Wpa supplicant
Warning: Display title "wpa_supplicant" overrides earlier display title "Wpa supplicant".
wpa_supplicant 是 一个处理网络认证的 wifi 请求者程序(supplicant)。
安装
作为前提条件,无线支持可能需要在内核中激活在IEEE_802.11中介绍的内容,以及必要的 无线设备驱动。[1]
USE 标记
USE flags for net-wireless/wpa_supplicant IEEE 802.1X/WPA supplicant for secure wireless transfers
ap
|
Add support for access point mode |
broadcom-sta
|
Flag to help users disable features not supported by broadcom-sta driver |
crda
|
Use net-wireless/crda for regulatory domain loading instead of in-kernel (4.15+) support |
dbus
|
Enable dbus support for anything that needs it (gpsd, gnomemeeting, etc) |
eap-sim
|
Add support for EAP-SIM authentication algorithm |
eapol-test
|
Build and install eapol_test binary |
fasteap
|
Add support for FAST-EAP authentication algorithm |
fils
|
Add support for Fast Initial Link Setup (802.11ai) |
hs2-0
|
Add support for 802.11u and Passpoint for HotSpot 2.0 |
macsec
|
Add support for wired macsec |
mbo
|
Add support Multiband Operation |
mesh
|
Add support for mesh mode |
p2p
|
Add support for Wi-Fi Direct mode |
privsep
|
Enable wpa_priv privledge separation binary |
ps3
|
Add support for ps3 hypervisor driven gelic wifi |
qt5
|
Add support for the Qt 5 application and UI framework |
readline
|
Enable support for libreadline, a GNU line-editing library that almost everyone wants |
selinux
|
!!internal use only!! Security Enhanced Linux support, this must be set by the selinux profile or breakage will occur |
smartcard
|
Add support for smartcards |
tdls
|
Add support for Tunneled Direct Link Setup (802.11z) |
tkip
|
Add support for WPA TKIP (deprecated due to security flaws in 2009) |
uncommon-eap-types
|
Add support for GPSK, SAKE, GPSK_SHA256, IKEV2 and EKE |
wep
|
Add support for Wired Equivalent Privacy (deprecated due to security flaws in 2004) |
wimax
|
Add support for Wimax EAP-PEER authentication algorithm |
wps
|
Add support for Wi-Fi Protected Setup |
Emerge
检查了 USE 标记之后,使用 Portage 的 emerge 命令安装 net-wireless/wpa_supplicant:
root #emerge --ask net-wireless/wpa_supplicant配置
文件
无线网络接口设置
对于单个无线网络接口的使用仅需一个配置文件。
/etc/wpa_supplicant/wpa_supplicant.conf# 允许 “wheel” 组中的用户控制 wpa_supplicant ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=wheel # 使 wpa_gui / wpa_cli 对此文件可写 update_config=1
要允许非特权用户使用 wpa_gui / wpa_cli 控制连接,请确保用户在 wheel 组 中。
这个文件默认不存在;可以从 /usr/share/doc/${P}/wpa_supplicant.conf.bz2 复制一个有据可查的模板配置文件,其中变量 P 的值是名称和当前出现的 wpa_supplicant 的版本:
root #bzless /usr/share/doc/${P}/wpa_supplicant.conf.bz2 > /etc/wpa_supplicant/wpa_supplicant.conf设置有线网络 802.1X
可以通过 wpa_supplicant 处理有线网络连接,这对于使用 802.1X 的网络很有用。创建包含有线网络配置的单独配置文件。下面的示例使用证书进行身份验证,请查看 wpa_supplicant.conf 手册页以获取其他方法的示例。
/etc/wpa_supplicant/wpa_supplicant_wired.confctrl_interface=/var/run/wpa_supplicant eapol_version=1 ap_scan=0 fast_reauth=1 network={ key_mgmt=IEEE8021X eap=TLS identity="COMPUTERAACT$@DOMAIN" ca_cert="/etc/wpa_supplicant/ca.pem" client_cert="/etc/wpa_supplicant/COMPUTERACCT.pem" private_key="/etc/wpa_supplicant/COMPUTERAACT.key" private_key_passwd="secret_password" eapol_flags=0 }
由于配置文件包含敏感信息,相应需要 chmod 操作。
root #chmod 600 /etc/wpa_supplicant/wpa_supplicant_wired.confwpa_supplicant 需要一些额外的参数才能将上述配置应用于有线网络接口(eth0) 请注意,以下 wpa_supplicant 参数假设 wpa_supplicant 版本 >=2.6-r2 (-M, CONFIG_MATCH_IFACE=y)
/etc/conf.d/wpa_supplicantwpa_supplicant_args="-ieth0 -Dwired -c/etc/wpa_supplicant/wpa_supplicant_wired.conf -M -c/etc/wpa_supplicant/wpa_supplicant.conf"
通过从 /etc/init.d 中删除接口并启用 wpa_supplicant 守护进程,让 wpa_supplicant 处理接口的启动/停止
root #/etc/init.d/net.eth0 stop
root #/etc/init.d/net.wlan0 stop
root #rm /etc/init.d/net.wlan0 /etc/init.d/net.eth0
root #rc-update add wpa_supplicant
root #/etc/init.d/wpa_supplicant start
通过 wpa_cli 查看有线网络接口的状态
root #wpa_cli
wpa_cli v2.8 Copyright (c) 2004-2019, Jouni Malinen <j@w1.fi> and contributors This software may be distributed under the terms of the BSD license. See README for more details. Selected interface 'p2p-dev-wlan0' Interactive mode > interface eth0 Connected to interface 'eth0. > status bssid=00:00:00:00:00:00 freq=0 ssid= id=0 mode=station pairwise_cipher=NONE group_cipher=NONE key_mgmt=IEEE 802.1X (no WPA) wpa_state=COMPLETED ip_address=10.10.10.100 p2p_device_address=bb:bb:bb:bb:bb:bb address=aa:aa:aa:aa:aa:aa Supplicant PAE state=AUTHENTICATED suppPortStatus=Authorized EAP state=SUCCESS selectedMethod=13 (EAP-TLS) eap_tls_version=TLSv1 EAP TLS cipher=ECDHE-RSA-AES256-SHA ...
