[SRU] No EAP-PEAP support anymore
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
strongswan (Ubuntu) |
Fix Released
|
High
|
Lucas Kanashiro | ||
Focal |
Fix Released
|
High
|
Lucas Kanashiro |
Bug Description
[Impact]
Some libcharon EAP plugins were removed since version 5.8.0-2 by the Debian maintainer in order to keep only the essential plugins, reducing the complexity. So users upgrading from Bionic (5.6.2-1ubuntu2.5) to Focal (5.8.2-1ubuntu3) will find some missing plugins. The problem is that many users rely on some of the removed plugins, and it might be considered as a regression for them when upgrading to Focal.
After a nice explanation from Tobias (upstream maintainer) on comment #4 of this bug we decided to enable again 2 of those removed plugins, they are: eap-dynamic and eap-peap. In short, the eap-dynamic plugin allows clients to select an alternative EAP method when the chosen one is not available; and the eap-peap is still widely used mainly because it is what Microsoft implements (not just it but most of the clients support it), EAP-PEAP is often used in conjunction with EAP-MSCHAPv2 to authenticate in Wifi networks for instance and use it for VPNs allows users to reuse the existent infrastructure.
And to avoid any confusion we are also removing the configuration files from the other plugins removed since 5.8.0-2. They are not used anymore but they are still there.
[Test Case]
$ lxc launch ubuntu-daily:bionic strongswan-sru
$ lxc shell strongswan-sru
$ apt update && apt upgrade -y
$ apt install strongswan libcharon-
$ dpkg -L libcharon-
/etc/strongswan
/usr/lib/
/usr/share/
$ dpkg -L libcharon-
/etc/strongswan
/usr/lib/
/usr/share/
# Upgrade to Focal
$ do-release-upgrade
# Note the conf file was not removed by the upgrade even after the plugin was disabled
$ dpkg -L libcharon-
/etc/strongswan
# Note the conf file was not removed by the upgrade even after the plugin was disabled
$ dpkg -L libcharon-
/etc/strongswan
# If you check for all the EAP plugins in libcharon-
$ dpkg -L libcharon-
/etc/strongswan
/etc/strongswan
/etc/strongswan
/etc/strongswan
/etc/strongswan
/etc/strongswan
/etc/strongswan
/etc/strongswan
/etc/strongswan
/usr/lib/
/usr/lib/
/usr/lib/
/usr/lib/
/usr/lib/
/usr/lib/
/usr/lib/
/usr/lib/
/usr/lib/
/usr/lib/
/usr/share/
/usr/share/
/usr/share/
/usr/share/
/usr/share/
/usr/share/
/usr/share/
/usr/share/
/usr/share/
/etc/strongswan
/etc/strongswan
/etc/strongswan
/etc/strongswan
/etc/strongswan
/etc/strongswan
/etc/strongswan
/etc/strongswan
/etc/strongswan
[Regression Potential]
The proposed changes affects the libcharon-
[Original Description]
Hello,
As title says. Looks like the eap-peap plugin is not contained in libcharon-
anymore.
Ubuntu 18.04 has one, but Ubuntu 20.04 not.
Related branches
- Christian Ehrhardt (community): Approve
- Canonical Server: Pending requested
- git-ubuntu import: Pending requested
-
Diff: 1934 lines (+1689/-3)6 files modifieddebian/changelog (+1661/-0)
debian/control (+8/-3)
debian/libcharon-extra-plugins.install (+6/-0)
debian/libcharon-extra-plugins.maintscript (+8/-0)
debian/libstrongswan-extra-plugins.install (+3/-0)
debian/rules (+3/-0)
- Christian Ehrhardt : Pending requested
- Canonical Server: Pending requested
-
Diff: 529 lines (+411/-2) (has conflicts)9 files modifieddebian/changelog (+19/-0)
debian/control (+61/-2)
debian/libcharon-extra-plugins.maintscript (+11/-0)
debian/patches/lp-1879692-1.patch (+75/-0)
debian/patches/lp-1879692-2.patch (+50/-0)
debian/patches/lp-1879692-3.patch (+37/-0)
debian/patches/lp-1879692-4.patch (+42/-0)
debian/patches/lp-1879692-5.patch (+111/-0)
debian/patches/series (+5/-0)
- Lucas Kanashiro (community): Approve
- Canonical Server packageset reviewers: Pending requested
- Canonical Server: Pending requested
-
Diff: 1868 lines (+1630/-3)6 files modifieddebian/changelog (+1602/-0)
debian/control (+8/-3)
debian/libcharon-extra-plugins.install (+6/-0)
debian/libcharon-extra-plugins.maintscript (+8/-0)
debian/libstrongswan-extra-plugins.install (+3/-0)
debian/rules (+3/-0)
- Christian Ehrhardt (community): Approve
- Lucas Kanashiro (community): Abstain
- Canonical Server: Pending requested
-
Diff: 469 lines (+358/-0)11 files modifieddebian/changelog (+19/-0)
debian/control (+3/-0)
debian/libcharon-extra-plugins.install (+6/-0)
debian/libcharon-extra-plugins.maintscript (+8/-0)
debian/patches/lp-1879692-1.patch (+75/-0)
debian/patches/lp-1879692-2.patch (+50/-0)
debian/patches/lp-1879692-3.patch (+37/-0)
debian/patches/lp-1879692-4.patch (+42/-0)
debian/patches/lp-1879692-5.patch (+111/-0)
debian/patches/series (+5/-0)
debian/rules (+2/-0)
- Christian Ehrhardt (community): Approve
- Canonical Server: Pending requested
-
Diff: 107 lines (+34/-0)5 files modifieddebian/changelog (+15/-0)
debian/control (+3/-0)
debian/libcharon-extra-plugins.install (+6/-0)
debian/libcharon-extra-plugins.maintscript (+8/-0)
debian/rules (+2/-0)
Changed in strongswan (Ubuntu Focal): | |
status: | New → Confirmed |
Changed in strongswan (Ubuntu Focal): | |
assignee: | nobody → Lucas Kanashiro (lucaskanashiro) |
Changed in strongswan (Ubuntu): | |
assignee: | nobody → Lucas Kanashiro (lucaskanashiro) |
Changed in strongswan (Ubuntu Focal): | |
importance: | Undecided → High |
Changed in strongswan (Ubuntu): | |
importance: | Undecided → High |
Changed in strongswan (Ubuntu Focal): | |
status: | Confirmed → In Progress |
Changed in strongswan (Ubuntu): | |
status: | Confirmed → In Progress |
tags: | added: verification-done verification-done-focal |
tags: |
added: verification-done verification-done-focal removed: verification-needed verification-needed-focal |
I confirm the EAP-PEAP plugin is missing, check below.
Bionic:
$ dpkg -c libcharon- extra-plugins_ 5.6.2-1ubuntu2. 5_amd64. deb | grep eap-peap n.d/charon/ eap-peap. conf ipsec/plugins/ libstrongswan- eap-peap. so strongswan/ templates/ config/ plugins/ eap-peap. conf
-rw-r--r-- root/root 777 2019-11-12 08:32 ./etc/strongswa
-rw-r--r-- root/root 18616 2019-11-12 08:32 ./usr/lib/
-rw-r--r-- root/root 777 2019-11-12 08:32 ./usr/share/
Focal:
$ dpkg -c libcharon- extra-plugins_ 5.8.2-1ubuntu3_ amd64.deb | grep eap-peap
The plugin is also not present in Debian unstable:
$ dpkg -c libcharon- extra-plugins_ 5.8.4-1_ amd64.deb | grep eap-peap