[Solved] Modify wpa_supplicant.conf

Here you can post about the issues related to modifications performed manually (not through the kiosk wizard). Example: swapped kernel, added 3rd party modules or files.
Please describe in detail what has been changed and hopefully other kiosk users will be able to help.
Porteus team won't resolve bugs posted in this category as we support only modifications made by the kiosk wizard.

Post#1 by eexio » 24 May 2018, 15:21

Hi folks,

I'm testing Porteus Kiosk Edition version 4.6.0 now.
The wizard helps greatly in the case when I use a wired connection. Unfortunately, if I want to use my Eduroam account and wifi, I'm fairly out of luck.

The setup process only helps configuring PEAP but there is no option to select TTLS (as EAP method) and PAP as phase2 protocol (both mandatory for using Eduroam).

I know that wpa_supplicant can be configured this way and therefore I only need to rewrite the wpa_supplicant.conf in the /etc/ directory, rebuild the iso and have a running kiosk edition.

I read the tutorials for extracting and rebuilding the xzm modules and successfully created an ISO file of the kiosk edition where I have a bash prompt now.
While the system is running I can easily find and access /etc/wpa_supplicant.conf. It clearly shows me the configuration I made using the wizard.

But if I extract the iso file I can't find the wpa_supplicant.conf. Neither 'find' nor 'grep' helps me here as they don't show me where the wpa_supplicant.conf is generated or saved. I have only an idea about starting the wpa_supplicant itself (/etc/rc.d/rc.M starts /etc/rc.d/rc.inet1 which reads the wpa_supplicant.conf).

After messing around with these files I searched this forum for a solution. I only found the post from fanthom, "Re: Porteus Kiosk Edition v2.0 beta feedback" (post by fanthom #11023), where the wpa_supplicant.conf has been moved to the /rootcopy folder. But a later post by fanthom, "Re: Kiosk.iso -/rootcopy Folder where ?" (post by fanthom #29717), mentions that the /rootcopy folder itself caused issues and has been deleted since version 3.1.

Obviously the needed /etc/wpa_supplicant.conf is not saved in 003-settings.xzm, but I can't figure out where the configuration file is created and where the data for it comes from.

So my question is: How can I configure the wpa_supplicant.conf and save it in a way that the generated iso file contains the new configuration?


Have a nice day
EEx-I/O
Last edited by eexio on 26 May 2018, 19:37, edited 1 time in total.


Post#2 by fanthom » 25 May 2018, 04:19

Hello eexio,

1) wpa_supplicant.conf is generated on the fly during every kiosk boot from parameters included in the kiosk config. If you want to override it then simply create a startup script in /etc/rc.d/local_cli.d:

Code:

#!/bin/sh

cp -a /opt/storage/wpa_supplicant.conf /etc

2) TLS requires valid certificates. How are you going to update them once they expire or need to be changed?
By remastering the ISO and reinstalling the kiosk? Unless they will be stored on a persistent partition?

Asking cause I was thinking about implementing official support for EAP-TLS but stopped as I did not know how to handle the task of updating certificates.

BTW: I have deleted your doubled thread.

Thanks
Please add [Solved] to your thread title if the solution was found.


Post#3 by eexio » 26 May 2018, 20:48

Hello fanthom,

thanks for the solution. After messing around with the credentials it works now.

I'm sorry for the late response, but I didn't have time to write down a complete solution, yet.
fanthom wrote (25 May 2018, 04:19):
> 1) wpa_supplicant.conf is generated on the fly during every kiosk boot from parameters included in the kiosk config. If you want to override it then simply create a startup script in /etc/rc.d/local_cli.d:
>
> Code:
>
> #!/bin/sh
>
> cp -a /opt/storage/wpa_supplicant.conf /etc

Yeah, that did the trick.

OK, for all people who try to get their Eduroam account working on Porteus Kiosk, here is a solution:

1st step: Make an ISO file using the wizard. I tested wifi only. Hence no experience with the other connections.

2nd step: Save the ISO file in a Linux environment where you have installed the squashfs-tools (mksquashfs and unsquashfs are needed)

3rd step: Mount the ISO file, create a subfolder (I name it 'tmp_iso' here), copy all files and subdirectories to it and unmount the ISO file

4th step: If you don't have a mkisofs by now, it's time to get one. Use

Code:

unsquashfs -f -d 001-core tmp_iso/xzm/001-core.xzm

This will create a subfolder called 001-core and extract all of the module into it. Now copy the mkisofs to the root folder of your distro:

Code:

cp 001-core/usr/bin/mkisofs tmp_iso/

Change the line in the make_iso.sh so that it runs

Code:

./mkisofs ...

instead of

Code:

mkisofs

Why use the mkisofs from Porteus itself? Well, I used mkisofs from cdr-kit at first and it didn't work. cdrtools were not easy to install and after solving that problem my version 3.02a09 seemed not to run at first. After some restarting of services I got it working, but I assume that it is easier to extract the mkisofs from the ISO than to tell your package manager to switch to a different package and risk a dependency hell.

5th step: Now extract 003-settings.xzm:

Code:

unsquashfs -f -d 003-settings tmp_iso/xzm/003-settings.xzm

6th step: Write your wpa_supplicant.conf file. In my case it worked with the following settings:

Code:

ctrl_interface=/var/run/wpa_supplicant
ctrl_interface_group=0
eapol_version=1
ap_scan=1
fast_reauth=1
network={
	ssid="eduroam"
	ca_cert="/etc/cert/<CERTIFICATE>.pem"
	identity="<YOUR_ACCOUNT_NAME_HERE>"
	password="<YOUR_PASSWORD_HERE>"
	key_mgmt=WPA-EAP
	eap=TTLS
	phase2="auth=PAP"
	priority=2
	anonymous_identity="<ANONYMOUS_IDENTITY>"
}

Normally Eduroam uses AES as encryption which means CCMP instead of TKIP as parameter 'pairwise'. But wpa_supplicant has a good detection for this and therefore you may leave it blank.

Save that config in

Code:

003-settings/opt/storage/my_settings/

And save the certificate as a PEM file in the same folder.

7th step: Write a bash file which replaces the wpa_supplicant.conf. I call it 'reconfig_wifi.sh':

Code:

#!/bin/sh

mkdir -p /etc/cert
cp -a /opt/storage/my_settings/<CERTIFICATE>.pem /etc/cert/
chmod 400 /etc/cert/<CERTIFICATE>.pem
cp -a /opt/storage/my_settings/wpa_supplicant.conf /etc/
chmod 400 /etc/wpa_supplicant.conf

The lines with 'chmod' are not mandatory for a working solution, but highly recommended as they secure the copied files.

Save this file in the directory:

Code:

tmp_iso/rc.d/local_cli.d/reconfig_wifi.sh

and make it executable by root:

Code:

chmod u+x tmp_iso/rc.d/local_cli.d/reconfig_wifi.sh

8th step: Create a module with the replaced files:

Code:

mksquashfs 003-settings ./003-settings.xzm -comp xz -b 256K -Xbcj x86 -noappend

and replace the 003-settings.xzm in the original directory with this patched version:

Code:

cp 003-settings.xzm tmp_iso/xzm/

9th step: Create the iso file:

Code:

cd tmp_iso
./make_iso.sh

Last step: use the newly created iso file.

fanthom wrote (25 May 2018, 04:19):
> 2) TLS requires valid certificates. How are you going to update them once they expire or need to be changed?
> By remastering the ISO and reinstalling the kiosk? Unless they will be stored on a persistent partition?
>
> Asking cause I was thinking about implementing official support for EAP-TLS but stopped as I did not know how to handle the task of updating certificates.

With Porteus Kiosk there are just three ways for getting the certificate imported:
1st. Replace it in the tmp_iso directory and remaster the iso
2nd. Save it on the harddrive/SSD
3rd. Read from flash drive (not usable if usb has been locked down)

IMHO best practice would be for the wizard to allow typing in credentials and to read the PEM file from a flash drive. The certificate normally doesn't change twice a month so it seems to be ok if the iso has been remastered.

This is the way I go: I have a script which modifies an existing iso file in the way I described. So changing the certificate is just changing the pem file, starting the script and using the recreated iso file.

fanthom wrote (25 May 2018, 04:19):
> BTW: I have deleted your doubled thread.
>
> Thanks

Thank you. I messed up and sent it twice. Sorry for that.

Kind regards,
EEx-I/O
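
Steps 6 and 7 above bake a plaintext password and a CA certificate into the image, so the config is worth linting before the mksquashfs step. The following is an added example, not code from the thread or from Porteus Kiosk: a POSIX sh check that goes slightly beyond the post by also looking for a server name check (`domain_suffix_match` and `altsubject_match` are real wpa_supplicant options that the posted config does not set). The names `check_wpa_conf` and `demo` and all sample values are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. Prints one finding per line; returns 1 if any.
check_wpa_conf() {
    conf=$1
    out=$(
        # The file holds a plaintext password: only its owner should read it.
        if [ -n "$(find "$conf" -prune \( -perm -040 -o -perm -004 \))" ]; then
            echo "file: readable by group or others"
        fi
        awk '
            /^[ \t]*network=[{]/ { innet = 1; split("", kv); next }
            innet && /^[ \t]*[}]/ {
                innet = 0; if (kv["eap"] !~ /TTLS|PEAP/) next
                if (!("ca_cert" in kv))
                    print kv["ssid"] ": no ca_cert, server certificate is not verified"
                if (!("domain_suffix_match" in kv) && !("altsubject_match" in kv))
                    print kv["ssid"] ": no server name check, any server cert under that CA is accepted"
                if (!("anonymous_identity" in kv))
                    print kv["ssid"] ": real identity is sent outside the tunnel"
            }
            innet && /=/ && !/^[ \t]*#/ {
                line = $0; sub(/^[ \t]+/, "", line); i = index(line, "=")
                kv[substr(line, 1, i - 1)] = substr(line, i + 1)
            }
        ' "$conf"
    )
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}
# Constructed sample mirroring the step-6 settings (placeholder values only).
demo() {
    d=$(mktemp -d) || return 2
    cat > "$d/wpa_supplicant.conf" <<'EOF'
network={
    ssid="eduroam"
    ca_cert="/etc/cert/example-ca.pem"
    identity="user@example.org"
    password="constructed-not-real"
    eap=TTLS
    phase2="auth=PAP"
    anonymous_identity="anonymous@example.org"
}
EOF
    chmod 400 "$d/wpa_supplicant.conf"
    check_wpa_conf "$d/wpa_supplicant.conf"; rc=$?
    rm -rf "$d"; return "$rc"
}
demo || echo "fix the findings before building 003-settings.xzm"
```

Because `cp -a` preserves the source mode and the copy under /opt/storage/my_settings stays on the running kiosk, the permission check applies to the file inside the extracted 003-settings tree as well as to /etc/wpa_supplicant.conf.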


Post#4 by fanthom » 27 May 2018, 05:11

"The certificate normally doesn't change twice a month so it seems to be ok if the iso has been remastered."
Things get complicated if you have multiple kiosks spread on different sites across the country (ISO reinstallation requires traveling).

How do you normally update the cert file for non-kiosk systems? Is it centralized (e.g. pushed through some Windows app distribution software) or do you need to manually load the cert from the network/USB for each PC before the old cert expires?

Thanks