wpa_supplicant
wpa_supplicant 是跨平台的 WPA 請求者程序(supplicant),支持 WEP、WPA 和 WPA2(IEEE 802.11i).。可以在桌面、筆記本甚至嵌入式系統中使用。
wpa_supplicant 是在客戶端使用的 IEEE 802.1X/WPA 組件,支持與 WPA Authenticator 的交互,控制漫遊和無線驅動的IEEE 802.11 驗證和關聯。
安裝[編輯 | 編輯原始碼]
安裝 wpa_supplicant包 軟件包。此軟件包提供了主程序 wpa_supplicant,密碼工具 wpa_passphrase 和文字界面前端 wpa_cli.
此外軟件包 wpa_supplicant_guiAUR 提供了圖形界面 wpa_gui。 wpa-cuteAUR 是 wpa_gui 的一個分支,提供了額外的修正和改進。
概覽[編輯 | 編輯原始碼]
連接到加密無線網絡的第一步是讓 wpa_supplicant 獲取 WPA 認證者的認證。為此, wpa_supplicant 必須進行配置以使其能夠向認證者提交認證信息。
完成認證後需要分配 IP 地址,請參考:網絡配置#IP addresses。
用 wpa_cli 連接[編輯 | 編輯原始碼]
這種方法使用了 wpa_cli 命令行工具,可以用其掃描可用網絡,並配置 wpa_supplicant 。詳細信息可以參考 wpa_cli(8) 。
使用 wpa_cli 前,需要先為 wpa_supplicant 指定一個控制接口,且它需要獲得更新配置的權限。先創建一個最小配置:
/etc/wpa_supplicant/wpa_supplicant.conf
ctrl_interface=/run/wpa_supplicant update_config=1
接下來啟動 wpa_supplicant :
# wpa_supplicant -B -i interface -c /etc/wpa_supplicant/wpa_supplicant.conf
ip link 命令查看你的無線網卡名稱。完成後,執行:
# wpa_cli
這一步完成後會顯示一個交互提示符 (>),同時帶有 tab 補全及命令描述功能。
/var/run/wpa_supplicant/,可以使用 -p 選項手動指定位置,以與wpa_supplicant 的配置相符。另外,可以使用 -i 選項指定需配置的接口,否則將使用由 wpa_supplicant 管理的第一個網絡接口。使用 scan 和 scan_results 命令查看可用網絡:
> scan OK <3>CTRL-EVENT-SCAN-RESULTS > scan_results bssid / frequency / signal level / flags / ssid 00:00:00:00:00:00 2462 -49 [WPA2-PSK-CCMP][ESS] MYSSID 11:11:11:11:11:11 2437 -64 [WPA2-PSK-CCMP][ESS] ANOTHERSSID
要將網絡與 MYSSID 進行關聯,先添加網絡,配置憑證並啟用:
> add_network 0 > set_network 0 ssid "MYSSID" > set_network 0 psk "passphrase" > enable_network 0 <2>CTRL-EVENT-CONNECTED - Connection to 00:00:00:00:00:00 completed (reauth) [id=0 id_str=]
如果對應的 SSID 無需密碼驗證,則需要將命令 set_network 0 psk "passphrase" 替換為 set_network 0 key_mgmt NONE ,以將網絡指定為無密碼。
- 每個網絡都按照數字順序進行排列,所以第一個網絡的索引為 0。
- PSK 是由 引號 括起的 "passphrase" 字符串計算而來,同時也在 wpa_passphrase 命令中顯示。儘管如此,你也可以直接 不使用引號 向
psk傳入 PSK 。
最後,將網絡保存到配置文件中:
> save_config OK
完成後,你需要獲取一個 IP 地址,例如使用 dhcpcd 。
帶 wpa 通行字的連接[編輯 | 編輯原始碼]
用命令行工具 wpa_passphrase 生成 wpa_supplicant 所需的最小配置,可以快速連接到已知 SSID 的無線網絡。例如:
$ wpa_passphrase MYSSID passphrase
network={
ssid="MYSSID"
#psk="passphrase"
psk=59e0d07fa4c7741797a4e394f38a5c321e3bed51d54ad5fcbd3f84bc7415d73d
}
上例表明,wpa_supplicant 可以與 wpa_passphrase 協同工作,只需簡單地這樣做即可:
# wpa_supplicant -B -i interface -c <(wpa_passphrase MYSSID passphrase)
Successfully initialized wpa_supplicant Failed to open config file '/dev/fd/63', error: No such file or directory Failed to read or parse configuration '/dev/fd/63'參閱:Help:Reading#一般用戶還是 root 用戶。
- 如果輸入內容包含空格請使用引號。例如:
"secret passphrase"。 - 要找出無線網卡的名字,使用
ip link命令。 - 某些不常用的複雜通行字要求從文件輸入,例如:
wpa_passphrase MYSSID < passphrase.txt;或者從命令行輸入,例如:wpa_passphrase MYSSID <<< "passphrase"。
連接後需要獲取 IP 地址,可以使用 dhcpcd.
