Activesync session password

tarantir 2017-12-02 13:58:01 UTC #1

Hello, I have finally diagnosed an error that was plaguing my egw instance for some time. I have replicated the issue in both 16.1 and 17.1.

I have stepped through multiple iterations of deleting the activesync profile on the mobile device (multiple) and in egw as well as recreating activesync profiles and updating passwords.

Based on my diagnosis it would seem if an account has multiple mail identities defined the below errors appear. After removing all but the standard identity, the issue is resolved.

Apache Error Log
[:error] [pid 14396] [client] EGroupware\Api\Mail\Account::get_default1546 Error no Default available.No session password available!

Esync Log
[ERROR] [XXXXXXXXXXXX] AlterPingChanges() Error happend in mail No session password available! blocking for 1920 seconds for Instance=example.com, User=XXXXXXXXXXXX, Device:xxxxxxxxxxxx

egw-esync-error.txt (2.9 KB)

I’m happy to test, now that I know how to replicate.

Kind Regards,
Randy

Nochmal Activesync

Beliebig-2 2017-12-02 17:16:26 UTC #2

Had/Have the same problem for a while, posted already on that list, but no luck till now and no time to search the reason, so ty for this hint.

Rgds

tarantir 2017-12-02 20:51:28 UTC #3

OK, thank you for the reply. I guess it’s good to know my instance is not the only one with this symptom.

For what it is worth, before I identified the issue, the work around for 16.1 work was to restore the hashed (not salted also not an md5 hash) password in egw_ea_credentials with cred_pw_enc = 2.

My guess is; when an account has multiple identities egw is looking for a session that doesn’t exist (based on the first or last identity it finds) thus the profile error.

Randy

Beliebig-2 2017-12-14 16:07:35 UTC #4

Hm,
looks like a feature, not a bug.
Because no one is interested in.

Rgds

Beliebig-2 2017-12-19 16:54:41 UTC #5

Found the cause

The Problem is, when the mail pw is encrypted with the user pw (database -> egw_ea_credentials -> cred_pw_enc -> 3)
It looks like, that it doesn’t use the given active sync pw from your application to decrypt and in this case, it couldn’t create a session.

When the mail pw is encrypted with the system secret (database -> egw_ea_credentials -> cred_pw_enc -> 4) it works.

So, the problem is either now to force encryption with the system secret or found, why the user pw isn’t used (from the application)

RalfBecker 2018-01-24 08:14:29 UTC #6

The user password should be available in the session, as ActiveSync requests also need to be authenticated.

I never seen that problem. I have one suspicion: as the problem seems to happen with Ping requests, it might we your session timeout. Ping requests last at least 60min (long polling for push notifications) and default PHP session timeout (session.gc_max_lifetime in global php.ini) is be default only 1440 (~20min)). On all our systems we usually raise that limit to 14400 (= 4h).

Ralf

tarantir 2018-01-24 12:24:21 UTC #7

Hello Ralf, thank you for the reply. I have confirmed my EGW instance is using session.gc_max_lifetime = 14400 as specified in .htaccess

Repeating what I wrote earlier in the thread; my guess is; when an account has multiple identities egw is looking for a session that doesn’t exist (based on the first or last identity it finds). I say this because as soon as I removed the other identities the problem is resolved. If an EGW user has multiple accounts there is not a problem, so there is a work around. Inconvenient because a mail account for every identity is required.

Kind Regards,
Randy

RalfBecker 2018-01-24 12:45:21 UTC #8

.htaccess is not a good place for session.gc_max_lifetime, as it is a global setting. If some other php script on the whole server triggers a garbage collection for sessions, you EGroupware sessions are gone too!

If this should work reliably, you have to specify session.gc_max_lifetime only in you global php.ini.

Ralf

Beliebig-2 2018-01-24 22:10:06 UTC #9

Hi.

Think, i found the cause in egw.

When u create a new user and set up his mail as admin, then it will be encrypted with the egw hash so, database -> egw_ea_credentials -> cred_pw_enc -> 4

When you are logged is as user and try to edit your mailaccount, that the admin creates, database -> egw_ea_credentials -> cred_pw_enc changes to 3, encrypted with user hash.

Try in this case, you needn’t to change something, only open the edit popup and -> Save changes the value.

Solution: delete this mailaccount as admin and create it again, as admin, so that the pw is encrypted with the egw hash.

The “error” (message) is a hand made error and it doesn’t work with database -> egw_ea_credentials -> cred_pw_enc -> 3, it breaks, when this value is set.

I’m right with this?

Rgds.

RalfBecker 2018-01-25 06:24:37 UTC #10

We create the mail-accounts encrypted with the user password to store the mail password as secure as possible!

You have a problem with your session storage, which you need to fix!
For ActiveSync Ping requests to work, your session lifetime must be more then 60min.

Trying to weakening the system security might work around your real problem, but I can NOT recommend that.

Ralf

Beliebig-2 2018-01-25 14:04:52 UTC #11

Hi.

