Index: head/usr.sbin/wpa/hostapd/hostapd.8 =================================================================== --- head/usr.sbin/wpa/hostapd/hostapd.8 (revision 195643) +++ head/usr.sbin/wpa/hostapd/hostapd.8 (revision 195644) @@ -1,134 +1,134 @@ .\" Copyright (c) 2005 Sam Leffler .\" All rights reserved. .\" .\" Redistribution and use in source and binary forms, with or without .\" modification, are permitted provided that the following conditions .\" are met: .\" 1. Redistributions of source code must retain the above copyright .\" notice, this list of conditions and the following disclaimer. .\" 2. Redistributions in binary form must reproduce the above copyright .\" notice, this list of conditions and the following disclaimer in the .\" documentation and/or other materials provided with the distribution. .\" .\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND .\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE .\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE .\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE .\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL .\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS .\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) .\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT .\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" .\" $FreeBSD$ .\" .Dd October 26, 2007 .Dt HOSTAPD 8 .Os .Sh NAME .Nm hostapd .Nd "authenticator for IEEE 802.11 networks" .Sh SYNOPSIS .Nm .Op Fl BdhKtv .Op Fl P Ar pidfile .Ar config-file ... .Sh DESCRIPTION The .Nm utility is an authenticator for IEEE 802.11 networks. It provides full support for WPA/IEEE 802.11i and can also act as an IEEE 802.1X Authenticator with a suitable backend Authentication Server (typically .Tn FreeRADIUS ) . The .Nm utility implements the authentication protocols that piggyback on top of the normal IEEE 802.11 protocol mechanisms. To use .Nm as an authenticator, the underlying device must support some basic functionality such as the ability to set security information in the 802.11 management frames. Beware that not all devices have this support. .Pp The .Nm utility is designed to be a .Dq daemon program that runs in the background and acts as the backend component controlling the wireless connection. It supports separate frontend programs such as the text-based frontend, .Xr hostapd_cli 8 . .Pp The following arguments must be specified on the command line: .Bl -tag -width indent .It Ar config-file Use the settings in the specified configuration file; the name of the specified wireless interface is contained in this file. See .Xr hostapd.conf 5 for a description of the configuration file syntax. .Pp Changes to the configuration file can be reloaded by sending a .Dv SIGHUP to the .Nm processor or with the .Xr hostapd_cli 8 utility, using .Dq Li "hostapd_cli reconfigure" . .El .Sh OPTIONS The options are as follows: .Bl -tag -width indent .It Fl d Enable debugging messages. If this option is supplied twice, more verbose messages are displayed. .It Fl h Show help text. .It Fl t Include timestamps in debugging output. .It Fl v Display version information on the terminal and exit. .It Fl B Detach from the controlling terminal and run as a daemon process in the background. .It Fl K Include key information in debugging output. .It Fl P Ar pidfile Store PID in .Ar pidfile . .El .Sh SEE ALSO .Xr ath 4 , .Xr ipw 4 , .Xr iwi 4 , .Xr ral 4 , .Xr ural 4 , .Xr wi 4 , .Xr hostapd.conf 5 , .Xr hostapd_cli 8 , .Xr ifconfig 8 .Sh HISTORY The .Nm utility first appeared in .Fx 6.0 . .Sh AUTHORS The .Nm utility was written by -.An Jouni Malinen Aq jkmaline@cc.hut.fi . +.An Jouni Malinen Aq j@w1.fi . This manual page is derived from the .Pa README file included in the .Nm distribution. Index: head/usr.sbin/wpa/hostapd/hostapd.conf.5 =================================================================== --- head/usr.sbin/wpa/hostapd/hostapd.conf.5 (revision 195643) +++ head/usr.sbin/wpa/hostapd/hostapd.conf.5 (revision 195644) @@ -1,210 +1,210 @@ .\" Copyright (c) 2005 Sam Leffler .\" Copyright (c) 2006 Rui Paulo .\" All rights reserved. .\" .\" Redistribution and use in source and binary forms, with or without .\" modification, are permitted provided that the following conditions .\" are met: .\" 1. Redistributions of source code must retain the above copyright .\" notice, this list of conditions and the following disclaimer. .\" 2. Redistributions in binary form must reproduce the above copyright .\" notice, this list of conditions and the following disclaimer in the .\" documentation and/or other materials provided with the distribution. .\" .\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND .\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE .\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE .\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE .\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL .\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS .\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) .\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT .\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" .\" $FreeBSD$ .