Bug 48128

Summary: ucs-school-ntlm-auth breaks with certain passwords
Product: UCS@school
Reporter: Michael Grandjean <grandjean>
Component: Radius
Assignee: Sönke Schwardt-Krummrich <schwardt>
Status: CLOSED FIXED
QA Contact: Jürn Brodersen <brodersen>
Severity: normal
Priority: P5
CC: michelsmidt, schwardt
Version: UCS@school 4.3
Target Milestone: UCS@school 4.3 v6
Hardware: Other
OS: All
See Also: https://forge.univention.org/bugzilla/show_bug.cgi?id=38785
What kind of report is it?: Bug Report
What type of bug is this?: 5: Major Usability: Impairs usability in key scenarios
Who will be affected by this bug?: 2: Will only affect a few installed domains
How will those affected feel about the bug?: 4: A User would return the product
User Pain: 0.229
Enterprise Customer affected?:
School Customer affected?: Yes
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Max CVSS v3 score:

Description Michael Grandjean univentionstaff 2018-11-09 14:19:52 CET
This looks like the same problem as Bug #38785 but for ucs-school-radius-802.1x:

Using certain passwords causes a Traceback in "ucs-school-ntlm-auth" and thus prevents users from using the WLAN via RADIUS.

root@schule01ucs:~# univention-app info
UCS: 4.3-2 errata291
Installed: cups=2.2.1 dhcp-server=12.0 samba4=4.7 squid=3.5 ucsschool=4.3 v5
Upgradable:

ucs-school-radius-802.1x -> 7.0.0-8A~4.3.0.201804111426


1. Create a student (e.g. using the UCS@school "Benutzer (Schulen)" wizard) with a certain password
2. Stop freeradius.service on the schoolserver and start it in debug mode: "freeradius -X"
3. Check RADIUS/MSCHAP authentication on the school server via:
$ radtest -t mschap $USERNAME "$PASSWORD" localhost 0 testing123
4. Check the debug output of "freeradius -X" - it should show this Traceback:

> Traceback (most recent call last):
>   File "/usr/bin/ucs-school-ntlm-auth", line 180, in <module>
>     sys.exit(main())
>   File "/usr/bin/ucs-school-ntlm-auth", line 167, in main
>     if PasswordHash and pyMsChapV2.ChallengeResponse(options.Challenge, PasswordHash) == options.Response:
>   File "/usr/lib/pymodules/python2.7/univention/pyMsChapV2.py", line 84, in ChallengeResponse
>     Response = DesEncrypt(Challenge, ZPasswordHash[0:7])
>   File "/usr/lib/pymodules/python2.7/univention/pyMsChapV2.py", line 57, in DesEncrypt
>     return pyDes.des(expandDesKey(key), pyDes.ECB).encrypt(data)
>   File "/usr/lib/pymodules/python2.7/univention/pyDes.py", line 400, in __init__
>     raise ValueError("Invalid DES key size. Key must be exactly 8 bytes long.")
> ValueError: Invalid DES key size. Key must be exactly 8 bytes long.

Comment 3 Sönke Schwardt-Krummrich univentionstaff 2018-11-09 16:16:46 CET
(In reply to Michael Grandjean from comment #0)
> This looks like the same problem as Bug #38785 but for
> ucs-school-radius-802.1x:

Unfortunately it IS the same problem :-(

Comment 4 Sönke Schwardt-Krummrich univentionstaff 2018-11-09 16:37:40 CET
# univention-ldapsearch uid=anton9 sambaNTPassword -LLL
dn: uid=anton9,cn=schueler,cn=users,ou=gsmitte,dc=nstx,dc=local
sambaNTPassword: 00563126F04F3875C417F789B00E72D2

00563126F04F3875C417F789B00E72D2 → "taylor21."

As mentioned in the original bug, the following commands will produce a traceback:

console1# service freeradius stop
console1# freeradius -X
console2# radtest -t mschap anton9 "taylor21." localhost 0 testing123
→ traceback in console1 → reject in console2

Please keep in mind that the correct internet rule has to be applied to the user's class group, otherwise RADIUS will also reject the user after the bug has been fixed (but without traceback).

b57ff8185 Bug #48128: update advisory
0d611c888 Bug #48128: add advisory
566fd4181 Bug #48128: added changelog entry
df2a0a4a3 Bug #48128: fixed key expansion for des encryption in pyMsChapV2.py

Package: ucs-school-radius-802.1x
Version: 7.0.1-2A~4.3.0.201811091632
Branch: ucs_4.3-0
Scope: ucs-school-4.3
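
Added example, not part of the original report and not the project's pyMsChapV2 code: a fixed-width 7-to-8-byte DES key expansion for the MS-CHAP ChallengeResponse step, applied to the sambaNTPassword value quoted in comment 4, whose first byte is 0x00. The function names are assumptions, and `expand_des_key_fragile` is a hypothetical faulty variant that only illustrates how a leading zero byte can yield the "Key must be exactly 8 bytes long" error; the report does not show the actual defect.

```python
# 7-byte -> 8-byte DES key expansion for the MS-CHAP ChallengeResponse step
# (RFC 2759: hash zero-padded to 21 octets, split into three 7-octet DES keys).

NT_HASH_HEX = "00563126F04F3875C417F789B00E72D2"  # sambaNTPassword from comment 4


def expand_des_key(key7: bytes) -> bytes:
    """Spread 56 key bits over 8 bytes (7 bits per byte) and set odd parity."""
    if len(key7) != 7:
        raise ValueError("expected exactly 7 key bytes")
    bits = int.from_bytes(key7, "big")
    out = bytearray()
    for i in range(8):
        # Fixed shifts keep leading zero bits, so the result is always 8 bytes.
        byte = ((bits >> (49 - 7 * i)) & 0x7F) << 1
        if bin(byte).count("1") % 2 == 0:
            byte |= 1  # parity bit; DES ignores it, but the key must be 8 bytes
        out.append(byte)
    return bytes(out)


def expand_des_key_fragile(key7: bytes) -> bytes:
    """Hypothetical faulty variant: variable-width bit string drops leading zeros."""
    bit_string = bin(int.from_bytes(key7, "big"))[2:]  # not padded to 56 bits
    chunks = [bit_string[i:i + 7] for i in range(0, len(bit_string), 7)]
    return bytes(int(chunk, 2) << 1 for chunk in chunks)


def mschap_des_keys(nt_hash: bytes, expand=expand_des_key) -> list:
    """Return the three DES keys derived from a 16-byte NT hash."""
    if len(nt_hash) != 16:
        raise ValueError("NT hash must be 16 bytes")
    padded = nt_hash + b"\x00" * 5  # ZPasswordHash, 21 octets
    return [expand(padded[i:i + 7]) for i in (0, 7, 14)]


if __name__ == "__main__":
    nt_hash = bytes.fromhex(NT_HASH_HEX)
    for name, fn in (("fixed-width", expand_des_key),
                     ("fragile", expand_des_key_fragile)):
        print(name, [len(k) for k in mschap_des_keys(nt_hash, fn)])
```

A regression test for this class of bug should include hashes whose first, eighth or fifteenth byte is 0x00, since those bytes start the three DES keys.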

Comment 5 Jürn Brodersen univentionstaff 2018-11-12 09:39:17 CET
Bug fixed: OK
Tests: OK
YAML: OK

Comment 6 Sönke Schwardt-Krummrich univentionstaff 2018-11-16 11:48:18 CET
UCS@school 4.3 v6 has been released.

https://docs.software-univention.de/changelog-ucsschool-4.3v6-de.html

If this error occurs again, please clone this bug.