A Quote (api/src/Mail/Credentials.php):
/**

	 * Password in cleartext

	 */

	const CLEARTEXT = 0;

	/**

	 * Password encrypted with user password

	 *

	 * MCrypt algo 'tripledes' and mode 'ecb' or OpenSSL 'des-ede3'

	 * Key is direct user password, key-size 24 (truncated to 23 byte, if greater then 24 byte!)

	 */

	const USER = 1;

	/**

	 * Password encrypted with system secret

	 *

	 * MCrypt algo 'tripledes' and mode 'ecb' or OpenSSL 'des-ede3'

	 * Key is direct system secret, key-size 24 (truncated to 23 byte, if greater then 24 byte!)

	 */

	const SYSTEM = 2;

	/**

	 * Password encrypted with user password

	 *

	 * OpenSSL: AES-128-CBC, with key generated via hash_pbkdf2 sha256 hash and 12 byte binary salt (=16 char base64)

	 */

	const USER_AES = 3;

	/**

	 * Password encrypted with system secret

	 *

	 * OpenSSL: AES-128-CBC, with key generated via hash_pbkdf2 sha256 hash and 12 byte binary salt (=16 char base64)

	 */

	const SYSTEM_AES = 4;

It’s a session thing, but not as you think, because it works, when database -> egw_ea_credentials -> cred_pw_enc -> 4 -> SYSTEM_AES
and it does not work with database -> egw_ea_credentials -> cred_pw_enc -> 3 -> USER_AES
I’ve tried it with a clean egw installation, with only 1 additional user and tested it (changing cred_pw_enc by edit mailaccounts).
And have a “production” system, where i have users where it works -> when i create the mailaccount by admin -> cred_pw_enc -> 4,
it not works -> when the user edit his profile by himselfe cred_pw_enc -> 3.

So i think, that the encryption with userpassword does not work, because the userpassword is not used to decrypt or create a session.

Or does it work in your system?

Rgds.

RalfBecker 2018-01-25 14:22:22 UTC #12

What do you want to say with that quote?

Beliebig-2 2018-01-25 14:49:34 UTC #13

Hi.

Sry, it isn’t the full mail, i try to edit it.

Edit: done

You said: "We create the mail-accounts encrypted with the user password to store the mail password as secure as possible!"
But it is only given with USER_AES = 3;, not 4
and 4 is created, when the admin creates the mail account settings and in this case, sync does work.

Rgds.

RalfBecker 2018-01-25 15:16:13 UTC #14

If admin creates an account, we can not use the user password, as admin does not know it, so we use the system secret instead, but that is less secure (evil admin could eg. read other peoples mail).

Anyway your problem is that you loose the session and with the session the password!

Beliebig-2 2018-01-25 16:24:15 UTC #15

Hi.

Ok, another question:
What is the difference between creating a session encrypted by system and by user?

RalfBecker EGroupware GmbH
January 25
If admin creates an account, we can not use the user password, as admin does not know it, so we use the system secret instead, but that is less secure (evil admin could eg. read other peoples mail).

Anyway your problem is that you loose the session and with the session the password!

Visit Topic or reply to this email to respond.

Previous Replies

Beliebig-2
January 25
Hi.

Sry, it isn’t the full mail, i try to edit it.

Edit: done

You said: "We create the mail-accounts encrypted with the user password to store the mail password as secure as possible!"
But it is only given with USER_AES = 3;, not 4
and 4 is created, when the admin creates the mail account settings and in this case, sync does work.

Rgds.

RalfBecker EGroupware GmbH
January 25
What do you want to say with that quote?

Beliebig-2
January 25
Hi.

A Quote (api/src/Mail/Credentials.php):
/**

>  * Password in cleartext */ const CLEARTEXT = 0; /** * Password encrypted with user password * * MCrypt algo 'tripledes' and mode 'ecb' or OpenSSL 'des-ede3' * Key is direct user password, key-size 24 (truncated to 23 byte, if greater then 24 byte!) */ const USER = 1; /** * Password encrypted with system secret * * MCrypt algo 'tripledes' and mode 'ecb' or OpenSSL 'des-ede3' * Key is direct system secret, key-size 24 (truncated to 23 byte, if greater then 24 byte!) */ const SYSTEM = 2; /** * Password encrypted with user password * * OpenSSL: AES-128-CBC, with key generated via hash_pbkdf2 sha256 hash and 12 byte binary salt (=16 char base64) */ const USER_AES = 3; /** * Password encrypted with system secret * * OpenSSL: AES-128-CBC, with key generated via hash_pbkdf2 sha256 hash and 12 byte binary salt (=16 char base64) */ const SYSTEM_AES = 4;

tarantir 2018-01-25 23:40:25 UTC #16

Hi Ralf, as you indicated the gc_max_lifetime appears to have caused the issue!

For some reason when I grep’d php.ini it didn’t find the session.gc_max_lifetime entry. Upon manual inspection I found session.gc_max_lifetime set to 1440 which I updated to 14400 as recommended.

Now all is good.

Thank you!
Randy