TODO.org

File metadata and controls

256 lines (247 loc) · 16.7 KB

change shared secret for hostapd/radius

  • and store it in a secure location for hostapd
  • we could auto-generate this
  • hostapd doesn’t seem to have any way to put the secret in a different file

auto-generate certificates

  • add options for setting certificate options, e.g. name
  • auto-generate certificates
  • store them in /var/lib/freeradius ? -> probably not; where are the SSH private keys? -> /etc/ssh

automatically enable 4-address mode if requested

add script to generate user cert

  • similar to the script for task server
  • also generate pfx file for android:

accounting shouldn’t use user name for client cert

-> workaround: force user name to match certificate

WONTFIX add option for putting the users file in another place

  • radius group must have access and the user cannot do that before the group exists
  • We can copy the file to the statedir - on start and reload.
  • We cannot easily add this for reload so let the user do it - that way, she knows about the imperfections.

What is the structure of the certificates?

  • In particular: If client certificates are also signed by the CA - what stops them from impersonating the server? Clients can check the common name but the default is to not do that.
  • I think the type of the certificate is different - the config file either has [client] or [server].
  • From the generated certificate files (02.pem vs. 05.pem): X509v3 extensions: X509v3 Extended Key Usage:
    • TLS Web Server Authentication
    • TLS Web Client Authentication

WONTFIX fix 4addr mode

revocation

cleanup old files in tlscache

  • This command is suggested in the example config: find ${logdir}/tlscache -mtime +2 -exec rm -f {} \;

WONTFIX don’t split options, i.e. don’t use services.hostapd?

  • option 1: copy services.wifi-ap-eap.hostapd to services.hostapd if enabled
  • option 2: don’t enable services.hostapd; copy the relevant parts to our .nix files

test systemd config

  • Systemd has the very annoying feature that it ignores unknown keys in config files. I get why they do this and this can often be useful for backward compatible unit files. However, it often masks errors in the files. The infamous example is “User = 0day”.
  • I just learned that there is a command to check unit files. It can be applied to all of them like that: find -L /etc/systemd/{system,user} -type f ! -name "*.conf" -exec systemd-analyze verify {} \+
  • There are some false positives:
    • emergency.service tries to start plymouth but errors are masked with “-“.
    • Lots of man pages don’t exist. We probably don’t care, i.e. having the reference in the unit file is still useful even if we don’t install that man page.
  • Furthermore, we usually want to check a config before applying it and we need to do so in the right context, e.g. don’t complain that “foo” cannot be started if it is present in the new system but not the old one.
  • The remaining errors are:
    • systemd-journal-gatewayd.socket: Unit has no Listen setting (ListenStream=, ListenDatagram=, ListenFIFO=, …). Refusing. Unit systemd-journal-gatewayd.socket has a bad unit file setting. -> mostly empty, should probably be missing altogether
    • [email protected]: Failed to create [email protected]/start: Unit i.mount not found. -> I don’t think this is ever referenced with instance="i" but systemd mis-interprets the empty instance name and checks "Before=i.mount" instead of "Before=%i.mount".
    • syslog.socket: Service syslog.service not loaded, syslog.socket cannot be started. -> I think the socket shouldn’t exist if the service is not active. -> The service is gated by services.rsyslogd.enable. The socket is always part of upstreamSystemUnits in systemd.nix.
  • find -L result/etc/systemd/{system,user} -type f ! -name "*.conf" ! -name "*@.*" -exec systemd-analyze verify {} \+ 2>&1|grep -v man
  • Case in point for using a chroot/mount namespace: I had tested my script with three result links. The first one had a correct hostapd.service, the second one had the bug and the third one was an old one without hostapd. The script was correct for the first two but it was reporting the error for the third one - presumably because it was also looking at files of my current system.

WONTFIX missing network interfaces shouldn’t delay boot

  • I have looked through lots of .nix files and I still don’t know how to do that…
  • Can we at least do this for the wifi? -> I don’t know

don’t use inner-tunnel directly?

  • https://wiki.freeradius.org/guide/eduroam
  • This says that hostapd should send requests to the default virtual host, which forwards to the eap module, which in turn forwards to inner-tunnel if necessary (e.g. for TTLS).
  • I should try that.
  • The default site is already enabled so I only have to change the port.
  • I think that should also get rid of the error message that was logged for rejected auth.

Am I using modern, fast wifi?

  • https://wireless.wiki.kernel.org/en/users/documentation/hostapd
  • https://w1.fi/cgit/hostap/plain/hostapd/hostapd.conf
  • hw_mode only enables b/g/a. We need ieee80211n and probably ht_capab.
  • My card doesn’t support much of ht_capab according to `iw list`.
  • The example has `wme_enabled=1` which should be “Wireless Multimedia Extensions”. The example hostapd.conf has `wmm_enabled=1` which is probably the same thing. `wme_enabled=1` seems to work - at least it doesn’t cause any error.
  • “20/40 MHz operation not permitted on channel pri=7 sec=11 based on overlapping BSSes”
  • Fixed by `ht_capab=[HT40-]` because the other SSIDs are on higher channels.
  • That makes it much slower: 0-4 Mbit instead of 70/30 Mbit for https://beta.speedtest.net/
  • iperf 2, median of 3 measurements, 1-2m distance (Mbit/s):

    | settings             | laptop -> ap | ap -> laptop |
    |----------------------|--------------|--------------|
    | g, no n              | 24           | 25.5         |
    | ieee80211n=1         | 69 Mbit, 84  | 62 Mbit, 85  |
    | ht40-                | 2, 0.07, 16  | 10, 0.8, 2   |
    | ht20-                | 91           | 86           |
    | ht20+                | 92           | 87           |
    | ht20-, wme=1         | 91           | 87           |
    | ht20-, wmm=1         | 91           | 87           |
    | ch=1, ht40+, wmm     | 10.5         | 3            |
    | ht20-, w/ usb cable  | 9            | 10           |
    | w/o cable again      | 52           | 28           |

off-topic: weird setting of TMPDIR/TEMPDIR

  • `nix-shell -p openssl` has all of TEMPDIR, TEMP, TMPDIR, TMP set to /run/user/0.
  • A normal shell doesn’t have that. `mktemp` creates files in /tmp.
  • That difference means that emacsclient won’t work in nix-shell because it tries to connect to the wrong socket.

put clients into different VLANs

  • How do we add additional attributes when using certificates? Can we do that in the users file anyway?
  • What do we have to do to make VLANs work? Can we do something other than VLANs, e.g. bridge some users to ethernet and others to a private bridge for VMs?
  • This is how to apply additional attributes with SQL: https://wiki.freeradius.org/modules/Rlm_sql https://linuskarlsson.se/blog/radius-authentication-and-dynamic-vlan-assignment-for-wpa2-enterprise-using-sqlite-in-freeradius/
  • We should be able to do this in /etc/wifi-ap-eap/users, though.
  • Test it: Make a service that is only accessible from a certain VLAN/interface.
    • socat TCP-LISTEN:1235,fork EXEC:"echo blub"
    • #iptables -I INPUT -i wifiap.2 -p tcp --dport 1235 -j ACCEPT -> will not work because packets come from br0
    • ebtables -I INPUT --in-if wifiap.2 -j mark --set-mark 2 --mark-target CONTINUE
    • iptables -I INPUT -i br0 -p tcp --dport 1235 -m mark --mark 2/2 -j ACCEPT
    • nc 192.168.1.23 1235
  • I could also try using the sqlite database for that. This might come in handy if I ever make a tool to interface with the database, e.g. the admin can assign groups and VLANs in a web UI.
    • insert into radusergroup('username', 'groupname') values ('test1', 'testgroup');
    • insert into radgroupreply('groupname', 'attribute', 'op', 'value') values ('testgroup', 'Tunnel-Type', ':=', '13'), ('testgroup', 'Tunnel-Medium-Type', ':=', '6'), ('testgroup', 'Tunnel-Private-Group-ID', ':=', '"42"');
    • nixos-wifi-ap-eap client test test1.zip
    • That is looking good. SQL seems to win over the users file.
    • tcpdump -i wifiap.42 icmp
    • on the wifi station: ping example.com
  • One might want explicit entries for some of the VLANs in the vlan_file: Otherwise, hostapd will remove the interfaces if no client is using it anymore and that may be annoying, e.g. an active tcpdump on that interface will be aborted.
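As an added example (not code from this repository), the following Python/sqlite3 model shows what the two SQL inserts above set up: the radusergroup -> radgroupreply lookup rlm_sql performs, and the Tunnel-Type/Tunnel-Medium-Type/Tunnel-Private-Group-ID triple hostapd needs before it moves a station into a VLAN. The schema is a constructed minimal subset of the FreeRADIUS one and the function names are my own.

```python
import sqlite3

# Constructed minimal subset of the FreeRADIUS rlm_sql schema (the real one has more
# columns and tables such as radcheck, radreply and radacct).
SCHEMA = """
CREATE TABLE radusergroup (username TEXT, groupname TEXT, priority INTEGER DEFAULT 1);
CREATE TABLE radgroupreply (id INTEGER PRIMARY KEY, groupname TEXT,
                            attribute TEXT, op TEXT, value TEXT);
"""
# RFC 3580 values for 802.1X VLAN assignment: Tunnel-Type 13 = VLAN,
# Tunnel-Medium-Type 6 = IEEE-802, Tunnel-Private-Group-ID = the VLAN id.
VLAN_ATTRS = ("Tunnel-Type", "Tunnel-Medium-Type", "Tunnel-Private-Group-ID")

def open_db():
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    return con

def assign_vlan(con, groupname, vlan_id):
    """Store the three reply attributes hostapd needs to put a group's stations into a VLAN."""
    con.executemany(
        "INSERT INTO radgroupreply(groupname, attribute, op, value) VALUES (?, ?, ?, ?)",
        [(groupname, "Tunnel-Type", ":=", "13"),
         (groupname, "Tunnel-Medium-Type", ":=", "6"),
         (groupname, "Tunnel-Private-Group-ID", ":=", str(vlan_id))])

def add_user_to_group(con, username, groupname, priority=1):
    con.execute("INSERT INTO radusergroup(username, groupname, priority) VALUES (?, ?, ?)",
                (username, groupname, priority))

def reply_attributes(con, username):
    """Resolve reply attributes the way rlm_sql does: user -> groups (by priority) -> replies.
    Only ':=' is modelled, i.e. a later group overrides an earlier one."""
    rows = con.execute(
        "SELECT r.attribute, r.value FROM radusergroup u "
        "JOIN radgroupreply r ON r.groupname = u.groupname "
        "WHERE u.username = ? ORDER BY u.priority, r.id", (username,)).fetchall()
    return dict(rows)

def vlan_for_user(con, username):
    """VLAN id hostapd would apply, or None. hostapd needs the complete Tunnel-* triple with
    Tunnel-Type=VLAN and Tunnel-Medium-Type=IEEE-802; otherwise it applies no VLAN at all."""
    attrs = reply_attributes(con, username)
    if any(a not in attrs for a in VLAN_ATTRS):
        return None
    if attrs["Tunnel-Type"] != "13" or attrs["Tunnel-Medium-Type"] != "6":
        return None
    # The value may be written users-file style with quotes ("42"), as in the entry above.
    return int(attrs["Tunnel-Private-Group-ID"].strip('"'))
```

Pointing the same three functions at the real sqlite file instead of `:memory:` gives a quick way to check which VLAN a user will end up in before connecting a client.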

publish the config somewhere

add my TPM experiments to this git

try lorri

  • add lorri config to TPM dir with packages: tpm2-tools python3
  • lorri doesn’t seem to support anything akin to `direnv allow` for its shell.nix.
    • This cannot be true, can it?
    • I don’t see anything in the README nor any issues about this.
  • This thread is interesting:
  • There is already `use nix -p …` in normal direnv but I guess this doesn’t do async build in the background and it doesn’t add gcroots.
  • Other problems with lorri:
    • The user service doesn’t start as root.
      • Error: `ERRO Bind error: Io(Os { code: 30, kind: Other, message: “Read-only file system” })`
      • This may be due to `ProtectHome=read-only` in the service file but it does work for other users.
    • The default `.direnv` file should print a useful message if lorri is not available, e.g. a link to the repository.
  • legy recommends: Make a default.nix that builds the .envrc and run it like this: `nix build -f . --out-link .envrc`
    • Unfortunately, he doesn’t have any code available in a public repo.
    • That way, nix-build will add the gcroot and the usual `direnv allow` mechanism will work.
    • However, this also means that we won’t be able to notify the user about updates. -> see below
    • I probably want to use mkShell but that won’t work out-of-the-box. The source is here: /nix/var/nix/profiles/per-user/root/channels/nixos/pkgs/build-support/mkshell/default.nix
    • I think, I can make a shell.nix that modifies the build phase of mkShell to generate the envrc.
  • So, let’s try this:
    • Make a shell.nix with pkgs.mkShell but modify the build phase to generate an envrc.
    • We can probably generate the envrc by `direnv export` if this does the right thing for PATH.
    • Add options for setting additional variables.
    • Add some code to the envrc that adds a watch on shell.nix and prints a message if the file is newer than what was used to build that envrc - if we can do that.
  • How does lorri track dependencies?
  • FIXME: My current method of running $stdenv/setup in the .envrc does not work.
    • I think, I should probably use lorri’s helper files.
    • Also rename "path-only" to "simple" and use the `old` value passed to `override` to get additional variables.
  • FIXME: Actually do something with the watched files.
    • Put them in Nix store or next to the .envrc.
    • The .envrc should add them to direnv watch and notify the user if they have changed.

port my accounting display to different functional languages/frameworks

Is there a TodoMVC example app for all of them?

  • This seems to be implemented for lots of frameworks. If we have this for all of them, this may be useful as a more complete example.

Elm

Haskell: miso

Haskell: redux-frp

Rust Frameworks

Rust: percy

Rust: dodrio

Scala-js: Binding.scala

Scala-js: laminar?

test with ESP32

persistent names for network devices

  • services.udev.extraRules = ''KERNEL=="eth*", ATTR{address}=="xx:yy:..", NAME="ethX"'';
  • alternative that didn’t work for queezle: systemd.network.links.eth.{matchConfig,linkConfig}