Server doesn't reply to the client #53

Open
PigossiJr opened this issue Apr 16, 2017 · 1 comment

Comments

@PigossiJr

Hello friend, how are you?

I am working hard on a solution to authenticate some users using pyrad, but I got some issues that I would like to share with you.

Basically, I created a virtual network using mininet and there are just 2 hosts, like below:

h1 -> 10.0.0.1 (that's my pyrad server host) - Server
h2 -> 10.0.0.2 (that's the host which I am trying to authenticate in h1) - Client

1) First issue - I got an error related to UTF-8 in the "PwDecrypt" function

On the client side, my password is just: 123. When I send an authentication request, the password is encrypted and sent to the server (h1). I know that I need to decrypt the password received on the server side, but when I try to implement the function "PwDecrypt", I get a lot of errors related to UTF-8 encoding.

I tried to implement some functions, such as "password_dec = (pkt.PwDecrypt(pkt[2][0])).decode('latin-1').encode("utf-8")", to correct the mismatch but nothing has solved my problem.


2) Second issue - My server side doesn't reply to the client host

I really don't know what I did wrong: it's possible to receive the authentication request from the client host on the server side, but when I need to answer whether the authentication is accepted or not, my client host doesn't receive anything.

I am attaching my server and client code here. Can you please help me?

pyrad.zip

Thank you in advance.

Cheers.

@rbricheno
Contributor

rbricheno commented Apr 11, 2018

First off, don't worry, the unicode decoding you are seeing is not because you are attempting to decrypt the password wrong. Your first guess of:

password = pkt.PwDecrypt(pkt[2][0])

is correct. Your program is failing for another reason :-)

At line 8 in pyrad_cli.py you have:

srv=Client(server="10.0.0.1", secret="s3cr3t", dict=Dictionary("/usr/share/freeradius/dictionary.rfc2865"))

At line 100 in pyrad_srv.py you have:

srv.hosts["10.0.0.2"] = server.RemoteHost("10.0.0.2", "passied2", "ied2")

That isn't right, the shared secrets must match. You either need to put "s3cr3t" in both places, or "passied2" in both places.

If the shared secrets do not match, and you do not try to decode the password (as in your example zip), the server is not checking the shared secret used to encrypt the password, it is just sending its 'Ok!' response right away. The client will time out (as you observed). That's because the client cannot verify the replies, because the shared secret used for the response from the server doesn't match what is on the client.

If the shared secrets do not match, and you try to decode the password, then you will receive the unicode error you mentioned, because the shared secret was used to encode the packet on the client side. So trying to decode it with a different shared secret on the server results in garbage.

If the shared secrets do match, then you will receive accept/reject, and the password can be decrypted as normal.

So, how to deal with the garbage when trying to decrypt a password with a bad shared secret? A simple way would be to replace

password = pkt.PwDecrypt(pkt[2][0])

with:

try:
    password = pkt.PwDecrypt(pkt[2][0])
except UnicodeDecodeError:
    print("DEBUG - Bad shared secret")
    raise ServerPacketError("Bad shared secret")

in pyrad_srv.py.
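
Both symptoms in this thread come from the same RFC 2865 mechanics, shown here as an added example that is not code from the issue or from pyrad: the User-Password is XORed with MD5(secret + Request Authenticator), and the reply carries an MD5 authenticator that the client recomputes with its own secret. The function names, the Request Authenticator and the identifier are assumptions made for the illustration; the two secrets and the password are the ones quoted above.

```python
import hashlib
import hmac

def hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: XOR each 16-byte block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out

def recover_password(hidden: bytes, secret: bytes, req_auth: bytes):
    """Reverse hide_password; returns None when the result is not valid UTF-8."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(prev, key))
    try:
        return out.rstrip(b"\x00").decode("utf-8")
    except UnicodeDecodeError:
        return None  # wrong secret: the XOR key stream differs, output is garbage

def response_authenticator(code, ident, attrs, req_auth, secret) -> bytes:
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = bytes([code, ident]) + (20 + len(attrs)).to_bytes(2, "big")
    return hashlib.md5(header + req_auth + attrs + secret).digest()

def client_accepts(reply_auth, code, ident, attrs, req_auth, secret) -> bool:
    """The client recomputes the authenticator with its own secret and compares."""
    expected = response_authenticator(code, ident, attrs, req_auth, secret)
    return hmac.compare_digest(reply_auth, expected)

# Secrets and password are the values quoted in the issue; the rest is constructed.
CLIENT_SECRET, SERVER_SECRET = b"s3cr3t", b"passied2"
REQ_AUTH = bytes(range(16))      # constructed Request Authenticator
ACCESS_ACCEPT, IDENT = 2, 7      # Access-Accept code; constructed identifier

if __name__ == "__main__":
    hidden = hide_password(b"123", CLIENT_SECRET, REQ_AUTH)
    print("same secret :", recover_password(hidden, CLIENT_SECRET, REQ_AUTH))
    print("wrong secret:", recover_password(hidden, SERVER_SECRET, REQ_AUTH))
    reply = response_authenticator(ACCESS_ACCEPT, IDENT, b"", REQ_AUTH, SERVER_SECRET)
    print("client accepts reply:",
          client_accepts(reply, ACCESS_ACCEPT, IDENT, b"", REQ_AUTH, CLIENT_SECRET))
```

A reply whose authenticator does not verify is dropped by the client, which is why a secret mismatch looks like a server that never answers.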