高級用法[編輯 | 編輯原始碼]
對於各種紛繁複雜的網絡,更常見的場景是使用 EAP 管理配置文件。各種配置及其範例可參閱手冊頁wpa_supplicant.conf(5);所有可支持的配置參數可參考範例文件 /etc/wpa_supplicant/wpa_supplicant.conf。
配置[編輯 | 編輯原始碼]
如上文中#帶 wpa 通行字的連接一節所述,一個基本的配置文件可以這樣生成:
# wpa_passphrase MYSSID passphrase > /etc/wpa_supplicant/example.conf
這樣僅僅是創建了一個網絡配置節段。包含更多通用配置項的配置文件類似下面這樣:
/etc/wpa_supplicant/example.conf
ctrl_interface=/var/run/wpa_supplicant
ctrl_interface_group=wheel
update_config=1
fast_reauth=1
ap_scan=1
network={
ssid="MYSSID"
psk=59e0d07fa4c7741797a4e394f38a5c321e3bed51d54ad5fcbd3f84bc7415d73d
}
如果可以不顧及安全問題,其中的通行字可以換成由引號包圍的純文本:
network={
ssid="MYSSID"
psk="passphrase"
}
如果某一網絡沒有設置通行字,比如一個公共無線網絡,就是這樣:
network={
ssid="MYSSID"
key_mgmt=NONE
}
Further network blocks may be added manually, or using wpa_cli as illustrated in #用 wpa_cli 連接. In order to use wpa_cli, a control interface must be set with the ctrl_interface option. Setting ctrl_interface_group=wheel allows users belonging to such group to execute wpa_cli. This setting can be used to enable users without root access (or equivalent via sudo etc) to connect to wireless networks. Also add update_config=1 so that changes made with wpa_cli to example.conf can be saved. Note that any user that is a member of the ctrl_interface_group group will be able to make changes to the file if this is turned on.
fast_reauth=1 and ap_scan=1 are the wpa_supplicant options active globally at the time of writing. Whether you need them, or other global options too for that matter, depends on the type of network to connect to. If you need other global options, simply copy them over to the file from /etc/wpa_supplicant/wpa_supplicant.conf.
Alternatively, wpa_cli set can be used to see options' status or set new ones. Multiple network blocks may be appended to this configuration: the supplicant will handle association to and roaming between all of them. The strongest signal defined with a network block usually is connected to by default, one may define priority= to influence behaviour.
An advantage to be mentioned in using a customized configuration file at /etc/wpa_supplicant/wpa_supplicant.conf is that it is used by default by dhcpcd. If you do so, you might want to make a backup of the original and delete the extensive network block examples in it. Otherwise, do not be surprised if your device suddenly connects to networks defined in them. In any case, changes to new versions of the configuration file should of course be merged.
scan_ssid=1 has to be defined in the network block.連接[編輯 | 編輯原始碼]
手動連接[編輯 | 編輯原始碼]
首先啟動 wpa_supplicant 命令,其最常用的參數為:
-B- 在後台運行。-c filename- 配置文件的路徑。-i interface- 要監聽的設備。-D driver- (可選)使用的驅動。運行wpa_supplicant -h以查看所支持的驅動列表。nl80211是目前的標準,但是不是所有無線網卡都支持。wext目前已經棄用,但是仍被廣泛支持。
見 wpa_supplicant(8) 獲取全部參數的列表。例如:
# wpa_supplicant -B -i interface -c /etc/wpa_supplicant/example.conf
接着是手動獲取IP的方法,正如在#概覽中提到的,例如:
# dhcpcd interface
引導時連接(systemd)[編輯 | 編輯原始碼]
wpa_supplicant 軟件包中提供了多個 systemd 服務文件:
wpa_supplicant.service- 使用 D-Bus ,建議 NetworkManager 用戶使用。wpa_supplicant@.service- 接受網口名作為參數,啟動服務於該網口的 wpa_supplicant 守護進程。這個服務將讀取/etc/wpa_supplicant/wpa_supplicant-interface.conf這個配置文件。wpa_supplicant-nl80211@.service- 同樣接受網口名作為參數,但明確限定使用nl80211驅動(詳閱下文)。它的配置文件是/etc/wpa_supplicant/wpa_supplicant-nl80211-interface.conf。wpa_supplicant-wired@.service- 同樣接受網口名作為參數,使用wired(有線網絡)驅動。它的配置文件是/etc/wpa_supplicant/wpa_supplicant-wired-interface.conf。
在引導時激活無線網絡,就是激活服務於某個無線網絡接口的上述服務單元之一。
現在就可以像概覽一節所述,可以選定某個網絡接口並激活其服務單元的一個實例,從而獲取一個 IP 地址。
802.1x/radius[編輯 | 編輯原始碼]
To connect a wired adapter using 802.1x/radius you will need to specify some configurations and enable the necessary service for the adapter. This is useful for headless servers using networkd.
