Sending mail on the Linux command line (Ubuntu)

Unencrypted mail

Install bsd-mailx:

apt-get install bsd-mailx

Edit /etc/mail.rc and add the following lines:

set smtp=smtp://mail.example.com
alias root postmaster@example.com

Run mailx:

$ mailx root
Subject: test 
This is a test. 
. 
Cc: 

Notes:

  • Mail gets sent to postmaster@example.com (see mail.rc).
  • Mail server is mail.example.com (see mail.rc).
  • Email message body is terminated by a single "." as the last line.
Share

Upgrading from Ubuntu 16.04 LTS to 18.04 LTS

Overall changes

  • Support has been dropped from
    tcpd
    xinetd
    isc-dhcp-server-ldap
    ntp
    There might be problems to automatically start the ntp service at boot time.
    ntpdate
    firewalld
    ssmtp

New versions

  • kernel 4.4 -> 4.15
  • bind 9.10.3 -> 9.11.3
    https://kb.isc.org/category/81/0/10/Software-Products/BIND9/Release-Notes/
    https://www.isc.org/downloads/bind/bind-9-11-new-features/
  • bacula-fd 7.0.5 -> 9.0.6
    http://www.bacula.org/9.0.x-manuals/en/main/New_Features_in_7_4_0.html
    http://www.bacula.org/9.0.x-manuals/en/main/New_Features_in_9_0_0.html
  • systemd 229 -> 237
    https://github.com/systemd/systemd/blob/master/NEWS

Installing Bacula client from source

Again the new bacula-fd version 9.0.6 might be a problem, if you are running a Bacula server with an older version (s. Upgrade from Ubuntu Desktop 14.04 LTS to 16.04 LTS). In your job output, you will see an error like this:

25-Apr 02:15 server-dir JobId 5638: FD compression disabled for this Job because AllowCompress=No in Storage resource.
25-Apr 02:15 server-dir JobId 5638: Error: getmsg.c:178 Malformed message: Jmsg JobId=5638 type=9 level=1524615306 client-fd JobId 5638:      Unchanged file skipped: /etc/inputrc

25-Apr 02:15 server-dir JobId 5638: Error: getmsg.c:178 Malformed message: Jmsg JobId=5638 type=9 level=1524615306 client-fd JobId 5638:      Unchanged file skipped: /etc/bind/db.empty

25-Apr 02:15 server-sd JobId 5638: Fatal error: bsock.c:547 Packet size=1073742451 too big from "client:192.168.0.1:9103. Terminating connection.
25-Apr 02:15 server-dir JobId 5638: Error: getmsg.c:178 Malformed message: Jmsg JobId=5638 type=9 level=1524615306 client-fd JobId 5638:      Unchanged file skipped: /etc/bind/Kexample2.+163+42584.private

25-Apr 02:15 server-sd JobId 5638: Fatal error: append.c:149 Error reading data header from FD. n=-2 msglen=0 ERR=No data available
25-Apr 02:15 server-dir JobId 5638: Error: getmsg.c:178 Malformed message: Jmsg JobId=5638 type=9 level=1524615306 client-fd JobId 5638:      Unchanged file skipped: /etc/bind/zones.rfc1918

25-Apr 02:15 server-sd JobId 5638: Elapsed time=00:00:01, Transfer rate=186  Bytes/second
25-Apr 02:15 server-dir JobId 5638: Error: getmsg.c:178 Malformed message: Jmsg JobId=5638 type=4 level=1524615307 client-fd JobId 5638: Error: bsock.c:649 Write error sending 884 bytes to Storage daemon:192.168.0.1:9103: ERR=Broken pipe

25-Apr 02:15 server-dir JobId 5638: Error: getmsg.c:178 Malformed message: Jmsg JobId=5638 type=3 level=1524615307 client-fd JobId 5638: Fatal error: backup.c:843 Network send error to SD. ERR=Broken pipe

25-Apr 02:15 server-dir JobId 5638: Error: getmsg.c:178 Malformed message: Jmsg JobId=5638 type=4 level=1524615317 client-fd JobId 5638: Error: bsock.c:537 Socket has errors=1 on call to Storage daemon:192.168.0.1:9103

25-Apr 02:15 server-dir JobId 5638: Fatal error: bsock.c:547 Packet size=1073741935 too big from "Client: client-fd:client.example.com:9102. Terminating connection.
25-Apr 02:15 server-dir JobId 5638: Fatal error: No Job status returned from FD.

