Login or Register to Ask a Question and Join Our Community

Linux and UNIX Man Pages

Linux & Unix Commands - Search Man Pages

wpa_priv(8) [suse man page]

WPA_PRIV(8)															       WPA_PRIV(8)

NAME

       wpa_priv - wpa_supplicant privilege separation helper

SYNOPSIS

       wpa_priv [ -c ctrl path ] [ -Bdd ] [ -P pid file ] [ driver:ifname [driver:ifname ...] ]

OVERVIEW

       wpa_priv is a privilege separation helper that minimizes the size of wpa_supplicant code that needs to be run with root privileges.

       If  enabled,  privileged operations are done in the wpa_priv process while leaving rest of the code (e.g., EAP authentication and WPA hand-
       shakes) to operate in an unprivileged process (wpa_supplicant) that can be run as non-root user. Privilege separation restricts the effects
       of  potential  software	errors by containing the majority of the code in an unprivileged process to avoid the possibility of a full system
       compromise.

       wpa_priv needs to be run with network admin privileges (usually, root user). It opens a UNIX domain  socket  for  each  interface  that	is
       included on the command line; any other interface will be off limits for wpa_supplicant in this kind of configuration. After this, wpa_sup-
       plicant can be run as a non-root user (e.g., all standard users on a laptop or as a special non-privileged user account	created  just  for
       this purpose to limit access to user files even further).

EXAMPLE CONFIGURATION

       The following steps are an example of how to configure wpa_priv to allow users in the wpapriv group to communicate with wpa_supplicant with
       privilege separation:

       Create user group (e.g., wpapriv) and assign users that should be able to use wpa_supplicant into that group.

       Create /var/run/wpa_priv directory for UNIX domain sockets and control user access by setting it accessible only for the wpapriv group:

	      mkdir /var/run/wpa_priv
	      chown root:wpapriv /var/run/wpa_priv
	      chmod 0750 /var/run/wpa_priv

       Start wpa_priv as root (e.g., from system startup scripts) with the enabled interfaces configured on the command line:

	      wpa_priv -B -c /var/run/wpa_priv -P /var/run/wpa_priv.pid wext:wlan0

       Run wpa_supplicant as non-root with a user that is in the wpapriv group:

	      wpa_supplicant -i ath0 -c wpa_supplicant.conf

COMMAND ARGUMENTS

       -c ctrl path
	      Specify the path to wpa_priv control directory (Default: /var/run/wpa_priv/).

       -B     Run as a daemon in the background.

       -P file
	      Set the location of the PID file.

       driver:ifname [driver:ifname ...]
	      The <driver> string dictates which of the supported wpa_supplicant driver backends is to be used. To get a list of supported  driver
	      types see wpa_supplicant help (e.g, wpa_supplicant -h). The driver backend supported by most good drivers is wext.

	      The <ifname> string specifies which network interface is to be managed by wpa_supplicant (e.g., wlan0 or ath0).

	      wpa_priv	does  not use the network interface before wpa_supplicant is started, so it is fine to include network interfaces that are
	      not available at the time wpa_priv is started. wpa_priv can control multiple interfaces with one process, but it is also possible to
	      run multiple wpa_priv processes at the same time, if desired.

SEE ALSO

       wpa_supplicant(8)

LEGAL

       wpa_supplicant is copyright (c) 2003-2007, Jouni Malinen <j@w1.fi> and contributors.  All Rights Reserved.

       This program is dual-licensed under both the GPL version 2 and BSD license. Either license may be used at your option.

								  16 January 2010						       WPA_PRIV(8)

Check Out this Related Man Page

WPA_CLI(8)																WPA_CLI(8)

NAME

       wpa_cli - WPA command line client

SYNOPSIS

       wpa_cli [ -p path to ctrl sockets ] [ -i ifname ] [ -hvB ] [ -a action file ] [ -P pid file ] [ command ... ]

OVERVIEW

       wpa_cli	is  a  text-based  frontend program for interacting with wpa_supplicant. It is used to query current status, change configuration,
       trigger events, and request interactive user input.

       wpa_cli can show the current authentication status, selected security mode, dot11 and dot1x MIBs, etc. In addition, it can  configure  some
       variables  like	EAPOL state machine parameters and trigger events like reassociation and IEEE 802.1X logoff/logon. wpa_cli provides a user
       interface to request authentication information, like username and password, if these are not included in the configuration.  This  can	be
       used  to implement, e.g., one-time-passwords or generic token card authentication where the authentication is based on a challenge-response
       that uses an external device for generating the response.

