cat-users - Re: [[cat-users]] Set credentials by installer won't work under Windows 10 (1809)

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

  • From: Tomasz Wolniewicz <twoln AT umk.pl>
  • To: cat-users AT lists.geant.org
  • Subject: Re: [[cat-users]] Set credentials by installer won't work under Windows 10 (1809)
  • Date: Sun, 6 Oct 2019 16:55:38 +0200

Hi,

   I'm afraid I do not get your point here. Are you saying that the CAT Windows 10 installer does not set user data correctly, or that you would like to use WLANSetEAPUserData in some other way?

  CAT does not encrypt the user password during the installation step; we create the PEAP credentials file, install it with WLANSetEAPUserData and delete it. The credentials file is there for a short moment, which did not seem a security threat.

Yours

Tomasz Wolniewicz

On 04.10.2019 at 13:58, Mattias Baake wrote:

Hi,

I have a problem setting the credentials automatically by the installer (and as deployment). If the creds are set by the included "WLANSetEAPUserDatax64.exe", it doesn't work under Windows 10 (1809) - under Windows 7 it's all fine. If I add the credentials manually, it works, too.

I have decrypted the MSMUserData for manually and automatically set credentials and got the following result:

  • manually: MSMUserData contains the password as an encrypted blob (needs to be decrypted in a second step) - only the username is readable in this step (like under Windows 7)
  • automatically: MSMUserData is much smaller than the manual one and the password is readable in this first step

The script I have used to decrypt the MSMUserData (Decrypt-MSMUserData):

param(
    [String]$Path = ".\eap.blob",
    [Switch]$EapExtractMode
)

# Decrypt mode: remove the DPAPI protection from the blob in $Path
# and write the result to eap-dec-<DATETIME>.blob.
function main() {
    Load-ProtectedDataApi
    cd C:\UB\
    whoami
    # -Encoding Byte is the Windows PowerShell 5.1 way to read raw bytes
    $b = gc $Path -Encoding Byte

    $datetime = (Get-Date -Format s) -replace ":","-"

    $bdec = [System.Security.Cryptography.ProtectedData]::Unprotect($b,$null,'LocalMachine')
    # .NET file APIs use the process directory, so sync it with the PowerShell location
    [System.Environment]::CurrentDirectory = Get-Location
    [System.IO.File]::WriteAllBytes(('eap-dec-{0}.blob' -f $datetime), $bdec)

}

# Make sure the ProtectedData type is available; load System.Security if it is not.
function Load-ProtectedDataApi() {
    try {
        $null = [System.Security.Cryptography.ProtectedData]
    } catch {
        Write-Verbose 'Adding assembly: System.Security'
        Add-Type -AssemblyName 'System.Security'
        $null = [System.Security.Cryptography.ProtectedData]
        $Error.Clear()
    }
}

# Extract mode: list the current user's WLAN profiles and return the raw
# MSMUserData value of the one that is chosen.
function GetEAPBytes() {
    $RegBase = "Registry::HKEY_CURRENT_USER\Software\Microsoft\Wlansvc\UserData\Profiles"
    $profiles = @{}
    ls $RegBase | % -Begin {$i = 0} {$i++; $profiles[$i] = $_.Name; Write-host $("[{0:d2}] {1}" -f $i,$_.Name)}
    $choice = Read-Host -Prompt "Choice"
    # Index the hashtable directly: inside a double-quoted string only $profiles
    # itself would be expanded. $profileKey also avoids the automatic $PROFILE variable.
    $profileKey = $profiles[[int]$choice]
    $MSMUserData = (Get-ItemProperty -Path "Registry::$profileKey").MSMUserData
    return $MSMUserData
}

if (!$EapExtractMode) {
    main
    return
}
$eapBytes = GetEAPBytes
$datetime = (Get-Date -Format s) -replace ":","-"
[System.Environment]::CurrentDirectory = Get-Location
[System.IO.File]::WriteAllBytes(('eap-{0}.blob' -f $datetime), $eapBytes)

Call as User:

.\Decrypt-MSMUserData -EapExtractMode

Call from a console of user SYSTEM (created by psexec -s -i powershell.exe):

.\Decrypt-MSMUserData -Path eap-<DATETIME>.blob
# READ eap-dec-<DATETIME>.blob
 
Kind regards

Mattias Baake
-- 
Tomasz Wolniewicz    
          twoln AT umk.pl        http://www.home.umk.pl/~twoln

Uniwersteckie Centrum Informatyczne   Information&Communication Technology Centre
Uniwersytet Mikolaja Kopernika     Nicolaus Copernicus University,
pl. Rapackiego 1, Torun               pl. Rapackiego 1, Torun, Poland
tel: +48-56-611-2750     fax: +48-56-622-1850       tel kom.: +48-693-032-576
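
Added example, not part of the original thread and not CAT code: a PowerShell check that takes an already decrypted blob (such as the eap-dec-<DATETIME>.blob file mentioned in the quoted message) and reports whether a known test password is readable in it, which is the manual-versus-automatic comparison described there. The function names, the sample blobs and the two encodings searched are assumptions; the thread does not give the layout of MSMUserData.

```powershell
# Added example: is a known TEST password readable in a decrypted blob?
# Hypothetical helpers; nothing here is taken from CAT or from the thread's script.

# Return the offset of the first occurrence of $Needle in $Haystack, or -1.
function Find-ByteSequence {
    param([byte[]]$Haystack, [byte[]]$Needle)
    if ($Needle.Length -eq 0 -or $Needle.Length -gt $Haystack.Length) { return -1 }
    for ($i = 0; $i -le $Haystack.Length - $Needle.Length; $i++) {
        $found = $true
        for ($j = 0; $j -lt $Needle.Length; $j++) {
            if ($Haystack[$i + $j] -ne $Needle[$j]) { $found = $false; break }
        }
        if ($found) { return $i }
    }
    return -1
}

# Search the blob for the secret in the encodings a Windows component is
# likely to use (assumption: UTF-8 or UTF-16LE).
function Test-ReadableSecret {
    param([byte[]]$Blob, [string]$KnownSecret)
    $encodings = [ordered]@{
        'UTF-8'    = [System.Text.Encoding]::UTF8
        'UTF-16LE' = [System.Text.Encoding]::Unicode
    }
    foreach ($name in $encodings.Keys) {
        $needle = $encodings[$name].GetBytes($KnownSecret)
        $offset = Find-ByteSequence -Haystack $Blob -Needle $needle
        if ($offset -ge 0) {
            return [pscustomobject]@{ Readable = $true; Encoding = $name; Offset = $offset; BlobSize = $Blob.Length }
        }
    }
    return [pscustomobject]@{ Readable = $false; Encoding = $null; Offset = -1; BlobSize = $Blob.Length }
}

# Constructed sample data (not real MSMUserData): a user name followed either
# by opaque bytes (the "manual" case) or by the readable secret ("automatic").
$secret     = 'Test-Passw0rd!'
$user       = [System.Text.Encoding]::Unicode.GetBytes('user@example.org')
$opaque     = [byte[]](1..200 | ForEach-Object { ($_ * 37) % 251 })
$manualLike = [byte[]]($user + $opaque)
$autoLike   = [byte[]]($user + [System.Text.Encoding]::Unicode.GetBytes($secret))

Test-ReadableSecret -Blob $manualLike -KnownSecret $secret   # Readable = False
Test-ReadableSecret -Blob $autoLike   -KnownSecret $secret   # Readable = True, UTF-16LE

# Real use: $blob = [System.IO.File]::ReadAllBytes('<path to decrypted blob>')
```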
