Wpa supplicant

From Gentoo Wiki
Jump to:navigation Jump to:search
This page is a translated version of the page Wpa supplicant and the translation is 56% complete.
Outdated translations are marked like this.
Other languages:

Warning: Display title "wpa_supplicant" overrides earlier display title "Wpa supplicant".

wpa_supplicant 是 一个处理网络认证的 wifi 请求者程序(supplicant)。

安装

作为前提条件,无线支持可能需要在内核中激活在IEEE_802.11中介绍的内容,以及必要的 无线设备驱动[1]

USE 标记

USE flags for net-wireless/wpa_supplicant IEEE 802.1X/WPA supplicant for secure wireless transfers

ap Add support for access point mode
broadcom-sta Flag to help users disable features not supported by broadcom-sta driver
dbus Enable dbus support for anything that needs it (gpsd, gnomemeeting, etc)
eap-sim Add support for EAP-SIM authentication algorithm
eapol-test Build and install eapol_test binary
fasteap Add support for FAST-EAP authentication algorithm
fils Add support for Fast Initial Link Setup (802.11ai)
hs2-0 Add support for 802.11u and Passpoint for HotSpot 2.0
macsec Add support for wired macsec
mbo Add support Multiband Operation
mesh Add support for mesh mode
p2p Add support for Wi-Fi Direct mode
privsep Enable wpa_priv privledge separation binary
ps3 Add support for ps3 hypervisor driven gelic wifi
qt5 Add support for the Qt 5 application and UI framework
readline Enable support for libreadline, a GNU line-editing library that almost everyone wants
selinux !!internal use only!! Security Enhanced Linux support, this must be set by the selinux profile or breakage will occur
smartcard Add support for smartcards
tdls Add support for Tunneled Direct Link Setup (802.11z)
tkip Add support for WPA TKIP (deprecated due to security flaws in 2009)
uncommon-eap-types Add support for GPSK, SAKE, GPSK_SHA256, IKEV2 and EKE
wep Add support for Wired Equivalent Privacy (deprecated due to security flaws in 2004)
wimax Add support for Wimax EAP-PEER authentication algorithm
wps Add support for Wi-Fi Protected Setup

Emerge

检查了 USE 标记之后,使用 Portage 的 emerge 命令安装 net-wireless/wpa_supplicant

root #emerge --ask net-wireless/wpa_supplicant

Direct connect

Quick Connect

警告
To not store any clear text password in history, history is disabled. This should be used temporarily to test that it is possible to connect to the access point.
root #set +o history
root #wpa_supplicant -i wlp0s20f3 -c <(wpa_passphrase ssid password) &
root #set -o history
附注
Process output when connect direct: 'wpa_supplicant -iwlan0 -c /dev/fd/63

Connection for two interfaces

wpa_supplicant can control multiple interfaces (radios) either by running one process for each interface separately or by running just one process and list of options at command line. Each interface is separated with -N argument. Following command would start wpa_supplicant for two interfaces

user $wpa_supplicant -c wpa1.conf -i wlan0 -D nl80211 -N -c wpa2.conf -i ath0 -D wext

配置

文件

无线网络接口设置

wpa_supplicant includes a tool to quickly write a network block from the command line for pre-shared key (WPA-PSK aka password) networks, wpa_passphrase.

root #wpa_passphrase ssid password >> /etc/wpa_supplicant/wpa_supplicant.conf
附注
When password is stored as hash instead of clear text it is required to add key_MGMT=WPA-EAP and eap=PEAP to the configuration file that is not generated by default

Setup for wireless interface

对于单个无线网络接口的使用仅需一个配置文件。

文件 /etc/wpa_supplicant/wpa_supplicant.conf
# 允许 “wheel” 组中的用户控制 wpa_supplicant
ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=wheel
 
# 使 wpa_gui / wpa_cli 对此文件可写
update_config=1

要允许非特权用户使用 wpa_gui / wpa_cli 控制连接,请确保用户在 wheel 中。

这个文件默认不存在;可以从 /usr/share/doc/${P}/wpa_supplicant.conf.bz2 复制一个有据可查的模板配置文件,其中变量 P 的值是名称和当前出现的 wpa_supplicant 的版本:

root #bzless /usr/share/doc/${P}/wpa_supplicant.conf.bz2 > /etc/wpa_supplicant/wpa_supplicant.conf

wpa_supplicant 的 WPA2

连接到任何为YourSSID提供服务的无线网络接入点

文件 /etc/wpa_supplicant/wpa_supplicant.conf
ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=wheel
#ap_scan=0
#update_config=1
 
network={
        ssid="YourSSID"
        psk="your-secret-key"
        scan_ssid=1
        proto=RSN
        key_mgmt=WPA-PSK
        group=CCMP TKIP
        pairwise=CCMP TKIP
        priority=5
}