Replace adapter with the wired adapter you wish to connect, and adapt the settings to match your 802.1x/radius requirements.
/etc/wpa_supplicant/wpa_supplicant-wired-adapter.conf
ctrl_interface=/var/run/wpa_supplicant
ap_scan=0
network={
key_mgmt=IEEE8021X
eap=PEAP
identity="user_name"
password="user_password"
phase2="autheap=MSCHAPV2"
}
IEEE8021X to WPA-EAP and removing the ap_scan=0 lineSince this file is storing a plaintext password, chown it to root:root and chmod it to 600.
Before running the wpa_supplicant-wired@adapter.service service, make sure to set the device down:
# ip link set adapter down
dhcpcd@adapter.service to solicit an address.wpa_cli 操作腳本[編輯 | 編輯原始碼]
wpa_cli can run in daemon mode and execute a specified script based on events from wpa_supplicant. Two events are supported: CONNECTED and DISCONNECTED. Some environment variables are available to the script, see wpa_cli(8) for details.
The following example will use desktop notifications to notify the user about the events:
#!/bin/sh
case "$2" in
CONNECTED)
notify-send "WPA supplicant: connection established";
;;
DISCONNECTED)
notify-send "WPA supplicant: connection lost";
;;
esac
Remember to make the script executable, then use the -a flag to pass the script path to wpa_cli:
$ wpa_cli -a /path/to/script
排錯[編輯 | 編輯原始碼]
/etc/wpa_supplicant/wpa_supplicant.conf, which is filled with uncommented examples that will lead to lots of random errors in practice. This is a known packaging bug of the wpa_supplicant包 package: FS#40661.某些硬件上 nl80211 驅動不支持[編輯 | 編輯原始碼]
On some (especially old) hardware, wpa_supplicant may fail with the following error:
Successfully initialized wpa_supplicant nl80211: Driver does not support authentication/association or connect commands wlan0: Failed to initialize driver interface
This indicates that the standard nl80211 driver does not support the given hardware. The deprecated wext driver might still support the device:
# wpa_supplicant -B -i wlan0 -D wext -c /etc/wpa_supplicant/example.conf
If the command works to connect, and the user wishes to use systemd to manage the wireless connection, it is necessary to edit the wpa_supplicant@.service unit provided by the package and modify the ExecStart line accordingly:
/etc/systemd/system/wpa_supplicant@.service.d/wext.conf
[Service] ExecStart= ExecStart=/usr/bin/wpa_supplicant -c/etc/wpa_supplicant/wpa_supplicant-%I.conf -i%I -Dnl80211,wext
-Dnl80211,wext makes wpa_supplicant use the first driver wrapper that is able to initialize the interface (see wpa_supplicant(8)). This is useful when using mutiple or removable (e.g. USB) wireless devices which use different drivers.掛載了網絡共享(CIFS)時的關機問題[編輯 | 編輯原始碼]
When you use wireless to connect to network shares you might have the problem that the shutdown takes a very long time. That is because systemd runs against a 3 minute timeout. The reason is that WPA supplicant is shut down too early, i.e. before systemd tries to unmount the share(s). A bug report suggests a work-around by editing the wpa_supplicant@.service as follows:
/etc/systemd/system/wpa_supplicant.service.d/override.conf
[Unit] After=dbus.service
口令相關的問題[編輯 | 編輯原始碼]
wpa_supplicant包 may not work properly if directly passed via stdin particularly long or complex passphrases which include special characters. This may lead to errors such as failed 4-way WPA handshake, PSK may be wrong when launching wpa_supplicant包.
In order to solve this try using here strings wpa_passphrase <MYSSID> <<< "<passphrase>" or passing a file to the -c flag instead:
$ wpa_supplicant -i <interface> -c /etc/wpa_supplicant/wpa_supplicant.conf
In some instances it was found that storing the passphrase cleartext in the psk key of the wpa_supplicant.conf network block gave positive results (see [1]). However, this approach is rather insecure. Using wpa_cli to create this file instead of manually writing it gives the best results most of the time and therefore is the recommended way to proceed.