Howto: H4x0roam with netcfg and encrypted wpa supplicant config
Note: this configuration is outdated; the wpa_supplicant network block still needs an anonymous identity so that the real username is not sent in the clear in the outer EAP identity.
This howto was written with Archlinux in mind, but it should also work on any other distro. Before trying this, you should make sure that netcfg, openssl, and wpa_supplicant are installed on your machine. Execute all shell commands as root unless specified otherwise.
The wpa_supplicant configuration file will be stored on the hard drive only in encrypted form, since it contains your Hackerspace account credentials in clear text. The decrypted version of the config is *only* ever written to a ramdisk, which is mounted and unmounted automatically when the h4x0roam network profile is started and stopped. This should provide an acceptable level of security even on computers without an encrypted hard drive (for example because of a slow CPU). Please note, however, that this does *not* offer any protection against keyloggers or other malware on your local computer intercepting your encryption password or your syn2cat credentials. Setting an HDD password might (at least partly) mitigate the risk of casual attackers with physical access to your machine.
Let's get started:
Create the directory for the ramdisk:
mkdir -p /etc/network.d/secure/ramdisks/h4x0roam
chmod -R 0700 /etc/network.d/secure
Create the network profile as /etc/network.d/h4x0roam with the following content:
CONNECTION='wireless'
DESCRIPTION='A secure wpa_supplicant configuration based wireless connection'
INTERFACE='wlan0'
SECURITY='wpa-config'
# The two PRE_UP commands are chained with && so that, if the ramdisk fails to mount, the decrypted config is never written to the hard drive.
PRE_UP="mount -t ramfs h4x0roam-ramdisk /etc/network.d/secure/ramdisks/h4x0roam/ && openssl enc -d -aes-256-cbc -in /etc/network.d/secure/h4x0roam.aes -out /etc/network.d/secure/ramdisks/h4x0roam/h4x0roam"
# PRE_DOWN overwrites the plaintext with the ciphertext before the ramdisk is unmounted.
PRE_DOWN="cat /etc/network.d/secure/h4x0roam.aes > /etc/network.d/secure/ramdisks/h4x0roam/h4x0roam ; umount h4x0roam-ramdisk"
WPA_CONF='/etc/network.d/secure/ramdisks/h4x0roam/h4x0roam'
IP='dhcp'
Now we temporarily mount a ramdisk where we will create the configuration file for wpa_supplicant:
mount -t ramfs h4x0roam-ramdisk /etc/network.d/secure/ramdisks/h4x0roam/
Create a file /etc/network.d/secure/ramdisks/h4x0roam/h4x0roam with the following content (you'll obviously have to fill in your own username and password):
ctrl_interface=/var/run/wpa_supplicant
network={
    ssid="h4x0roam"
    bssid=00:21:29:E9:D1:AA
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="YOUR HACKERSPACE USERNAME"
    password="YOUR HACKERSPACE PASSWORD"
    phase2="auth=MSCHAPV2"
    ca_cert="/etc/ssl/h4x0roam/combined-ca.pem"
    client_cert="/etc/ssl/h4x0roam/lusitania.int.hackerspace.lu_infr.crt"
}
Save an encrypted version of the file to /etc/network.d/secure/h4x0roam.aes (remember the encryption password!), overwrite the plaintext copy in the ramdisk with the ciphertext, and unmount the ramdisk:
openssl enc -aes-256-cbc -salt -in /etc/network.d/secure/ramdisks/h4x0roam/h4x0roam -out /etc/network.d/secure/h4x0roam.aes
chmod 0600 /etc/network.d/secure/h4x0roam.aes
cat /etc/network.d/secure/h4x0roam.aes > /etc/network.d/secure/ramdisks/h4x0roam/h4x0roam
umount /etc/network.d/secure/ramdisks/h4x0roam/
Install h4x0roam's SSL certificate chain:
mkdir -p /etc/ssl/h4x0roam
wget http://www.hackerspace.lu/certs/syn2catCA.crt -O /etc/ssl/h4x0roam/syn2catCA.crt
wget http://www.hackerspace.lu/certs/syn2catInfr.crt -O /etc/ssl/h4x0roam/syn2catInfr.crt
wget http://www.hackerspace.lu/certs/lusitania.int.hackerspace.lu_infr.crt -O /etc/ssl/h4x0roam/lusitania.int.hackerspace.lu_infr.crt
cat /etc/ssl/h4x0roam/syn2catInfr.crt /etc/ssl/h4x0roam/syn2catCA.crt > /etc/ssl/h4x0roam/combined-ca.pem
chmod 0644 /etc/ssl/h4x0roam/*
Now you should be ready to go, so let's test your new network profile:
netcfg h4x0roam
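As an added example (not part of the original howto), here is the same PRE_UP/PRE_DOWN logic written as shell functions that refuse to decrypt the config unless the mount point has been verified, via /proc/mounts, to be a RAM-backed filesystem, so a silently failed mount can never leave the credentials on the hard drive. The paths are the ones used above; the optional second argument of ramdisk_mounted and the sample mount table at the end are assumptions made only so the check can be exercised without performing a real mount.

```shell
#!/bin/sh
# Added example, not part of the original howto: guarded versions of the
# profile's PRE_UP and PRE_DOWN steps. The plaintext config is written only
# after the mount point has been confirmed to be ramfs or tmpfs.
# Paths follow the howto; the second argument of ramdisk_mounted is an
# assumption that lets the check run against a constructed mount table.

SECURE_DIR=/etc/network.d/secure
RAMDISK=$SECURE_DIR/ramdisks/h4x0roam
ENCRYPTED=$SECURE_DIR/h4x0roam.aes
PLAINTEXT=$RAMDISK/h4x0roam

# ramdisk_mounted MOUNTPOINT [MOUNTS_FILE]
# Exit status 0 if MOUNTPOINT appears in the mount table (default /proc/mounts)
# with filesystem type ramfs or tmpfs, 1 otherwise. A trailing slash on
# MOUNTPOINT is ignored, because the kernel lists mount points without one.
ramdisk_mounted() {
    _mp=${1%/}
    _table=${2:-/proc/mounts}
    # /proc/mounts fields: source mountpoint fstype options dump pass
    awk -v mp="$_mp" '
        $2 == mp && ($3 == "ramfs" || $3 == "tmpfs") { found = 1 }
        END { if (found) exit 0; exit 1 }' "$_table"
}

# secure_pre_up: mount, verify, then decrypt. Each step runs only if the
# previous one succeeded, unlike a ";" chain, and a failed decryption
# cleans up after itself.
secure_pre_up() {
    mount -t ramfs h4x0roam-ramdisk "$RAMDISK" || return 1
    if ! ramdisk_mounted "$RAMDISK"; then
        echo "refusing to decrypt: $RAMDISK is not a RAM-backed mount" >&2
        return 1
    fi
    umask 077   # the decrypted file is created with mode 0600
    if ! openssl enc -d -aes-256-cbc -in "$ENCRYPTED" -out "$PLAINTEXT"; then
        rm -f "$PLAINTEXT"
        umount "$RAMDISK"
        return 1
    fi
}

# secure_pre_down: overwrite the plaintext with the ciphertext, as the howto
# does, then unmount by mount point rather than by the pseudo device name.
secure_pre_down() {
    if [ -f "$PLAINTEXT" ]; then
        cat "$ENCRYPTED" > "$PLAINTEXT"
    fi
    umount "$RAMDISK"
}

# Demonstration against a constructed mount table; no real mount is touched.
demo_table=$(mktemp)
printf '%s\n' \
    'proc /proc proc rw,nosuid 0 0' \
    '/dev/sda2 / ext4 rw,relatime 0 0' \
    "h4x0roam-ramdisk $RAMDISK ramfs rw,relatime 0 0" > "$demo_table"
if ramdisk_mounted "$RAMDISK/" "$demo_table"; then
    echo "$RAMDISK is RAM-backed: safe to decrypt"
fi
rm -f "$demo_table"
```

To use the guarded version in the profile, point PRE_UP and PRE_DOWN at a script that sources these functions and calls secure_pre_up or secure_pre_down; the ramdisk_mounted check is what turns a mount failure from a silent leak of the plaintext into a refused connection.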