Wpa supplicant (简体中文)

From ArchWiki
The printable version is no longer supported and may have rendering errors. Please update your browser bookmarks and please use the default browser print function instead.
翻译状态:本文是 WPA supplicant翻译。上次翻译日期:2019-03-12。如果英文版本有所更改,则您可以帮助同步翻译。

wpa_supplicant 是跨平台的 WPA 请求者程序(supplicant),支持 WEP、WPA 和 WPA2(IEEE 802.11i).。可以在桌面、笔记本甚至嵌入式系统中使用。

wpa_supplicant 是在客户端使用的 IEEE 802.1X/WPA 组件,支持与 WPA Authenticator 的交互,控制漫游和无线驱动的IEEE 802.11 验证和关联。

安装

安装 wpa_supplicant 软件包。此软件包提供了主程序 wpa_supplicant,密码工具 wpa_passphrase 和文字界面前端 wpa_cli.

此外软件包 wpa_supplicant_guiAUR 提供了图形界面 wpa_guiwpa-cuteAURwpa_gui 的一个分支,提供了额外的修正和改进。

概览

连接到加密无线网络的第一步是让 wpa_supplicant 获取 WPA 认证者的认证。为此, wpa_supplicant 必须进行配置以使其能够向认证者提交认证信息。

完成认证后需要分配 IP 地址,请参考:Network configuration#IP addresses

用 wpa_cli 连接

This connection method allows scanning for available networks, making use of wpa_cli, a command line tool which can be used to configure wpa_supplicant. See wpa_cli(8) for details.

In order to use wpa_cli, a control interface must be specified for wpa_supplicant, and it must be given the rights to update the configuration. Do this by creating a minimal configuration file:

/etc/wpa_supplicant/wpa_supplicant.conf
ctrl_interface=/run/wpa_supplicant
update_config=1

Now start wpa_supplicant with:

# wpa_supplicant -B -i interface -c /etc/wpa_supplicant/wpa_supplicant.conf
提示: To discover your wireless network interface name, issue the ip link command.

At this point run:

# wpa_cli

This will present an interactive prompt (>), which has tab completion and descriptions of completed commands.

提示: The default location of the control socket is /var/run/wpa_supplicant/, custom path can be set manually with the -p option to match the wpa_supplicant configuration. It is also possible to specify the interface to be configured with the -i option, otherwise the first found wireless interface managed by wpa_supplicant will be used.

Use the scan and scan_results commands to see the available networks:

> scan
OK
<3>CTRL-EVENT-SCAN-RESULTS
> scan_results
bssid / frequency / signal level / flags / ssid
00:00:00:00:00:00 2462 -49 [WPA2-PSK-CCMP][ESS] MYSSID
11:11:11:11:11:11 2437 -64 [WPA2-PSK-CCMP][ESS] ANOTHERSSID

To associate with MYSSID, add the network, set the credentials and enable it:

> add_network
0
> set_network 0 ssid "MYSSID"
> set_network 0 psk "passphrase"
> enable_network 0
<2>CTRL-EVENT-CONNECTED - Connection to 00:00:00:00:00:00 completed (reauth) [id=0 id_str=]

If the SSID does not have password authentication, you must explicitly configure the network as keyless by replacing the command set_network 0 psk "passphrase" with set_network 0 key_mgmt NONE.

注意:
  • Each network is indexed numerically, so the first network will have index 0.
  • The PSK is computed from the quoted "passphrase" string, as also shown by the wpa_passphrase command. Nonetheless, you can enter the PSK directly by passing it to psk without quotes.

Finally save this network in the configuration file:

> save_config
OK

Once association is complete, you must obtain an IP address, for example, using dhcpcd.

带 wpa 通行字的连接

用命令行工具 wpa_passphrase 生成 wpa_supplicant 所需的最小配置,可以快速连接到已知 SSID 的无线网络。例如:

$ wpa_passphrase MYSSID passphrase
network={
    ssid="MYSSID"
    #psk="passphrase"
    psk=59e0d07fa4c7741797a4e394f38a5c321e3bed51d54ad5fcbd3f84bc7415d73d
}

上例表明,wpa_supplicant 可以与 wpa_passphrase 协同工作,只需简单地这样即可做:

# wpa_supplicant -B -i interface -c <(wpa_passphrase MYSSID passphrase)
注意: 由于存在进程替换,这个命令不能sudo 方式执行,必须切换到 root 身份。否则会报错:
Successfully initialized wpa_supplicant
Failed to open config file '/dev/fd/63', error: No such file or directory
Failed to read or parse configuration '/dev/fd/63'
参阅:Help:Reading (简体中文)#一般用户还是 root 用户
提示:
  • 如果输入内容包含空格请使用引号。例如:"secret passphrase"
  • 要找出无线网卡的名字,使用 ip link 命令。
  • 某些不常用的复杂通行字要求从文件输入,例如:wpa_passphrase MYSSID < passphrase.txt;或者从命令行输入,例如:wpa_passphrase MYSSID <<< "passphrase"

连接后需要获取 IP 地址,可以使用 dhcpcd.