Configuration file with dynamic WEP keys

文件 /etc/wpa_supplicant/wpa_supplicant_wired.conf
ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=wheel
network={
	ssid="1x-test"
	scan_ssid=1
	key_mgmt=IEEE8021X
	eap=TLS
	identity="user@example.com"
	ca_cert="/etc/cert/ca.pem"
	client_cert="/etc/cert/user.pem"
	private_key="/etc/cert/user.prv"
	private_key_passwd="password"
	eapol_flags=3
}

Allows more or less all configuration modes

警告
The configuration options are used based on what security policy is used in the selected SSID. This is mostly for testing and is not recommended for normal use
文件 /etc/wpa_supplicant/wpa_supplicant_wired.conf
ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=wheel
network={
	ssid="example"
	scan_ssid=1
	key_mgmt=WPA-EAP WPA-PSK IEEE8021X NONE
	pairwise=CCMP TKIP
	group=CCMP TKIP WEP104 WEP40
	psk="very secret passphrase"
	eap=TTLS PEAP TLS
	identity="user@example.com"
	password="foobar"
	ca_cert="/etc/cert/ca.pem"
	client_cert="/etc/cert/user.pem"
	private_key="/etc/cert/user.prv"
	private_key_passwd="password"
	phase1="peaplabel=0"
	ca_cert2="/etc/cert/ca2.pem"
	client_cert2="/etc/cer/user.pem"
	private_key2="/etc/cer/user.prv"
	private_key2_passwd="password"
}


设置有线网络 802.1X

可以通过 wpa_supplicant 处理有线网络连接,这对于使用 802.1X 的网络很有用。创建包含有线网络配置的单独配置文件。下面的示例使用证书进行身份验证,请查看 wpa_supplicant.conf 手册页以获取其他方法的示例。

附注
This can be used with wired or roboswitch interface (-Dwired or -Droboswitch on command line)
文件 /etc/wpa_supplicant/wpa_supplicant_wired.conf
ctrl_interface=/var/run/wpa_supplicant
eapol_version=1
ap_scan=0
fast_reauth=1
 
network={
	key_mgmt=IEEE8021X
	eap=TLS
	identity="COMPUTERAACT$@DOMAIN"
	ca_cert="/etc/wpa_supplicant/ca.pem"
	client_cert="/etc/wpa_supplicant/COMPUTERACCT.pem"
	private_key="/etc/wpa_supplicant/COMPUTERAACT.key"
	private_key_passwd="secret_password"
	eapol_flags=0
}

由于配置文件包含敏感信息,相应需要 chmod 操作。

root #chmod 600 /etc/wpa_supplicant/wpa_supplicant_wired.conf

wpa_supplicant 需要一些额外的参数才能将上述配置应用于有线网络接口(eth0) 请注意,以下 wpa_supplicant 参数假设 wpa_supplicant 版本 >=2.6-r2 (-M, CONFIG_MATCH_IFACE=y)

文件 /etc/conf.d/wpa_supplicant
wpa_supplicant_args="-ieth0 -Dwired -c/etc/wpa_supplicant/wpa_supplicant_wired.conf -M -c/etc/wpa_supplicant/wpa_supplicant.conf"

通过从 /etc/init.d 中删除接口并启用 wpa_supplicant 守护进程,让 wpa_supplicant 处理接口的启动/停止

root #/etc/init.d/net.eth0 stop
root #/etc/init.d/net.wlan0 stop
root #rm /etc/init.d/net.wlan0 /etc/init.d/net.eth0
root #rc-update add wpa_supplicant
root #/etc/init.d/wpa_supplicant start

通过 wpa_cli 查看有线网络接口的状态

Connect directly to the wireless access point from the command line


root #wpa_cli
wpa_cli v2.8
Copyright (c) 2004-2019, Jouni Malinen <j@w1.fi> and contributors
 
This software may be distributed under the terms of the BSD license.
See README for more details.
 
 
Selected interface 'p2p-dev-wlan0'
 
Interactive mode
 
> interface eth0
Connected to interface 'eth0.
> status
bssid=00:00:00:00:00:00
freq=0
ssid=
id=0
mode=station
pairwise_cipher=NONE
group_cipher=NONE
key_mgmt=IEEE 802.1X (no WPA)
wpa_state=COMPLETED
ip_address=10.10.10.100
p2p_device_address=bb:bb:bb:bb:bb:bb
address=aa:aa:aa:aa:aa:aa
Supplicant PAE state=AUTHENTICATED
suppPortStatus=Authorized
EAP state=SUCCESS
selectedMethod=13 (EAP-TLS)
eap_tls_version=TLSv1
EAP TLS cipher=ECDHE-RSA-AES256-SHA
...

