Passphrase shown in system log (hostapd, wifi)

I just need to know if this is correct behaviour for the log file:

within this entry of the system log
daemon.notice hostapd: Configuration file: data: driver=... etc

Further along the entry is the passphrase written in-the-clear
apsd_advertisement_enabled=1 utf8_ssid=1 multi_ap=0
wpa_passphrase=(my passphrase redacted)
wpa_psk_file=/var/run/hostapd-phy1-ap0

why is the logfile even getting this passphrase information?
Is there anything I can do to stop hostapd from logging that info?

I am using OpenWrt 23.05.0 r23497-6637af95aa

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

It appears you are using firmware that is not from the official OpenWrt project.

When using forks/offshoots/vendor-specific builds that are "based on OpenWrt", there may be many differences compared to the official versions (hosted by OpenWrt.org). Some of these customizations may fundamentally change the way that OpenWrt works. You might need help from people with specific/specialized knowledge about the firmware you are using, so it is possible that advice you get here may not be useful.

You may find that the best options are:

  1. Install an official version of OpenWrt, if your device is supported (see https://firmware-selector.openwrt.org).
  2. Ask for help from the maintainer(s) or user community of the specific firmware that you are using.
  3. Provide the source code for the firmware so that users on this forum can understand how your firmware works (OpenWrt forum users are volunteers, so somebody might look at the code if they have time and are interested in your issue).

If you believe that this specific issue is common to generic/official OpenWrt and/or the maintainers of your build have indicated as such, please feel free to clarify.

You are wrong!
I downloaded the firmware HERE!
I flashed the router with that firmware.
Prior to this version I was using v22 something or other

lleachii, thank you very much for replying so promptly. After running the commands you requested I found something that is a little strange.
I just want to investigate that a while.
strange ip addresses in the firewall config

Post the basics so we know where to start? ubus call system board
If it is OpenWrt you can always sysupgrade wiping old configuration and have a clean start.

root@Dillon:~# ubus call system board

{
	"kernel": "5.15.134",
	"hostname": "Dillon",
	"system": "MediaTek MT7621 ver:1 eco:3",
	"model": "TP-Link Archer C6 v3",
	"board_name": "tplink,archer-c6-v3",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "23.05.0",
		"revision": "r23497-6637af95aa",
		"target": "ramips/mt7621",
		"description": "OpenWrt 23.05.0 r23497-6637af95aa"
	}
}

root@Dillon:~# cat /etc/config/network


config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd92:REDACTED:/48'
	option packet_steering '1'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '172.16.4.1'
	option netmask '255.255.255.0'
	option ip6assign '60'
	list dns '9.9.9.9'

config interface 'wan'
	option device 'wan'
	option proto 'static'
	option ipaddr '192.168.15.254'
	option netmask '255.255.255.0'
	option gateway '192.168.15.1'

config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'
	option reqaddress 'none'
	option reqprefix 'auto'

root@Dillon:~# cat /etc/config/wireless


config wifi-device 'radio0'
	option type 'mac80211'
	option path '1e140000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0'
	option channel '1'
	option band '2g'
	option htmode 'HT20'
	option disabled '1'
	option cell_density '0'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option ssid 'DISABLED'
	option encryption 'none'
	option hidden '1'

config wifi-device 'radio1'
	option type 'mac80211'
	option path '1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0'
	option channel '36'
	option band '5g'
	option htmode 'VHT80'
	option cell_density '0'
	option country 'GB'
	option distance '10'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option network 'lan'
	option mode 'ap'
	option ssid 'SARTRE'
	option encryption 'psk2'
	option key 'PASSPHRASE REDACTED'
	option isolate '1'

Thanks for looking at this for me.
I will post firewall and DHCP info later I just have to do something for 30 minutes or so

Remove this line, it is to tune long range links more than 200m away.

Can you upgrade to 23.05.4 - I have not seen wpa passphrase in logs for quite some time.

OK thank you
That will probably fix it

If upgrade hides passphrase just say so and clap this out. Strange that was not in release logs.
Other files more to see that you get internet or to make proper config guidance for bigger change.

I will have to do this in about 6 hours as there's a couple of people working using that network - thank you so much for looking into the problem

No rush here, test when you feel less impact on your home.


Unfortunately the upgrade did not stop the behaviour, however, I am wondering whether it is even a problem. When I think about it who is going to see it, and I don't think anyone is waiting outside trying to hack my networks. It may simply be hostapd informing the log of its settings. It would worry me if it were a router in a business setting with tech-savvy employees, but it's just a home network

Just in case it is a problem I should worry about, these are the steps I took to upgrade.
Used a pin on the reset button at the back of the router
accessed the router and used the reset button inside Luci
got the correct upgrade
flashed the router with it.
Saw that the behaviour occurred again - reset router - reconfigured
wondered if it really was a problem

If anyone would like to see the config files, please let me know. Maybe it is a problem I can help solve


after all
@Widget is right

Configuration file: data: driver=nl80211 logger_syslog=127 logger_syslog_level=2 logger_stdout=127 logger_stdout_level=2 country_code=PA ieee80211d=1 ieee80211h=1 hw_mode=a beacon_int=100 chanlist=36 noscan=1 tx_queue_data2_burst=2.0 #num_global_macaddr=1 ieee80211n=1 ht_coex=0 ht_capab=[HT40+][LDPC][SHORT-GI-20][SHORT-GI-40][TX-STBC][RX-STBC1] ieee80211ac=1 vht_oper_chwidth=0 vht_oper_centr_freq_seg0_idx=38 vht_capab=[RXLDPC][SHORT-GI-80][TX-STBC-2BY1][RX-ANTENNA-PATTERN][TX-ANTENNA-PATTERN][RX-STBC-1][MAX-A-MPDU-LEN-EXP7] channel=36  interface=wlan5 bssid=0e:02:13:01:01:01 ctrl_interface=/var/run/hostapd ap_isolate=1 ap_max_inactivity=120 bss_load_update_period=60 chan_util_avg_period=600 disassoc_low_ack=0 skip_inactivity_poll=0 preamble=1 wmm_enabled=1 ignore_broadcast_ssid=0 uapsd_advertisement_enabled=1 utf8_ssid=1 multi_ap=0 wpa_passphrase=UnusedPass wpa_psk_file=/var/run/hostapd-wlan5.psk auth_algs=1 wpa=2 wpa_pairwise=CCMP ssid=TES-AP bridge=switch wds_bridge= snoop_ifa

"UnusedPass" as password is clearly visible

cat /etc/openwrt_release 
DISTRIB_ID='OpenWrt'
DISTRIB_RELEASE='23.05-SNAPSHOT'
DISTRIB_REVISION='r0+24028-cce5b49de4'
DISTRIB_TARGET='ramips/mt7621'
DISTRIB_ARCH='mipsel_24kc'
DISTRIB_DESCRIPTION='OpenWrt 23.05-SNAPSHOT r0+24028-cce5b49de4'

I solved it myself, actually.
The passphrase appears in the clear in at least one other place
The wireless config file.
For me, it isn't a problem. If anyone has access to the router through SSH they will find the passphrase, and they can get access through SSH, if they have access to Luci. The issue then, is no longer that it shows in the logs but that one must be careful who can access the router.
Thanks for indulging me on this one. You guys are stars! Thank you

issue is bigger than that ...
remote LOG for example


I think that hostapd still creates a log item with the full hostapd config items of the radio listed, including the passphrase.

BUT, with newer 802.11ax routers (new ath11k, mt76 etc.) the capabilities list like he_mu_edca_ac_be_aifsn=8 is so long that the passphrase doesn't fit into the first 1024 characters logged...

Instead, the log row's max size is reached and the passphrase gets left out:
(intentionally formatted to be narrow here)

Thu Sep  5 21:17:01 2024 daemon.notice hostapd: Con
figuration file: data: driver=nl80211 logger_syslog
=127 logger_syslog_level=2 logger_stdout=127 logger
_stdout_level=2 country_code=FI ieee80211d=1 hw_mod
e=g supported_rates=60 90 120 180 240 360 480 540 b
asic_rates=60 120 240 beacon_int=100 chanlist=6 #nu
m_global_macaddr=1 ieee80211n=1 ht_coex=0 ht_capab=
[HT40+][LDPC][SHORT-GI-20][SHORT-GI-40][TX-STBC][RX
-STBC1][MAX-AMSDU-7935] ieee80211ax=1 he_su_beamfor
mer=1 he_su_beamformee=1 he_mu_beamformer=1 he_bss_
color=128 he_spr_sr_control=3 he_default_pe_duratio
n=4 he_rts_threshold=1023 he_mu_edca_qos_info_param
_count=0 he_mu_edca_qos_info_q_ack=0 he_mu_edca_qos
_info_queue_request=0 he_mu_edca_qos_info_txop_requ
est=0 he_mu_edca_ac_be_aifsn=8 he_mu_edca_ac_be_aci
=0 he_mu_edca_ac_be_ecwmin=9 he_mu_edca_ac_be_ecwma
x=10 he_mu_edca_ac_be_timer=255 he_mu_edca_ac_bk_ai
fsn=15 he_mu_edca_ac_bk_aci=1 he_mu_edca_ac_bk_ecwm
in=9 he_mu_edca_ac_bk_ecwmax=10 he_mu_edca_ac_bk_ti
mer=255 he_mu_edca_ac_vi_ecwmin=5 he_mu_edca_ac_vi_
ecwmax=7 he_mu_edca_ac

However, with older routers like ath10k R7800 the passphrase might be visible.
This is from my R7800 main/master from Nov 2023:

Sat Nov 11 21:38:15 2023 daemon.notice hostapd: Configuration file:
data: driver=nl80211 logger_syslog=127 logger_syslog_level=2
logger_stdout=127 logger_stdout_level=2 country_code=FI
ieee80211d=1 hw_mode=g supported_rates=60 90 120 180 240 360 480 540
basic_rates=60 120 240 beacon_int=100 chanlist=3 
num_global_macaddr=1 ieee80211n=1 ht_coex=0 
ht_capab=[LDPC][SHORT-GI-20][SHORT-GI-40][TX-STBC][RX-STBC1][MAX-AMSDU-7935][DSSS_CCK-40] channel=3  interface=hn2wlan
bssid=dc:ef:09:ef:f3:e7 ctrl_interface=/var/run/hostapd ap_isolate=1
bss_load_update_period=60 chan_util_avg_period=600
disassoc_low_ack=0 skip_inactivity_poll=1 preamble=1 wmm_enabled=1
ignore_broadcast_ssid=0 uapsd_advertisement_enabled=1 utf8_ssid=1
multi_ap=0 wpa_group_rekey=13600 wpa_passphrase=XXXXXX
wpa_psk_file=/var/run/hostapd-hn2wlan.psk auth_algs=1 ...

(I don't have my R7800 on right now, so I can't test if it still is in the current main/master but likely so.)

Curiously, I do not see that in an old R7800 bootlog from 2021. There is just the configuration file name logged, but no content.

Sat Oct 30 11:24:34 2021 daemon.notice hostapd: Configuration file: /var/run/hostapd-phy1.conf (phy wlan1) --> new PHY

This logging is probably a newish feature in hostapd that has surfaced in 2021-2023. Or it might have been introduced by OpenWrt. I haven't checked, yet.

EDIT:
The level of details may also be related to the optional /etc/config/wireless debug parameters like option log_level '1'

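As an added example (not part of the thread, and not OpenWrt or hostapd code): a small Python script for the host that receives the router's syslog, which is the "remote LOG" case raised earlier in the thread. It finds hostapd and UCI passphrase values in log records and redacts them before they are stored, and it reproduces the truncation effect described in the post above, where a record cut at the syslog line limit loses the passphrase only when enough parameters precede it. The sample log lines, the `he_mu_edca_ac_paramN` names used as padding and the 1024-character limit are constructed or assumed for the example.

```python
"""Scan syslog text for hostapd passphrases and redact them before storage.

Added example, not code from the forum thread, OpenWrt or hostapd. Intended
for the machine that receives the router's remote syslog, so that a
wpa_passphrase value never reaches disk in the clear.
"""
import re

# Known hostapd / OpenWrt UCI keys whose value is a secret.
SECRET_PATTERNS = [
    re.compile(r"(wpa_passphrase=)(\S+)"),      # hostapd config dump in syslog
    re.compile(r"(wpa_psk=)([0-9a-fA-F]+)"),    # raw 256-bit PSK in hex
    re.compile(r"(option key ')([^']*)"),       # /etc/config/wireless
]

# The thread observes that one hostapd "Configuration file:" syslog record is
# cut off at roughly 1024 characters. The exact limit is an assumption here,
# used only to simulate what the log receiver actually sees.
SYSLOG_RECORD_LIMIT = 1024


def find_secrets(lines):
    """Return (line_index, key, value) for every secret value found in lines."""
    hits = []
    for i, line in enumerate(lines):
        for pat in SECRET_PATTERNS:
            for m in pat.finditer(line):
                hits.append((i, m.group(1).rstrip("=' "), m.group(2)))
    return hits


def redact(line):
    """Replace every secret value in a log line with a fixed marker."""
    for pat in SECRET_PATTERNS:
        line = pat.sub(lambda m: m.group(1) + "<redacted>", line)
    return line


def truncate_record(line, limit=SYSLOG_RECORD_LIMIT):
    """Simulate the syslog line-length cut-off the thread describes."""
    return line[:limit]


def build_samples():
    """Constructed sample records (not real router output)."""
    head = ("Sat Nov 11 21:38:15 2023 daemon.notice hostapd: Configuration file: data: "
            "driver=nl80211 logger_syslog=127 hw_mode=g channel=3 interface=wlan0 ")
    tail = "wpa_passphrase=ExamplePass wpa_psk_file=/var/run/hostapd-wlan0.psk auth_algs=1 wpa=2"
    short = head + tail
    # 802.11ax radios emit many he_* parameters before wpa_passphrase; pad
    # with constructed names until the passphrase lies past the record limit.
    he_params = " ".join(f"he_mu_edca_ac_param{i}=0" for i in range(60))
    long_rec = head + he_params + " " + tail
    return {
        "short": short,
        "long": long_rec,
        "long_truncated": truncate_record(long_rec),
    }


if __name__ == "__main__":
    for name, rec in build_samples().items():
        keys = [k for _, k, _ in find_secrets([rec])]
        print(f"{name}: {len(rec)} chars, secret keys present: {keys}")
        print("  stored as:", redact(rec)[-90:])
```

Run it on the receiver side of the syslog pipeline (for instance as a filter before lines are written out); the point of the truncated sample is that the absence of the passphrase on 802.11ax hardware is an accident of record length, not a guarantee, so the redaction should be applied regardless of radio type.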

Very true
and now you mention it I will be interested to know any solutions or workarounds

Is there any way to elevate this to some kind of bug fix request?

If I set that to log level 3 would that solve it? I will try that actually and will go through all the config files to see what debug level the logs are set at
I think that may be the answer, it's because logging may be set to debug.
Strangely, I noticed that myself when I set the log output level to "warning" and above. When I rebooted the router it returned to log level "Debug"
I will do some tests later

You can try

sed -i 's/set_default log_level 2/set_default log_level 3/g' /lib/netifd/hostapd.sh