高级用法

对于各种纷繁复杂的网络,更常见的场景是使用 EAP 管理配置文件。各种配置及其范例可参阅手册页wpa_supplicant.conf(5);所有可支持的配置参数可参考范例文件 /etc/wpa_supplicant/wpa_supplicant.conf

配置

如上文中#带 wpa 通行字的连接一节所述,一个基本的配置文件可以这样生成:

# wpa_passphrase MYSSID passphrase > /etc/wpa_supplicant/example.conf

这样仅仅是创建了一个网络配置节段。包含更多通用配置项的配置文件类似下面这样:

/etc/wpa_supplicant/example.conf
ctrl_interface=/var/run/wpa_supplicant
ctrl_interface_group=wheel
update_config=1
fast_reauth=1
ap_scan=1

network={
    ssid="MYSSID"
    psk=59e0d07fa4c7741797a4e394f38a5c321e3bed51d54ad5fcbd3f84bc7415d73d
}

如果可以不顾及安全问题,其中的通行字可以换成由引号包围的纯文本:

network={
    ssid="MYSSID"
    psk="passphrase"
}

如果某一网络没有设置通行字,比如一个公共无线网络,就是这样:

network={
    ssid="MYSSID"
    key_mgmt=NONE
}

Further network blocks may be added manually, or using wpa_cli as illustrated in #用 wpa_cli 连接. In order to use wpa_cli, a control interface must be set with the ctrl_interface option. Setting ctrl_interface_group=wheel allows users belonging to such group to execute wpa_cli. This setting can be used to enable users without root access (or equivalent via sudo etc) to connect to wireless networks. Also add update_config=1 so that changes made with wpa_cli to example.conf can be saved. Note that any user that is a member of the ctrl_interface_group group will be able to make changes to the file if this is turned on.

fast_reauth=1 and ap_scan=1 are the wpa_supplicant options active globally at the time of writing. Whether you need them, or other global options too for that matter, depends on the type of network to connect to. If you need other global options, simply copy them over to the file from /etc/wpa_supplicant/wpa_supplicant.conf.

Alternatively, wpa_cli set can be used to see options' status or set new ones. Multiple network blocks may be appended to this configuration: the supplicant will handle association to and roaming between all of them. The strongest signal defined with a network block usually is connected to by default, one may define priority= to influence behaviour.

An advantage to be mentioned in using a customized configuration file at /etc/wpa_supplicant/wpa_supplicant.conf is that it is used by default by dhcpcd. If you do so, you might want to make a backup of the original and delete the extensive network block examples in it. Otherwise, do not be surprised if your device suddenly connects to networks defined in them. In any case, changes to new versions of the configuration file should of course be merged.

提示: To configure a network block to a hidden wireless SSID, which by definition will not turn up in a regular scan, the option scan_ssid=1 has to be defined in the network block.

连接

手动连接

First start wpa_supplicant command, whose most commonly used arguments are:

  • -B - Fork into background.
  • -c filename - Path to configuration file.
  • -i interface - Interface to listen on.
  • -D driver - Optionally specify the driver to be used. For a list of supported drivers see the output of wpa_supplicant -h.
    • nl80211 is the current standard, but not all wireless chip's modules support it.
    • wext is currently deprecated, but still widely supported.

See wpa_supplicant(8) for the full argument list. For example:

# wpa_supplicant -B -i interface -c /etc/wpa_supplicant/example.conf

followed by a method to obtain an ip address manually as indicated in the #概览, for example:

# dhcpcd interface
提示: dhcpcd has a hook that can lauch wpa_supplicant implicitly, see dhcpcd#10-wpa_supplicant.

引导时连接(systemd)

wpa_supplicant 软件包中提供了多个 systemd 服务文件:

  • wpa_supplicant.service - 使用 D-Bus ,建议 NetworkManager 用户使用。
  • wpa_supplicant@.service - 接受网口名作为参数,启动服务于该网口的 wpa_supplicant 守护进程。这个服务将读取 /etc/wpa_supplicant/wpa_supplicant-interface.conf 这个配置文件。
  • wpa_supplicant-nl80211@.service - 同样接受网口名作为参数,但明确限定使用 nl80211 驱动(详阅下文)。它的配置文件是 /etc/wpa_supplicant/wpa_supplicant-nl80211-interface.conf
  • wpa_supplicant-wired@.service - 同样接受网口名作为参数,使用 wired(有线网络)驱动。它的配置文件是 /etc/wpa_supplicant/wpa_supplicant-wired-interface.conf

在引导时激活无线网络,就是激活服务于某个无线网络接口的上述服务单元之一。

现在就可以像概览一节所述,可以选定某个网络接口并激活其服务单元的一个实例,从而获取一个 IP 地址。

提示: dhcpcd 可以后台加载 wpa_supplicant ,参阅 dhcpcd (简体中文)#10-wpa_supplicant.
802.1x/radius

To connect a wired adapter using 802.1x/radius you will need to specify some configurations and enable the necessary service for the adapter. This is useful for headless servers using networkd.

