PMF

Bug #1827757 reported by kolya on 2019-05-05
This bug affects 2 people
Affects: wpa (Ubuntu)
Importance: Undecided
Assigned to: Unassigned

Bug Description

WPA Supplicant packaged with Ubuntu doesn't support PMF. PMF support has been available in wpa supplicant for about 3 years now and in a couple of major releases. PMF is a security feature and should be supported (at least at the level where it needs to be manually enabled).

Thanks!

ProblemType: Bug
DistroRelease: Ubuntu 19.04
Package: wpasupplicant 2:2.6-21ubuntu3
ProcVersionSignature: Ubuntu 5.0.0-13.14-generic 5.0.6
Uname: Linux 5.0.0-13-generic x86_64
NonfreeKernelModules: nvidia_modeset nvidia
ApportVersion: 2.20.10-0ubuntu27
Architecture: amd64
CurrentDesktop: MATE
Date: Sat May 4 23:55:42 2019
InstallationDate: Installed on 2016-02-20 (1169 days ago)
InstallationMedia: Ubuntu-MATE 15.10 "Wily Werewolf" - Release amd64 (20151021)
SourcePackage: wpa
UpgradeStatus: Upgraded to disco on 2019-05-02 (2 days ago)

intel (dts-dreamer) wrote :

Can confirm that this problem still exists on the latest LTS release.

I tested connecting to an enterprise network with PMF (Protected Management Frames / Management Protected Frames, or 802.11w) enabled and required, on Ubuntu 18.04.3 LTS (with all updates). All attempts failed when PMF was set to `Required` on the AP side.
I also tested with my home setup: TP-Link AP ( OpenWrt 18.06.5 ) and 802.11w set to `Required` in the `Wireless Security` section.

The current wpasupplicant version for 18.04 is 2:2.6-15ubuntu2.5
When the Network Manager tries to connect to the AP, it fails because the activation takes too long.
I tested the Ubuntu 19.10 Eoan release and it seems that the wpasupplicant is able to connect to APs with Required PMF option.

I found a workaround for Ubuntu 18.04 Bionic, but it is a bit "hacky/risky" - basically force upgraded the wpasupplicant and all deps with the packages from Ubuntu 19.10 Eoan. The dependency packages can be downloaded from https://packages.ubuntu.com

Package versions:

libnl-3-200_3.4.0-1_amd64.deb
libnl-route-3-200_3.4.0-1_amd64.deb
locales_2.30-0ubuntu2_all.deb
libc-bin_2.30-0ubuntu2_amd64.deb
libc6_2.30-0ubuntu2_amd64.deb
libc6_2.30-0ubuntu2_i386.deb
libtinfo6_6.1+20190803-1ubuntu1_amd64.deb
libreadline8_8.0-3_amd64.deb
wpasupplicant_2.9-1ubuntu2_amd64.deb

NOTE: force upgrade these packages only if you are sure that they will not break your existing apps.
If you are stuck with the LTS version, but you want to be able to connect to APs with mandatory PMF until this issue is resolved, you can try the workaround at your own risk (future LTS updates could break this setup).

tags: added: 802.11w bionic pmf wpasupplicant
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in wpa (Ubuntu):
status: New → Confirmed
intel (dts-dreamer) wrote :

Tests were performed with Intel Dual Band Wireless-AC 7265 card.

intel (dts-dreamer) wrote :

A better workaround solution to this problem is the systemd wpa_supplicant.service override.
This is better than messing with broken packages and versions.

Here is my systemd override.conf (you can apply it with `systemctl edit wpa_supplicant`):

[Service]
Environment="LD_PRELOAD=/path_to_wpa_bundle_dir/libm.so.6"
ExecStart=
ExecStart=/path_to_wpa_bundle_dir/wpa_supplicant -u -s -O /run/wpa_supplicant

<path_to_wpa_bundle_dir> is just a custom folder that consists of wpa_supplicant binary from package wpasupplicant_2.9-1ubuntu2_amd64.deb + libm-2.30.so from package libc6_2.30-0ubuntu2_amd64.deb and libm.so.6 which is a symlink to the libm-2.30.so in the same folder.
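
The override above makes a root-run service load a binary and a preloaded library from a custom directory, so the ownership and permissions of that directory matter. The following check is an added example, not part of the original comments; the function names and the policy it enforces (owned by root, no group/other write bit) are assumptions.

```shell
#!/bin/sh
# Added example (not from the bug report): audit a systemd override that makes
# the root-run wpa_supplicant service load a binary and LD_PRELOAD library from
# a custom directory. Assumption: each referenced file and its directory should
# be owned by root (uid 0) and not writable by group or others.

# override_paths FILE: print absolute paths named in LD_PRELOAD= and ExecStart=
override_paths() {
    # LD_PRELOAD may list several libraries separated by ':' or spaces
    sed -n 's/^Environment=.*LD_PRELOAD=\([^"]*\).*/\1/p' "$1" | tr ': ' '\n\n'
    # first word of a non-empty ExecStart= (after systemd prefixes) is the binary
    sed -n 's/^ExecStart=[-@:+!]*\(\/[^ ]*\).*/\1/p' "$1"
}

# path_is_safe PATH OWNER: true if PATH (symlinks resolved, as libm.so.6 is one)
# exists, is owned by uid OWNER and has no group/other write bit
path_is_safe() {
    real=$(readlink -f -- "$1") && [ -e "$real" ] || return 1
    owner=$(stat -c %u -- "$real")
    mode=$(stat -c %a -- "$real")
    [ "$owner" = "$2" ] && [ $(( 0$mode & 022 )) -eq 0 ]
}

# audit_override FILE [OWNER]: report each path; return the number of unsafe ones
audit_override() {
    conf=$1; want=${2:-0}; bad=0
    for p in $(override_paths "$conf" | grep '^/' | sort -u); do
        # a writable directory lets the file be replaced, so check both
        for target in "$p" "$(dirname -- "$p")"; do
            if path_is_safe "$target" "$want"; then
                echo "ok      $target"
            else
                echo "UNSAFE  $target"; bad=$((bad + 1))
            fi
        done
    done
    return "$bad"
}

# Stand-alone use: sh audit.sh /etc/systemd/system/wpa_supplicant.service.d/override.conf
if [ "$#" -gt 0 ]; then audit_override "$@"; fi
```

A non-zero exit status is the count of files or directories that a non-root user could modify or that are missing.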
