cvs commit: src/sbin/ifconfig ifconfig.8 ifconfig.c ifconfig.h ifieee80211.c

Sam Leffler sam at
Thu Jul 14 21:53:23 GMT 2005

Robert Watson wrote:
> On Thu, 14 Jul 2005, Sam Leffler wrote:
>>>   Add a new flag '-k' to ifconfig(8), indicating that it is alright to
>>>   print potentially sensitive keying material to stdout.  With the new
>>>   802.11 support, ifconfig(8) is now capable of printing 802.11 keys,
>>>   and did by default for the root user, which is undesirable in some
>>>   environments.  Now it will not print keying material unless requested
>>>   (and available to the user).
>> I thought we'd agreed NOT to do this.
> Remind me what we'd agreed should be done?  Printing the 802.11 key on 
> the console during boot is undesirable.  I recollect vaguely we had 
> thought about removing printing the key entirely, only it struck me this 
> was actually a useful feature, so "-k" allows you to do that.  
> Especially since we are trying to avoid forcing people to use wicontrol, 
> etc.

You repeatedly asked me to add this option.  Each time I said I didn't 
think it was a great idea.  You then committed it w/o discussion (with 
me at least).

ifconfig prints the key material only when invoked by root.  This is the 
way it's been all along and the way wiconfig still works and which we 
are trying to eliminate by extending ifconfig.

As to printing sensitive material I question how important this is.  If 
it's a wep key it's trivially cracked by other means.  If it's a WPA or 
802.1x key then it's rotated frequently and, for WPA at least, protected 
by addiitonal means that makes grabbing it via screen-scrape much less 
useful (only the GTK is displayed for WPA, not the PTK which is 
potentially more sensitive).  If you want to improve the situation for 
disclosing sensitive info then we should work on adding keychain style 
storage for sensitive info like static keys and wpa-psk's.

So I guess my argument against this is you're changing long-standing 
behaviour w/ little benefit.


More information about the cvs-src mailing list