\" .Dd September 2, 2006 .Dt HOSTAPD.CONF 5 .Os .Sh NAME .Nm hostapd.conf .Nd configuration file for .Xr hostapd 8 utility .Sh DESCRIPTION The .Xr hostapd 8 utility is an authenticator for IEEE 802.11 networks. It provides full support for WPA/IEEE 802.11i and can also act as an IEEE 802.1X Authenticator with a suitable backend Authentication Server (typically .Tn FreeRADIUS ) . .Pp The configuration file consists of global parameters and domain specific configuration: .Bl -bullet -offset indent -compact .It IEEE 802.1X-2004 .\" XXX not yet .\" .It .\" Integrated EAP server .\" .It .\" IEEE 802.11f - Inter-Access Point Protocol (IAPP) .It RADIUS client .It RADIUS authentication server .It WPA/IEEE 802.11i .El .Sh GLOBAL PARAMETERS The following parameters are recognized: .Bl -tag -width indent .It Va interface Interface name. Should be set in .Dq hostap mode. .It Va debug Debugging mode: 0 = no, 1 = minimal, 2 = verbose, 3 = msg dumps, 4 = excessive. .It Va dump_file Dump file for state information (on .Dv SIGUSR1 ) . .It Va ctrl_interface The pathname of the directory in which .Xr hostapd 8 creates .Ux domain socket files for communication with frontend programs such as .Xr hostapd_cli 8 . .It Va ctrl_interface_group A group name or group ID to use in setting protection on the control interface file. This can be set to allow non-root users to access the control interface files. If no group is specified, the group ID of the control interface is not modified and will, typically, be the group ID of the directory in which the socket is created. .El .Sh IEEE 802.1X-2004 PARAMETERS The following parameters are recognized: .Bl -tag -width indent .It Va ieee8021x Require IEEE 802.1X authorization. .It Va eap_message Optional displayable message sent with EAP Request-Identity. .It Va wep_key_len_broadcast Key lengths for broadcast keys. .It Va wep_key_len_unicast Key lengths for unicast keys. .It Va wep_rekey_period Rekeying period in seconds. .It Va eapol_key_index_workaround EAPOL-Key index workaround (set bit7) for WinXP Supplicant. .It Va eap_reauth_period EAP reauthentication period in seconds. To disable reauthentication, use .Dq 0 . .\" XXX not yet .\" .It Va use_pae_group_addr .El .\" XXX not yet .\" .Sh IEEE 802.11f - IAPP PARAMETERS .\" The following parameters are recognized: .\" .Bl -tag -width indent .\" .It Va iapp_interface .\" Interface to be used for IAPP broadcast packets .\" .El .Sh RADIUS CLIENT PARAMETERS The following parameters are recognized: .Bl -tag -width indent .It Va own_ip_addr The own IP address of the access point (used as NAS-IP-Address). .It Va nas_identifier Optional NAS-Identifier string for RADIUS messages. .It Va auth_server_addr , auth_server_port , auth_server_shared_secret RADIUS authentication server parameters. Can be defined twice for secondary servers to be used if primary one does not reply to RADIUS packets. .It Va acct_server_addr , acct_server_port , acct_server_shared_secret RADIUS accounting server parameters. Can be defined twice for secondary servers to be used if primary one does not reply to RADIUS packets. .It Va radius_retry_primary_interval Retry interval for trying to return to the primary RADIUS server (in seconds). .It Va radius_acct_interim_interval Interim accounting update interval. If this is set (larger than 0) and acct_server is configured, .Xr hostapd 8 will send interim accounting updates every N seconds. .El .Sh RADIUS AUTHENTICATION SERVER PARAMETERS The following parameters are recognized: .Bl -tag -width indent .It Va radius_server_clients File name of the RADIUS clients configuration for the RADIUS server. If this is commented out, RADIUS server is disabled. .It Va radius_server_auth_port The UDP port number for the RADIUS authentication server. .It Va radius_server_ipv6 Use IPv6 with RADIUS server. .El .Sh WPA/IEEE 802.11i PARAMETERS The following parameters are recognized: .Bl -tag -width indent .It Va wpa Enable WPA. Setting this variable configures the AP to require WPA (either WPA-PSK or WPA-RADIUS/EAP based on other configuration). .It Va wpa_psk , wpa_passphrase WPA pre-shared keys for WPA-PSK. This can be either entered as a 256-bit secret in hex format (64 hex digits), wpa_psk, or as an ASCII passphrase (8..63 characters) that will be converted to PSK. This conversion uses SSID so the PSK changes when ASCII passphrase is used and the SSID is changed. .It Va wpa_psk_file Optionally, WPA PSKs can be read from a separate text file (containing a list of (PSK,MAC address) pairs. .It Va wpa_key_mgmt Set of accepted key management algorithms (WPA-PSK, WPA-EAP, or both). .It Va wpa_pairwise Set of accepted cipher suites (encryption algorithms) for pairwise keys (unicast packets). See the example file for more information. .It Va wpa_group_rekey Time interval for rekeying GTK (broadcast/multicast encryption keys) in seconds. .It Va wpa_strict_rekey Rekey GTK when any STA that possesses the current GTK is leaving the BSS. .It Va wpa_gmk_rekey Time interval for rekeying GMK (master key used internally to generate GTKs), in seconds. .El .Sh SEE ALSO .Xr hostapd 8 , .Xr hostapd_cli 8 .Sh HISTORY The .Nm manual page and .Xr hostapd 8 functionality first appeared in .Fx 6.0 . .Sh AUTHORS This manual page is derived from the .Pa README and .Pa hostapd.conf files in the .Nm hostapd distribution provided by -.An Jouni Malinen Aq jkmaline@cc.hut.fi . +.An Jouni Malinen Aq j@w1.fi . Index: head/usr.sbin/wpa/hostapd_cli/hostapd_cli.8 =================================================================== --- head/usr.sbin/wpa/hostapd_cli/hostapd_cli.8 (revision 195643) +++ head/usr.sbin/wpa/hostapd_cli/hostapd_cli.8 (revision 195644) @@ -1,112 +1,112 @@ .