Here is how to install bacula-fd 5.2.13 from source on Ubuntu 18.04:

  • systemctl stop bacula-fd
  • Install packages required for building bacula client from source:
    apt-get install build-essentials libssl1.0-dev
  • Download bacula-5.2.13.tar.gz and bacula-5.2.13.tar.gz.sig from https://sourceforge.net/projects/bacula/files/bacula/5.2.13/
  • Import Bacula Distribution Verification Key and check key fingerprint (fingerprint for my downloaded Bacula key is 2CA9 F510 CA5C CAF6 1AB5  29F5 9E98 BF32 10A7 92AD):
    gpg --recv-keys 10A792AD
    gpg --fingerprint -k 10A792AD
  • Check signature of downloaded files:
    gpg --verify bacula-5.2.13.tar.gz.sig
  • tar -xzvf bacula-5.2.13.tar.gz
  • cd bacula-5.2.13
  • ./configure --prefix=/usr/local --enable-client-only --disable-build-dird --disable-build-stored --with-openssl --with-pid-dir=/var/run/bacula --with-systemd
  • check output of previous configure command
  • make && make install
  • check output of previous command for any errors
  • create new file /etc/ld.so.conf.d/local.conf:
    /usr/local/lib
  • ldconfig
  • Delete the following files:
    rm /lib/systemd/system/bacula-fd.service
    rm /etc/init.d/bacula-fd
    (In fact you can remove the bacula-fd 9.0.6 package completely, just make sure to copy the directory /etc/bacula somewhere safe before you do, and restore it afterwards.)
  • Create file /etc/systemd/system/bacula-fd.service (see below)
  • systemctl daemon-reload
  • systemctl start bacula-fd

/etc/systemd/system/bacula-fd.service:

[Unit] 
Description=Bacula File Daemon service 
Documentation=man:bacula-fd(8) 
Requires=network.target 
After=network.target 
RequiresMountsFor=/var/lib/bacula /etc/bacula /usr/sbin 
 
# from http://www.freedesktop.org/software/systemd/man/systemd.service.html 
[Service] 
Type=forking 
User=root 
Group=root 
Environment="CONFIG=/etc/bacula/bacula-fd.conf" 
EnvironmentFile=-/etc/default/bacula-fd 
ExecStartPre=/usr/local/sbin/bacula-fd -t -c $CONFIG 
ExecStart=/usr/local/sbin/bacula-fd -u root -g root -c $CONFIG 
ExecReload=/bin/kill -HUP $MAINPID 
SuccessExitStatus=15 
Restart=on-failure 
RestartSec=60 
PIDFile=/run/bacula/bacula-fd.9102.pid 

[Install] 
WantedBy=multi-user.target

Make sure that in you bacula-fd.conf, you have:

Pid Directory = /run/bacula

... and that the directory actually exists.

