
Comments (3)

joukewitteveen commented on August 28, 2024

This would be nice, but be aware that it is tricky to get right. The functionality should (probably) use systemd-ask-password, since it has to work during boot and after, on all kinds of systems. Also, finding the correct interface may require a few iterations of code. Don't let this stop you proposing something, but keep in mind that it will not be a one-shot thing.

I am looking forward to your ideas!

from netctl.

madblobfish commented on August 28, 2024

Status update:
I've looked through the code and read documentation.
The current netctl code heavily relies on having config files (both wpa_supplicant.conf and netctl connections) on disk; changing that seems to involve more code rewriting than needed.
As far as I know wpa_supplicant does not support reading the password from another place than the configuration. So that limitation has to be worked around.

Solutions:

  1. change wpa_supplicant's behavior (like allow reading the password from stdin)
  2. storing the configuration on a tmpfs (dependency on mount, tmpfs and enough RAM)
  3. sending the configuration through a unix socket
  4. remove config file or the password from it after the connection is established (password touches the disk)
  5. same as 4 but clear the password from both netctl and wpa_supplicant config files

I'd rather not mess around with unix sockets or changing wpa_supplicant. Writing the password to disk and then deleting it feels a bit lazy and does not entirely meet my goal of not storing the password, though at least this minimizes the time it is stored.
Using a tmpfs would be the way I'd go, as it should not require many changes (mostly new code which carefully mounts a tmpfs).

For implementation, I'd add a setting to the netctl config, something like "ask-pass=yes", and try branching off here with the new special case.

It will probably take some time till I find time for writing a PoC, and then a bit longer for polish, documentation and testing.

EDIT: Just after writing this I found out that wpa_cli could probably be used to provide the password.
See: https://w1.fi/cgit/hostap/plain/wpa_supplicant/README
wpa_cli -h | grep password
So we could do: wpa_cli password <network id> "$(systemd-ask-password --id=netctl:<network name>)" after starting wpa_supplicant


joukewitteveen commented on August 28, 2024

With the current git version of netctl (including 8c873b4), it is easy to implement asking for a password using a hook.

Simply add the following contents to /etc/netctl/hooks/ask-password

ask_password() {
  [[ $Command != start ]] || systemd-ask-password "$Description requires a password:"
}

and mark the hook as executable through chmod +x /etc/netctl/hooks/ask-password.

Now, asking for a password is possible by including the following line in a profile:

Key=$(ask_password)

If this information is useful, please add it to the netctl wiki.

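A variant of the hook from the last comment that adds a prompt timeout and a passphrase length check, written here as an added example (not code from the netctl project or from either commenter). `ASK_CMD` is a hypothetical indirection so the function can be exercised without systemd, and POSIX `[` replaces `[[` so it also runs under plain sh.

```shell
# Added example: hardened variant of the ask_password hook.
# $Command and $Description are the variables used by the hook in the thread.
# ASK_CMD is a hypothetical override, useful only for testing off-target.
ASK_CMD=${ASK_CMD:-systemd-ask-password}

ask_password() {
    # The profile is sourced for every netctl command; prompt only on start.
    [ "$Command" = start ] || return 0

    # --timeout makes an unattended boot give up instead of waiting forever.
    pw=$("$ASK_CMD" --timeout=60 "$Description requires a password:") || return 1

    # A WPA passphrase is 8 to 63 characters. Reject anything else here,
    # before it reaches wpa_supplicant. (A 64-hex-digit raw PSK is not
    # handled by this example.)
    len=${#pw}
    if [ "$len" -lt 8 ] || [ "$len" -gt 63 ]; then
        echo "ask_password: passphrase must be 8-63 characters" >&2
        return 1
    fi

    # Print without a trailing newline; the caller captures it with $(...).
    printf '%s' "$pw"
}
```

On a rejected or timed-out prompt the function prints nothing on stdout and returns non-zero, so `Key=$(ask_password)` leaves `Key` empty.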
