[SRU] Connect to WPA3 failed - Secrets were required, but not provided

Bug #1975576 reported by Lukas Märdian
8
This bug affects 1 person
Affects Status Importance Assigned to Milestone
netplan.io (Ubuntu)
Status tracked in Kinetic
Focal
Fix Released
Medium
Unassigned
Impish
Won't Fix
Undecided
Unassigned
Jammy
Fix Released
Medium
Unassigned
Kinetic
Fix Released
Undecided
Unassigned

Bug Description

[Impact]
 * using network-manager (20/stable - 711 + netplan backend) and try to connect to router with WPA3 Security fails via "nmcli"
 * error message: "Error: Connection activation failed: (7) Secrets were required, but not provided."
 * related to a problem with the generation of the netplan configuration, when key management is "sae"
 * This breaks a customer setup in Ubuntu Core 20
 * The upstream fix solves the issue, by avoiding a shortcut in libnetplan's NetworkManager/keyfile renderer: https://github.com/canonical/netplan/pull/279

[Test Plan]
 * Use a system with NetworkManager+netplan integration installed (e.g. Ubuntu Core, network-manager snap)
 * Create a WPA3 connection via "nmcli":
$ sudo nmcli c add con-name test3 type wifi ssid ubuntu-wpa2-wpa3-mixed ifname wlan0
Connection 'test3' (a89c5eb9-c5a4-426e-ae86-7fca5161cfcc) successfully added.
$ sudo nmcli c modify test3 wifi-sec.key-mgmt sae wifi-sec.psk test1234

 * Make sure it contains the psk/credentials ("test1234") and "key-mgmt: sae":
$ nmcli c show test3 --show-secrets | egrep "wireless-security.(key-mgmt|psk)"
802-11-wireless-security.key-mgmt: sae
802-11-wireless-security.psk: test1234
802-11-wireless-security.psk-flags: 0 (none)

 * Make sure the netplan YAML contains "networkmanager.passthrough.key-mgmt: sae" and "auth.password: test1234":
$ netplan get | grep password
$ netplan get | grep key-mgmt

[Where problems could occur]
 * The upload changes netplan's NetworkManager (keyfile) backend renderer. So any unexpected failure could break configuration of NetworkManager connection profiles via netplan.

[Other Info]
 * upstream fix: https://github.com/canonical/netplan/pull/279
 * shipped as a hotfix in ppa:canonical-foundations/ubuntu-image: https://launchpad.net/~canonical-foundations/+archive/ubuntu/ubuntu-image/+sourcepub/13638052/+listing-archive-extra
 * related to private bug, LP: #1972800

Revision history for this message
Lukas Märdian (slyon) wrote (last edit ):

It only affects the NetworkManager netplan integration in Ubuntu Core. So is only needed in LTS releases.

Fixed in Kinetic: https://launchpad.net/ubuntu/+source/netplan.io/0.104-0ubuntu4

description: updated
Changed in netplan.io (Ubuntu Impish):
status: New → Won't Fix
Changed in netplan.io (Ubuntu Kinetic):
status: New → Fix Released
Revision history for this message
Lukas Märdian (slyon) wrote :
Lukas Märdian (slyon)
Changed in netplan.io (Ubuntu Focal):
status: New → Triaged
importance: Undecided → Medium
Changed in netplan.io (Ubuntu Jammy):
status: New → Triaged
importance: Undecided → Medium
Revision history for this message
Steve Langasek (vorlon) wrote : Please test proposed package

Hello Lukas, or anyone else affected,

Accepted netplan.io into jammy-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/netplan.io/0.104-0ubuntu2.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-jammy to verification-done-jammy. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-jammy. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in netplan.io (Ubuntu Jammy):
status: Triaged → Fix Committed
tags: added: verification-needed verification-needed-jammy
Revision history for this message
Steve Langasek (vorlon) wrote :