Some notable changes to systemd

When using systemd's default tmp.mount unit for /tmp, the mount point will now be established with the "nosuid" and "nodev" options. This avoids privilege escalation attacks that put traps and exploits into /tmp. However, this might cause problems if you e. g. put container images or overlays into /tmp; if you need this, override tmp.mount's "Options=" with a drop-in, or mount /tmp from /etc/fstab with your desired options.

systemd-resolved now listens on the local IP address 127.0.0.53:53 for DNS requests. This improves compatibility with local programs that do not use the libc NSS or systemd-resolved's bus APIs for name resolution. This minimal DNS service is only available to local programs and does not implement the full DNS protocol, but enough to cover local DNS clients. A new, static resolv.conf file, listing just this DNS server is now shipped in /usr/lib/systemd/resolv.conf. It is now recommended to make /etc/resolv.conf a symlink to this file in order to route all DNS lookups to systemd-resolved, regardless if done via NSS, the bus API or raw DNS packets. Note that this local DNS service is not as fully featured as the libc NSS or systemd-resolved's bus APIs. For example, as unicast DNS cannot be used to deliver link-local address information (as this implies sending a local interface index along), LLMNR/mDNS support via this interface is severely restricted. It is thus strongly recommended for all applications to use the libc NSS API or native systemd-resolved bus API instead.

systemd-resolved gained a new "DNSStubListener" setting in resolved.conf. It either takes a boolean value or the special values "udp" and "tcp", and configures whether to enable the stub DNS listener on 127.0.0.53:53.

The new ProtectKernelModules= option can be used to disable explicit load and unload operations of kernel modules by a service. In addition access to /usr/lib/modules is removed if this option is set.

Units acquired a new boolean option IPAccounting=. When turned on, IP traffic accounting (packet count as well as byte count) is done for the service, and shown as part of "systemctl status" or "systemd-run --wait". If CPUAccounting= or IPAccounting= is turned on for a unit a new structured log message is generated each time the unit is stopped, containing information about the consumed resources of this invocation.

Share

Check for new versions of Firefox, Thunderbird

#!/bin/bash 
 
function checkVersion() { 
        V1=$(echo $1 | tr -d [:alpha:])
        V2=$(echo $2 | tr -d [:alpha:])
        MAJ1=$(echo $V1 | cut -d. -f1) 
        MIN1=$(echo $V1 | cut -d. -f2) 
        REV1=$(echo $V1 | cut -d. -f3) 
 
        MAJ2=$(echo $V2 | cut -d. -f1) 
        MIN2=$(echo $V2 | cut -d. -f2) 
        REV2=$(echo $V2 | cut -d. -f3) 
 
        if [[ $MAJ1 -lt $MAJ2 ]] ; then 
                return 1; 
        fi 
 
        if [[ $MAJ1 -eq $MAJ2 ]] ; then 
                if [[ -n "$MIN2" ]] ; then 
                        if [[ -n "$MIN1" ]] ; then 
                                if [[ $MIN1 -lt $MIN2 ]] ; then 
                                        return 1; 
                                fi 
 
                                if [[ $MIN1 -eq $MIN2 ]] ; then 
                                        if [[ -n "$REV2" ]] ; then 
                                                if [[ -n "$REV1" ]] ; then 
                                                        if [[ $REV1 -lt $REV2 ]] ; then 
                                                                return 1; 
                                                        fi 
                                                else 
                                                        return 1; 
                                                fi 
                                        fi 
                                fi 
                        else 
                                return 1; 
                        fi 
                fi 
        fi 
 
        return 0; 
} 
 
# Check Thunderbird 
TB=$(curl -s https://ftp.mozilla.org/pub/thunderbird/releases/ | sed -n "s/^\s\+<td><a href=\".*\">\(.*\)\/<\/a><\/td>$/\1/gp" | sort -g | grep -v b | tail -n 1 ) 
TBL=$(thunderbird -v | sed -n "s/^\s*Thunderbird\s*\(.*\)$/\1/gp") 
 
checkVersion $TBL $TB 
if [[ $? -eq 1 ]] ; then 
        echo "Update Thunderbird ($TBL -> $TB)" 
fi 
 
