Encrypting wifi passphrase

Hi all. Currently, and by default, the wireless passphrase is stored in plain text format in /etc/config/wireless. Is there any way to encrypt this passphrase? Something like in Linux, where it can be stored in the GNOME keyring. I haven't found many topics about it, so I assume that it is not possible, but it would be nice to know for sure. Also, what are the security issues of storing it in plain text?

At least as I understand WPA2, you can't "hash" it in the same way as you would a system password. You can use a more obscure format that is accepted by wpa_supplicant and hostapd (the PSK itself, I believe), but it isn't "secure".

Best practices are to make sure that the files are not readable by any other than "root".

The wpa_passphrase command can be used to convert the passphrase into the key, but I don't believe it is part of the standard OpenWRT distro.

$ wpa_passphrase "this is the ssid" "this is a passphrase"
network={
	ssid="this is the ssid"
	#psk="this is a passphrase"
	psk=03255b906a052708214a3a4fc94277027f7a4892d8ad258db316e54c49619347
}

To keep from saving it on disk somewhere, you'd have to rewrite how wpa_supplicant and hostapd get the PSK as well as some type of "secure" store for that data, that you'd have to unlock every time. If the OpenWRT process can gain access to the store, then it really isn't any more secure than storing the text in a properly protected "plain text" file.

2 Likes

No, not in standard OpenWrt software. Also, I agree with @jeff's theory: what you're storing is not the key anyway, it's an ASCII representation of it.

This is Linux, just no keyring.

  • None, as long as the malicious person cannot brute force the SSH or HTTP logins
  • You will have to enable a password for the serial port (ttylogin), especially if it can be accessed from outside of the case

Lastly:

  • Please be advised that anyone with access to the device offline and with unlimited time/resources could access the /etc/config/wireless file via failsafe mode and see the plaintext
  • Most routers I've encountered store the key in plaintext like this

1 Like

Keeping in mind that I consider any wireless client as potentially hostile, if you want somewhat stronger wireless security, "WPA2 enterprise" security with 802.1X authentication and a RADIUS server are the typical approaches that enterprises take. In my opinion, it isn't inherently more secure, but primarily provides the ability to have a passphrase per authorized user, allowing fine-grained control that isn't possible with WPA2's "one for all" passphrase approach.

Thanks for the very informative answers. Now I'm thinking a bit more about the security of the router; let's say I'm the only one supposed to log in to the router. Do you recommend creating an additional non-root user for this purpose, or will it not increase security? I know that OpenWRT supports more users than root, but I've read that router firmware is designed as a single-user machine. Any benefits of having a non-root account?

I use sudo and a non-root account, but I'm not sure it makes it much more secure. The biggest benefit to me is making sure that I don't do something stupid without typing sudo first.

Contrary to an outspoken member's statements to the contrary, OpenWRT is a multi-user system. However, the build system makes it challenging to have it set up as multi-user from flash. Some things, such as LuCI, seem to require "root" privilege. I'm more worried about a compromise of an exposed service than I am the password to "my" account itself. That's why I advocate not running anything but the basics on an OpenWRT instance that the user relies on as their primary firewall.

1 Like

@jeff, you have a very good point regarding typing sudo every time, but otherwise I was thinking about the benefits and I couldn't find many. As long as the user root is enabled, an attacker can brute-force it. Anyway, I'll consider another non-root user. Thanks!

This does, however, allow for a better security policy. In particular, it's easy to compromise security by giving out your wifi password to friends etc., and then their device is hacked and now you have a hostile device on your network; and if you want to change the password, you need to re-enter it into potentially 10 to 20 devices.

I've just this weekend finished setting up WPA2 Enterprise, using FreeRADIUS on my router (not running OpenWRT) and I created basically 3 accounts: "family" "extendedfamily" and "guest" each with a high complexity password (generated by Keepass2).

Now my plan is to use "family" for my own devices, kids, wife, people who live in the house every day and whose devices I have some control over, etc. "extendedfamily" is for things like grandparents, cousins, or very close friends who might come relatively frequently but whose devices I don't have much control over, particularly if they need something the guest network doesn't offer, like access to the printer or higher speeds to download large files.

The "guest" account I can give out to people like my kids' babysitter who wants to play Minecraft with my kids... (gotta be on the same LAN), because I can change that "guest" account immediately after they leave, or every few weeks, or whatever, and not affect my own devices or my extended family. If once or twice a year I change the extended family password... it still doesn't affect my personal devices.

For a home setup, I think this is enough compared to one password per user, but a shared PSK has become really not acceptable.

This works quite nicely. I generate these hashes in a web GUI with:

DK = PBKDF2(HMAC-SHA1, passphrase, ssid, 4096, 256)

and take the first 64 chars. So no password goes over the wire or is stored in cleartext online.
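The derivation jeff's wpa_passphrase output and the PBKDF2 line above describe, as an added example that is not code from this thread or from the OpenWrt project: it derives the 256-bit WPA2 PSK from passphrase and SSID and rewrites the `option key` lines of a constructed /etc/config/wireless so they hold the 64-hex-char PSK instead of the passphrase. It assumes, as jeff does, that hostapd treats a 64-hex key as the raw PSK; the sample values are the IEEE 802.11 test vector ("password" / "IEEE").

```python
# Added example, not from the OpenWrt forum thread or the OpenWrt project.
# The PSK is PBKDF2(HMAC-SHA1, passphrase, ssid, 4096 iterations, 256 bits),
# i.e. the same value wpa_passphrase prints. It is bound to the SSID, and it
# is password-equivalent: anyone who reads it can join the network, which is
# why the thread's real mitigation is a root-only-readable config file.
import hashlib
import re

HEX64 = re.compile(r"^[0-9a-fA-F]{64}$")

# Constructed sample of an OpenWrt /etc/config/wireless (UCI format).
SAMPLE_WIRELESS = """config wifi-device 'radio0'
\toption type 'mac80211'

config wifi-iface 'default_radio0'
\toption device 'radio0'
\toption mode 'ap'
\toption ssid 'IEEE'
\toption encryption 'psk2'
\toption key 'password'
"""


def wpa2_psk(passphrase: str, ssid: str) -> str:
    """Return the PSK as 64 hex chars, exactly as wpa_passphrase does."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA2 passphrases are 8 to 63 characters")
    dk = hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                             ssid.encode("utf-8"), 4096, dklen=32)
    return dk.hex()


def psk_ify_wireless_config(text: str) -> str:
    """Replace each wifi-iface passphrase with its derived PSK.

    Keys that are already 64 hex chars are left untouched (assumption: hostapd
    then uses them as wpa_psk). Sections other than wifi-iface are copied.
    """
    sections = re.split(r"(?m)^(?=config )", text)
    out = []
    for sec in sections:
        m_type = re.match(r"config\s+(\S+)", sec)
        m_ssid = re.search(r"(?m)^\s*option ssid ['\"](.*?)['\"][ \t]*$", sec)
        m_key = re.search(r"(?m)^(\s*option key )['\"](.*?)['\"]([ \t]*)$", sec)
        if (m_type and m_type.group(1) == "wifi-iface" and m_ssid and m_key
                and not HEX64.match(m_key.group(2))):
            psk = wpa2_psk(m_key.group(2), m_ssid.group(1))
            sec = (sec[:m_key.start()] + m_key.group(1) + "'" + psk + "'"
                   + m_key.group(3) + sec[m_key.end():])
        out.append(sec)
    return "".join(out)
```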