Security Issue: How secure is sending confidential credentials via wpa_cli type interface?

Jouni Malinen jkmaline at cc.hut.fi
Sun Aug 6 00:09:53 EDT 2006


On Sat, Aug 05, 2006 at 03:24:35PM -0400, Bryan Kadzban wrote:

> A thought on the security of the pipe(s):
> 
> When you add support for securing them, it would probably be the easiest
> from a code perspective to let the config file use an SDDL string to set
> up the permissions.

The current CVS snapshot is now doing this. Would you happen to have any
useful examples of SDDL strings for this kind of use? Like I mentioned
earlier, I'm not really familiar with Windows security descriptors (and
don't have much interest in becoming familiar ;-). I tested this with an
empty DACL and that seemed to reject all connections, so at least the
base functionality seems to be working properly.

The format for setting the SDDL string is as follows (with the silly deny
everyone example):

ctrl_interface=SDDL=D:


Anyway, this seems to be a much better mechanism for the control interface
on Windows than a UDP socket, so I will likely change the example
makefiles and projects to use this and build the binary releases with
named pipes as the control interface mechanism.

-- 
Jouni Malinen                                            PGP id EFC895FA
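
Added example, not part of the original message and not wpa_supplicant code: a small Python decoder for the DACL part of a ctrl_interface=SDDL= line, showing which trustees a given string would let connect to the control pipe. The alias tables are a subset of SDDL, the BROAD set is an assumed policy, and every sample line other than the deny-everyone one is constructed.

```python
import re

# Subset of the SDDL SID aliases and generic access-right codes.
TRUSTEES = {"WD": "Everyone", "AN": "Anonymous Logon", "AU": "Authenticated Users",
            "BU": "Builtin Users", "BA": "Builtin Administrators", "SY": "Local System"}
RIGHTS = {"GA": "GENERIC_ALL", "GR": "GENERIC_READ",
          "GW": "GENERIC_WRITE", "GX": "GENERIC_EXECUTE"}
# Assumption for this example: trustees considered too broad for a pipe that
# carries credentials. Adjust to local policy.
BROAD = {"WD", "AN", "AU", "BU"}
PREFIX = "ctrl_interface=SDDL="  # format shown in the message above


def parse_dacl(sddl):
    """Return None if the string has no D: component, else a list of ACEs."""
    m = re.search(r"D:([A-Z]*)((?:\([^)]*\))*)", sddl)
    if m is None:
        return None
    aces = []
    for body in re.findall(r"\(([^)]*)\)", m.group(2)):
        fields = body.split(";")  # type;flags;rights;object;inherit_object;sid
        if len(fields) < 6:
            raise ValueError(f"malformed ACE: ({body})")
        rights = fields[2]
        codes = [rights] if rights.startswith("0x") else re.findall("..", rights)
        aces.append({"type": fields[0], "rights": codes, "sid": fields[5]})
    return aces


def audit_ctrl_interface(line):
    """Describe who a ctrl_interface=SDDL=... line lets connect to the pipe."""
    if not line.startswith(PREFIX):
        raise ValueError("not a ctrl_interface=SDDL= line")
    aces = parse_dacl(line[len(PREFIX):].strip())
    if aces is None:
        return ["no D: component: the string does not define a DACL"]
    if not aces:
        return ["empty DACL: all connections are rejected"]
    findings = []
    for ace in aces:
        who = TRUSTEES.get(ace["sid"], ace["sid"])
        what = "+".join(RIGHTS.get(r, r) for r in ace["rights"])
        verdict = {"A": "allow", "D": "deny"}.get(ace["type"], ace["type"])
        flag = " [broad trustee]" if ace["type"] == "A" and ace["sid"] in BROAD else ""
        findings.append(f"{verdict} {who}: {what}{flag}")
    return findings


if __name__ == "__main__":
    for sample in ("ctrl_interface=SDDL=D:",                 # from the message
                   "ctrl_interface=SDDL=D:(A;;GA;;;BA)",     # constructed
                   "ctrl_interface=SDDL=D:(A;;GRGW;;;WD)(A;;GA;;;BA)"):  # constructed
        print(sample, "->", audit_ctrl_interface(sample))
```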