# Check Firefox 
TB=$(curl -s https://ftp.mozilla.org/pub/firefox/releases/ | sed -n "s/^\s\+<td><a href=\".*\">\(.*\)\/<\/a><\/td>$/\1/gp" | sort -g | grep -v b | tail -n 1 ) 
TBL=$(firefox -v | sed -n "s/^.*Firefox\s*\(.*\)$/\1/gp") 
 
checkVersion $TBL $TB 
if [[ $? -eq 1 ]] ; then 
        echo "Update Firefox ($TBL -> $TB)" 
fi
Share

That was 2017

Ubuntu 16.04 LTS Security Notices

Overall USNs: 348

Highest CVE priority fixed by USN:

  • High: 61
  • Medium: 277
  • Low: 5

Bugfixes in Red Hat Enterprise Linux 7

https://www.redhat.com/security/data/metrics/

Critical: 45 vulnerabilities
** Average time for fixing: 2 days
** 15% were 0day
** 37% were within 1 day
** 100% were within 7 days
** 100% were within 14 days
** 100% were within 31 days
** 100% were within 90 days

Important: 137 vulnerabilities
**Average time for fixing: 39 days
** 22% were 0day
** 29% were within 1 day
** 63% were within 7 days
** 65% were within 14 days
** 69% were within 31 days
** 87% were within 90 days

Moderate: 308 vulnerabilities
**Average time for fixing: 165 days
** 3% were 0day
** 8% were within 1 day
** 20% were within 7 days
** 21% were within 14 days
** 25% were within 31 days
** 43% were within 90 days

Low: 103 vulnerabilities
**Average time for fixing: 264 days
** 0% were 0day
** 2% were within 1 day
** 7% were within 7 days
** 7% were within 14 days
** 7% were within 31 days
** 19% were within 90 days

Share

Top 20 reasons for choosing weak passwords

  1. You just don't care because the account does not contain sensitive data and you are not using your real name anyway.
  2. Typing in strong passwords with a combination of special characters and regular characters takes ages on smart phones and tablets.
  3. Computers can't be trusted anyway, so why bother with a complicated password?
  4. Nobody is interested in you anyway.
  5. Password is for a shared account. Explaining to someone the password "%&__!(E2-<"+?=-:*d3//#@" over the phone is just too nerve wrecking.
  6. You want to have access to the account in case of an emergency, and you are afraid to forget the password if it is too complicated.
  7. "12345" can not be so bad if everyone else is using it as a password.
  8. After using strong passwords for years, your wifi was hacked by a 13 year old neighbor kid who got bored playing World of Warcraft on a Saturday evening.
  9. When creating an account you first choose a password easy to remember, only to change it later to a much more secure password. Never happens.
  10. The real password is your username.
  11. You are a math genius: If "12345" is so highly likely to be guessed, why do these numbers never get picked by the national lottery?
  12. Two words: Quantum computers
  13. Passwords are for pussies: Secret information is hidden in porn movies using steganography.
  14. You are a celebrity who wants to get into the headlines.
  15. You want to become a celebrity and therefore use every way to get into the headlines.
  16. Wife wants to set a trap for her husband to see if he is spying on her. Chooses a weak password and checks login times regularly.
  17. What was the question? Passwords? ... yeah ... do you know where my skateboard is?
  18. You know that "12345" is not secure, but at least it's more secure than "1234".
  19. The account is only a temporary account. You use it once and then forget about it.
  20. The account was automatically created by a script.
Share

Upgrading Debian 8 Jessie to Debian 9 Stretch

If configuration files are changed the old version will usually be copied to a backup file (*.dpkg-old). Nevertheless it is a good idea to make a system backup yourself before upgrading.

Description how to upgrade

  • https://www.cyberciti.biz/faq/how-to-upgrade-debian-8-jessie-to-debian-9-stretch/

Network

  • Device names stay the same (eth0, ...). Debian 9 only uses a new naming scheme for new installations.