       The control interface of wpa_supplicant can be configured to allow non-root user access (ctrl_interface GROUP= parameter in the	configura-
       tion file). This makes it possible to run wpa_cli with a normal user account.

       wpa_cli	supports  two modes: interactive and command line. Both modes share the same command set and the main difference is in interactive
       mode providing access to unsolicited messages (event messages, username/password requests).

       Interactive mode is started when wpa_cli is executed without including the command as a command line parameter. Commands are  then  entered
       on the wpa_cli prompt. In command line mode, the same commands are entered as command line arguments for wpa_cli.

INTERACTIVE AUTHENTICATION PARAMETERS REQUEST

       When wpa_supplicant need authentication parameters, like username and password, which are not present in the configuration file, it sends a
       request message to all attached	frontend  programs,  e.g.,  wpa_cli  in  interactive  mode.  wpa_cli  shows  these  requests  with  "CTRL-
       REQ-<type>-<id>:<text>"	prefix. <type> is IDENTITY, PASSWORD, or OTP (one-time-password). <id> is a unique identifier for the current net-
       work. <text> is description of the request. In case of OTP request, it includes the challenge from the authentication server.

       The reply to these requests can be given with identity, password, and otp commands. <id> needs to be  copied  from  the	matching  request.
       password and otp commands can be used regardless of whether the request was for PASSWORD or OTP. The main difference between these two com-
       mands is that values given with password are remembered as long as wpa_supplicant is running whereas values given with otp  are	used  only
       once  and  then	forgotten,  i.e., wpa_supplicant will ask frontend for a new value for every use.  This can be used to implement one-time-
       password lists and generic token card -based authentication.

       Example request for password and a matching reply:

	      CTRL-REQ-PASSWORD-1:Password needed for SSID foobar
	      > password 1 mysecretpassword

       Example request for generic token card challenge-response:

	      CTRL-REQ-OTP-2:Challenge 1235663 needed for SSID foobar
	      > otp 2 9876

COMMAND ARGUMENTS

       -p path
	      Change the path where control sockets should be found.

       -i ifname
	      Specify the interface that is being configured.  By default, choose the first interface found with a control socket  in  the  socket
	      path.

       -h     Help.  Show a usage message.

       -v     Show version information.

       -B     Run as a daemon in the background.

       -a file
	      Run  in  daemon  mode  executing	the action file based on events from wpa_supplicant.  The specified file will be executed with the
	      first argument set to interface name and second to "CONNECTED" or "DISCONNECTED" depending on the event.	This can be used  to  exe-
	      cute networking tools required to configure the interface.

	      Additionally,  three  environmental variables are available to the file: WPA_CTRL_DIR, WPA_ID, and WPA_ID_STR. WPA_CTRL_DIR contains
	      the absolute path to the ctrl_interface socket. WPA_ID contains the unique network_id identifier assigned to the active network, and
	      WPA_ID_STR contains the content of the id_str option.

       -P file
	      Set the location of the PID file.

       command
	      Run a command.  The available commands are listed in the next section.

COMMANDS

       The following commands are available:

       status get current WPA/EAPOL/EAP status

       mib    get MIB variables (dot1x, dot11)

       help   show this usage help

       interface [ifname]
	      show interfaces/select interface

       level <debug level>
	      change debug level

       license
	      show full wpa_cli license

       logoff IEEE 802.1X EAPOL state machine logoff

       logon  IEEE 802.1X EAPOL state machine logon

       set    set variables (shows list of variables when run without arguments)

       pmksa  show PMKSA cache

       reassociate
	      force reassociation

       reconfigure
	      force wpa_supplicant to re-read its configuration file

       preauthenticate <BSSID>
	      force preauthentication

       identity <network id> <identity>
	      configure identity for an SSID

       password <network id> <password>
	      configure password for an SSID

       pin <network id> <pin>
	      configure pin for an SSID

       otp <network id> <password>
	      configure one-time-password for an SSID

       bssid <network id> <BSSID>
	      set preferred BSSID for an SSID

       list_networks
	      list configured networks

       terminate
	      terminate wpa_supplicant

       quit   exit wpa_cli

SEE ALSO

       wpa_supplicant(8)

LEGAL

       wpa_supplicant is copyright (c) 2003-2007, Jouni Malinen <j@w1.fi> and contributors.  All Rights Reserved.

       This program is dual-licensed under both the GPL version 2 and BSD license. Either license may be used at your option.

								  16 January 2010							WPA_CLI(8)
Man Page