设置网络管理器
网络管理器中列出的解决方案通常不能一起使用。确保一次仅运行其中一项服务。启动多个网络管理服务将导致不可预期的结果!
请务必选择相应的设置。
设置为 dhcpcd 的网络管理器
First follow the setup guide for dhcpcd.
Emerge wpa_supplicant (Version >=2.6-r2 is needed in order to get the CONFIG_MATCH_IFACE option added in April 2017):
root #emerge --ask net-wireless/wpa_supplicantUsing OpenRC
Complete its conf.d file with the -M option for the wireless network interface:
/etc/conf.d/wpa_supplicantwpa_supplicant_args="-B -M -c/etc/wpa_supplicant/wpa_supplicant.conf"
In case authentication for the wired interface is needed, this configuration file should look like:
/etc/conf.d/wpa_supplicantwpa_supplicant_args="-ieth0 -Dwired -c/etc/wpa_supplicant/wpa_supplicant_wired.conf -B -M -c/etc/wpa_supplicant/wpa_supplicant.conf"
With the configuration done, run it as a service:
root #rc-update add wpa_supplicant defaultroot #rc-service wpa_supplicant startUsing Systemd
Systemd allows a simpler per-device setup without needing to create the above conf.d files. As explained under wpa_supplicant item in the Native services section, a service symlink such as wpa_supplicant@wlan0.service looks for a separate configuration file to manage the device wlan0 in this case.
To configure a specific device this way, first copy or rename the /etc/wpa_supplicant/wpa_supplicant.conf file as /etc/wpa_supplicant/wpa_supplicant-DEVNAME.conf where DEVNAME should be the name of the device, such as wlan0.
Then, navigate to /etc/systemd/system/multi-user.target.wants and create the symlink:
root #ln -s /lib/systemd/system/wpa_supplicant@.service wpa_supplicant@DEVNAME.servicewhere DEVNAME is same device name as in the conf file above.
Note the @ signs on both arguments in the symlink step.
Test the system:
root #systemctl daemon-reload
root #systemctl start wpa_supplicant@DEVNAME
root #systemctl status wpa_supplicant@DEVNAME
In case the deprecated WEXT driver is needed, changing the wireless driver can help resolve cases where it associates then immediately disconnects with reason 3. Run wpa_supplicant -h to see a list of the available drivers that were built at compile-time.
/etc/conf.d/wpa_supplicant将驱动程序设置为 wextwpa_supplicant_args="-D wext"
在Gentoo 中设置 net.* 脚本
告诉网络脚本使用 wpa_supplicant:
/etc/conf.d/netmodules_wlan0="wpa_supplicant" config_wlan0="dhcp"
完成下面的配置后,最好更改权限,确保使用计算机的任何人都不能以明文形式查看WiFi密码:[2]
root #chmod 600 /etc/wpa_supplicant/wpa_supplicant.confSetup for NetworkManager
NetworkManager configured with wpa_supplicant as WiFi backend is able to use D-Bus to start wpa_supplicant when needed. Therefore it is recommended to keep the wpa_supplicant service itself stopped at boot time.
