Bug 4832 - Unable to authenticate against tlwebaccess if PAM modules writes debug data
Summary: Unable to authenticate against tlwebaccess if PAM modules writes debug data
Status: CLOSED FIXED
Alias: None
Product: ThinLinc
Classification: Unclassified
Component: Web Access
Version: 4.1.0
Hardware: PC Unknown
Importance: P2 Normal
Target Milestone: 4.1.1
Assignee: Peter Åstrand
URL:
Keywords: hean01_tester, prosaic
Depends on: 4829
Blocks:
Reported: 2013-10-09 09:25 CEST by Peter Åstrand
Modified: 2013-10-31 11:13 CET (History)

See Also:
Acceptance Criteria:


Description Peter Åstrand cendio 2013-10-09 09:25:27 CEST
If some PAM module writes data to stderr, the tlwebaccess authentication will fail. This happens with libpam-mount, see:

https://bugs.launchpad.net/ubuntu/+source/libpam-mount/+bug/373732

Perhaps we should be more tolerant of data on stderr.
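The failure mode described above, as an added illustration that is not code from ThinLinc or from this report: a wrapper that invokes a pamtester-style helper and treats any stderr output as an authentication failure, next to one that decides on the exit status alone, logs stderr, and fails closed when the helper cannot be executed. The "pamtester" here is a constructed stand-in that reads the password from stdin; the real binary's interface is not assumed.

```python
import subprocess
import sys

# Constructed stand-in for pamtester: prints PAM-module style debug noise to
# stderr (as libpam-mount does) and exits 0 only for one known password.
FAKE_PAMTESTER = [sys.executable, "-c", r"""
import sys
sys.stderr.write("pam_mount(pam_mount.c:365): debug: mount setup\n")
pw = sys.stdin.readline().rstrip("\n")
sys.exit(0 if pw == "correct-horse" else 1)
"""]


def authenticate_fragile(cmd, password):
    """Fragile check: any output on stderr is taken as a failed login.

    A chatty PAM module therefore locks every user out, even with the
    right password, although the helper itself reported success.
    """
    proc = subprocess.run(cmd, input=password + "\n",
                          capture_output=True, text=True, timeout=10)
    return proc.returncode == 0 and proc.stderr == ""


def authenticate_tolerant(cmd, password, log=None):
    """Tolerant check: the exit status is the only verdict.

    stderr is captured and appended to `log` (a list, if given) for the
    administrator, never parsed. Failure to run the helper at all is an
    error, not a successful login.
    """
    try:
        proc = subprocess.run(cmd, input=password + "\n",
                              capture_output=True, text=True, timeout=10)
    except (OSError, subprocess.TimeoutExpired) as exc:
        if log is not None:
            log.append("pamtester execution failed: %r" % (exc,))
        return False  # fail closed
    if proc.stderr and log is not None:
        log.append(proc.stderr.strip())
    return proc.returncode == 0
```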
Comment 2 Peter Åstrand cendio 2013-10-09 11:14:11 CEST
Fixed in 28011. Good test cases:

* Normal single password auth, correct and wrong password

* Password with additional OTP, correct and wrong password or OTP

* Problems with pamtester execution

* Account without password

* Expired account (will test bug 4829). 

Tester should also verify SSO password transfer.
Comment 3 Aaron Sowry cendio 2013-10-23 13:55:23 CEST
Tested:
-------
* Normal single password auth, correct and wrong password
* Problems with pamtester execution (set pamtester to a shell script which exits non-zero, got "Permission denied" message in webpage)
* Expired account
* SSO password transfer

To test:
--------
* Password with additional OTP, correct and wrong password or OTP
* Account without password
Comment 4 Henrik Andersson cendio 2013-10-29 13:54:57 CET
(In reply to comment #3)

> * Password with additional OTP, correct and wrong password or OTP

OTP has been extensively tested on bug #1367
Comment 5 Henrik Andersson cendio 2013-10-29 16:24:57 CET
Test case: cendio user with no password + otp takes me to a pam prompt after entering OTP code like this:


pamtester: account management done. [          ]

                                       [ login ]



Whatever I enter and hit login, I will get to the start login form with the following error:

Error communicating with PAM subsystem: [Errno 6] No such device or address: '/tmp/tlwebaccess-ff6ea72d7a256b94936812b1dae00cf9a3493045.in'
Comment 6 Peter Åstrand cendio 2013-10-30 10:46:59 CET
(In reply to comment #5)
> Test case: cendio user with no password + otp takes me to a pam prompt after
> entering OTP code like this:
> 
> 
> pamtester: account management done. [          ]
> 
>                                        [ login ]
> 
> 
> 
> Whatever i enter and hit login i will get to start login form with following
> error:
> 
> Error communicating with PAM subsystem: [Errno 6] No such device or address:
> '/tmp/tlwebaccess-ff6ea72d7a256b94936812b1dae00cf9a3493045.in'

Not a very common configuration. Not even sure we can/should support this, but perhaps we can improve the error handling at least. 

Also note that it is "impossible" to have such a setup with modern versions of OpenSSH, since apparently you cannot have:

PermitEmptyPasswords yes
ChallengeResponseAuthentication yes

...at the same time. This will give you "Broken pipe" during login and this error in the log:

sshd[6698]: fatal: PAM: pam_setcred(): Permission denied

See:

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=315040
https://www.opencsw.org/mantis/print_bug_page.php?bug_id=2725

The last report hints that you can work around this by starting to use the module pam_unix_cred, but it's not available on RHEL. Sigh.

Anyway, "pamtester" is not as picky as OpenSSH, so I'll give it a try.
Comment 7 Peter Åstrand cendio 2013-10-30 10:58:19 CET
(In reply to comment #5)
> Test case: cendio user with no password + otp takes me to a pam prompt after
> entering OTP code like this:
> 
> 
> pamtester: account management done. [          ]
> 
>                                        [ login ]
> 
> 
> 
> Whatever i enter and hit login i will get to start login form with following
> error:
> 
> Error communicating with PAM subsystem: [Errno 6] No such device or address:
> '/tmp/tlwebaccess-ff6ea72d7a256b94936812b1dae00cf9a3493045.in'

Fixed in 28094.
Comment 8 Henrik Andersson cendio 2013-10-31 11:13:46 CET
(In reply to comment #7)
> (In reply to comment #5)
> > Test case: cendio user with no password + otp takes me to a pam prompt after
> > entering OTP code like this:
> > 
> > 
> > pamtester: account management done. [          ]
> > 
> >                                        [ login ]
> > 
> > 
> > 
> > Whatever i enter and hit login i will get to start login form with following
> > error:
> > 
> > Error communicating with PAM subsystem: [Errno 6] No such device or address:
> > '/tmp/tlwebaccess-ff6ea72d7a256b94936812b1dae00cf9a3493045.in'
> 
> Fixed in 28094.

Retested user+otp with and without password and it does work as expected.
Tested all combinations with wrong and correct passwords/pins to verify correct handling.