\" Copyright (c) 2005 Sam Leffler .\" All rights reserved. .\" .\" Redistribution and use in source and binary forms, with or without .\" modification, are permitted provided that the following conditions .\" are met: .\" 1. Redistributions of source code must retain the above copyright .\" notice, this list of conditions and the following disclaimer. .\" 2. Redistributions in binary form must reproduce the above copyright .\" notice, this list of conditions and the following disclaimer in the .\" documentation and/or other materials provided with the distribution. .\" .\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND .\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE .\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE .\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE .\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL .\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS .\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) .\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT .\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" .\" $FreeBSD$ .\" .Dd June 16, 2005 .Dt HOSTAPD_CLI 8 .Os .Sh NAME .Nm hostapd_cli .Nd text-based frontend program for interacting with .Xr hostapd 8 .Sh SYNOPSIS .Nm .Op Ar commands .Sh DESCRIPTION The .Nm utility is a text-based frontend program for interacting with .Xr hostapd 8 . It is used to query the current status. .Pp The .Nm utility can show the current authentication status, dot11 and dot1x MIBs, etc. .Pp The .Nm utility supports two modes: interactive and command line. Both modes share the same command set. .Pp Interactive mode is started when .Nm is executed without any parameters on the command line. Commands are then entered from the controlling terminal in response to the .Nm prompt. In command line mode, the same commands are entered as command line arguments. .Sh COMMANDS The following commands may be supplied on the command line or at a prompt when operating interactively. .Bl -tag -width indent .It Ic mib Report MIB variables (dot1x, dot11) for the current interface. .It Ic sta Ar addr Report the MIB variables for the associated station with MAC address .Ar addr . .It Ic all_sta Report the MIB variables for all associated stations. .It Ic help Show usage help. .It Ic interface Op Ar ifname Show available interfaces and/or set the current interface when multiple are available. .It Ic level Ar debug_level Change the debugging level in .Xr hostapd 8 . Larger numbers generate more messages. .It Ic license Display the full license for .Nm . .It Ic quit Exit .Nm . .El .Sh SEE ALSO .Xr hostapd.conf 5 , .Xr hostapd 8 .Sh HISTORY The .Nm utility first appeared in .Fx 6.0 . .Sh AUTHORS The .Nm utility was written by -.An Jouni Malinen Aq jkmaline@cc.hut.fi . +.An Jouni Malinen Aq j@w1.fi . This manual page is derived from the .Pa README file included in the .Nm hostapd distribution. Index: head/usr.sbin/wpa/wpa_cli/wpa_cli.8 =================================================================== --- head/usr.sbin/wpa/wpa_cli/wpa_cli.8 (revision 195643) +++ head/usr.sbin/wpa/wpa_cli/wpa_cli.8 (revision 195644) @@ -1,222 +1,222 @@ .\" Copyright (c) 2005 Sam Leffler .\" All rights reserved. .\" .\" Redistribution and use in source and binary forms, with or without .\" modification, are permitted provided that the following conditions .\" are met: .\" 1. Redistributions of source code must retain the above copyright .\" notice, this list of conditions and the following disclaimer. .\" 2. Redistributions in binary form must reproduce the above copyright .\" notice, this list of conditions and the following disclaimer in the .\" documentation and/or other materials provided with the distribution. .\" .\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND .\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE .\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE .\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE .\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL .\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS .\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) .\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT .\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" .\" $FreeBSD$ .\" .Dd June 16, 2005 .Dt WPA_CLI 8 .Os .Sh NAME .Nm wpa_cli .Nd "text-based frontend program for interacting with wpa_supplicant" .Sh SYNOPSIS .Nm .Op Ar commands .Sh DESCRIPTION The .Nm utility is a text-based frontend program for interacting with .Xr wpa_supplicant 8 . It is used to query current status, change configuration, trigger events, and request interactive user input. .Pp The .Nm utility can show the current authentication status, selected security mode, dot11 and dot1x MIBs, etc. In addition, .Nm can configure EAPOL state machine parameters and trigger events such as reassociation and IEEE 802.1X logoff/logon. .Pp The .Nm utility provides an interface to supply authentication information such as username and password when it is not provided in the .Xr wpa_supplicant.conf 5 configuration file. This can be used, for example, to implement one-time passwords or generic token card authentication where the authentication is based on a challenge-response that uses