6

I am attempting to connect to a WPA2 network with a bash script. The usual approach is something along these lines:

wpa_passphrase SSID PASSWORD > CONFIG_FILE
wpa_supplicant -B -iwlan0 -cCONFIG_FILE -Dwext

However, I do not want the password to persist in a file. Is there a similar approach to configure a WPA2 network without using a configuration file (even if only temporary), similar to how open and WEP networks can be configured with a single command, iwconfig wlan0 essid SSID key s:PASSWORD?

Exudes
  • 63

1 Answer

4

Starting with the ideas already hinted at in my comment, I would like to offer an answer. The answer is tested to work in the specific case of using a combination of wpa_supplicant (version v2.6), wpa_passphrase, GNU bash (version 4.4.23), and Linux 4.18.

I expect the solution offered here, whose purpose is to avoid leaving a passphrase file behind, to be adoptable in a more general POSIX way; however, I have only tested it on the Arch Linux setup I had available for experimenting.

I have run

strace wpa_supplicant -i <WIFIINTERFACE> -c <(wpa_passphrase <SSID> <PASSPHRASE>) 2>&1 | less

with the actual parameters of my wifi network, and the connection got established. Also, browsing the strace, I find this:

execve("/usr/bin/wpa_supplicant", ["wpa_supplicant", "-i", "wlp0s29u1u2", "-c", "/dev/fd/63"], 0x7fffc7b0ad10 /* 39 vars */) = 0
[....]
openat(AT_FDCWD, "/dev/fd/63", O_RDONLY) = 3
fstat(3, {st_mode=S_IFIFO|0600, st_size=0, ...}) = 0
read(3, "network={\n\tssid=\"Oscarone\"\n\t#psk"..., 4096) = 116
read(3, "", 4096)                       = 0
close(3)                                = 0
socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE) = 3
bind(3, {sa_family=AF_NETLINK, nl_pid=0, nl_groups=0x000001}, 12) = 0
[....]

which shows how the process substitution (the command <(other command) construct) worked out. It can be seen that wpa_supplicant accessed the pipe at /dev/fd/63, read the configuration, and then closed it. Further, after closing fd 3, the file descriptor is reused directly for opening a socket.

I double-checked via ls -ialh /proc/<pid of wpa_supplicant>/3 and it reports: 571637 lrwx------ 1 root root 64 Aug 23 20:49 3 -> 'socket:[571092]', meaning that the only temporary accessibility of the passphrase (via the fifo at /dev/fd/53 opened as fd 3) has indeed been closed, and fd 3 is now the socket, as the strace correctly reported.

It also seems that this way of creating a "file-less" "less-file" command line for wpa_supplicant is discussed in the Arch Linux wiki ( https://wiki.archlinux.org/index.php/WPA%20supplicant )

I also want to point out the obvious. Since you input the password in the shell, make sure that it will not be recorded in the shell history; hence, do something akin to:

set +o history
wpa_supplicant -i INTERFACE -c <(wpa_passphrase SSID PASSPHRASE) &
set -o history

(as laid out here https://unix.stackexchange.com/a/10923/24394)

  • 1 Want to add that the process substitution method above only works as root; the process substitution will fail when using sudo.
  • – 111--- Nov 13 '18 at 22:21
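
The strace in the answer shows the `#psk` comment line, which holds the cleartext passphrase, travelling through the pipe, and the passphrase is also a command-line argument of `wpa_passphrase`. The following is an added example, not code from the answer: it takes the passphrase at a no-echo prompt, passes it to `wpa_passphrase` on stdin (which it reads when the argument is omitted), and strips the comment lines so only the derived key reaches the FIFO. The function names, `wlan0` and `MySSID` are hypothetical placeholders.

```sh
#!/bin/sh
# Added example (not from the original answer). Only functions are defined here.

# Drop every comment line; this removes the '#psk="<cleartext>"' line that
# wpa_passphrase writes next to the derived key. The hex psk that remains is
# still a credential for this SSID, but the human passphrase is not exposed.
strip_comments() {
    sed '/^[[:space:]]*#/d'
}

# Read the passphrase from the terminal with echo off and print it on stdout.
# Nothing is typed on a command line, so nothing lands in the shell history.
read_passphrase() {
    saved=$(stty -g </dev/tty) || return 1
    trap 'stty "$saved" </dev/tty; exit 130' INT TERM
    printf 'Passphrase: ' >/dev/tty
    stty -echo </dev/tty
    IFS= read -r secret </dev/tty
    stty "$saved" </dev/tty
    trap - INT TERM
    printf '\n' >/dev/tty
    printf '%s\n' "$secret"
}

# Usage: psk_config SSID   (passphrase on stdin, network block on stdout)
psk_config() {
    ssid=$1
    IFS= read -r pass || [ -n "$pass" ] || return 1
    # WPA2-PSK passphrases are 8..63 characters long.
    if [ "${#pass}" -lt 8 ] || [ "${#pass}" -gt 63 ]; then
        echo "psk_config: passphrase must be 8..63 characters" >&2
        return 1
    fi
    # printf is a shell builtin, so the passphrase never appears in any argv.
    conf=$(printf '%s\n' "$pass" | wpa_passphrase "$ssid") || return 1
    printf '%s\n' "$conf" | strip_comments
}

# Interactive use from bash, with the process substitution from the answer:
#   wpa_supplicant -B -i wlan0 -c <(read_passphrase | psk_config "MySSID")
```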