service-name.config - ConnMan service provisioning file
/var/lib/connman/service-name.config
ConnMan's services are configured with so called
"provisioning files" which reside under
/var/lib/connman/. The files can be named anything, as long as they
end in .config. The provisioning files can be used to configure for
example secured wireless access points which need complex authentication,
for example eduroam, or for static IPs and so on. Each provisioning file can
be used for multiple services at once.
The configuration file consists of sections (groups) of key-value
pairs. Lines beginning with a '#' and blank lines are considered comments.
Sections are started by a header line containing the section enclosed in '['
and ']', and ended implicitly by the start of the next section or the end of
the file. Each key-value pair must be contained in a section.
Description of sections and available keys follows:
This section is optional, and can be used to describe the actual
file. The two allowed fields for this section are:
- Name=name
- Name of the network.
- Description=description
- Description of the network.
Each provisioned service must start with a [service_*] tag, with *
replaced by an unique name within the file. The allowed fields are:
- Type=ethernet
| wifi
- Mandatory. Other types than ethernet or wifi are not supported.
- IPv4=off | dhcp | network/netmask/gateway
- IPv4 settings for the service. If set to off, IPv4 won't be used.
If set to dhcp, dhcp will be used to obtain the network settings.
netmask can be specified as length of the mask rather than the mask
itself. The gateway can be omitted when using a static IP.
- IPv6=off | auto | network/prefixlength/gateway
- IPv6 settings for the service. If set to off, IPv6 won't be used.
If set to auto, settings will be obtained from the network.
- IPv6.Privacy=disabled
| enabled | preferred
- IPv6 privacy settings as per RFC3041.
- MAC=address
- MAC address of the interface to be used. If not specified, the first found
interface is used. Must be in format ab:cd:ef:01:23:45.
- Nameservers=servers
- Comma separated list of nameservers.
- SearchDomains=domains
- Comma separated list of DNS search domains.
- Timeservers=servers
- Comma separated list of timeservers.
- Domain=domain
- Domain name to be used.
- The following keys can only be
used for wireless networks:
- Name=name
- A string representation of an network SSID. If the SSID field is present,
the Name field is ignored. If the SSID field is not present, this field is
mandatory.
- SSID=ssid
- SSID: A hexadecimal representation of an 802.11 SSID. Use this format to
encode special characters including starting or ending spaces.
- Passphrase=passphrase
- RSN/WPA/WPA2 Passphrase.
- Security=type
- The security type of the network. Possible values are psk (WPA/WPA2
PSK), ieee8021x (WPA EAP), none and wep. When not
set, the default value is ieee8021x if an EAP type is configured,
psk if a passphrase is present and none otherwise.
- Hidden=true
| false
- If set to true, then this AP is hidden. If missing or set to
false, then AP is not hidden.
- The following keys are used
for WPA EAP (when Security=ieee8021x):
- EAP=tls | ttls
| peap
- EAP type to use. Only tls, ttls and peap are
supported.
- CACertFile=file
- Path to the CA certificate file. Only PEM and DER formats are
supported.
- PrivateKeyFile=file
- Path to the private key file. Only PEM, DER and PFX formats are
supported.
- PrivateKeyPassphrase=passphrase
- Passphrase of the private key.
- PrivateKeyPassphraseType=fsid
- If specified, use the private key's fsid as the passphrase, and ignore the
PrivateKeyPassphrase field.
- Identity=identity
- Identity string for EAP.
- AnonymousIdentity=identity
- Anonymous identity string for EAP.
- SubjectMatch=substring
- Substring to be matched against the subject of the authentication server
certificate for EAP.
- AltSubjectMatch=substring
- Semicolon separated string of entries to be matched against the
alternative subject name of the authentication server certificate for
EAP.
- DomainSuffixMatch=domain
- Constraint for server domain name. If set, this FQDN is used as a suffix
match requirement for the authentication server certificate for EAP.
- DomainMatch=domain
- This FQDN is used as a full match requirement for the authentication
server certificate for EAP.
- Phase2=type
- Inner authentication type with for EAP=tls or EAP=ttls.
Prefix the value with EAP- to indicate usage of EAP-based
authentication method (should only be used with EAP=ttls).
This is a configuration file for eduroam networks. This file could
for example be /var/lib/connman/eduroam.config. Your university's exact
settings might be different.
[service_eduroam]
Type = wifi
Name = eduroam
EAP = peap
Phase2 = MSCHAPV2
CACertFile = /etc/ssl/certs/UNIV_CA.crt
This is a configuration file for a network providing EAP-TLS,
EAP-TTLS and EAP-PEAP services. The respective SSIDs are tls_ssid, ttls_ssid
and peap_ssid and the file name could be
/var/lib/connman/complex.config.
Please note that the SSID entry is for hexadecimal encoded SSID
(e.g. "SSID = 746c735f73736964"). If your SSID does not contain
any exotic character then you should use the Name entry instead (e.g.
"Name = tls_ssid").
[global]
Name = Example
Description = Example network configuration
[service_tls]
Type = wifi
SSID = 746c735f73736964
EAP = tls
CACertFile = /home/user/.certs/ca.pem
ClientCertFile = /home/user/devlp/.certs/client.pem
PrivateKeyFile = /home/user/.certs/client.fsid.pem
PrivateKeyPassphraseType = fsid
Identity = user
[service_ttls]
Type = wifi
Name = ttls_ssid
EAP = ttls
CACertFile = /home/user/.cert/ca.pem
Phase2 = MSCHAPV2
Identity = user
[service_peap]
Type = wifi
Name = peap_ssid
EAP = peap
CACertFile = /home/user/.cert/ca.pem
Phase2 = MSCHAPV2
Identity = user
[service_home_ethernet]
Type = ethernet
IPv4 = 192.168.1.42/255.255.255.0/192.168.1.1
IPv6 = 2001:db8::42/64/2001:db8::1
MAC = 01:02:03:04:05:06
Nameservers = 10.2.3.4,192.168.1.99
SearchDomains = my.home,isp.net
Timeservers = 10.172.2.1,ntp.my.isp.net
Domain = my.home
[service_home_wifi]
Type = wifi
Name = my_home_wifi
Passphrase = password
IPv4 = 192.168.2.2/255.255.255.0/192.168.2.1
MAC = 06:05:04:03:02:01