an external device for generating the response. .Pp The .Nm utility supports two modes: interactive and command line. Both modes share the same command set and the main difference is in interactive mode providing access to unsolicited messages (event messages, username/password requests). .Pp Interactive mode is started when .Nm is executed without any parameters on the command line. Commands are then entered from the controlling terminal in response to the .Nm prompt. In command line mode, the same commands are entered as command line arguments. .Pp The control interface of .Xr wpa_supplicant 8 can be configured to allow non-root user access by using the .Va ctrl_interface_group parameter in the .Xr wpa_supplicant.conf 5 configuration file. This makes it possible to run .Nm with a normal user account. .Sh AUTHENTICATION PARAMETERS When .Xr wpa_supplicant 8 needs authentication parameters, such as username and password, that are not present in the configuration file, it sends a request message to all attached frontend programs, e.g., .Nm in interactive mode. The .Nm utility shows these requests with a .Dq Li CTRL-REQ- Ns Ao Ar type Ac Ns Li - Ns Ao Ar id Ac Ns Li : Ns Aq Ar text prefix, where .Aq Ar type is .Li IDENTITY , PASSWORD , or .Li OTP (One-Time Password), .Aq Ar id is a unique identifier for the current network, .Aq Ar text is a description of the request. In the case of an .Li OTP (One-Time Password) request, it includes the challenge from the authentication server. .Pp A user must supply .Xr wpa_supplicant 8 the needed parameters in response to these requests. .Pp For example, .Bd -literal -offset indent CTRL-REQ-PASSWORD-1:Password needed for SSID foobar > password 1 mysecretpassword Example request for generic token card challenge-response: CTRL-REQ-OTP-2:Challenge 1235663 needed for SSID foobar > otp 2 9876 .Ed .Sh COMMANDS The following commands may be supplied on the command line or at a prompt when operating interactively. .Bl -tag -width indent .It Ic status Report the current WPA/EAPOL/EAP status for the current interface. .It Ic mib Report MIB variables (dot1x, dot11) for the current interface. .It Ic help Show usage help. .It Ic interface Op Ar ifname Show available interfaces and/or set the current interface when multiple are available. .It Ic level Ar debug_level Change the debugging level in .Xr wpa_supplicant 8 . Larger numbers generate more messages. .It Ic license Display the full license for .Nm . .It Ic logoff Send the IEEE 802.1X EAPOL state machine into the .Dq logoff state. .It Ic logon Send the IEEE 802.1X EAPOL state machine into the .Dq logon state. .It Ic set Op Ar settings Set variables. When no arguments are supplied, the known variables and their settings are displayed. .It Ic pmksa Show the contents of the PMKSA cache. .It Ic reassociate Force a reassociation to the current access point. .It Ic reconfigure Force .Xr wpa_supplicant 8 to re-read its configuration file. .It Ic preauthenticate Ar BSSID Force preauthentication of the specified .Ar BSSID . .It Ic identity Ar network_id identity Configure an identity for an SSID. .It Ic password Ar network_id password Configure a password for an SSID. .It Ic otp Ar network_id password Configure a one-time password for an SSID. .It Ic terminate Force .Xr wpa_supplicant 8 to terminate. .It Ic quit Exit .Nm . .El .Sh SEE ALSO .Xr wpa_supplicant.conf 5 , .Xr wpa_supplicant 8 .Sh HISTORY The .Nm utility first appeared in .Fx 6.0 . .Sh AUTHORS The .Nm utility was written by -.An Jouni Malinen Aq jkmaline@cc.hut.fi . +.An Jouni Malinen Aq j@w1.fi . This manual page is derived from the .Pa README file included in the .Nm wpa_supplicant distribution. Index: head/usr.sbin/wpa/wpa_passphrase/wpa_passphrase.8 =================================================================== --- head/usr.sbin/wpa/wpa_passphrase/wpa_passphrase.8 (revision 195643) +++ head/usr.sbin/wpa/wpa_passphrase/wpa_passphrase.8 (revision 195644) @@ -1,66 +1,66 @@ .\" Copyright (c) 2006 Henrik Brix Andersen .\" All rights reserved. .\" .\" Redistribution and use in source and binary forms, with or without .\" modification, are permitted provided that the following conditions .\" are met: .\" 1. Redistributions of source code must retain the above copyright .\" notice, this list of conditions and the following disclaimer. .\" 2. Redistributions in binary form must reproduce the above copyright .\" notice, this list of conditions and the following disclaimer in the .\" documentation and/or other materials provided with the distribution. .\" .\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND .\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE .\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE .\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE .\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL .\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS .\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) .\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT .\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" .\" $FreeBSD$ .