broken generation of wpa config for hashed passwords

Bug #1819831 reported by Cullen Jennings
This bug affects 2 people
Affects               Status        Importance  Assigned to  Milestone
Netplan               Fix Released  Medium      Unassigned
netplan.io (Ubuntu)   Fix Released  Medium      Unassigned
  Bionic              Fix Released  Undecided   Unassigned
  Disco               Fix Released  Undecided   Unassigned

Bug Description

[Impact]
netplan users configuring a wireless connection, who would like to use password hashes for the password (i.e. they might not know the real password, etc.)

[Test case]
Write configuration for netplan wireless interface:

network:
  version: 2
  wifis:
    wlan0:
      access-points:
        MyAccessPoint:
          password: hash:83d…0b11

Verify that the wireless network can be successfully connected to.

[Regression Potential]
This has a minimal risk of regression. Passwords do not typically include "hash:" as first characters, and if so may be escaped via quoting. This does not otherwise affect any other feature of netplan, and is limited to allowing users to use the commonly accepted format of hashed passwords to pass to the renderer, for connecting to wifi.

---

Have a look at the netplan.io config file at https://gist.github.com/fluffy/e2a202a0816299d519dabf7bbed2f7bb for 802.1 auth for a wired network.

This will generate a wpa config file at /run/netplan/wpa-enp4s0.conf that has

password="hash:83d…0b11"

However, this is not correct. It should not have the quotes and should look like

password=hash:83d…0b11

The quotes cause wpa_supplicant to not detect that this is a hashed password and instead think it is a normal password that starts with hash:

This is an important bug because at Cisco we cannot store our passwords unhashed on disk and our production network requires 802.1x auth. I think this is simple to fix and I'm glad to send a PR or any other information that helps fix it.

Thank you for looking at this, Cullen
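The following is an added example, not netplan's own generator code and not part of the bug report, illustrating both the quoting rule described above and the test case in the description. wpa_supplicant accepts `password=hash:<32 hex digits>` only when the value is unquoted; the 32 hex digits are the NT password hash (MD4 over the UTF-16LE password) that MSCHAPv2 needs, so the hash form lets the cleartext stay off disk. The example derives that hash from a cleartext password with a pure-Python MD4 (hashlib's MD4 is frequently disabled under OpenSSL 3), emits a well-formed hash token unquoted and quotes everything else, and renders a WPA-EAP network block. The SSID, identity and the sample password are constructed; the stricter "32 hex digits, not just the prefix" check is this example's design choice, not netplan's behaviour.

```python
"""Added example (not netplan's code): render a wpa_supplicant 802.1X network
block whose EAP password is either cleartext or an NT hash ("hash:<32 hex>"),
and derive the hash form from a cleartext password.  wpa_supplicant parses
`password=hash:...` only when the value is unquoted; a quoted "hash:..." is
taken as a literal password, which is exactly the bug in this report."""
import re

_MASK = 0xFFFFFFFF
_HASH_RE = re.compile(r"^hash:[0-9a-fA-F]{32}$")


def _md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320), used because hashlib's md4 is often unavailable."""
    def rotl(x, n):
        return ((x << n) | (x >> (32 - n))) & _MASK

    def f(x, y, z):
        return (x & y) | (~x & z)

    def g(x, y, z):
        return (x & y) | (x & z) | (y & z)

    def h(x, y, z):
        return x ^ y ^ z

    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += (len(data) * 8).to_bytes(8, "little")        # bit length, little-endian
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        x = [int.from_bytes(msg[off + i:off + i + 4], "little") for i in range(0, 64, 4)]
        aa, bb, cc, dd = a, b, c, d
        for i in range(16):                               # round 1
            a = rotl((a + f(b, c, d) + x[i]) & _MASK, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                               # round 2
            k = (i % 4) * 4 + i // 4                      # 0,4,8,12,1,5,...
            a = rotl((a + g(b, c, d) + x[k] + 0x5A827999) & _MASK, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                               # round 3
            k = (0, 2, 1, 3)[i // 4] + (0, 8, 4, 12)[i % 4]   # 0,8,4,12,2,10,...
            a = rotl((a + h(b, c, d) + x[k] + 0x6ED9EBA1) & _MASK, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        a, b, c, d = (a + aa) & _MASK, (b + bb) & _MASK, (c + cc) & _MASK, (d + dd) & _MASK
    return b"".join(v.to_bytes(4, "little") for v in (a, b, c, d))


def nt_password_hash(password: str) -> str:
    """NtPasswordHash as MS-CHAPv2 uses it: MD4 over the UTF-16LE password,
    returned in wpa_supplicant's `hash:` form."""
    return "hash:" + _md4(password.encode("utf-16-le")).hex()


def wpa_password_value(password: str) -> str:
    """Value for a `password=` line.  A well-formed hash token is emitted
    unquoted (the fixed behaviour); anything else is a literal password and is
    quoted.  Stricter than a bare prefix check: "hash:" followed by something
    that is not 32 hex digits is still quoted, i.e. kept literal."""
    if _HASH_RE.fullmatch(password):
        return password
    if '"' in password:
        # wpa_supplicant's plain "..." form takes no escapes; refuse rather than
        # silently write a credential the daemon would truncate.
        raise ValueError("password contains a double quote; not representable in plain quoted form")
    return f'"{password}"'


def render_eap_network(ssid: str, identity: str, password: str, method: str = "PEAP") -> str:
    """wpa_supplicant network block for WPA-EAP with MSCHAPv2 as the inner method."""
    lines = [
        "network={",
        f'  ssid="{ssid}"',
        "  key_mgmt=WPA-EAP",
        f"  eap={method}",
        f'  identity="{identity}"',
        f"  password={wpa_password_value(password)}",
        '  phase2="auth=MSCHAPV2"',
        "}",
    ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed sample credential; SSID and identity are made up.
    hashed = nt_password_hash("password")      # hash:8846f7eaee8fb117ad06bdd830b7586c
    print(render_eap_network("corp-secure", "jdoe", hashed))
    # What the buggy generator wrote: the quotes make wpa_supplicant treat the
    # whole string as a literal password that happens to begin with "hash:".
    print('buggy line: password="%s"' % hashed)
```

Caveat for anyone relying on this to keep "passwords off disk": the NT hash is the credential for MSCHAPv2 (the client proves possession of the hash, not the password), so `/run/netplan/wpa-*.conf` containing `hash:` still needs the same file permissions and handling you would give the cleartext; what you gain is that the string cannot be replayed against services that use the real password.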

Revision history for this message
Mathieu Trudel-Lapierre (cyphermox) wrote :

Sounds simple and straightforward. I was not aware that such shorthand was possible (in fact, it doesn't seem to be documented in the manpage?)

Marking Triaged / Medium; this should really be quite the simple fix to special-case when the password starts with "hash:".

Changed in netplan:
status: New → Triaged
importance: Undecided → Medium
Changed in netplan.io (Ubuntu):
status: New → Triaged
importance: Undecided → Medium
tags: added: bitesize
Revision history for this message
Cullen Jennings (cfluffy) wrote :

There is a PR for it at https://github.com/CanonicalLtd/netplan/pull/79/files - glad to fix up this PR for code coverage and whatever else it needs if it is likely to be merged

tags: added: id-5d14ed4981f5ba74a04b0aa9
Steve Langasek (vorlon)
summary: - broken genration of wpa config for hashed passwords
+ broken generation of wpa config for hashed passwords
Changed in netplan:
status: Triaged → Fix Released
Changed in netplan.io (Ubuntu):
status: Triaged → In Progress
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package netplan.io - 0.98-0ubuntu1

---------------
netplan.io (0.98-0ubuntu1) eoan; urgency=medium

  * New upstream release: 0.98 (LP: #1840832)
    - Added new "feature flags" to identify new features
    - Added support for "use-domains" for DHCP overrides
    - Added support for setting IPv6 MTU Bytes (LP: #1671951)
    - Added a DBus interface to query and run 'netplan apply' via other apps
    - Various build system fixes
    - Improved validation for bonding modes
    - Added support for "hash:" for hashed 802.1x passwords (LP: #1819831)
    - Tolerate devices without a /sys path (LP: #1810043)
    - Fix incorrect separator for networkd with ARP IP targets (LP: #1829264)
  * debian/control: Add Build-Depends on libsystemd-dev for DBus feature, and
    on dbus-x11 for dbus-launch used in tests.

 -- Mathieu Trudel-Lapierre <email address hidden> Wed, 21 Aug 2019 14:49:16 -0400

Changed in netplan.io (Ubuntu):
status: In Progress → Fix Released
description: updated
Revision history for this message
Brian Murray (brian-murray) wrote : Please test proposed package

Hello Cullen, or anyone else affected,

Accepted netplan.io into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/netplan.io/0.98-0ubuntu1~18.04.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in netplan.io (Ubuntu Bionic):
status: New → Fix Committed
tags: added: verification-needed verification-needed-bionic
Revision history for this message
Mathieu Trudel-Lapierre (cyphermox) wrote :

Verification-done on disco:

ubuntu@oddish:~$ lsb_release -cs
disco
ubuntu@oddish:~$ cat /etc/netplan/01-network-manager-all.yaml
# Let NetworkManager manage all devices on this system
network:
  version: 2
  renderer: networkd
  wifis:
    wlp58s0:
      access-points:
        cyphermox.net:
          password: hash:[redacted]
      dhcp4: yes

ubuntu@oddish:~$ ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: wlp58s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 44:85:00:1d:8f:df brd ff:ff:ff:ff:ff:ff
    inet 10.3.1.243/22 brd 10.3.3.255 scope global dynamic wlp58s0
       valid_lft 14345sec preferred_lft 14345sec

tags: added: verification-done-disco
Revision history for this message
Mathieu Trudel-Lapierre (cyphermox) wrote :

Verification-done on bionic:

ubuntu@ubuntu-XPS-15-9570:~$ lsb_release -cs
bionic
ubuntu@ubuntu-XPS-15-9570:~$ cat /etc/netplan/01-network-manager-all.yaml
# Let NetworkManager manage all devices on this system
network:
  version: 2
  renderer: networkd
  wifis:
    wlp59s0:
      access-points:
        cyphermox-secure:
          auth:
            key-management: eap
            method: peap
            identity: [redacted]
            password: hash:[redacted]
      dhcp4: yes
ubuntu@ubuntu-XPS-15-9570:~$ ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: wlp59s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 9c:b6:d0:bc:7e:e5 brd ff:ff:ff:ff:ff:ff
    inet 10.3.1.195/22 brd 10.3.3.255 scope global dynamic wlp59s0
       valid_lft 14372sec preferred_lft 14372sec
    inet6 fe80::9eb6:d0ff:febc:7ee5/64 scope link
       valid_lft forever preferred_lft forever

tags: added: verification-done-bionic
removed: verification-needed verification-needed-bionic
Changed in netplan.io (Ubuntu Disco):
status: New → Fix Committed
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package netplan.io - 0.98-0ubuntu1~19.04.1

---------------
netplan.io (0.98-0ubuntu1~19.04.1) disco; urgency=medium

  * Backport netplan.io 0.98 to 19.04. (LP: #1840832)

 -- Mathieu Trudel-Lapierre <email address hidden> Mon, 26 Aug 2019 16:41:36 -0400

Changed in netplan.io (Ubuntu Disco):
status: Fix Committed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package netplan.io - 0.98-0ubuntu1~18.04.1

---------------
netplan.io (0.98-0ubuntu1~18.04.1) bionic; urgency=medium

  * Backport netplan.io 0.98 to 18.04. (LP: #1840832)
  * Keep patches specific to 18.04 support:
    - disable-networkd-tunnels-ipip-gre.patch: disable tests for unsupported
      tunnel types (ipip and gre) in the 18.04 version of systemd-networkd.
  * Drop debian/patches/glib_changes.patch: No longer necessary, changes were
    made upstream to better account for the changes in HashTable.
  * debian/netplan.io.install: add /usr/share/dbus-1

netplan.io (0.98-0ubuntu1) eoan; urgency=medium

  * New upstream release: 0.98 (LP: #1840832)
    - Added new "feature flags" to identify new features
    - Added support for "use-domains" for DHCP overrides
    - Added support for setting IPv6 MTU Bytes (LP: #1671951)
    - Added a DBus interface to query and run 'netplan apply' via other apps
    - Various build system fixes
    - Improved validation for bonding modes
    - Added support for "hash:" for hashed 802.1x passwords (LP: #1819831)
    - Tolerate devices without a /sys path (LP: #1810043)
    - Fix incorrect separator for networkd with ARP IP targets (LP: #1829264)
  * debian/control: Add Build-Depends on libsystemd-dev for DBus feature, and
    on dbus-x11 for dbus-launch used in tests.

 -- Mathieu Trudel-Lapierre <email address hidden> Mon, 26 Aug 2019 16:36:03 -0400

Changed in netplan.io (Ubuntu Bionic):
status: Fix Committed → Fix Released
Revision history for this message
Brian Murray (brian-murray) wrote : Update Released

The verification of the Stable Release Update for netplan.io has completed successfully and the package is now being released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.