设置网络管理器

重要
网络管理器中列出的解决方案通常不能一起使用。确保一次仅运行其中一项服务。启动多个网络管理服务将导致不可预期的结果

请务必选择相应的设置。

Be sure to choose the corresponding setup.

设置为 dhcpcd 的网络管理器

First follow the setup guide for dhcpcd.

Emerge wpa_supplicant (Version >=2.6-r2 is needed in order to get the CONFIG_MATCH_IFACE option added in April 2017):

root #emerge --ask net-wireless/wpa_supplicant

Using OpenRC

Complete its conf.d file with the -M option for the wireless network interface:

文件 /etc/conf.d/wpa_supplicant
wpa_supplicant_args="-B -M -c/etc/wpa_supplicant/wpa_supplicant.conf"

In case authentication for the wired interface is needed, this configuration file should look like:

文件 /etc/conf.d/wpa_supplicant
wpa_supplicant_args="-ieth0 -Dwired -c/etc/wpa_supplicant/wpa_supplicant_wired.conf -B -M -c/etc/wpa_supplicant/wpa_supplicant.conf"

With the configuration done, run it as a service:

root #rc-update add wpa_supplicant default
root #rc-service wpa_supplicant start

Using Systemd

Systemd allows a simpler per-device setup without needing to create the above conf.d files. As explained under wpa_supplicant item in the Native services section, a service symlink such as wpa_supplicant@wlan0.service looks for a separate configuration file to manage the device wlan0 in this case.

To configure a specific device this way, first copy or rename the /etc/wpa_supplicant/wpa_supplicant.conf file as /etc/wpa_supplicant/wpa_supplicant-DEVNAME.conf where DEVNAME should be the name of the device, such as wlan0.

Then, navigate to /etc/systemd/system/multi-user.target.wants and create the symlink:

root #ln -s /lib/systemd/system/wpa_supplicant@.service wpa_supplicant@DEVNAME.service

where DEVNAME is same device name as in the conf file above.

重要
Note the @ signs on both arguments in the symlink step.

Test the system:

root #systemctl daemon-reload
root #systemctl start wpa_supplicant@DEVNAME
root #systemctl status wpa_supplicant@DEVNAME

In case the deprecated WEXT driver is needed, changing the wireless driver can help resolve cases where it associates then immediately disconnects with reason 3. Run wpa_supplicant -h to see a list of the available drivers that were built at compile-time.

文件 /etc/conf.d/wpa_supplicant将驱动程序设置为 wext
wpa_supplicant_args="-D wext"

在Gentoo 中设置 net.* 脚本

告诉网络脚本使用 wpa_supplicant:

文件 /etc/conf.d/net
modules_wlan0="wpa_supplicant"
config_wlan0="dhcp"

完成下面的配置后,最好更改权限,确保使用计算机的任何人都不能以明文形式查看WiFi密码:[2]

root #chmod 600 /etc/wpa_supplicant/wpa_supplicant.conf

Setup for NetworkManager

NetworkManager configured with wpa_supplicant as WiFi backend is able to use D-Bus to start wpa_supplicant when needed. Therefore it is recommended to keep the wpa_supplicant service itself stopped at boot time.

使用

使用 wpa_gui

使用 wpa_supplicant 的最简单方法是使用其名为 wpa_gui 的接口。要启用它,请启用 qt5 USE 标志来构建 wpa_supplicant。

使用 wpa_cli

wpa_supplicant 也有一个命令行用户界面。输入 wpa_cli 以启动其交互模式。在此提示下输入 help 将列出可用的命令(单击“Expand”以查看下面 wpa_cli 命令的输出):

user $wpa_cli
wpa_cli v2.5
 Copyright (c) 2004-2015, Jouni Malinen <j@w1.fi> and contributors
 
 This software may be distributed under the terms of the BSD license.
 See README for more details.
 