\" .Dd July 17, 2007 .Dt WPA_PASSPHRASE 8 .Os .Sh NAME .Nm wpa_passphrase .Nd "utility for generating a 256-bit pre-shared WPA key from an ASCII passphrase" .Sh SYNOPSIS .Nm .Aq Ar ssid .Op Ar passphrase .Sh DESCRIPTION The .Nm utility is a small program for generating a 256-bit pre-shared WPA key from an ASCII passphrase and a given SSID. The output is formatted for inclusion in .Xr wpa_supplicant.conf 5 . .Pp If .Nm is called with only an SSID as argument it will prompt for a passphrase on standard input. .Sh SEE ALSO .Xr wpa_supplicant.conf 5 , .Xr wpa_supplicant 8 .Sh HISTORY The .Nm utility first appeared in .Fx 6.3 . .Sh AUTHORS The .Nm utility was written by .An Jouni Malinen -.Aq jkmaline@cc.hut.fi . +.Aq j@w1.fi . .Pp This manual page was written by .An Henrik Brix Andersen .Aq henrik@brixandersen.dk . Index: head/usr.sbin/wpa/wpa_supplicant/wpa_supplicant.8 =================================================================== --- head/usr.sbin/wpa/wpa_supplicant/wpa_supplicant.8 (revision 195643) +++ head/usr.sbin/wpa/wpa_supplicant/wpa_supplicant.8 (revision 195644) @@ -1,155 +1,155 @@ .\" Copyright (c) 2005 Sam Leffler .\" All rights reserved. .\" .\" Redistribution and use in source and binary forms, with or without .\" modification, are permitted provided that the following conditions .\" are met: .\" 1. Redistributions of source code must retain the above copyright .\" notice, this list of conditions and the following disclaimer. .\" 2. Redistributions in binary form must reproduce the above copyright .\" notice, this list of conditions and the following disclaimer in the .\" documentation and/or other materials provided with the distribution. .\" .\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND .\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE .\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE .\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE .\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL .\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS .\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) .\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT .\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" .\" $FreeBSD$ .\" .Dd March 24, 2008 .Dt WPA_SUPPLICANT 8 .Os .Sh NAME .Nm wpa_supplicant .Nd "WPA/802.11i Supplicant for wireless network devices" .Sh SYNOPSIS .Nm .Op Fl BdehLqsvw .Fl i Ar ifname .Fl c Ar config-file .Sh DESCRIPTION The .Nm utility is an implementation of the WPA Supplicant component, i.e., the part that runs in the client stations. It implements WPA key negotiation with a WPA Authenticator and EAP authentication with an Authentication Server. In addition, .Nm controls the roaming and IEEE 802.11 authentication/association support of the .Xr wlan 4 module and can be used to configure static WEP keys based on identified networks. .Pp The .Nm utility is designed to be a .Dq daemon program that runs in the background and acts as the backend component controlling the wireless connection. It supports separate frontend programs such as the text-based .Xr wpa_cli 8 program. .Pp The following arguments must be specified on the command line: .Bl -tag -width indent .It Fl i Ar ifname Use the specified wireless interface. .It Fl c Ar config-file Use the settings in the specified configuration file when managing the wireless interface. See .Xr wpa_supplicant.conf 5 for a description of the configuration file syntax and contents. .Pp Changes to the configuration file can be reloaded by sending a .Dv SIGHUP to the .Nm process or with the .Xr wpa_cli 8 utility, using .Dq Li "wpa_cli reconfigure" . .El .Sh OPTIONS The following options are available: .Bl -tag -width indent .It Fl d Enable debugging messages. If this option is supplied twice, more verbose messages are displayed. .It Fl e Use an external IEEE 802.1X Supplicant program and disable the internal Supplicant. This option is not normally used. .It Fl h Show help text. .It Fl q Decrease debugging verbosity (i.e., counteract the use of the .Fl d flag). .It Fl s Send log messages through .Xr syslog 3 instead of to the terminal. .It Fl v Display version information on the terminal and exit. .It Fl w If the specified interface is not present, wait for it to be added; e.g.\& a cardbus device to be inserted. This option is not normally used; instead, .Xr devd 8 should be configured to launch .Nm when a device is created. .It Fl B Detach from the controlling terminal and run as a daemon process in the background. .It Fl K Include key information in debugging output. .It Fl L Display the license for this program on the terminal and exit. .El .Sh SEE ALSO .Xr an 4 , .Xr ath 4 , .Xr ipw 4 , .Xr iwi 4 , .Xr ral 4 , .Xr rum 4 , .Xr ural 4 , .Xr wi 4 , .Xr wlan 4 , .Xr wpi 4 , .Xr zyd 4 , .Xr wpa_supplicant.conf 5 , .Xr devd 8 , .Xr ifconfig 8 , .Xr wpa_cli 8 .Sh HISTORY The .Nm utility first appeared in .Fx 6.0 . .Sh AUTHORS The .Nm utility was written by -.An Jouni Malinen Aq jkmaline@cc.hut.fi . +.An Jouni Malinen Aq j@w1.fi . This manual page is derived from the .Pa README file included in the .Nm distribution. Index: head/usr.sbin/wpa/wpa_supplicant/wpa_supplicant.conf.5 =================================================================== --- head/usr.sbin/wpa/wpa_supplicant/wpa_supplicant.conf.5 (revision 195643) +++ head/usr.sbin/wpa/wpa_supplicant/wpa_supplicant.conf.5 (revision 195644) @@ -1,545 +1,545 @@ .\" Copyright (c) 2005 Sam Leffler .\" All rights reserved. .\" .\" Redistribution and use in source and binary forms, with or without .\" modification, are permitted provided that the following conditions .\" are met: .