Hello Lukas, or anyone else affected,

Accepted netplan.io into focal-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/netplan.io/0.104-0ubuntu2~20.04.2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-focal to verification-done-focal. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-focal. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in netplan.io (Ubuntu Focal):
status: Triaged → Fix Committed
tags: added: verification-needed-focal
Revision history for this message
Ubuntu SRU Bot (ubuntu-sru-bot) wrote : Autopkgtest regression report (netplan.io/0.104-0ubuntu2.1)

All autopkgtests for the newly accepted netplan.io (0.104-0ubuntu2.1) for jammy have finished running.
The following regressions have been reported in tests triggered by the package:

netplan.io/0.104-0ubuntu2.1 (arm64)

Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUpdates policy regarding autopkgtest regressions [1].

https://people.canonical.com/~ubuntu-archive/proposed-migration/jammy/update_excuses.html#netplan.io

[1] https://wiki.ubuntu.com/StableReleaseUpdates#Autopkgtest_Regressions

Thank you!

Revision history for this message
Ubuntu SRU Bot (ubuntu-sru-bot) wrote : Autopkgtest regression report (netplan.io/0.104-0ubuntu2~20.04.2)

All autopkgtests for the newly accepted netplan.io (0.104-0ubuntu2~20.04.2) for focal have finished running.
The following regressions have been reported in tests triggered by the package:

initramfs-tools/unknown (s390x)

Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUpdates policy regarding autopkgtest regressions [1].

https://people.canonical.com/~ubuntu-archive/proposed-migration/focal/update_excuses.html#netplan.io

[1] https://wiki.ubuntu.com/StableReleaseUpdates#Autopkgtest_Regressions

Thank you!

Revision history for this message
Lukas Märdian (slyon) wrote :

I've tested netplan.io 0.104-0ubuntu2~20.04.2 from focal-proposed. The test plan passed.

root@ff-nm:/x# apt list *netplan*
Listing... Done
libnetplan-dev/now 0.104-0ubuntu2~20.04.2 amd64 [installed,local]
libnetplan0/now 0.104-0ubuntu2~20.04.2 amd64 [installed,local]
netplan.io/now 0.104-0ubuntu2~20.04.2 amd64 [installed,local]

root@ff-nm:/x# sudo nmcli c add con-name test3 type wifi ssid ubuntu-wpa2-wpa3-mixed ifname wlan0
Connection 'test3' (a97b1974-3a53-49c6-87e7-84cf692d7f5c) successfully added.

root@ff-nm:/x# sudo nmcli c modify test3 wifi-sec.key-mgmt sae wifi-sec.psk test1234

root@ff-nm:/x# nmcli c show test3 --show-secrets | egrep "wireless-security.(key-mgmt|psk)"
802-11-wireless-security.key-mgmt: sae
802-11-wireless-security.psk: test1234
802-11-wireless-security.psk-flags: 0 (none)

root@ff-nm:/x# netplan get | grep password
            password: "test1234"
root@ff-nm:/x# netplan get | grep key-mgmt
              wifi-security.key-mgmt: "sae"

root@ff-nm:/x# netplan get wifis.NM-a97b1974-3a53-49c6-87e7-84cf692d7f5c
renderer: NetworkManager
match:
  name: "wlan0"
dhcp4: true
dhcp6: true
ipv6-address-generation: "stable-privacy"
access-points:
  "ubuntu-wpa2-wpa3-mixed":
    auth:
      key-management: "none"
      password: "test1234"
    networkmanager:
      uuid: "a97b1974-3a53-49c6-87e7-84cf692d7f5c"
      name: "test3"
      passthrough:
        connection.permissions: ""
        wifi.mac-address-blacklist: ""
        wifi-security.key-mgmt: "sae"
        ipv4.dns-search: ""
        ipv6.dns-search: ""
        ipv6.ip6-privacy: "-1"
        proxy._: ""
networkmanager:
  uuid: "a97b1974-3a53-49c6-87e7-84cf692d7f5c"
  name: "test3"

tags: added: verification-done-focal
removed: verification-needed-focal
Revision history for this message
Lukas Märdian (slyon) wrote :

I've tested netplan.io 0.104-0ubuntu2.1 from jammy-proposed. The test plan passed.