Bacula 7.4.4

  • So far I had no problems to connect bacula-fd v7.4.4 to a bacula server v7.0.5

FreeRadius 3.0.12

  • Major upgrade from version 2. The configuration will not be automatically merged. You have to do this manually.
  • Basic configuration stays pretty much the same. Some configuration variables have been renamed or moved to a different position.
  • New configuration directories:
    /etc/freeradius/3.0
    /etc/freeradius/3.0/mods-available
    /etc/freeradius/3.0/mods-enabled
    /etc/freeradius/3.0/sites-available
    /etc/freeradius/3.0/sites-enabled
  • https://github.com/FreeRADIUS/freeradius-server/blob/v3.0.x/raddb/README.rst

ejabberd 16.09

Postfix 3.1.4

  • Had no problems with a basic configuration and a couple of virtual mailbox domains.
  • http://www.postfix.org/announcements.html

amavisd-new 2.10.1-4

  • Almost no changes from previous version 2.10.1-2
  • https://launchpad.net/debian/+source/amavisd-new/+changelog

spamassassin 3.4.1

  • No need to change anything if you have a default installation
  • https://svn.apache.org/repos/asf/spamassassin/branches/3.4/build/announcements/3.4.1.txt

courier-*

  • New user/group "courier". File permissions need to be adjusted:
    /etc/courier
    /var/lib/courier
  • Some configuration changes (pid file, certificates location, etc.)

ntp 4.2.8p10

  • No longer subject to DRDoS Amplification Attack
  • Option "limited" added (to default restriction in configuration file)
  • Source restriction added (to configuration file)

OpenSSH 7.4

  • Major upgrade from version 6.7
  • No longer subject to ssh client roaming problem (s. Qualys Security Advisory)
  • New "AddKeysToAgent" client parameter (a private key that is used during authentication will be added to ssh-agent)
  • Default for "PermitRootLogin" changed from "yes" to "prohibit-password".
  • Default for "UsePrivilegeSeparation" changed from "yes" to "sandbox"
  • Default for "UseDNS" changed from "yes" to "no"
  • New option to require 2 different public keys for authentication; may be used for two-man rule / four-eyes principle (s. "AuthenticationMethods=publickey,publickey")
  • https://www.openssh.com/txt/
Share

Squid, c-icap, ClamAV: Bug in the service. Please report to the service author!!!!

If you see this error in your c-icap server logfile, it might just be that c-icap is running out of temporary disk space and that the clamav/virus scanner configuration for c-icap is wrong:

Service antivirus_module virus_scan.so
ServiceAlias  avscan virus_scan?allow204=on&sizelimit=off&mode=simple
virus_scan.MaxObjectSize  5M
TmpDir /tmp

The option "... sizelimit=off..." for the virus_scan service means that the configuration value for "MaxObjectSize" will be ingored. If you have too many parallel squid client connections open or large files to download, c-icap is running out of temporary disk space. It will then log the following error message without further explanation:

Bug in the service. Please report to the service author!!!!

The webbrowser download will be terminated with an error message (something like "internal server error").

To solve this problem, add more free space to the partition where TmpDIr resides, and change the virus_scan service option to "... sizelimit=on ...".

In the worst case, free disk space for the c-icap TmpDIr has to be:
MaxServers * ThreadsPerChild * virus_scan.MaxObjectSize

Share

grub-install: error: disk '...' not found

If you get an error like the following, the reason for this might not be so obvious. In my case I got the following error message trying to run grub-install:

# grub-install /dev/mapper/vg1-lv_boot
Installing for i386-pc platform.
grub-install: error: disk `lvmid/OffQLW-SofZ-KH38-jrbl-RXyw-dmDc-VOJuPf/lbiWU0-SkvY-nDET-EGvy-A1PP-fmGb-dGv7yX' not found.

The logical volume I tried to install grub onto was ok (/dev/mapper/vg1-lv_boot). The problem was somewhere else: I previously had a disk failure in a RAID0 md raid. The faulty drive was replaced online by a hot spare drive. But there was still an encrypted swap device configured for the old drive. And that swap device was not part of the md raid, so it was not automatically transferred to the new spare drive.