\" 1. Redistributions of source code must retain the above copyright .\" notice, this list of conditions and the following disclaimer. .\" 2. Redistributions in binary form must reproduce the above copyright .\" notice, this list of conditions and the following disclaimer in the .\" documentation and/or other materials provided with the distribution. .\" .\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND .\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE .\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE .\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE .\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL .\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS .\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) .\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT .\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" .\" $FreeBSD$ .\" .Dd July 8, 2007 .Dt WPA_SUPPLICANT.CONF 5 .Os .Sh NAME .Nm wpa_supplicant.conf .Nd configuration file for .Xr wpa_supplicant 8 .Sh DESCRIPTION The .Xr wpa_supplicant 8 utility is an implementation of the WPA Supplicant component, i.e., the part that runs in the client stations. It implements WPA key negotiation with a WPA Authenticator and EAP authentication with Authentication Server using configuration information stored in a text file. .Pp The configuration file consists of optional global parameter settings and one or more network blocks, e.g.\& one for each used SSID. The .Xr wpa_supplicant 8 utility will automatically select the best network based on the order of the network blocks in the configuration file, network security level (WPA/WPA2 is preferred), and signal strength. Comments are indicated with the .Ql # character; all text to the end of the line will be ignored. .Sh GLOBAL PARAMETERS Default parameters used by .Xr wpa_supplicant 8 may be overridden by specifying .Pp .Dl parameter=value .Pp in the configuration file (note no spaces are allowed). Values with embedded spaces must be enclosed in quote marks. .Pp The following parameters are recognized: .Bl -tag -width indent .It Va ctrl_interface The pathname of the directory in which .Xr wpa_supplicant 8 creates .Ux domain socket files for communication with frontend programs such as .Xr wpa_cli 8 . .It Va ctrl_interface_group A group name or group ID to use in setting protection on the control interface file. This can be set to allow non-root users to access the control interface files. If no group is specified, the group ID of the control interface is not modified and will, typically, be the group ID of the directory in which the socket is created. .It Va eapol_version The IEEE 802.1x/EAPOL protocol version to use; either 1 (default) or 2. The .Xr wpa_supplicant 8 utility is implemented according to IEEE 802-1X-REV-d8 which defines EAPOL version to be 2. However, some access points do not work when presented with this version so by default .Xr wpa_supplicant 8 will announce that it is using EAPOL version 1. If version 2 must be announced for correct operation with an access point, this value may be set to 2. .It Va ap_scan Access point scanning and selection control; one of 0, 1 (default), or 2. Only setting 1 should be used with the .Xr wlan 4 module; the other settings are for use on other operating systems. .It Va fast_reauth EAP fast re-authentication; either 1 (default) or 0. Control fast re-authentication support in EAP methods that support it. .El .Sh NETWORK BLOCKS Each potential network/access point should have a .Dq "network block" that describes how to identify it and how to set up security. When multiple network blocks are listed in a configuration file, the highest priority one is selected for use or, if multiple networks with the same priority are identified, the first one listed in the configuration file is used. .Pp A network block description is of the form: .Bd -literal -offset indent network={ parameter=value ... } .Ed .Pp (note the leading .Qq Li "network={" may have no spaces). The block specification contains one or more parameters from the following list: .Bl -tag -width indent .It Va ssid No (required) Network name (as announced by the access point). An .Tn ASCII or hex string enclosed in quotation marks. .It Va scan_ssid SSID scan technique; 0 (default) or 1. Technique 0 scans for the SSID using a broadcast Probe Request frame while 1 uses a directed Probe Request frame. Access points that cloak themselves by not broadcasting their SSID require technique 1, but beware that this scheme can cause scanning to take longer to complete. .It Va bssid Network BSSID (typically the MAC address of the access point). .It Va priority The priority of a network when selecting among multiple networks; a higher value means a network is more desirable. By default networks have priority 0. When multiple networks with the same priority are considered for selection, other information such as security policy and signal strength are used to select one. .It Va mode IEEE 802.11 operation mode; either 0 (infrastructure, default) or 1 (IBSS). Note that IBSS (adhoc) mode can only be used with .Va key_mgmt set to .Li NONE (plaintext and static WEP). .It Va proto List of acceptable protocols; one or more of: .Li WPA (IEEE 802.11i/D3.0) and .Li RSN (IEEE 802.11i). .Li WPA2 is another name for .Li RSN . If not set this defaults to .Qq Li "WPA RSN" . .It Va key_mgmt List