使用
使用 wpa_gui
使用 wpa_supplicant 的最简单方法是使用其名为 wpa_gui 的接口。要启用它,请启用 qt5 USE 标志来构建 wpa_supplicant。
使用 wpa_cli
wpa_supplicant 也有一个命令行用户界面。输入 wpa_cli 以启动其交互模式。在此提示下输入 help 将列出可用的命令(单击“Expand”以查看下面 wpa_cli 命令的输出):
user $wpa_cli
wpa_cli v2.5 Copyright (c) 2004-2015, Jouni Malinen <j@w1.fi> and contributors This software may be distributed under the terms of the BSD license. See README for more details. Selected interface 'wlan0' Interactive mode > scan OK > scan_results bssid / frequency / signal level / flags / ssid 01:23:45:67:89:ab 2437 0 [WPA-PSK-CCMP+TKIP][WPA2-PSK-CCMP+TKIP][ESS] hotel-free-wifi > add_network 0 > set_network 0 ssid "hotel-free-wifi" OK > set_network 0 psk "password" OK > enable_network 0 OK <3>CTRL-EVENT-SCAN-RESULTS <3>WPS-AP-AVAILABLE <3>Trying to associate with 01:23:45:67:89:ab (SSID='hotel-free-wifi' freq=2437 MHz) <3>Associated with 01:23:45:67:89:ab <3>WPA: Key negotiation completed with 01:23:45:67:89:ab [PTK=CCMP GTK=TKIP] <3>CTRL-EVENT-CONNECTED - Connection to 01:23:45:67:89:ab completed [id=0 id_str=] > save_config OK > quit
更多有关与如何连接的详细信息,可以在 Arch Linux Wiki 中找到。[3]
使用 wpa_passphrase
wpa_supplicant 包含了一个可以从命令行为预共享密钥(WPA-PSK 又名密码)网络快速写入网络块的工具,wpa_passphrase。
root #wpa_passphrase <ssid> [passphrase]其中 SSID 必须输入。但如果省略了 passphrase ,可以在出现提示时输入密码。
输出的结果可以复制或使用管道命令输出到 /etc/wpa_supplicant/wpa_supplicant.conf.
手动编辑
当然,/etc/wpa_supplicant/wpa_supplicant.conf 配置文件也能手动编辑。但是,如果计算机需要连接到许多不同的接入点,这会很耗时费力。
示例可以在 man 5 wpa_supplicant.conf 和 /usr/share/doc/wpa_supplicant-2.4-r3/wpa_supplicant.conf.bz2 中找到。
wpa_supplicant 的 WPA2
连接到任何为YourSSID提供服务的无线网络接入点
/etc/wpa_supplicant/wpa_supplicant.confctrl_interface=DIR=/var/run/wpa_supplicant GROUP=wheel #ap_scan=0 #update_config=1 network={ ssid="YourSSID" psk="your-secret-key" scan_ssid=1 proto=RSN key_mgmt=WPA-PSK group=CCMP TKIP pairwise=CCMP TKIP priority=5 }
使用 bssid 来指定使用其 MAC 地址连接到相应接入点,以防存在中继器。记得使用 wpa_passphrase <ssid> [passphrase] 来生成 psk
/etc/wpa_supplicant/wpa_supplicant.confctrl_interface=DIR=/var/run/wpa_supplicant GROUP=wheel ap_scan=1 network={ bssid=00:50:17:31:1a:11 ssid="YourSSID" psk="your-secret-key" scan_ssid=1 proto=RSN key_mgmt=WPA-PSK group=CCMP TKIP pairwise=CCMP TKIP priority=5 }
自动连接到任何不安全的网络
/etc/wpa_supplicant/wpa_supplicant.confnetwork={ key_mgmt=NONE priority=-999 }
故障排除
如果它不能像你预期的那样运行,请尝试下面的一些操作并分析输出。
检索已知 bug
以调试模式运行 wpa_supplicant
区别已停止所有运行的请求者 (supplicant) 实例:
root #killall wpa_supplicant类似以下选项可用于调试(单击 "Expand" 以查看下面的输出):
root #wpa_supplicant -Dnl80211 -iwlan0 -C/var/run/wpa_supplicant/ -c/etc/wpa_supplicant/wpa_supplicant.conf -dd
wpa_supplicant v2.2 random: Trying to read entropy from /dev/random Successfully initialized wpa_supplicant Initializing interface 'wlp8s0' conf '/etc/wpa_supplicant/wpa_supplicant.conf' driver 'nl80211' ctrl_interface '/var/run/wpa_supplicant' bridge 'N/A' Configuration file '/etc/wpa_supplicant/wpa_supplicant.conf' -> '/etc/wpa_supplicant/wpa_supplicant.conf' Reading configuration file '/etc/wpa_supplicant/wpa_supplicant.conf' ctrl_interface='DIR=/var/run/wpa_supplicant GROUP=wheel' update_config=1 Line: 6 - start of a new network block
启用日志
在 Gentoo 中启用 net.* 脚本日志
modules_wlan0="wpa_supplicant" wpa_supplicant_wlan0="-Dnl80211 -d -f /var/log/wpa_supplicant.log" config_wlan0="dhcp"
现在,在一个终端中使用 tail 命令来监视输出并在另一个终端中重新启动 net.wlan0 设备:
root #tail -f /var/log/wpa_supplicant.log
root #/etc/init.d/net.wlan0 restart
参考
另请参阅
- Iwd — an up-and-coming wireless daemon for Linux.
外部资源
- HOWTO: 使用 wpa_supplicant 管理远程接入点 (Gentoo 论坛)
- 扩展认证协议 (Wikipedia)
- 扩展认证协议 (wiki.freeradius.org)
- wpa_supplicant 刚刚接受了允许接口匹配的补丁
- https://www.kb.cert.org/vuls/id/CHEU-AQNN3Z