Only after removing this non-existing swap partition (swapoff <device>) grub-install was working again. So if you come across any error message from grub-install like the one above, the reason for it might be a problem with ANY configured disk on your system. Check for the following errors:

# swapon -s

Are there any swap partitions in use that no longer exist physically?

# pvdisplay
/dev/mapper/cryptswap2: read failed after 0 of 4096 at 0: Input/output error 
/dev/mapper/cryptswap2: read failed after 0 of 4096 at 1998520320: Input/output error 
/dev/mapper/cryptswap2: read failed after 0 of 4096 at 1998577664: Input/output error 
/dev/mapper/cryptswap2: read failed after 0 of 4096 at 4096: Input/output error 
/dev/sdb: read failed after 0 of 4096 at 0: Input/output error 
/dev/sdb: read failed after 0 of 4096 at 1000204795904: Input/output error 
/dev/sdb: read failed after 0 of 4096 at 1000204877824: Input/output error 
/dev/sdb: read failed after 0 of 4096 at 4096: Input/output error 
/dev/sdb1: read failed after 0 of 4096 at 1998520320: Input/output error 
/dev/sdb1: read failed after 0 of 4096 at 1998577664: Input/output error 
/dev/sdb1: read failed after 0 of 4096 at 0: Input/output error 
/dev/sdb1: read failed after 0 of 4096 at 4096: Input/output error 
/dev/sdb5: read failed after 0 of 4096 at 998203392000: Input/output error 
/dev/sdb5: read failed after 0 of 4096 at 998203449344: Input/output error 
/dev/sdb5: read failed after 0 of 4096 at 0: Input/output error 
/dev/sdb5: read failed after 0 of 4096 at 4096: Input/output error 
--- Physical volume ---
...

Are there any error messages for physical LVM2 volumes? If so, try to remove the erroneous physical volumes from your running configuration. Maybe there are still active mount points on the faulty disks (including swap partitions).

# dmsetup status

All entries in the device mapper list have to be valid. There might not be an obvious error message in the output, so you have to check each dm device manually.

Important things to note:

  • Grub2 no longer relies on the file /boot/grub/device.map . You can create the file with "grub-mkdevicemap", but grub-install does not use it and performs a full system scan by itself.
  • grub-install also examines swap devices, even though it obviously will not use them.
Share

Configuring wireless networks in Linux

1. Overview

This post assumes that you are already familiar with connecting Windows or Mac OS to an existing accesspoint. It also assumes that you have a working wireless network card.  If you are looking for an inexpensive wifi card that you can attach to a USB 2.0 port, take a look at my previous post (CSL 300 Mbit/s wifi adapter with Debian 8 Jessie). You might have to install additional firmware packages.

Here is a list of supported wifi devices by the Linux kernel:
https://wikidevi.com/wiki/List_of_Wi-Fi_Device_IDs_in_Linux

Check with iwconfig that there is a working WiFi device on your computer:

$ iwconfig

wlan0     IEEE 802.11bgn  ESSID:off/any   
          Mode:Managed  Access Point: Not-Associated   Tx-Power=15 dBm    
          Retry short limit:7   RTS thr:off   Fragment thr:off 
          Encryption key:off 
          Power Management:on

This tells us that there is a WiFi device called "wlan0" capable to connect to any 802.11b/g/n accesspoint.

There are 2 ways to configure wireless networks in Linux:

  • Using the graphical tool "NetworkManager"
    The preferred method if you are using a graphical desktop environment. Very similar to Windows or Mac OS and easy to use.
  • On the command line using "wpa_supplicant"
    Only recommended for experienced Linux users.

Both of them are included in every modern Linux distribution and have advantages and disadvantages which I will explain later in this post. You should not mix both methods, just decide for one of them and stick with it. So if you already use NetworkManager to manage ethernet connections, it is easy to add one or more WiFi connections.

