Hack 42. Secure Your Linux Network with WPA
Take advantage of a strong wireless authorization and encryption protocol in Linux.
Linux might best be described as a modular operating system. Since all of the underlying architecture, down to the last code byte, is freely available for anyone to read and modify, there are lots of little programs that provide useful functions, but which are not necessarily part of a Linux distribution.
Wi-Fi Protected Access (WPA) support is one good example. While wireless cards that support WPA have been available since 2003, not one of the major Linux distributions installs all the necessary pieces to support WPA-enabled wireless cards. Some distributions do at least include packages that can be installed, while others require you to compile your own. Lastly, WPA on Linux requires you to have some knowledge of how your wireless card and networking stack function in order for things to work properly.
What is WPA? The original version of WPA was devised by the Wi-Fi Alliance and was based on a draft version of the IEEE 802.11i protocol. WPA defined a subset of the draft 802.11i and was designed to be implemented on existing Wi-Fi hardware. WPA is an intermediate solution to improve the hopeless security quagmire of Wired Equivalent Privacy (WEP) while waiting for the full 802.11i standard to be ratified. WPA uses the Temporal Key Integrity Protocol (TKIP) to generate per-packet encryption keys, supports both external and pre-shared key authentication, and implements new key handshakes.
The IEEE working group approved the full 802.11i specifications in June 2004. The Wi-Fi Alliance has based their new WPA2 standard on the completed 802.11i. WPA2 supports more robust encryption algorithms to replace TKIP. At the time of this writing, access points, wireless cards, and drivers that support WPA2 are just becoming available.
If you have a wireless card and access point that supports WPA, you should run, not walk to your Linux notebook and follow this hack through. The bad old days of WEP cracking are far behind us.
3.4.1. Requirements
You'll need a Linux kernel in the 2.4.x or 2.6.x series with the Wireless Extensions v15 or newer. Practically any installation you've done on a notebook during the last two years will fit those requirements. In addition, you'll need a full development environment, including GCC, if you want to compile wpa_supplicant from source.
3.4.1.1. Drivers.
The key piece of software you need is a wireless driver that supports WPA/WPA2. The following drivers are known to work:
HostAP
Prism2/2.5/3 radio chipsets (http://hostap.epitest.fi)
Madwifi
Atheros 802.11a/b/g radio chipsets (http://madwifi.sourceforge.net)
Atmel
Atmel USB/PC Card chipsets (http://atmelwlandriver.sourceforge.net)
Driverloader
Windows NDIS drivers (http://www.linuxant.com/driverloader)
Ndiswrapper
Windows NDIS drivers (http://ndiswrapper.sourceforge.net)
IPW2100
Intel ipw2100 chipsets (http://ipw2100.sourceforge.net)
IPW2200
Intel ipw2200 chipsets (http://ipw2200.sourceforge.net)
Broadcom
wl.o embedded driver (http://www.linksys.com/support/gpl.asp)
While this book doesn't cover all of these drivers, see [Hack #63] for details on installing HostAP, Madwifi, and Agere drivers. [Hack #81] covers Driverloader and Ndiswrapper.
The final piece of software you will need is wpa_supplicant, available at http://hostap.epitest.fi/wpa_supplicant from Jouni Malinen, the author of the HostAP driver. Several Linux distributions have packages available, including Ubuntu, RedHat Enterprise, Fedora Core, Mandrake, and SuSE.
3.4.1.2. WPA types.
There are three main types of authentication supported within wpa_supplicant:
WPA-PSK
Also called "WPA-Personal" in many consumer models of access points, WPA-PSK relies on a pre-shared key (PSK) for authentication, similar to WEP.
WPA with EAP
Also called "WPA-Enterprise" in some access points, WPA with EAP uses 802.1x to authenticate users against an authentication server such as RADIUS. (See later in this chapter [Hack #44] for details on setting up your own WPA authentication server.)
WPA2
Implementations are still fuzzy at the time of this writing, but WPA2 is supposed to have support for both Personal and Enterprise types of authentication.
One other primary difference between WPA and WPA2 is important to note: the required encryption level. WPA allows the use of RC4 encryption with TKIP. WPA2 mandates AES encryption for all connections. Many older radio cards and access points will not be capable of the demanding computation required for AES encryption.
3.4.2. Installing wpa_supplicant
In order for the install to proceed, you will need to have installed one of the wireless drivers that are listed in the previous section. This hack covers the install of wpa_supplicant from an Ubuntu package and compiles wpa_supplicant from source on Fedora Core 3.
3.4.2.1. Ubuntu package.
To install wpa_supplicant on Ubuntu Linux, you'll need to configure apt. Edit /etc/apt/sources.list and uncomment the following lines:
deb http://us.archive.ubuntu.com/ubuntu hoary universe
deb-src http://us.archive.ubuntu.com/ubuntu hoary universe
deb http://security.ubuntu.com/ubuntu hoary-security universe
deb-src http://security.ubuntu.com/ubuntu hoary-security universe
The universe repository contains packages that are not developed or supported by the Ubuntu release crew. This is where you'll find the necessary package.
To update your apt index, issue the following command:
sudo apt-get update
Once apt has finished updating the indexes, go ahead and install the package:
sudo apt-get install wpasupplicant
After the package is installed, you're ready for configuration, as discussed later in the "Configuration" section of this hack.
3.4.2.2. Fedora Core 3 compile.
If you need support for EAP-TLS, EAP-TTLS, or EAP-PEAP, make sure that you have OpenSSL installed. Most distributions have openssl available as a package, or you can get the source from http://www.openssl.org.
You'll also need a working compiler. If you included the Development Tools during the initial Fedora Core installation, you should have all the necessary pieces.
Download the source code from http://hostap.epitest.fi/wpa_supplicant. Extract the compressed tar file, and change to the newly created directory:
tar xzvf wpa_supplicant-0.3.8.tar.gz
cd wpa_supplicant-0.3.8
The code doesn't use the standard ./configure script you might be used to in other open source code. Instead, you'll need to generate your own .config file based on the specific options you need. Fortunately, this is pretty straightforward. You need to include a line that specifies your wireless driver, and specify any EAP types that are required for your installation. WPA-PSK is supported by default, so no option is required.
Here is a .config file for an Atheros radio card that uses the Madwifi driver, and which needs only WPA-PSK authentication:
CONFIG_DRIVER_MADWIFI=y
CONFIG_WIRELESS_EXTENSION=y
If you don't know which EAP method you need, or if you want to use multiple wireless cards, you can easily specify all of the possible options:
CONFIG_DRIVER_HOSTAP=y
CONFIG_DRIVER_PRISM54=y
CONFIG_DRIVER_HERMES=y
CONFIG_DRIVER_MADWIFI=y
CONFIG_DRIVER_ATMEL=y
CONFIG_DRIVER_WEXT=y
CONFIG_DRIVER_NDISWRAPPER=y
CONFIG_DRIVER_BROADCOM=y
CONFIG_DRIVER_IPW=y
CONFIG_WIRELESS_EXTENSION=y
CONFIG_EAP_MD5=y
CONFIG_EAP_MSCHAPV2=y
CONFIG_EAP_TLS=y
CONFIG_EAP_PEAP=y
CONFIG_EAP_TTLS=y
CONFIG_EAP_GTC=y
CONFIG_EAP_OTP=y
CONFIG_EAP_SIM=y
CONFIG_EAP_AKA=y
CONFIG_EAP_PSK=y
CONFIG_EAP_PAX=y
CONFIG_EAP_LEAP=y
This will give you all of the possible driver and EAP combinations available.
Once you've created a .config file, compile the software with a simple make command. There is no make install, so once the compile finishes, you will need to copy the binaries to an appropriate directory; for example:
cp wpa_cli wpa_supplicant wpa_passphrase /usr/local/bin
3.4.3. Configuration
Once you've installed wpa_supplicant, you need to write a configuration file to use with network configuration specific to your connections. The author recommends using a path of /etc/wpa_supplicant.conf but the file can live anywhere you like, as long as it is readable by the system during boot.
If your network uses WPA-PSK, the included binary wpa_passphrase will be useful when you're making the necessary fields for a configuration file. Since the WPA-PSK passphrase is necessary to join your network, you must include it in the configuration file. wpa_passphrase allows you to generate a hash of the passphrase so that your clear text is not included in any readable file.
Simply call wpa_passphrase with your ESSID and passphrase:
wpa_passphrase MyNetwork testing123
The program will give you output that looks like this:
network={
	ssid="MyNetwork"
	#psk="testing123"
	psk=c170778beb697d9b97fd415845bf8117e2803dc3e1581e3de22d8539116b0fbd
}
Copy and paste this into your configuration file, or for an easy shortcut, call wpa_passphrase and redirect the output to a file:
wpa_passphrase MyNetwork testing123 > /etc/wpa_supplicant.conf
This file is all you'll need for a basic WPA-PSK connection. Once you've tested the connection and verified everything is working, remove the commented line with your clear-text passphrase from /etc/wpa_supplicant.conf.
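The psk= value that wpa_passphrase writes is not a hash of the passphrase alone: it is the 256-bit pre-shared key derived with PBKDF2-HMAC-SHA1, using the ESSID as the salt, 4096 iterations and 32 bytes of output. The following Python script is an added example, not part of the hack or of the wpa_supplicant package: it derives that key the same way, emits a network={...} block in the shape wpa_passphrase prints, and audits a configuration file for the two things this section asks you to get right, a leftover clear-text #psk="..." line and a psk= line that is not a 64-hex-digit key, plus file permissions that would let other local users read it. The sample configuration text is constructed here; the test vector (SSID "IEEE", passphrase "password") is the one published in the IEEE 802.11i annex.

```python
import hashlib
import os
import re
import stat
import tempfile

# Constructed sample of what "wpa_passphrase MyNetwork testing123 > /etc/wpa_supplicant.conf"
# leaves on disk (the psk value is the one shown in the hack); it is not read from a real file.
SAMPLE_CONF = """\
ctrl_interface=/var/run/wpa_supplicant
network={
\tssid="MyNetwork"
\t#psk="testing123"
\tpsk=c170778beb697d9b97fd415845bf8117e2803dc3e1581e3de22d8539116b0fbd
}
"""

CLEAR_TEXT_MSG = "clear-text passphrase present; remove this line once the connection works"
BAD_PSK_MSG = "psk= is not a 64-hex-digit key"
PERMS_MSG = "config file is group/world accessible; chmod 600 it"

HEX_PSK = re.compile(r'^\s*psk=([0-9a-fA-F]{64})\s*$')
CLEAR_PSK = re.compile(r'^\s*#?\s*psk="')  # psk="..." with or without the leading #


def wpa_psk(ssid: str, passphrase: str) -> str:
    """Derive the WPA-PSK exactly as wpa_passphrase does:
    PBKDF2 with HMAC-SHA1, SSID as salt, 4096 iterations, 32-byte key, hex encoded."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8..63 ASCII characters")
    if not 0 < len(ssid.encode()) <= 32:
        raise ValueError("SSID must be 1..32 bytes")
    key = hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), ssid.encode(), 4096, 32)
    return key.hex()


def network_block(ssid: str, passphrase: str) -> str:
    """Emit a network={...} block in the same shape as wpa_passphrase output."""
    return "\n".join([
        "network={",
        f'\tssid="{ssid}"',
        f'\t#psk="{passphrase}"',
        f"\tpsk={wpa_psk(ssid, passphrase)}",
        "}",
    ])


def audit_config_text(text: str) -> list:
    """Return (line number, message) pairs for clear-text or malformed psk lines."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if CLEAR_PSK.match(line):
            findings.append((lineno, CLEAR_TEXT_MSG))
        elif line.strip().startswith("psk=") and not HEX_PSK.match(line):
            findings.append((lineno, BAD_PSK_MSG))
    return findings


def audit_config_file(path: str) -> list:
    """Audit the file contents and its mode; line 0 marks a whole-file finding."""
    with open(path) as fh:
        findings = audit_config_text(fh.read())
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append((0, PERMS_MSG))
    return findings


if __name__ == "__main__":
    print(network_block("MyNetwork", "testing123"))
    # Write the constructed sample to a temp file with loose permissions to show both checks.
    with tempfile.NamedTemporaryFile("w", delete=False, suffix=".conf") as tmp:
        tmp.write(SAMPLE_CONF)
    os.chmod(tmp.name, 0o644)
    for lineno, msg in audit_config_file(tmp.name):
        print(f"line {lineno}: {msg}")
    os.unlink(tmp.name)
```

Run it once after generating your configuration and again after you remove the commented passphrase line; the audit should report nothing on the second run. The derivation is the same computation wpa_passphrase performs, so the key it prints for MyNetwork/testing123 can be compared directly against the psk= line above.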
A more elaborate configuration file, with connections for a home WPA-PSK network and EAP-TLS for a work connection, might look like this:
#my home network
network={
	ssid="MyNetwork"
	key_mgmt=WPA-PSK
	psk=c170778beb697d9b97fd415845bf8117e2803dc3e1581e3de22d8539116b0fbd
}

#my work network
network={
	ssid="MyWork"
	scan_ssid=1
	key_mgmt=WPA-EAP
	pairwise=CCMP TKIP
	group=CCMP TKIP
	eap=TLS
	identity="joe@WORK.com"
	ca_cert="/etc/cert/ca.pem"
	client_cert="/etc/cert/user.pem"
	private_key="/etc/cert/user.prv"
	private_key_passwd="password"
}
For more example configurations, consult the README file that comes with the source code. The most up-to-date README can also be found online through a web-based CVS checkout at http://hostap.epitest.fi/cgi-bin/viewcvs.cgi/*checkout*/hostap/wpa_supplicant/README?rev=HEAD&content-type=text/plain.
3.4.4. Testing and Usage
To test the configuration, make sure your radio card is active and set to the correct ESSID. Then, call wpa_supplicant with the radio card interface, the location of the configuration file, and the debug option:
wpa_supplicant -iath0 -c/etc/wpa_supplicant.conf -d
You will see quite a bit of debug output, more than we can reproduce here. You can verify a successful connection by using iwconfig to ensure that you can see the MAC address of your access point and then executing a ping to see if you have TCP/IP connectivity.
Once you've established a successful WPA session, you can call wpa_supplicant without debugging and place it in background (daemon) mode:
wpa_supplicant -iath0 -c/etc/wpa_supplicant.conf -B
These examples assume you have specified a single driver to be included in the compiled wpa_supplicant. If your .config file specifies multiple drivers during the compile, you must call wpa_supplicant with the appropriate driver; for example:
wpa_supplicant -iath0 -c/etc/wpa_supplicant.conf -B -Dmadwifi
Here's a list of driver names you can specify:
hostap = HostAP driver (Prism2/2.5/3; also used with Linuxant DriverLoader)
prism54 = Prism54.org driver (Intersil Prism GT/Duette/Indigo)
hermes = Agere Systems Inc. driver (Hermes-I/Hermes-II)
madwifi = MADWIFI 802.11 support (Atheros, etc.)
atmel = ATMEL AT76C5XXx (USB, PCMCIA)
wext = Linux wireless extensions (generic)
ndiswrapper = Linux ndiswrapper
broadcom = Broadcom wl.o driver
ipw = Intel ipw2100/2200 driver
wired = wpa_supplicant wired Ethernet driver
You'll probably want to call wpa_supplicant during the boot process, so that you don't have to call it manually each time you log in. Of course, the way to do this will vary based on your Linux distribution and your wireless card.
With a MiniPCI wireless card in Ubuntu Linux, the easiest boot setup is to modify the /etc/network/interfaces file by adding these lines:
up wpa_supplicant -iath0 -c/etc/wpa_supplicant.conf -wB
down killall wpa_supplicant
The -w command-line option is used when calling wpa_supplicant at startup. It forces WPA negotiation to wait if the wireless interface is not started yet.
On a Fedora Core system with a MiniPCI card, you'll need to modify two files. First, add this code to the /etc/sysconfig/network-scripts/ifup-wireless file:
wpa_supplicant -iath0 -c/etc/wpa_supplicant.conf -Bw
Then, add the following line to /etc/sysconfig/network-scripts/ifup-wireless:
killall wpa_supplicant
If that file doesn't exist, create it and make sure it is executable:
echo "killall wpa_supplicant" > /etc/sysconfig/network-scripts/ifup-wireless
chmod +x /etc/sysconfig/network-scripts/ifup-wireless
Lastly, for any system in which you are using a PCMCIA wireless card, you can add the wpa_supplicant startup to the /etc/pcmcia scripts. Make the following three changes to your files.
- Any of your network schemes in /etc/pcmcia/wireless.opts should include the following:
MODE="Managed"
WPA="y"
- Add this code to the end of the start action handler in /etc/pcmcia/wireless:
if [ "$WPA" = "y" -a -x /usr/local/bin/wpa_supplicant ]; then
    /usr/local/bin/wpa_supplicant -Bw -c/etc/wpa_supplicant.conf -i$DEVICE
fi
- Finally, add this code to the end of the stop action handler in /etc/pcmcia/wireless:
if [ "$WPA" = "y" -a -x /usr/local/bin/wpa_supplicant ]; then
    killall wpa_supplicant
fi
With these changes, the PCMCIA card manager daemon will start wpa_supplicant when a card is plugged in. Since cardmgr loads at boot time, wpa_supplicant will then wait until the card is configured with a static IP or gets a DHCP address before negotiating keys with the access point.
3.4.5. Running wpa_cli
wpa_supplicant is fairly flexible, because you can configure the wpa_supplicant.conf file with multiple ESSIDs and authentication types, for any network you need. In its basic form, it does require that passwords be entered in the file, which can be a security risk.
wpa_cli is a client frontend program included with the wpa_supplicant package; it talks to a running wpa_supplicant and can query its status, change configuration, and request interactive user input.
To use wpa_cli as a non-root user in interactive mode, you need to configure wpa_supplicant by adding extra lines to the beginning of /etc/wpa_supplicant.conf. For this to work correctly, your user must be a member of the group listed:
ctrl_interface=/var/run/wpa_supplicant
ctrl_interface_group=someusergroup
You can run wpa_cli as a command-line or interactive utility. The same commands are available in each mode, but there are features available in the interactive mode that the command-line mode does not share. Enter interactive mode by calling wpa_cli with no parameters.
One useful feature of interactive mode is the ability of wpa_cli to relay requests for authentication from wpa_supplicant. For example, if /etc/wpa_supplicant.conf has a listed username and certificate locations for EAP-TLS, but no password entry, wpa_supplicant will pass an authentication request to wpa_cli. The user, running wpa_cli in interactive mode, can respond like this:
CTRL-REQ-PASSWORD-1:Password needed for SSID MyWork
> password 1 myworkpassword
wpa_cli will give you a lot of information about your WPA connections. You can force reassociation, change your identity, list available WPA networks, and a lot more. Here's a full list of available commands:
status = get current WPA/EAPOL/EAP status
mib = get MIB variables (dot1x, dot11)
help = show this usage help
interface [ifname] = show interfaces/select interface
level = change debug level
license = show full wpa_cli license
logoff = IEEE 802.1X EAPOL state machine logoff
logon = IEEE 802.1X EAPOL state machine logon
set = set variables (shows list of variables when run without arguments)
pmksa = show PMKSA cache
reassociate = force reassociation
reconfigure = force wpa_supplicant to re-read its configuration file
preauthenticate = force preauthentication
identity = configure identity for an SSID
password = configure password for an SSID
pin = configure pin for an SSID
otp = configure one-time-password for an SSID
bssid = set preferred BSSID for an SSID
list_networks = list configured networks
terminate = terminate wpa_supplicant
quit = exit wpa_cli
WPA is a vastly improved method of securing your wireless networks. It is widely available in just about any consumer or enterprise-grade Wi-Fi equipment, so there is no reason to keep exposing your personal or company data to possible intrusion. If you have wireless networks that are still using WEP, you don't really have any protection at all.