1

I notice WPA_GUI has saved my WiFi password to /etc/wpa_supplicant/wpa_supplicant.conf. The unit I'm trying to set up is a shared use system on enterprise WiFi that logs on with a user's account, so leaking the password between users is a very bad thing. There's no option in WPA_GUI to not save the password.

How can I set the system up to force each user to give their username/password to connect, and not have them stored? Note I would prefer to avoid using actual corresponding user accounts on the system.

Improve this question
8
  • @goldilocks I'm not nearly so worried about reading out memory, but one user being able to read all previous users' passwords is much more serious. With respect to your edits, just to be clear, are you saying I could have a seperate account with access to GPIO and wifi but no sudo? Then whoever had root (i.e. me) could still read the passwords if WPA_GUI wrote them to the file, and if it didn't, then presumably wpa_supplicant couldn't connect Commented Nov 13, 2015 at 13:23
  • Even if there's only one physical user at a time, it would not be impossible for someone to leave something on the system to grab passwords later. Of course, most people are probably savvy enough to recognize that this kind of setup is not all that secure -- just beware if it is very important, you need to do some hard thinking about it. Commented Nov 13, 2015 at 13:27
  • @goldilocks there are many ways to grab passwords with root access, some of which aren't fundamentally different from ones I played with in the DOS days. There's a big gap between those and reading a file which is stored anyway, not least in responsibility. I don't have to prevent people installing/writing malware, As the default behaviour approximates keylogging I do have to avoid that./ Commented Nov 13, 2015 at 13:34
  • I'm not talking about root access. I'm presuming this user doesn't have root access, and my point about using the same account for everyone is it makes it drop dead easy for anyone to do anything they want to anyone else using the same account. They would barely even have to be able to shell script. You could keylog with 2 lines of .sh under X. If it's not that important, who cares, but you were warned. Commented Nov 13, 2015 at 13:40
  • 1
    @goldilocks well at the moment they have sudo, though you've pointed out a way round that. Commented Nov 13, 2015 at 13:55

1 Answer 1

Reset to default
0

We ended up using a wired network -- at the same time as I was failing to get NetworkManager/nm-applet working we got permission to plug the Pis in to the network. However I know from Xubuntu that nm-applet can connect to WPA2/PEAP and prompt for a password every time, so this should be the solution.

Improve this answer

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.