Univention Bugzilla – Bug 38785
univention-radius-ntlm-auth breaks with certain passwords
Last modified: 2018-11-09 14:20:37 CET
Ticket#2015062521002132

univention-radius-ntlm-auth breaks with certain passwords used. Concrete example with user "lisa" and password "taylor21." (sambaNTPassword == 00563126F04F3875C417F789B00E72D2).

# radtest -t mschap lisa taylor21. localhost 10 testing123
Sending Access-Request of id 110 to 127.0.0.1 port 1812
        User-Name = "lisa"
        NAS-IP-Address = 10.101.69.2
        NAS-Port = 10
        MS-CHAP-Challenge = 0x5355f4fc60c8888a
        MS-CHAP-Response = 0x00010000000000000000000000000000000000000000000000009681672b365655d0592c3e4009547b9e11bc751b6e97943b
rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=110, length=38
        MS-CHAP-Error = "\000E=691 R=1"

# univention-radius-ntlm-auth --request-nt-key --username=lisa --challenge=5355f4fc60c8888a --nt-response=9681672b365655d0592c3e4009547b9e11bc751b6e97943b --station-id=b4-52-7e-3e-1a-67
Traceback (most recent call last):
  File "/usr/bin/univention-radius-ntlm-auth", line 81, in <module>
    sys.exit(main())
  File "/usr/bin/univention-radius-ntlm-auth", line 73, in main
    if PasswordHash and pyMsChapV2.ChallengeResponse(options.Challenge, PasswordHash) == options.Response:
  File "/usr/lib/pymodules/python2.6/univention/pyMsChapV2.py", line 77, in ChallengeResponse
    Response = DesEncrypt(Challenge, ZPasswordHash[0:7])
  File "/usr/lib/pymodules/python2.6/univention/pyMsChapV2.py", line 55, in DesEncrypt
    return pyDes.des(expandDesKey(key), pyDes.ECB).encrypt(data)
  File "/usr/lib/pymodules/python2.6/univention/pyDes.py", line 400, in __init__
    raise ValueError("Invalid DES key size. Key must be exactly 8 bytes long.")
ValueError: Invalid DES key size. Key must be exactly 8 bytes long.

Looks like DesEncrypt's expandDesKey fails to return an 8-byte string here.
Created attachment 7152: /usr/share/pyshared/univention/pyMsChapV2.py

Here is a replacement for /usr/share/pyshared/univention/pyMsChapV2.py from univention-radius which uses a different method for expanding keys to 8 bit (stolen from univention-squid). Seems to work in my tests.

Maybe even better: we use passlib.utils.des, which is part of the Debian package python-passlib (already maintained). This does the encryption and the expansion and would be a replacement for the whole univention.pyDes stuff.

    import passlib.utils.des
    passlib.utils.des.des_encrypt_block(key, data)
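The two comments above pin the failure to one step of the MS-CHAP ChallengeResponse(): the 16-byte NT hash is padded to 21 bytes, cut into three 7-byte pieces, and each piece has to become an 8-byte DES key (7 key bits plus one parity bit per byte) before the challenge is DES-encrypted with it. The following is an added example written for this ticket; it is not the univention-radius code, not the attachment, and not passlib's expansion. It spells out the 7-to-8-byte expansion so that the result is exactly 8 bytes for every input, including a piece whose leading bits are all zero (the reported hash starts with 0x00), and it delegates the DES block operation to passlib.utils.des.des_encrypt_block, the replacement the comment above proposes, so passlib must be installed for the nt_challenge_response() step. The function names expand_des_key, des_encrypt, nt_challenge_response and nt_hash_from_password are mine; the hash, challenge and NT-Response constants in the demo are copied from the report, so a correct server-side computation should reproduce the NT-Response that radtest sent for that challenge.

```python
"""MS-CHAP NT-Response (RFC 2433 ChallengeResponse) with a DES key expansion
that always yields exactly 8 bytes.

Added example for Bug 38785; not the univention-radius code.  DES itself is
taken from passlib (passlib.utils.des.des_encrypt_block); only the 7-byte ->
8-byte key expansion the traceback points at is written out here.
"""
import hashlib  # only used by nt_hash_from_password()


def expand_des_key(key7: bytes) -> bytes:
    """Expand a 7-byte (56-bit) DES key to the 8-byte form with odd parity.

    Output byte i holds key bits 7*i .. 7*i+6 in its upper seven bits and an
    odd-parity bit in its LSB.  The result is assembled into a fixed 8-slot
    buffer, so its length never depends on the key content (a key whose first
    seven bits are zero still produces 8 bytes, the first one being 0x01).
    """
    if len(key7) != 7:
        raise ValueError("7-byte DES key expected, got %d bytes" % len(key7))
    bits = int.from_bytes(key7, "big")            # the 56 key bits as one integer
    out = bytearray(8)
    for i in range(8):
        chunk = (bits >> (49 - 7 * i)) & 0x7F     # i-th group of 7 bits, MSB first
        parity = (bin(chunk).count("1") + 1) & 1  # 1 when the 7 bits have even weight
        out[i] = (chunk << 1) | parity
    return bytes(out)


def des_encrypt(key8: bytes, block: bytes) -> bytes:
    """Single-block DES with an 8-byte parity key.

    Uses passlib (third-party, pip install passlib).  des_encrypt_block ignores
    the parity bits and also accepts 7-byte keys, but we always hand it the
    expanded 8-byte key so the expansion above is what gets exercised.
    """
    from passlib.utils.des import des_encrypt_block
    if len(key8) != 8 or len(block) != 8:
        raise ValueError("DES needs an 8-byte key and an 8-byte block")
    return des_encrypt_block(key8, block)


def nt_challenge_response(challenge: bytes, nt_hash: bytes) -> bytes:
    """RFC 2433 ChallengeResponse(): 24-byte NT-Response for an 8-byte challenge.

    The 16-byte NT hash is zero-padded to 21 bytes and split into three 7-byte
    DES keys; each key encrypts the same challenge block.
    """
    if len(challenge) != 8 or len(nt_hash) != 16:
        raise ValueError("challenge must be 8 bytes and the NT hash 16 bytes")
    zhash = nt_hash + b"\x00" * 5
    return b"".join(des_encrypt(expand_des_key(zhash[i:i + 7]), challenge)
                    for i in (0, 7, 14))


def nt_hash_from_password(password: str) -> bytes:
    """NT hash = MD4 over the UTF-16LE encoded password.

    Needs an OpenSSL build with MD4 available (legacy provider on OpenSSL 3);
    the demo below therefore works from the hash quoted in the report instead.
    """
    return hashlib.new("md4", password.encode("utf-16-le")).digest()


if __name__ == "__main__":
    # Constants copied from the bug report (user "lisa"): sambaNTPassword,
    # MS-CHAP-Challenge, and the NT-Response half of radtest's MS-CHAP-Response.
    NT_HASH = bytes.fromhex("00563126F04F3875C417F789B00E72D2")
    CHALLENGE = bytes.fromhex("5355f4fc60c8888a")
    REPORTED_NT_RESPONSE = bytes.fromhex(
        "9681672b365655d0592c3e4009547b9e11bc751b6e97943b")

    # The piece that failed in the traceback (ZPasswordHash[0:7]) and its
    # 8-byte expansion: 00563126f04f38 -> 012a8c256e833d70
    first_key = expand_des_key((NT_HASH + b"\x00" * 5)[0:7])
    print("first DES key, expanded:", first_key.hex(), "(%d bytes)" % len(first_key))

    try:
        response = nt_challenge_response(CHALLENGE, NT_HASH)
    except ImportError:
        print("passlib is not installed; skipping the DES step")
    else:
        print("computed NT-Response:   ", response.hex())
        print("matches radtest's value:", response == REPORTED_NT_RESPONSE)
```

The expansion is the same bit layout Samba's str_to_key() produces (seven key bits then a parity bit per byte); what matters for this ticket is that the length is fixed by construction, so the `Invalid DES key size` path in pyDes cannot be reached from it.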
Replaced univention.pyMsChapV2.DesEncrypt.expandDesKey() with convertKey() from univention-squid. Added some more tests.

4.0-3: r63424
4.1-0: r63427

Created Bug #39301 for replacing this with passlib.utils.des.des_encrypt_block(key, data).

YAML: 2015-09-03-univention-radius.yaml
OK: automated test
OK: manual test
  * install radius app, add user lisa, univention-radius-ntlm-auth → Traceback
  * upgrade to fixed version of univention-radius, univention-radius-ntlm-auth → OK
OK: merge to 4.1
OK: YAML
<http://errata.software-univention.de/ucs/4.0/337.html>