Both NetworkManager and the native command line method rely on the package "wpa_supplicant" (or "wpasupplicant") to actually use a wifi network. Nevertheless I will use the term "wpa_supplicant" to refer to the command line method.

There is a plethora of additional graphical network tools in Linux, e.g. graphical front ends for wpa_supplicant. Once you know the basics of wpa_supplicant it is easy to use other tools too. Therefore in this post I will only describe how to configure wpa_supplicant on the command line.

2. Encryption Protocols

WPA2 (802.11i) is today's standard for wireless data encryption. It uses 2 different keys for encrypting traffic between accesspoint and client stations.

NameDescriptionConfiguration OptionRekeying Interval (Default Value)Notes
PTK ("Pairwise Transient Key":)- Consists of several other keys / fields used to encrypt data and distribute GTK to client stations

- Unique to every client station

- Only used for unicast traffic
"wpa_ptk_rekey" in wpa_supplicant.conf?
GTK ("Group Transient Key")- Generated by accesspoint and sent to client stations

- Shared by all client stations

- Only used for multicast, / broadcast traffic
"Group Key Interval" in accesspoint configuration

rekey interval is not configurable in NetworkManager or wpa_supplicant
30 seconds- Not configurable in NetworkManager or wpa_supplicant

- Rekeying is completely up to accesspoint, so there is no way to print the rekey interval on client station (wpa_cli or nmcli)

- wpa_supplicant generates log entries like the following:
wpa_supplicant[1652]: wlan0: WPA: Group rekeying completed with 00:2a:0e:ab:cd:ef [GTK=CCMP]

Both keys are then used to encrypt traffic between accesspoint and client stations. There are 2 protocols for symmetric data encryption:

  • TKIP (Temporal Key Integrity Protocol)
    based on RC4
    insecure and obsolete
    use only in combination with additional encryption layers like VPN or SSH tunnels
  • CCMP (CCM Mode Protocol)
    based on AES
    today's standard

3. Authentication Methods

There are 2 different authentication methods for wireless networks:

  • All users share the same single key
    Primarily used for a smaller number of client stations, e.g. in home networks or small guest networks
  • Every user has his own username / password (or unique client certificate)
    Useful for a larger number of client stations, e.g. in corporate environments or where you have a lot of guest users

WPA2 Personal / PSK (Preshared Key)

The same key (8 - 63 characters) must be configured on accesspoint and client stations. It is directly used as PMK (Pairwise Master Key) by accesspoint, and then used to calculate PTK (Pairwise Transient Key). PTK is then used to calculate GTK.

WPA2 Enterprise / 802.1x

Actual authentication is not performed by the accesspoint, but by a 3rd party server called "authentication server". This is usually a Radius server running "freeradius".

Even though authentication is performed by a separate authentication server, it only knows the MK (Master Key) and its derived PMK (Pairwise Master Key). The PMK is transferred (moved, not copied) from the authentication server to the accesspoint and used to calculate a PTK (Pairwise Transient Key). So the authentication server has no access to neither PTK nor GTK and therefore cannot decrypt traffic (unicast or multicast) between accesspoint and client stations.

  • WPA2 Enterprise usually requires a username / password combination for authentication
    (authentication methods LEAP, FAST, PEAP, and TTLS)
  • Using TLS as the authentication method the client authenticates with a client X.509 certificate.
  • The client itself may use a CA certificate to verify that it is connecting to the right accesspoint (similar to HTTPS connections in webbrowsers).

4. NetworkManager

NetworkManager is part of every modern LInux distribution. After a standard installation of Linux you will see a network icon in the system bar of desktop environment. If you click on it you will see a list of options to configure NetworkManager.

