www.cendio.com
Bug 4832 - Unable to authenticate against tlwebaccess if PAM modules writes debug data
Status: CLOSED FIXED
Product: ThinLinc
Component: Web Access
Version: 4.1.0
Hardware: PC Unknown
Importance: P2 Normal
Target Milestone: 4.1.1
Dependency: bug 4829
Reported: 2013-10-09 09:25 by
Modified: 2013-10-31 11:13 (History)
Description From cendio 2013-10-09 09:25:27
If some PAM modules write data to stderr, the tlwebaccess authentication will
fail. This happens with libpam-mount, see:

https://bugs.launchpad.net/ubuntu/+source/libpam-mount/+bug/373732

Perhaps we should be more tolerant against data on stderr.
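Added illustration of the failure mode described above, not code from tlwebaccess itself: a wrapper that treats any stderr output from the pamtester child as a failed authentication, next to one that decides on the exit status alone and only logs the module's debug chatter. The pamtester stand-ins are constructed shell one-liners so the example runs without PAM.

```python
import logging
import subprocess

log = logging.getLogger("tlwebaccess-example")

# Constructed stand-ins for the pamtester binary (not the real one). Each one
# writes debug chatter to stderr, as a verbose PAM module such as libpam-mount
# does, and carries the PAM verdict only in its exit status.
PAMTESTER_OK = ["sh", "-c",
                'echo "pam_mount(pam_mount.c:100): debug" >&2; '
                'echo "pamtester: successfully authenticated"; exit 0']
PAMTESTER_DENY = ["sh", "-c",
                  'echo "pam_mount(pam_mount.c:100): debug" >&2; '
                  'echo "pamtester: Authentication failure"; exit 7']
PAMTESTER_MISSING = ["/nonexistent/pamtester"]  # "problems with pamtester execution"


def auth_strict(cmd):
    """Brittle variant (the reported bug): any byte on stderr counts as failure,
    so a correct password is rejected as soon as a module logs something."""
    proc = subprocess.run(cmd, capture_output=True, text=True)
    return proc.returncode == 0 and proc.stderr == ""


def auth_tolerant(cmd):
    """Fixed variant: the exit status alone carries the verdict; stderr is kept
    for troubleshooting but never influences the decision."""
    try:
        proc = subprocess.run(cmd, capture_output=True, text=True, timeout=30)
    except (OSError, subprocess.TimeoutExpired) as exc:
        # Could not run or did not finish: fail closed and record why.
        log.error("pamtester execution failed: %s", exc)
        return False
    if proc.stderr:
        log.debug("pamtester stderr: %s", proc.stderr.strip())
    return proc.returncode == 0


if __name__ == "__main__":
    logging.basicConfig(level=logging.DEBUG)
    print("strict, correct password:  ", auth_strict(PAMTESTER_OK))     # False (bug)
    print("tolerant, correct password:", auth_tolerant(PAMTESTER_OK))   # True
    print("tolerant, wrong password:  ", auth_tolerant(PAMTESTER_DENY)) # False
    print("tolerant, missing binary:  ", auth_tolerant(PAMTESTER_MISSING))  # False
```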
------- Comment #2 From cendio 2013-10-09 11:14:11 -------
Fixed in 28011. Good test cases:

* Normal single password auth, correct and wrong password

* Password with additional OTP, correct and wrong password or OTP

* Problems with pamtester execution

* Account without password

* Expired account (will test bug 4829).

Tester should also verify SSO password transfer.
------- Comment #3 From cendio 2013-10-23 13:55:23 -------
Tested:
-------
* Normal single password auth, correct and wrong password
* Problems with pamtester execution (set pamtester to a shell script which exits
non-zero, got "Permission denied" message in webpage)
* Expired account
* SSO password transfer

To test:
--------
* Password with additional OTP, correct and wrong password or OTP
* Account without password
------- Comment #4 From cendio 2013-10-29 13:54:57 -------
(In reply to comment #3)

> * Password with additional OTP, correct and wrong password or OTP

OTP has been extensively tested on bug #1367
------- Comment #5 From cendio 2013-10-29 16:24:57 -------
Test case: cendio user with no password + OTP takes me to a PAM prompt after
entering the OTP code, like this:

pamtester: account management done. [          ]

                                       [ login ]

Whatever I enter and hit login, I get back to the start login form with the
following error:

Error communicating with PAM subsystem: [Errno 6] No such device or address:
'/tmp/tlwebaccess-ff6ea72d7a256b94936812b1dae00cf9a3493045.in'
------- Comment #6 From cendio 2013-10-30 10:46:59 -------
(In reply to comment #5)
> Test case: cendio user with no password + otp takes me to a pam prompt after
> entering OTP code like this:
> 
> 
> pamtester: account management done. [          ]
> 
>                                        [ login ]
> 
> 
> 
> Whatever i enter and hit login i will get to start login form with following
> error:
> 
> Error communicating with PAM subsystem: [Errno 6] No such device or address:
> '/tmp/tlwebaccess-ff6ea72d7a256b94936812b1dae00cf9a3493045.in'

Not a very common configuration. Not even sure we can/should support this, but
perhaps we can improve the error handling at least.

Also note that it is "impossible" to have such a setup with modern versions of
OpenSSH, since apparently you cannot have:

PermitEmptyPasswords yes
ChallengeResponseAuthentication yes

...at the same time. This will give you "Broken pipe" during login and this
error in the log:

sshd[6698]: fatal: PAM: pam_setcred(): Permission denied

See:

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=315040
https://www.opencsw.org/mantis/print_bug_page.php?bug_id=2725

The last report hints that you can work around this by starting to use the module
pam_unix_cred, but it's not available on RHEL. Sigh.

Anyway, "pamtester" is not as picky as OpenSSH, so I'll give it a try.
------- Comment #7 From cendio 2013-10-30 10:58:19 -------
(In reply to comment #5)
> Test case: cendio user with no password + otp takes me to a pam prompt after
> entering OTP code like this:
> 
> 
> pamtester: account management done. [          ]
> 
>                                        [ login ]
> 
> 
> 
> Whatever i enter and hit login i will get to start login form with following
> error:
> 
> Error communicating with PAM subsystem: [Errno 6] No such device or address:
> '/tmp/tlwebaccess-ff6ea72d7a256b94936812b1dae00cf9a3493045.in'

Fixed in 28094.
------- Comment #8 From cendio 2013-10-31 11:13:46 -------
(In reply to comment #7)
> (In reply to comment #5)
> > Test case: cendio user with no password + otp takes me to a pam prompt after
> > entering OTP code like this:
> > 
> > 
> > pamtester: account management done. [          ]
> > 
> >                                        [ login ]
> > 
> > 
> > 
> > Whatever i enter and hit login i will get to start login form with following
> > error:
> > 
> > Error communicating with PAM subsystem: [Errno 6] No such device or address:
> > '/tmp/tlwebaccess-ff6ea72d7a256b94936812b1dae00cf9a3493045.in'
> 
> Fixed in 28094.

Retested user+otp with and without password and it does work as expected.
Tested all combinations with wrong and correct passwords/pins to verify correct
handling.