Linux on Your WLAN: Configure WPA
Last week we successfully navigated the thorny thickets of wireless security standards and rampant milling acronym herds. Today we shall puncture common wireless security myths, and learn how to configure WPA Personal on both Debian clients (and its many offshoots) and Red Hat (and its many spawn). Access points are so diverse I'm afraid you're stuck with the vendor's manual for configuring them.
Silly Wireless Myths
I wish this were a classroom, so we could write these on balloons and throw darts at them. You may do this anyway; it's easy and fun.
- Hide your SSID: This one is dopey, yet it persists. The Service Set Identifier (SSID) was never meant to be any sort of security device. It's just a name, and it's easily discoverable. Hiding it just inconveniences your users. It doesn't even slow down an attacker.
- Filter on MAC addresses: Stab this one between the head, please. Can there possibly be a network admin who does not know how easy it is to spoof MAC addresses? Hint: on Linux use ifconfig, iproute, or the configuration files for your network interfaces. On Windows there are a number of third-party utilities, or you can edit the Registry, or on XP just use the normal interface configuration wizard.
- Use a Weak Signal: No, really, some folks advocate this one in all seriousness. The idea being that inside some magical geographical boundary all hosts are trusted, and outside that line are big scary evil crackers waiting to pounce on stray radio waves. Really. I am not making this up. Even if there is an inner circle of completely trusted users, radio waves cannot be confined like dogs in a pen. You have no way of knowing how far they are going to travel.
There are many others, but for some reason these three persist. Please treat them with all the mockery they deserve.
Setting Up WPA Personal
Mocking is fun, but even more satisfying is doing things the right way. Setting up WPA-PSK (Pre-Shared Key), or WPA Personal is a nice solution for home and small business networks that don't want to hassle with an authentication server. Its main drawback is using a shared key, so if there are any generous blabbermouths on your WLAN who want to share your WLAN with their friends, you might want to restrict them to a wired host. The advantages are is it's easy, even across mixed environments, and it's secure, as long you don't have blabbermouths.
On Linux you need wpa_supplicant. On Debian and its offspring it's wpasupplicant. The configuration file is usually /etc/wpa_supplicant.conf.
The first step is to generate a strong passphrase. This is also your shared key. (If these things did not have multiple names you would not need me to clear the confusion, and then I would have to work at Wal-Mart.) A WPA2 key can be up to 63 characters long. You might as well use all of them, because the encrypted key is going to sit inside /etc/wpa_supplicant.conf; you won't be typing it every time you want to login. Use the wpa_passphrase command. You need your WLAN's SSID and a bit of imagination:
$ wpa_passphrase myssid waylongkeythelongerthebetterbecausewecareaboutsecurityalot
In reality that is not a good passphrase. It should not contain any dictionary words, and should be a combination of letters, numbers, and punctuation marks.
Copy your wpa_passphrase output into /etc/wpa_supplicant.conf. This exact same passphrase must also be on your access point and all other WLAN clients. Test your ability to connect, and once that's verified delete the line starting with "#psk=." Because, obviously, storing your passphrase in cleartext is not a good security practice. Test it manually with these commands, using your own network interface name:
# iwconfig eth1 essid "myssid"
# ifup eth1
# wpa_supplicant ñieth1 -c/etc/wpa_supplicant.conf
There are no spaces between the option flags (-i and -c) and the options. Then verify that your interface picked up an IP and ESSID:
$ iwconfig eth1
Finally, ping a few sites to see if you have connectivity. And that's all there is to it.
Starting All This Stuff AutomaticallyYour users probably don't want to enter all these commands every time they want to connect to your network. So, if you're feeling benevolent, you can set everything up to start at boot. On Debian, Ubuntu, and the vast herds of other Debian-based distributions, edit /etc/network/interfaces:
iface eth1 inet dhcp
up wpa_supplicant -ieth1 -c/etc/wpa_supplicant.conf -Bw
down killall wpa_supplicant
-B forks the wpa_supplicant into the background, and -w tells it to do nothing unless the interface is up.
On Fedora and Red Hat, et al, configure your wireless card in the usual manner in /etc/sysconfig/network-scripts/ifcg-eth1, or whatever file belongs to the wireless interface, using the real interface name and MAC address:
Then add these lines to the end of /etc/sysconfig/network-scripts/ifup-wireless, again using your own interface name:
wpa_supplicant -iath1 -c/etc/wpa_supplicant.conf -Bw
These are simple setups that don't manage multiple locations or do any fancy hotplug management, but they work fine for single locations. We'll cover roaming, multiple profiles, and hotplug interfaces in future installments.
Rolling Out Masses of Keys
Security gurus advise changing shared keys periodically. Doing it manually is less than fun. Using cfengine is one option, though that's a big hammer to use on a little nail. Your access point might have a utility to do this, so look there first.
If you already have an authentication server, like a RADIUS server, you've already done the hard part, so we'll look at how to set up WPA Enterprise in a future howto.