Univention Bugzilla – Bug 48128
ucs-school-ntlm-auth breaks with certain passwords
Last modified: 2018-11-16 11:48:18 CET
This looks like the same problem as Bug #38785 but for ucs-school-radius-802.1x: Using certain passwords causes a Traceback in "ucs-school-ntlm-auth" and thus prevents users from using the WLAN via RADIUS.

root@schule01ucs:~# univention-app info
UCS: 4.3-2 errata291
Installed: cups=2.2.1 dhcp-server=12.0 samba4=4.7 squid=3.5 ucsschool=4.3 v5
Upgradable: ucs-school-radius-802.1x -> 7.0.0-8A~4.3.0.201804111426

1. Create a student (e.g. using the UCS@school "Benutzer (Schulen)" wizard) with a certain password
2. Stop freeradius.service on the schoolserver and start it in debug mode: "freeradius -X"
3. Check RADIUS/MSCHAP authentication on the school server via:
   $ radtest -t mschap $USERNAME "$PASSWORD" localhost 0 testing123
4. Check the debug output of "freeradius -X" - it should show this Traceback:

> Traceback (most recent call last):
>   File "/usr/bin/ucs-school-ntlm-auth", line 180, in <module>
>     sys.exit(main())
>   File "/usr/bin/ucs-school-ntlm-auth", line 167, in main
>     if PasswordHash and pyMsChapV2.ChallengeResponse(options.Challenge, PasswordHash) == options.Response:
>   File "/usr/lib/pymodules/python2.7/univention/pyMsChapV2.py", line 84, in ChallengeResponse
>     Response = DesEncrypt(Challenge, ZPasswordHash[0:7])
>   File "/usr/lib/pymodules/python2.7/univention/pyMsChapV2.py", line 57, in DesEncrypt
>     return pyDes.des(expandDesKey(key), pyDes.ECB).encrypt(data)
>   File "/usr/lib/pymodules/python2.7/univention/pyDes.py", line 400, in __init__
>     raise ValueError("Invalid DES key size. Key must be exactly 8 bytes long.")
> ValueError: Invalid DES key size. Key must be exactly 8 bytes long.
(In reply to Michael Grandjean from comment #0)
> This looks like the same problem as Bug #38785 but for
> ucs-school-radius-802.1x:

Unfortunately it IS the same problem :-(
# univention-ldapsearch uid=anton9 sambaNTPassword -LLL
dn: uid=anton9,cn=schueler,cn=users,ou=gsmitte,dc=nstx,dc=local
sambaNTPassword: 00563126F04F3875C417F789B00E72D2

00563126F04F3875C417F789B00E72D2 → "taylor21."

As mentioned in the original bug, the following commands will produce a traceback:

console1# service freeradius stop
console1# freeradius -X
console2# radtest -t mschap anton9 "taylor21." localhost 0 testing123
→ traceback in console1
→ reject in console2

Please keep in mind that the correct internet rule has to be applied to the user's class group, otherwise RADIUS will also reject the user after the bug has been fixed (but without traceback).

b57ff8185 Bug #48128: update advisory
0d611c888 Bug #48128: add advisory
566fd4181 Bug #48128: added changelog entry
df2a0a4a3 Bug #48128: fixed key expansion for des encryption in pyMsChapV2.py

Package: ucs-school-radius-802.1x
Version: 7.0.1-2A~4.3.0.201811091632
Branch: ucs_4.3-0
Scope: ucs-school-4.3
Bug fixed: OK Tests: OK YAML: OK
UCS@school 4.3 v6 has been released. https://docs.software-univention.de/changelog-ucsschool-4.3v6-de.html If this error occurs again, please clone this bug.
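
Added example, not code from pyMsChapV2.py or the fix commit: the sambaNTPassword hash in this report starts with a 0x00 byte, so the first 7-bit group of the first DES key is zero. The sketch shows the RFC 2759 ChallengeResponse key split with a byte-wise 7-to-8-byte expansion, next to a hypothetical lossy variant (an assumption about how such a failure can arise, all function names are illustrative) that loses the leading zero byte and hands DES a 7-byte key.

```python
# Added example: not code from ucs-school-radius-802.1x or pyMsChapV2.py.

NT_HASH_HEX = "00563126F04F3875C417F789B00E72D2"  # sambaNTPassword from the report


def _seven_bit_groups(key7: bytes) -> list:
    """Split 56 key bits into eight 7-bit groups, each shifted into bits 7..1."""
    if len(key7) != 7:
        raise ValueError("DES key material must be exactly 7 bytes")
    n = int.from_bytes(key7, "big")
    return [((n >> (49 - 7 * i)) & 0x7F) << 1 for i in range(8)]


def expand_des_key(key7: bytes) -> bytes:
    """Byte-wise 7 -> 8 byte expansion with odd parity; always returns 8 bytes."""
    out = bytearray()
    for b in _seven_bit_groups(key7):
        if bin(b).count("1") % 2 == 0:  # set the low bit so each byte has odd parity
            b |= 1
        out.append(b)
    return bytes(out)


def lossy_expand_des_key(key7: bytes) -> bytes:
    """Hypothetical faulty variant: round-trips through an unpadded hex string."""
    n = 0
    for b in _seven_bit_groups(key7):
        n = (n << 8) | b
    h = "%x" % n  # no zero-fill, so a leading 0x00 byte is lost here
    return bytes.fromhex(h if len(h) % 2 == 0 else "0" + h)


def des_keys_for_hash(nt_hash_hex: str, expand=expand_des_key) -> list:
    """RFC 2759 ChallengeResponse: pad the hash to 21 bytes, split into three keys."""
    z = bytes.fromhex(nt_hash_hex).ljust(21, b"\x00")
    return [expand(z[i:i + 7]) for i in (0, 7, 14)]


if __name__ == "__main__":
    for name, fn in (("byte-wise", expand_des_key), ("lossy", lossy_expand_des_key)):
        print(name, [(k.hex(), len(k)) for k in des_keys_for_hash(NT_HASH_HEX, fn)])
```

A regression test for this class of bug should include hashes whose first or eighth byte is 0x00 or 0x01, since those make the leading 7-bit group of a DES key zero.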