Bug 48128 - ucs-school-ntlm-auth breaks with certain passwords
ucs-school-ntlm-auth breaks with certain passwords
Product: UCS@school
Classification: Unclassified
Component: Radius
UCS@school 4.3
Other All
: P5 normal (vote)
: UCS@school 4.3 v6
Assigned To: Sönke Schwardt-Krummrich
Jürn Brodersen
Depends on:
  Show dependency treegraph
Reported: 2018-11-09 14:19 CET by Michael Grandjean
Modified: 2018-11-16 11:48 CET (History)
2 users (show)

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 5: Major Usability: Impairs usability in key scenarios
Who will be affected by this bug?: 2: Will only affect a few installed domains
How will those affected feel about the bug?: 4: A User would return the product
User Pain: 0.229
Enterprise Customer affected?:
School Customer affected?: Yes
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Max CVSS v3 score:


Note You need to log in before you can comment on or make changes to this bug.
Description Michael Grandjean univentionstaff 2018-11-09 14:19:52 CET
This looks like the same problem as Bug #38785 but for ucs-school-radius-802.1x:

Using certain passwords causes a Traceback in "ucs-school-ntlm-auth" and thus prevents users from using the WLAN via RADIUS.

root@schule01ucs:~# univention-app info
UCS: 4.3-2 errata291
Installed: cups=2.2.1 dhcp-server=12.0 samba4=4.7 squid=3.5 ucsschool=4.3 v5

ucs-school-radius-802.1x -> 7.0.0-8A~

1. Create a student (e.g. using the UCS@school "Benutzer (Schulen)" wizard) with a certain password
2. Stop freeradius.service on the schoolserver and start it in debug mode: "freeradius -X"
3. Check RADIUS/MSCHAP authentication on the school server via:
$ radtest -t mschap $USERNAME "$PASSWORD" localhost 0 testing123
4. Check the debug output of "freeradius -X" - it should show this Traceback:

> Traceback (most recent call last):
>   File "/usr/bin/ucs-school-ntlm-auth", line 180, in <module>
>     sys.exit(main())
>   File "/usr/bin/ucs-school-ntlm-auth", line 167, in main
>     if PasswordHash and pyMsChapV2.ChallengeResponse(options.Challenge, PasswordHash) == options.Response:
>   File "/usr/lib/pymodules/python2.7/univention/pyMsChapV2.py", line 84, in ChallengeResponse
>     Response = DesEncrypt(Challenge, ZPasswordHash[0:7])
>   File "/usr/lib/pymodules/python2.7/univention/pyMsChapV2.py", line 57, in DesEncrypt
>     return pyDes.des(expandDesKey(key), pyDes.ECB).encrypt(data)
>   File "/usr/lib/pymodules/python2.7/univention/pyDes.py", line 400, in __init__
>     raise ValueError("Invalid DES key size. Key must be exactly 8 bytes long.")
> ValueError: Invalid DES key size. Key must be exactly 8 bytes long.
Comment 3 Sönke Schwardt-Krummrich univentionstaff 2018-11-09 16:16:46 CET
(In reply to Michael Grandjean from comment #0)
> This looks like the same problem as Bug #38785 but for
> ucs-school-radius-802.1x:

Unfortunately is IS the same problem :-(
Comment 4 Sönke Schwardt-Krummrich univentionstaff 2018-11-09 16:37:40 CET
# univention-ldapsearch uid=anton9 sambaNTPassword -LLL
dn: uid=anton9,cn=schueler,cn=users,ou=gsmitte,dc=nstx,dc=local
sambaNTPassword: 00563126F04F3875C417F789B00E72D2

00563126F04F3875C417F789B00E72D2 → "taylor21."

As in the original bug mentioned the following commands will produce a traceback:

console1# service freeradius stop
console1# freeradius -X
console2# radtest -t mschap anton9 "taylor21." localhost 0 testing123
→ traceback in console1 → reject in console2

Please keep in mind, that the correct internet rule has to be applied to the users class group, otherwise RADIUS will also reject the user after the bug has been fixed (but without traceback).

b57ff8185 Bug #48128: update advisory
0d611c888 Bug #48128: add advisory
566fd4181 Bug #48128: added changelog entry
df2a0a4a3 Bug #48128: fixed key expansion for des encryption in pyMsChapV2.py

Package: ucs-school-radius-802.1x
Version: 7.0.1-2A~
Branch: ucs_4.3-0
Scope: ucs-school-4.3
Comment 5 Jürn Brodersen univentionstaff 2018-11-12 09:39:17 CET
Bug fixed: OK
Tests: OK
Comment 6 Sönke Schwardt-Krummrich univentionstaff 2018-11-16 11:48:18 CET
UCS@school 4.3 v6 has been released.


If this error occurs again, please clone this bug.