Machine authentication

Bryan Kadzban bryan at kadzban.is-a-geek.net
Thu Mar 30 07:06:51 EST 2006


Jacky wrote:
> Thanks, in fact I am using wpa_supplicant on Linux.

That might be a bit of a problem...

> I manage to find the current user's certifcate in the cert MMC. 
> However, when I try to export the certificate, I can not export the 
> private key.

There's a flag that you can set when generating or importing a cert that
tells Windows that it can't export the private key.  AFAICT there's no
way around that either (although I'm not a cryptanalyst; the encryption
on the file is likely pretty weak, given Microsoft's history in this area).

In theory, you could replace advapi32.dll with a version that unsets the
"don't allow exporting" flag when either CryptGenKey or CryptImportKey
are called, but I could never get this to work (it always resulted in an
access violation).  But I tried a "wrapper" DLL, so it may be that you
could do something similar to what the unofficial IE jscript.dll patch
does (patch the file in place somehow).  You'd definitely want to undo
the patch later though.

Or maybe someone else has an idea?

> Also what format should I export it to (DER/Base-64/.P7B)?

If you want to export the private key, then your only option is PKCS12
format, whatever extension that is.  The other two will only allow you
to export the cert itself (at least, on 2000 that's the case, I'm not
sure about XP).

> Another question is: can I actually find out what's the machine
> account password and can I use the machine account password instead?

If you're a member of the domain, then this password changes from time
to time.  You could install a password-change-sniffer DLL on the DC and
get the password from it (in fact we have something similar set up on
our domain for our user passwords, so that we can unlock users' desktops
when they aren't there, without killing all their programs), but if you
don't handle it securely, it's a pretty gaping hole in the network's
security.

If your user has a cert (you seemed to imply it above, though I don't
know if I read that right), then could you perhaps use your user's
password?  That might be simpler.  (With the Windows supplicant, you
wouldn't be able to get at that until you logged on.  But if you know
the password, you can set Linux up to use it regardless of who's logged
on, as long as it lets you on the network.)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 258 bytes
Desc: OpenPGP digital signature
Url : http://lists.shmoo.com/pipermail/hostap/attachments/20060330/1ab24439/attachment.pgp 


More information about the HostAP mailing list