eduroam, wpa_supplicant and openbsd

eduroam works quite well on OpenBSD, provided that one's network card is supported. The “standard tutorial” seems to be this one. However, for me the problem is that it requires storing the eduroam password, which at many universities is also the single-sign-on password (e-mail, other services, etc.), in plain text. To avoid this, I wrote a small shell script that prompts the user for their eduroam username and password, writes them to /etc/wpa_supplicant.conf, starts wpa_supplicant and then blanks /etc/wpa_supplicant.conf again.

#!/bin/ksh

# This script uses wpa_supplicant (pkg_add -r wpa_supplicant)
# to connect to eduroam.
# For more details see:
# https://www.kariliq.nl/openbsd/eduroam-uva.html
#
# In general wpa_supplicant requires the password to be stored
# in its configuration file. This script works around this
# limitation by prompting for the password (and potentially the
# username), writing them to the configuration file, connecting
# to eduroam and then blanking the password (and username) from
# the configuration file.
# See the end of this file for a valid wpa_supplicant.conf.

CONF="/etc/wpa_supplicant.conf"
INTERFACE="iwn0"

# The credentials only live in $CONF between the rewrite below and
# the blanking at the end, so keep the file root-only and make sure
# the blanking also happens if the script is interrupted (^C) or
# fails half way; otherwise the password stays on disk.
chmod 600 "$CONF"

blank_conf() {
	stty echo 2>/dev/null
	echo "Blanking $CONF"
	sed -i "s/identity.*/identity=\"\"/" "$CONF"
	sed -i "s/password.*/password=\"\"/" "$CONF"
}
trap blank_conf EXIT
trap 'exit 1' INT TERM

# Escape the characters that are special in a sed replacement
# ('\', '/' and '&'); a password containing one of them would
# otherwise break the sed expression or end up mangled in $CONF.
sed_escape() {
	printf '%s' "$1" | sed 's/[\/&\\]/\\&/g'
}

# If you do not want to prompt for a user,
# use this line instead of the read below:
# eUSER="userid@institution.tld"
echo "Enter User:"
read -r eUSER

echo "Enter Pass:"
# turn off terminal echoing
stty -echo
read -r ePASS
# turn it back on (and print the newline the user's Enter did not)
stty echo
echo

echo "Rewriting $CONF for user $eUSER"

# Note: the values pass through sed's argument list, so they are
# briefly visible to other local users in ps(1) output.
sed -i "s/identity.*/identity=\"$(sed_escape "$eUSER")\"/" "$CONF"
sed -i "s/password.*/password=\"$(sed_escape "$ePASS")\"/" "$CONF"
echo "Setting up $INTERFACE..."
ifconfig "$INTERFACE" -wpakey
ifconfig "$INTERFACE" nwid eduroam wpa wpaakms 802.1x up
echo "Starting wpa_supplicant"
wpa_supplicant -Bc "$CONF" -D openbsd -i "$INTERFACE"
echo "Running dhclient on $INTERFACE"
dhclient "$INTERFACE"
# for some reason we need to run it twice...
dhclient "$INTERFACE"

# $CONF is blanked by the EXIT trap installed above.

# an example of a valid wpa_supplicant.conf
#
# ctrl_interface=/var/run/wpa_supplicant
# ctrl_interface_group=wheel
#
# network={
#	ssid="eduroam"
#	key_mgmt=WPA-EAP
#	eap=TTLS
#	phase2="auth=PAP"
#	ca_cert="/etc/ssl/cert.pem"
#	anonymous_identity="anonymous@institution.tld"
#	identity=""
#	password=""
#}
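The script above patches the credentials into the config with sed, which means the password is both a sed replacement (where '/', '&' and '\' are special) and a command-line argument visible in ps(1). The following functions, an added example and not part of the original post, regenerate the whole file instead: wpa_supplicant accepts a hex string in place of a quoted string for its string fields, so any password survives unchanged, and the secret only travels through a pipe and a here-document. The ssid, ca_cert path and anonymous_identity are placeholders copied from the sample config above.

```shell
#!/bin/sh
# Added example (not the original post's script): write
# wpa_supplicant.conf from a template with hex-encoded credentials
# instead of sed-editing it in place. Hex avoids every quoting and
# sed-metacharacter problem, and the password is never an argv entry.

# hex_encode STRING -> lowercase hex of its bytes, no separators
hex_encode() {
    printf '%s' "$1" | od -An -v -tx1 | tr -d ' \n'
}

# conf_value STRING -> hex string, or "" (quoted empty) when blank,
# so that a blanked file looks like the sample config above.
conf_value() {
    if [ -z "$1" ]; then printf '""'; else hex_encode "$1"; fi
}

# write_wpa_conf CONF USER PASS: write the whole file to a temp file
# next to CONF (mktemp creates it mode 0600) and move it into place
# atomically, so no reader ever sees a half-written config.
write_wpa_conf() {
    _conf=$1 _user=$2 _pass=$3
    _tmp=$(mktemp "${_conf}.XXXXXX") || return 1
    cat > "$_tmp" <<EOF
ctrl_interface=/var/run/wpa_supplicant
ctrl_interface_group=wheel

network={
	ssid="eduroam"
	key_mgmt=WPA-EAP
	eap=TTLS
	phase2="auth=PAP"
	ca_cert="/etc/ssl/cert.pem"
	anonymous_identity="anonymous@institution.tld"
	identity=$(conf_value "$_user")
	password=$(conf_value "$_pass")
}
EOF
    mv "$_tmp" "$_conf"
}

# blank_wpa_conf CONF: same file with the credentials removed;
# call it from an EXIT trap after wpa_supplicant has started.
blank_wpa_conf() {
    write_wpa_conf "$1" "" ""
}
```

In the script above this pair replaces the two sed -i calls and the blanking sed calls respectively: write_wpa_conf "$CONF" "$eUSER" "$ePASS" before starting wpa_supplicant, blank_wpa_conf "$CONF" afterwards.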