 
 Selected interface 'wlan0'
 
 Interactive mode
 
 > scan
 OK
 > scan_results
 bssid / frequency / signal level / flags / ssid
 01:23:45:67:89:ab       2437    0       [WPA-PSK-CCMP+TKIP][WPA2-PSK-CCMP+TKIP][ESS]    hotel-free-wifi
 > add_network
 0
 > set_network 0 ssid "hotel-free-wifi"
 OK
 > set_network 0 psk "password"
 OK
 > enable_network 0
 OK
 <3>CTRL-EVENT-SCAN-RESULTS 
 <3>WPS-AP-AVAILABLE 
 <3>Trying to associate with 01:23:45:67:89:ab (SSID='hotel-free-wifi' freq=2437 MHz)
 <3>Associated with 01:23:45:67:89:ab
 <3>WPA: Key negotiation completed with 01:23:45:67:89:ab [PTK=CCMP GTK=TKIP]
 <3>CTRL-EVENT-CONNECTED - Connection to 01:23:45:67:89:ab completed [id=0 id_str=]
 > save_config 
 OK
 > quit

For switching to another Wi-Fi:

user $wpa_cli
wpa_cli v2.5
 Copyright (c) 2004-2015, Jouni Malinen <j@w1.fi> and contributors
 
 This software may be distributed under the terms of the BSD license.
 See README for more details.
> list_networks
network id / ssid / bssid / flags
0	TAMO	any	
1	ORBI705	any	
2	ORBI	any	
3	Tangerine	any	
4	271	any	
5	POCO X3 Pro	any	
6	Orbi Guest	any	
7	hackerspace	any	
8	HUAWEI-25 a-2	any	
9	A1-13	any	
 
> select_network 1

更多有关与如何连接的详细信息,可以在 Arch Linux Wiki 中找到。[3]

手动编辑

当然,/etc/wpa_supplicant/wpa_supplicant.conf 配置文件也能手动编辑。但是,如果计算机需要连接到许多不同的接入点,这会很耗时费力。

示例可以在 man 5 wpa_supplicant.conf/usr/share/doc/wpa_supplicant-2.4-r3/wpa_supplicant.conf.bz2 中找到。

文件 /etc/wpa_supplicant/wpa_supplicant.conf
ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=wheel
ap_scan=1
 
network={
        bssid=00:50:17:31:1a:11
        ssid="YourSSID"
        psk="your-secret-key"
        scan_ssid=1
        proto=RSN
        key_mgmt=WPA-PSK
        group=CCMP TKIP
        pairwise=CCMP TKIP
        priority=5
}

自动连接到任何不安全的网络

文件 /etc/wpa_supplicant/wpa_supplicant.conf
network={
        key_mgmt=NONE
        priority=-999
}

故障排除

如果它不能像你预期的那样运行,请尝试下面的一些操作并分析输出。

检索已知 bug

Check USE Flags

Two use flags are disabled by default for older wifi protocols due to known security flas: tkip and wep. Enable those use flags for older wifi routers and re-install wpa_supplicant.

rfkill: WLAN soft blocked

If rfkill is blocking the interface, first find the interface number with:

user $rfkill list
0: ideapad_wlan: Wireless LAN
	Soft blocked: yes
	Hard blocked: no
1: ideapad_bluetooth: Bluetooth
	Soft blocked: yes
	Hard blocked: no
2: hci0: Bluetooth
	Soft blocked: yes
	Hard blocked: no
3: phy0: Wireless LAN
	Soft blocked: yes
	Hard blocked: no

Then the interface can be unblocked with:

root #rfkill unblock 3

以调试模式运行 wpa_supplicant

区别已停止所有运行的请求者 (supplicant) 实例:

root #killall wpa_supplicant

类似以下选项可用于调试(单击 "Expand" 以查看下面的输出):

root #wpa_supplicant -Dnl80211 -iwlan0 -C/var/run/wpa_supplicant/ -c/etc/wpa_supplicant/wpa_supplicant.conf -dd
wpa_supplicant v2.2
random: Trying to read entropy from /dev/random
Successfully initialized wpa_supplicant
Initializing interface 'wlp8s0' conf '/etc/wpa_supplicant/wpa_supplicant.conf' driver 'nl80211' ctrl_interface '/var/run/wpa_supplicant' bridge 'N/A'
Configuration file '/etc/wpa_supplicant/wpa_supplicant.conf' -> '/etc/wpa_supplicant/wpa_supplicant.conf'
Reading configuration file '/etc/wpa_supplicant/wpa_supplicant.conf'
ctrl_interface='DIR=/var/run/wpa_supplicant GROUP=wheel'
update_config=1
Line: 6 - start of a new network block

启用日志

在 Gentoo 中启用 net.* 脚本日志

文件 /etc/conf.d/net在Gentoo 中设置 net.* 脚本
modules_wlan0="wpa_supplicant"
wpa_supplicant_wlan0="-Dnl80211 -d -f /var/log/wpa_supplicant.log"
config_wlan0="dhcp"

现在,在一个终端中使用 tail 命令来监视输出并在另一个终端中重新启动 net.wlan0 设备:

root #tail -f /var/log/wpa_supplicant.log
root #/etc/init.d/net.wlan0 restart

参考

另请参阅

  • Iwd — an up-and-coming wireless daemon for Linux.

外部资源