of acceptable key management protocols; one or more of: .Li WPA-PSK (WPA pre-shared key), .Li WPA-EAP (WPA using EAP authentication), .Li IEEE8021X (IEEE 802.1x using EAP authentication and, optionally, dynamically generated WEP keys), .Li NONE (plaintext or static WEP keys). If not set this defaults to .Qq Li "WPA-PSK WPA-EAP" . .It Va auth_alg List of allowed IEEE 802.11 authentication algorithms; one or more of: .Li OPEN (Open System authentication, required for WPA/WPA2), .Li SHARED (Shared Key authentication), .Li LEAP (LEAP/Network EAP). If not set automatic selection is used (Open System with LEAP enabled if LEAP is allowed as one of the EAP methods). .It Va pairwise List of acceptable pairwise (unicast) ciphers for WPA; one or more of: .Li CCMP (AES in Counter mode with CBC-MAC, RFC 3610, IEEE 802.11i/D7.0), .Li TKIP (Temporal Key Integrity Protocol, IEEE 802.11i/D7.0), .Li NONE (deprecated). If not set this defaults to .Qq Li "CCMP TKIP" . .It Va group List of acceptable group (multicast) ciphers for WPA; one or more of: .Li CCMP (AES in Counter mode with CBC-MAC, RFC 3610, IEEE 802.11i/D7.0), .Li TKIP (Temporal Key Integrity Protocol, IEEE 802.11i/D7.0), .Li WEP104 (WEP with 104-bit key), .Li WEP40 (WEP with 40-bit key). If not set this defaults to .Qq Li "CCMP TKIP WEP104 WEP40" . .It Va psk WPA preshared key used in WPA-PSK mode. The key is specified as 64 hex digits or as an 8-63 character .Tn ASCII passphrase. .Tn ASCII passphrases are dynamically converted to a 256-bit key at runtime using the network SSID, or they can be statically converted at configuration time using the .Xr wpa_passphrase 8 utility. .It Va eapol_flags Dynamic WEP key usage for non-WPA mode, specified as a bit field. Bit 0 (1) forces dynamically generated unicast WEP keys to be used. Bit 1 (2) forces dynamically generated broadcast WEP keys to be used. By default this is set to 3 (use both). .It Va eap List of acceptable EAP methods; one or more of: .Li MD5 (EAP-MD5, cannot be used with WPA, used only as a Phase 2 method with EAP-PEAP or EAP-TTLS), .Li MSCHAPV2 (EAP-MSCHAPV2, cannot be used with WPA; used only as a Phase 2 method with EAP-PEAP or EAP-TTLS), .Li OTP (EAP-OTP, cannot be used with WPA; used only as a Phase 2 metod with EAP-PEAP or EAP-TTLS), .Li GTC (EAP-GTC, cannot be used with WPA; used only as a Phase 2 metod with EAP-PEAP or EAP-TTLS), .Li TLS (EAP-TLS, client and server certificate), .Li PEAP (EAP-PEAP, with tunneled EAP authentication), .Li TTLS (EAP-TTLS, with tunneled EAP or PAP/CHAP/MSCHAP/MSCHAPV2 authentication). If not set this defaults to all available methods compiled in to .Xr wpa_supplicant 8 . Note that by default .Xr wpa_supplicant 8 is compiled with EAP support; see .Xr make.conf 5 for the .Va NO_WPA_SUPPLICANT_EAPOL configuration variable that can be used to disable EAP support. .It Va identity Identity string for EAP. .It Va anonymous_identity Anonymous identity string for EAP (to be used as the unencrypted identity with EAP types that support different tunneled identities; e.g.\& EAP-TTLS). .It Va mixed_cell Configure whether networks that allow both plaintext and encryption are allowed when selecting a BSS from the scan results. By default this is set to 0 (disabled). .It Va password Password string for EAP. .It Va ca_cert Pathname to CA certificate file. This file can have one or more trusted CA certificates. If .Va ca_cert is not included, server certificates will not be verified (not recommended). .It Va client_cert Pathname to client certificate file (PEM/DER). .It Va private_key Pathname to a client private key file (PEM/DER/PFX). When a PKCS#12/PFX file is used, then .Va client_cert should not be specified as both the private key and certificate will be read from PKCS#12 file. .It Va private_key_passwd Password for any private key file. .It Va dh_file Pathname to a file holding DH/DSA parameters (in PEM format). This file holds parameters for an ephemeral DH key exchange. In most cases, the default RSA authentication does not use this configuration. However, it is possible to set up RSA to use an ephemeral DH key exchange. In addition, ciphers with DSA keys always use ephemeral DH keys. This can be used to achieve forward secrecy. If the .Va dh_file is in DSA parameters format, it will be automatically converted into DH params. .It Va subject_match Substring to be matched against the subject of the authentication server certificate. If this string is set, the server certificate is only accepted if it contains this string in the subject. The subject string is in following format: .Pp .Dl "/C=US/ST=CA/L=San Francisco/CN=Test AS/emailAddress=as@example.com" .It Va phase1 Phase1 (outer authentication, i.e., TLS tunnel) parameters (string with field-value pairs, e.g., .Qq Li peapver=0 or .Qq Li "peapver=1 peaplabel=1" ) . .Bl -inset .It Li peapver can be used to force which PEAP version (0 or 1) is used. .It Li peaplabel=1 can be used to force new label, .Dq "client PEAP encryption" , to be used during key derivation when PEAPv1 or newer. Most existing PEAPv1 implementations seem to be using the old label, .Dq Li "client EAP encryption" , and .Xr wpa_supplicant 8 is now using that as the default value. Some servers, e.g., .Tn Radiator , may require .Li peaplabel=1 configuration to interoperate with PEAPv1; see .Pa eap_testing.txt for more details. .It Li