Eduroam is a great Wi-Fi network setup for students. With certificate-based authentication, setting it up securely is a bit of a hassle. Once done, however, one benefits from a per-device Wi-Fi encryption key and international roaming capabilities. I very much like the system and have described my experiences here and here. For Ubuntu 16.04 and later, however, the security configuration has changed and one has to be careful, as there is no security warning if an old setup is reused. Read on for the details.
When recently setting up Eduroam again after installing Ubuntu 16.04 from scratch, I played around with the security parameters in the configuration file and noticed that the certificate matching no longer works. This opens the door to password phishing attacks and is a real security issue.
Hat tip to the Leibniz Rechenzentrum, who noticed the same thing and updated their (German) Ubuntu Eduroam setup description right after Ubuntu 16.04 was released. While previously certificate matching was done with the subject-match= parameter, it is now done with domain-suffix-match=. For details on where the parameter has to be changed, have a look at my original post.
To check if certificate matching works, just enter a wrong string after the parameter, restart the NetworkManager service and try connecting to the Eduroam Wi-Fi network again. If the connection still succeeds, the name check is not being enforced. Here’s an output from the system log produced by a successful and a failed attempt if you are interested.
While a change of parameters over time is understandable, and the authors of NetworkManager deprecated the old parameter long ago, it’s a bit of a shame that it makes an existing configuration insecure without warning.
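Since NetworkManager gives no warning when a profile still relies on the deprecated subject-match= parameter, here is a small audit script that provides one. It is an added example written for this post, not code from the post or from the NetworkManager project. It assumes NetworkManager stores connection profiles as keyfiles under /etc/NetworkManager/system-connections (the standard location) and uses the keyfile keys ca-cert, subject-match, domain-suffix-match and domain-match from the [802-1x] section; the Eduroam profile embedded below is constructed sample data.

```python
"""Audit NetworkManager keyfiles for 802.1X (EAP) profiles whose server
certificate name check still relies on the deprecated subject-match= key.
Example code written for this post, not from NetworkManager itself."""
import configparser
import glob
import os

# Assumption: NetworkManager keeps its connection profiles as keyfiles here.
KEYFILE_DIR = "/etc/NetworkManager/system-connections"

# Keys in [802-1x] that bind the RADIUS server certificate to an expected name.
# domain-suffix-match= replaces the deprecated subject-match=; domain-match=
# is the stricter variant available in newer NetworkManager releases.
MODERN_MATCH_KEYS = ("domain-suffix-match", "domain-match")
DEPRECATED_MATCH_KEY = "subject-match"


def audit_keyfile_text(text, name="<inline>"):
    """Return a list of (severity, message) findings for one keyfile's text."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(text)

    findings = []
    if not parser.has_section("802-1x"):
        return findings  # not an EAP connection, nothing to check

    sec = parser["802-1x"]
    has_ca = bool(sec.get("ca-cert", "").strip())
    has_modern = any(sec.get(k, "").strip() for k in MODERN_MATCH_KEYS)
    has_deprecated = bool(sec.get(DEPRECATED_MATCH_KEY, "").strip())

    if not has_ca:
        findings.append(("HIGH", f"{name}: no ca-cert= set, the server certificate "
                                 "is not validated at all"))
    if has_deprecated and not has_modern:
        findings.append(("HIGH", f"{name}: only the deprecated subject-match= is set; "
                                 "the name check is no longer enforced, add "
                                 "domain-suffix-match= with the same value"))
    if not has_deprecated and not has_modern:
        findings.append(("HIGH", f"{name}: no server certificate name check "
                                 "configured (domain-suffix-match= missing)"))
    if has_deprecated and has_modern:
        findings.append(("INFO", f"{name}: subject-match= is redundant next to "
                                 "domain-suffix-match= and can be removed"))
    return findings


def audit_directory(path=KEYFILE_DIR):
    """Audit every keyfile in a directory (needs root, the files are mode 0600)."""
    findings = []
    for keyfile in sorted(glob.glob(os.path.join(path, "*"))):
        with open(keyfile, encoding="utf-8") as fh:
            findings.extend(audit_keyfile_text(fh.read(), os.path.basename(keyfile)))
    return findings


# Constructed sample profile in the pre-16.04 style: CA pinned, but the
# server name is only checked through the deprecated key.
SAMPLE_OLD_PROFILE = """[connection]
id=eduroam
type=wifi

[wifi]
ssid=eduroam

[wifi-security]
key-mgmt=wpa-eap

[802-1x]
eap=ttls;
identity=user@example.org
ca-cert=/etc/ssl/certs/ca-certificates.crt
subject-match=radius.example.org
phase2-auth=mschapv2
"""


if __name__ == "__main__":
    for severity, message in audit_keyfile_text(SAMPLE_OLD_PROFILE, "sample"):
        print(f"[{severity}] {message}")
    if os.path.isdir(KEYFILE_DIR):
        for severity, message in audit_directory():
            print(f"[{severity}] {message}")
```

Running it on a live system (as root) lists every Wi-Fi profile that would silently accept any certificate chaining to the configured CA, which is exactly the gap the wrong-string test above exposes per profile; a profile that has been migrated to domain-suffix-match= produces no findings.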