encrypted WiFi PSK/multiple SSID configuration

[ghoeher]

Hi,

I've two feature requests as I did not find any solution for this in moOde till now - maybe, I simply blind ;-).

First one - I just found that the WiFi Pre Shared Key is saved unencrypted in the WPA_Supplicant.conf - I would highly appreciate, if it can be saved encrypted.

Second one - it would be nice, if you can configure several SSID configurations in moOde, so that in case one WiFi is not available it will switch to another one if there is an additional one configured. If none of the WiFis is found, fall back to the "access point" mode.
Currently, I have to reconfigure WiFi every time if I switch between different SSIDs.

Kind regards
Georg

[Tim Curtis]

Hi,

The first item I can address in upcoming moOde 6 release. There is a util named wpa_passphrase that can be used to convert the plaintext password into an encrypted passphrase.

The second item has been on my TODO list for a long time and it never seems to get priority. It partly because it involves quite a number of changes to be made to the Network Config process which currently is designed to only store a single SSID.

-Tim

[Tim Curtis]

Just a brief update :-)

The wpa_passphrase utility generates a WPA Pre-shared Key (PSK) from the SSID + plaintext password. This is then used to authenticate to the WiFi SSID or to AP mode. The PSK is still visible in wpa_supplicant.conf and hostapd.conf but its difficult to crack.

moOde also maintains the plaintext WiFi and AP mode passwords in its SQL database to eliminate the need to reenter them when saving the Network Config screen. These passwords have been obscured in moOde 6 code base but not by using a crypto method. This is because the type of crypto that would be used for this is "symmetric encryption" which would require the crypto keys to be embedded in the source code and thus visible.

This vulnerability can be eliminated by not storing the obscured passwords in the SQL database but it would result in having to reenter the WiFi and Host AP mode passwords each time the Network Config screen was saved.

It's security vs convenience.

Feedback appreciated.

-Tim

[ghoeher]

Just a quick thought. Maybe it's stupid b*llsh*t  or to complicated to implement

Why don't you just save a hash value of the password in the database and compare against it.
Then, when loading the Network config page, just load the hash value to the psk field.
If it did not change when saving, don't change the psk in the wpa_supplicant.conf. If it changed, the new value is the new psk which should be written to the wpa_supplicant.conf and a new hash has to be created and saved to the database.

Then you don't have to save obscured passwords in the database any longer.

For the hostapd.conf, I don't care about the plaintext password. If this is hacked, you can connect to the moode-system but nothing else.

Maybe I'm a little bit paranoid , but the psk in the wpa_supplicant is the one of my WiFi where also other systems are located, so if this is hacked, access to my complete network is possible.

[TheOldPresbyope]

Seems like a good thought to me but only Tim can address the practicality issue.

The wpa_supplicant.conf file in a moOde installation has permissions 0600 which means it can be read and written only by root. This is normal practice for multi-user Linux systems since on them only administrators can run as root. 

The problem I see with moOde is several-fold. First, like all Raspbian systems, its sdcard can be removed and all its files read on another host by anyone with root privilege; second, in moOde, user "pi" is given all privileges through sudo so anyone who logs into moOde can read all files including wpa_supplicant.conf, not to mention do other nasty things. As well, even without root privilege anyone can read the sqlite3 database in moOde or with the sdcard mounted to another host. Encrypting the password makes sense.

If you haven't changed the default password for user "pi" then you are at huge risk if there's an open path to your player from the Internet. But then how many people change the default password on any Raspbian system? The evidence suggests many don't.

If I were a enterprise-network administrator, I'd be freaking out at the thought of all these SBC-based appliances (I am by no means singling out moOde here; I'd suspect everyone) being brought into work environments.

Regards,
Kent

[Tim Curtis]

Just a quick thought. Maybe it's stupid b*llsh*t  or to complicated to implement

Why don't you just save a hash value of the password in the database and compare against it.
Then, when loading the Network config page, just load the hash value to the psk field.
If it did not change when saving, don't change the psk in the wpa_supplicant.conf. If it changed, the new value is the new psk which should be written to the wpa_supplicant.conf and a new hash has to be created and saved to the database.

Then you don't have to save obscured passwords in the database any longer.

For the hostapd.conf, I don't care about the plaintext password. If this is hacked, you can connect to the moode-system but nothing else.

Maybe I'm a little bit paranoid , but the psk in the wpa_supplicant is the one of my WiFi where also other systems are located, so if this is hacked, access to my complete network is possible.

The hash scheme would prolly work. I'll look into that approach.

The main issue with having plaintext passwords lying around is that people will often use the same password for authenticating to multiple services.

[angus1071]

i solved the multiple SSID by creating several wpa_supplicant.conf, which copies/overwrites the one in /etc/wpa_supplicant/ folder by buttons on my lirc-remote control.