root@jj-nm:/x# apt list *netplan*
Listing... Done
libnetplan-dev/now 0.104-0ubuntu2.1 amd64 [installed,local]
libnetplan0/now 0.104-0ubuntu2.1 amd64 [installed,local]
netplan.io/now 0.104-0ubuntu2.1 amd64 [installed,local]

root@jj-nm:/x# nmcli c add con-name test3 type wifi ssid ubuntu-wpa2-wpa3-mixed ifname wlan0
Connection 'test3' (e973b67a-0f61-46f2-aa57-47f7a6b6f3a9) successfully added.

root@jj-nm:/x# nmcli c modify test3 wifi-sec.key-mgmt sae wifi-sec.psk test1234
root@jj-nm:/x# nmcli c show test3 --show-secrets | egrep "wireless-security.(key-mgmt|psk)"
802-11-wireless-security.key-mgmt: sae
802-11-wireless-security.psk: test1234
802-11-wireless-security.psk-flags: 0 (none)

root@jj-nm:/x# netplan get | grep password
            password: "test1234"
root@jj-nm:/x# netplan get | grep key-mgmt
              wifi-security.key-mgmt: "sae"

root@jj-nm:/x# netplan get wifis.NM-e973b67a-0f61-46f2-aa57-47f7a6b6f3a9
renderer: NetworkManager
match:
  name: "wlan0"
dhcp4: true
dhcp6: true
ipv6-address-generation: "stable-privacy"
access-points:
  "ubuntu-wpa2-wpa3-mixed":
    auth:
      key-management: "none"
      password: "test1234"
    networkmanager:
      uuid: "e973b67a-0f61-46f2-aa57-47f7a6b6f3a9"
      name: "test3"
      passthrough:
        wifi-security.key-mgmt: "sae"
        ipv6.ip6-privacy: "-1"
        proxy._: ""
networkmanager:
  uuid: "e973b67a-0f61-46f2-aa57-47f7a6b6f3a9"
  name: "test3"

tags: added: verification-done verification-done-jammy
removed: verification-needed verification-needed-jammy
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package netplan.io - 0.104-0ubuntu2.1

---------------
netplan.io (0.104-0ubuntu2.1) jammy; urgency=medium

  * Cherry-pick fix for rendering WPA3 password (8934a1b), LP: #1975576
    + d/p/0010-nm-fix-rendering-of-password-for-unknown-passthrough.patch
  * Backport offloading tristate patches (LP: #1956264)
    + d/p/0003-Add-tristate-type-for-offload-options-LP-1956264-270.patch
    + d/p/0004-tests-ethernets-fix-autopkgtest-with-alternating-def.patch
    + d/t/control: add 'ethtool' test-dep for link offloading tests

 -- Lukas Märdian <email address hidden> Wed, 29 Jun 2022 17:54:23 +0200

Changed in netplan.io (Ubuntu Jammy):
status: Fix Committed → Fix Released
Revision history for this message
Łukasz Zemczak (sil2100) wrote : Update Released

The verification of the Stable Release Update for netplan.io has completed successfully and the package is now being released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package netplan.io - 0.104-0ubuntu2~20.04.2

---------------
netplan.io (0.104-0ubuntu2~20.04.2) focal; urgency=medium

  * Cherry pick d/p/dbus-Remove-the-upper-limit-on-try-timeout.patch
    (LP: #1967084)
  * Cherry-pick fix for rendering WPA3 password (8934a1b), LP: #1975576
    + d/p/0010-nm-fix-rendering-of-password-for-unknown-passthrough.patch
  * Backport offloading tristate patches (LP: #1956264)
    + d/p/0003-Add-tristate-type-for-offload-options-LP-1956264-270.patch
    + d/p/0004-tests-ethernets-fix-autopkgtest-with-alternating-def.patch
    + d/t/control: add 'ethtool' test-dep for link offloading tests

 -- Lukas Märdian <email address hidden> Wed, 29 Jun 2022 17:54:23 +0200

Changed in netplan.io (Ubuntu Focal):
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Other bug subscribers