Connection settings that you make in the GUI are stored as plain text files under /etc/NetworkManager/system-connections . (Explanation of all settings:
https://developer.gnome.org/NetworkManager/stable/ref-settings.html )

In addition to configure wireless networks, NetworkManager offers some other useful features:

  • You can integrate NetworkManager with desktop encryption tools like kwallet to prevent passwords from being saved in plain text to the configuration files.
  • You can integrate NetworkManager with firewalld to automatically assign WiFi networks to firewall zones.
  • You can configure NetworkManager to automatically use a VPN connection once you are connected to a specific WiFi network.

General configuration

NetworkManager screenshot: General configuration

Automatically connect to this network when it is available
In most cases leave this unchecked. Otherwise there might be occasions where you involuntary connect to the WiFi network.

All users may connect to this network
Only check this option if you want to share your wifi configuration with other Linux user accounts.

Automatically connect to VPN when using this connection
Useful when using an insecure public WiFi hotspot that you only want to use in combination with a VPN tunnel.

Firewall zone
If you are using firewalld and firewall-config, you may associate this WiFi network with a specific firewall zone. If empty the default firewall zone will be used automatically.

Priority
The dialog box layout is a little bit misleading because this field has nothing to do with the previous "Firewall zone" field. If there is more than one of the "Automatically connect to this network ..." wifi networks available, "Priority" defines the order in which those networks will be activated. The first successful connection will be used.

Wi-Fi

NetworkManager screenshot: Wi-Fi

SSID
Name of wifi network. Use dropdown list to see all available networks. If you don't see any networks here, make sure that wifi is switched on and enabled and that NetworkManager is running.

Mode
For normal network access, choose "Infrastructure".
"Ad-hoc" lets you connect directly to another wifi client without using an access point in between.
"Access Point" lets you act as an access point yourself.

BSSID
Physical id of the access point. The network you have chosen under "SSID" might have several access points. Here you can chose the one with the best signal strength.

Restrict to device
If you have more than one wifi network cards, you can restrict the wifi network to only one of them. Usually you leave this blank.

Cloned MAC address
A MAC address is like a unique serial number for every network card. There should not be two network cards with the same MAC address on the same network. Sometimes in very rare cases, two network cards have the same MAC address. If this is the case, you will have problems connecting to the network or experience other weird problems. Choose another MAC address, but make sure to use the "Random..." button.

Another situation where you might use this field is when the network is protected and configured to accept only certain MAC addresses. This is not a fool proof security feature, but it helps to keep random surfers out of public accessible wifi networks. In this case you need to get a valid MAC address from the network administrator and type it in here. Make sure it is not in use by someone else on the same wifi network.

In most cases leave this field blank.

MTU
Leave this to "Automatic".

Visibility
If the network name does not show in the network dropdown list (SSID), but you are still sure that it is a valid network name, you might want to check "Hidden network".

Command line

NetworkManager can also be controlled from the command line with "nmcli".

Display current state of NetworkManager service
$ nmcli g
STATE      CONNECTIVITY  WIFI-HW  WIFI     WWAN-HW  WWAN     
connected  full          enabled  enabled  enabled  enabled

Show a list of all network connections
$ nmcli c  
mynetwork           abababab-cdcd-12cc-bbef-1212121212ab  802-11-wireless  wlan0 

Stop wifi network
$ nmcli c down id mynetwork

Start wifi network
$ nmcli c up id mynetwork

 

5. wpa_supplicant

wpa_supplicant runs as a service process in the background. Connections are stored by default in /etc/wpa_supplicant/wpa_supplicant.conf .

Sample configuration file with detailed explanations:
/usr/share/doc/wpa_supplicant/examples/wpa_supplicant.conf.gz

The wpa_supplicant background service can be controlled from the command line with "wpa_cli".

Display list of all command line parameters
$ wpa_cli help

Display a list of configured networks
$ wpa_cli list_networks
0       mynetwork 0a:ab:ee:ef:2a:ef       [CURRENT]

Start wifi network
$ wpa_cli enable_network 0

Stop wifi network
$ wpa_cli disable_network 0

Show current wifi connection status
$ wpa_cli status

 

Share