Bug 38785
| Summary: | univention-radius-ntlm-auth breaks with certain passwords | ||
|---|---|---|---|
| Product: | UCS | Reporter: | Janis Meybohm <meybohm> |
| Component: | Radius | Assignee: | Felix Botner <botner> |
| Status: | CLOSED FIXED | QA Contact: | Daniel Tröder <troeder> |
| Severity: | normal | ||
| Priority: | P5 | CC: | gohmann, walkenhorst |
| Version: | UCS 4.0 | ||
| Target Milestone: | UCS 4.0-3-errata | ||
| Hardware: | Other | ||
| OS: | Linux | ||
| See Also: | https://forge.univention.org/bugzilla/show_bug.cgi?id=48128 | ||
| What kind of report is it?: | --- | What type of bug is this?: | --- |
| Who will be affected by this bug?: | --- | How will those affected feel about the bug?: | --- |
| User Pain: | Enterprise Customer affected?: | ||
| School Customer affected?: | ISV affected?: | ||
| Waiting Support: | Flags outvoted (downgraded) after PO Review: | ||
| Ticket number: | Bug group (optional): | ||
| Max CVSS v3 score: | |||
| Bug Depends on: | |||
| Bug Blocks: | 38794, 39301 | ||
| Attachments: | /usr/share/pyshared/univention/pyMsChapV2.py | ||
Created attachment 7152 [details]
/usr/share/pyshared/univention/pyMsChapV2.py
Here is a replacement for /usr/share/pyshared/univention/pyMsChapV2.py from univention-radius which uses a different method for expanding keys to 8 bit (stolen from univention-squid).
Seems to work in my tests.
Maybe even better we use passlib.utils.des, which is part of the debian package python-passlib (already maintained).
This does the encryption and expansion and would be a replacement for the whole univention.pyDes stuff.
import passlib.utils.des
passlib.utils.des.des_encrypt_block(key, data)
Replaced univention.pyMsChapV2.DesEncrypt.expandDesKey() with convertKey() from univention-squid. Added some more tests. 4.0-3: r63424 4.1-0: r63427 Create Bug #39301 for replacing this with passlib.utils.des.des_encrypt_block(key, data) YAML: 2015-09-03-univention-radius.yaml OK: automated test OK: manual test * install radius app, add user lisa, univention-radius-ntlm-auth → Traceback * upgrade to fixed version of univention-radius, univention-radius-ntlm-auth → OK OK: merge to 4.1 OK: YAML |
Ticket#2015062521002132 univention-radius-ntlm-auth breaks with certain passwords used. Concrete example with user "lisa" and password "taylor21." (sambaNTPassword == 00563126F04F3875C417F789B00E72D2). # radtest -t mschap lisa taylor21. localhost 10 testing123 Sending Access-Request of id 110 to 127.0.0.1 port 1812 User-Name = "lisa" NAS-IP-Address = 10.101.69.2 NAS-Port = 10 MS-CHAP-Challenge = 0x5355f4fc60c8888a MS-CHAP-Response = 0x00010000000000000000000000000000000000000000000000009681672b365655d0592c3e4009547b9e11bc751b6e97943b rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=110, length=38 MS-CHAP-Error = "\000E=691 R=1" # univention-radius-ntlm-auth --request-nt-key --username=lisa --challenge=5355f4fc60c8888a --nt-response=9681672b365655d0592c3e4009547b9e11bc751b6e97943b --station-id=b4-52-7e-3e-1a-67 Traceback (most recent call last): File "/usr/bin/univention-radius-ntlm-auth", line 81, in <module> sys.exit(main()) File "/usr/bin/univention-radius-ntlm-auth", line 73, in main if PasswordHash and pyMsChapV2.ChallengeResponse(options.Challenge, PasswordHash) == options.Response: File "/usr/lib/pymodules/python2.6/univention/pyMsChapV2.py", line 77, in ChallengeResponse Response = DesEncrypt(Challenge, ZPasswordHash[0:7]) File "/usr/lib/pymodules/python2.6/univention/pyMsChapV2.py", line 55, in DesEncrypt return pyDes.des(expandDesKey(key), pyDes.ECB).encrypt(data) File "/usr/lib/pymodules/python2.6/univention/pyDes.py", line 400, in __init__ raise ValueError("Invalid DES key size. Key must be exactly 8 bytes long.") ValueError: Invalid DES key size. Key must be exactly 8 bytes long. Looks like DesEncrypt expandDesKey fails to return 8 byte string here.