institutional networks. It provides stronger [https://www.rfc-editor.org/rfc/rfc5931#page-35 security claims] and is simpler to set up. It also never transmits your password, doesn't require certificates and needs less authentication roundtrips. The identity and password should be given to you by your institution.<syntaxHighlight lang=nixos>
-Nowadays, using EAP-PWD is preferred over MSCHAPv2 when connecting to [[eduroam]] or other institutional networks. It provides stronger [https://www.rfc-editor.org/rfc/rfc5931#page-35 security claims] and is simpler to set up. It also never transmits your password, doesn't require certificates and needs less authentication roundtrips. The identity and password should be given to you by your institution.
-<syntaxHighlight lang=nixos>
   networking.wireless.networks.eduroam = {
     auth = ''
@@ Line 126: / Line 121: @@
   };
 </syntaxHighlight>
+=== Restrictions on Certificate Location ===
+For certificate-based setups, due to security hardening for wpa_supplicant in NixOS 26.05 and later users of wpa_supplicant face restrictions on where eduroam certificates can be stored<ref>https://discourse.nixos.org/t/breaking-changes-announcement-for-unstable/17574/116</ref>. Certificates should be placed in either <code>/etc/ssl/certs</code> or <code>/etc/wpa_supplicant</code> and should be owned by (or accessible to) the wpa_supplicant user.
+Some eduroam configuration scripts may hardcode paths in its relevant <code>/etc/NetworkManager/system-connections/<connection>.nmconnection</code>. In this case, editing the <code>ca-cert</code>, <code>client-cert</code>, and <code>private-key</code> to point at their new location should suffice.
 == WEP support ==