peap_outer_success=0 can be used to terminate PEAP authentication on tunneled EAP-Success. This is required with some RADIUS servers that implement .Pa draft-josefsson-pppext-eap-tls-eap-05.txt (e.g., .Tn Lucent NavisRadius v4.4.0 with PEAP in .Dq "IETF Draft 5" mode). .It Li include_tls_length=1 can be used to force .Xr wpa_supplicant 8 to include TLS Message Length field in all TLS messages even if they are not fragmented. .It Li sim_min_num_chal=3 can be used to configure EAP-SIM to require three challenges (by default, it accepts 2 or 3) .It Li fast_provisioning=1 option enables in-line provisioning of EAP-FAST credentials (PAC). .El .It Va phase2 phase2: Phase2 (inner authentication with TLS tunnel) parameters (string with field-value pairs, e.g., .Qq Li "auth=MSCHAPV2" for EAP-PEAP or .Qq Li "autheap=MSCHAPV2 autheap=MD5" for EAP-TTLS). .It Va ca_cert2 Like .Va ca_cert but for EAP inner Phase 2. .It Va client_cert2 Like .Va client_cert but for EAP inner Phase 2. .It Va private_key2 Like .Va private_key but for EAP inner Phase 2. .It Va private_key2_passwd Like .Va private_key_passwd but for EAP inner Phase 2. .It Va dh_file2 Like .Va dh_file but for EAP inner Phase 2. .It Va subject_match2 Like .Va subject_match but for EAP inner Phase 2. .It Va eappsk 16-byte pre-shared key in hex format for use with EAP-PSK. .It Va nai User NAI for use with EAP-PSK. .It Va server_nai Authentication Server NAI for use with EAP-PSK. .It Va pac_file Pathname to the file to use for PAC entries with EAP-FAST. The .Xr wpa_supplicant 8 utility must be able to create this file and write updates to it when PAC is being provisioned or refreshed. .It Va eap_workaround Enable/disable EAP workarounds for various interoperability issues with misbehaving authentication servers. By default these workarounds are enabled. Strict EAP conformance can be configured by setting this to 0. .El .Sh CERTIFICATES Some EAP authentication methods require use of certificates. EAP-TLS uses both server- and client-side certificates, whereas EAP-PEAP and EAP-TTLS only require a server-side certificate. When a client certificate is used, a matching private key file must also be included in configuration. If the private key uses a passphrase, this has to be configured in the .Nm file as .Va private_key_passwd . .Pp The .Xr wpa_supplicant 8 utility supports X.509 certificates in PEM and DER formats. User certificate and private key can be included in the same file. .Pp If the user certificate and private key is received in PKCS#12/PFX format, they need to be converted to a suitable PEM/DER format for use by .Xr wpa_supplicant 8 . This can be done using the .Xr openssl 1 program, e.g.\& with the following commands: .Bd -literal # convert client certificate and private key to PEM format openssl pkcs12 -in example.pfx -out user.pem -clcerts # convert CA certificate (if included in PFX file) to PEM format openssl pkcs12 -in example.pfx -out ca.pem -cacerts -nokeys .Ed .Sh EXAMPLES WPA-Personal (PSK) as a home network and WPA-Enterprise with EAP-TLS as a work network: .Bd -literal # allow frontend (e.g., wpa_cli) to be used by all users in 'wheel' group ctrl_interface=/var/run/wpa_supplicant ctrl_interface_group=wheel # # home network; allow all valid ciphers network={ ssid="home" scan_ssid=1 key_mgmt=WPA-PSK psk="very secret passphrase" } # # work network; use EAP-TLS with WPA; allow only CCMP and TKIP ciphers network={ ssid="work" scan_ssid=1 key_mgmt=WPA-EAP pairwise=CCMP TKIP group=CCMP TKIP eap=TLS identity="user@example.com" ca_cert="/etc/cert/ca.pem" client_cert="/etc/cert/user.pem" private_key="/etc/cert/user.prv" private_key_passwd="password" } .Ed .Pp WPA-RADIUS/EAP-PEAP/MSCHAPv2 with RADIUS servers that use old peaplabel (e.g., Funk Odyssey and SBR, Meetinghouse Aegis, Interlink RAD-Series): .Bd -literal ctrl_interface=/var/run/wpa_supplicant ctrl_interface_group=wheel network={ ssid="example" scan_ssid=1 key_mgmt=WPA-EAP eap=PEAP identity="user@example.com" password="foobar" ca_cert="/etc/cert/ca.pem" phase1="peaplabel=0" phase2="auth=MSCHAPV2" } .Ed .Pp EAP-TTLS/EAP-MD5-Challenge configuration with anonymous identity for the unencrypted use. Real identity is sent only within an encrypted TLS tunnel. .Bd -literal ctrl_interface=/var/run/wpa_supplicant ctrl_interface_group=wheel network={ ssid="example" scan_ssid=1 key_mgmt=WPA-EAP eap=TTLS identity="user@example.com" anonymous_identity="anonymous@example.com" password="foobar" ca_cert="/etc/cert/ca.pem" phase2="auth=MD5" } .Ed .Pp Traditional WEP configuration with 104 bit key specified in hexadecimal. Note the WEP key is not quoted. .Bd -literal ctrl_interface=/var/run/wpa_supplicant ctrl_interface_group=wheel network={ ssid="example" scan_ssid=1 key_mgmt=NONE wep_tx_keyidx=0 wep_key0=42FEEDDEAFBABEDEAFBEEFAA55 } .Ed .Sh FILES .Bl -tag -width ".Pa /usr/share/examples/etc/wpa_supplicant.conf" -compact .It Pa /etc/wpa_supplicant.conf .It Pa /usr/share/examples/etc/wpa_supplicant.conf .El .Sh SEE ALSO .Xr wpa_cli 8 , .Xr wpa_passphrase 8 , .Xr wpa_supplicant 8 .Sh HISTORY The .Nm manual page and .Xr wpa_supplicant 8 functionality first appeared in .Fx 6.0 . .Sh AUTHORS This manual page is derived from the .Pa README and .Pa wpa_supplicant.conf files in the .Nm wpa_supplicant distribution provided by -.An Jouni Malinen Aq jkmaline@cc.hut.fi . +.An Jouni Malinen Aq j@w1.fi .