Replace adapter with the wired adapter you wish to connect, and adapt the settings to match your 802.1x/radius requirements.

/etc/wpa_supplicant/wpa_supplicant-wired-adapter.conf
ctrl_interface=/var/run/wpa_supplicant
ap_scan=0
network={
  key_mgmt=IEEE8021X
  eap=PEAP
  identity="user_name"
  password="user_password"
  phase2="autheap=MSCHAPV2"
}
提示: The same configuration, but for a wireless adapter, would require changing IEEE8021X to WPA-EAP and removing the ap_scan=0 line

Since this file is storing a plaintext password, chown it to root:root and chmod it to 600.

Before running the wpa_supplicant-wired@adapter.service service, make sure to set the device down:

# ip link set adapter down
提示: This setup can be used during system installation as well, though you may want to run using dhcpcd@adapter.service to solicit an address.

wpa_cli 操作脚本

wpa_cli can run in daemon mode and execute a specified script based on events from wpa_supplicant. Two events are supported: CONNECTED and DISCONNECTED. Some environment variables are available to the script, see wpa_cli(8) for details.

The following example will use desktop notifications to notify the user about the events:

#!/bin/bash

case "$2" in
    CONNECTED)
        notify-send "WPA supplicant: connection established";
        ;;
    DISCONNECTED)
        notify-send "WPA supplicant: connection lost";
        ;;
esac

Remember to make the script executable, then use the -a flag to pass the script path to wpa_cli:

$ wpa_cli -a /path/to/script

排错

警告: Make sure that you are not using the default configuration file at /etc/wpa_supplicant/wpa_supplicant.conf, which is filled with uncommented examples that will lead to lots of random errors in practice. This is a known packaging bug of the wpa_supplicant package: FS#40661.

某些硬件上 nl80211 驱动不支持

On some (especially old) hardware, wpa_supplicant may fail with the following error:

Successfully initialized wpa_supplicant
nl80211: Driver does not support authentication/association or connect commands
wlan0: Failed to initialize driver interface

This indicates that the standard nl80211 driver does not support the given hardware. The deprecated wext driver might still support the device:

# wpa_supplicant -B -i wlan0 -D wext -c /etc/wpa_supplicant/example.conf

If the command works to connect, and the user wishes to use systemd to manage the wireless connection, it is necessary to edit the wpa_supplicant@.service unit provided by the package and modify the ExecStart line accordingly:

/etc/systemd/system/wpa_supplicant@.service.d/wext.conf
[Service]
ExecStart=
ExecStart=/usr/bin/wpa_supplicant -c/etc/wpa_supplicant/wpa_supplicant-%I.conf -i%I -Dnl80211,wext
注意: Multiple comma separated driver wrappers in option -Dnl80211,wext makes wpa_supplicant use the first driver wrapper that is able to initialize the interface (see wpa_supplicant(8)). This is useful when using mutiple or removable (e.g. USB) wireless devices which use different drivers.

挂载了网络共享(CIFS)时的关机问题

When you use wireless to connect to network shares you might have the problem that the shutdown takes a very long time. That is because systemd runs against a 3 minute timeout. The reason is that WPA supplicant is shut down too early, i.e. before systemd tries to unmount the share(s). A bug report suggests a work-around by editing the wpa_supplicant@.service as follows:

/etc/systemd/system/wpa_supplicant.service.d/override.conf
[Unit]
After=dbus.service

口令相关的问题

wpa_supplicant may not work properly if directly passed via stdin particularly long or complex passphrases which include special characters. This may lead to errors such as failed 4-way WPA handshake, PSK may be wrong when launching wpa_supplicant.

In order to solve this try using here strings wpa_passphrase <MYSSID> <<< "<passphrase>" or passing a file to the -c flag instead:

$ wpa_supplicant -i <interface> -c /etc/wpa_supplicant/wpa_supplicant.conf

In some instances it was found that storing the passphrase cleartext in the psk key of the wpa_supplicant.conf network block gave positive results (see [1]). However, this approach is rather insecure. Using wpa_cli to create this file instead of manually writing it gives the best results most of the time and therefore is the recommended way to proceed.

参阅