From ra at ok.is Tue Jul 25 21:32:18 2017
From: ra at ok.is (Richard Allen)
Date: Tue, 25 Jul 2017 21:32:18 +0000 (GMT)
Subject: [tac_plus] tac_plus crashes
Message-ID: <2108344222.1265418.1501018338795.JavaMail.zimbra@ok.is>

Hello,

I'm trying to get tac_plus to work with LDAP and use two factor authentication. Here is my status thus far.

I built 4.0.4.27a on CentOS 7.3. I'm also using the FreeIPA LDAP/Kerberos system.

In LDAP I have two users. One configured for two factor and one not.

[root@ipa ~]# id rikkatest
uid=1130400006(rikkatest) gid=1130400006(rikkatest) groups=1130400004(cisco-enable),1130400006(rikkatest)
[root@ipa ~]# id netvik
uid=1130400009(netvik) gid=1130400009(netvik) groups=1130400004(cisco-enable),1130400008(service_accounts),1130400009(netvik)

[root@ipa ~]# ssh rikkatest@localhost
First Factor:
Second Factor:
Last login: Tue Jul 25 16:44:20 2017 from localhost
-sh-4.2$

[root@ipa netvik]# ssh netvik@localhost
Password:
Last login: Tue Jul 25 17:18:43 2017
-sh-4.2$

[root@ipa ~]# cat /etc/pam.d/tac_plus
#%PAM-1.0
auth       include      system-auth
account    required     pam_nologin.so
account    include      system-auth
password   include      system-auth
session    optional     pam_keyinit.so force revoke
session    include      system-auth
session    required     pam_loginuid.so

[root@ipa ~]# cat /etc/tac_plus.conf
accounting file = /var/log/tacacs.log
key = testing123

host = 94.142.159.65 {
    key = testing123
}

host = pat.ok.is {
    key = testing123
}

group = enable {
    login = PAM
}

user = netvik {
    member = enable
}

user = rikkatest {
    member = enable
}

(Yes, that's a lousy key, but only here for testing.)

Running the daemon as such:

[root@ipa ~]# tac_plus -C /etc/tac_plus.conf -L -p 49 -d1016 -g

Then I have a Cisco router configured to authenticate against this tac_plus server and it "works". First the plain user with no two factor auth:

[ra@hamburger ~]$ telnet 10.199.6.87
Trying 10.199.6.87...
Connected to 10.199.6.87.
Escape character is '^]'.
User Access Verification

Username: netvik
Password:
Router>

Daemon stdout has:

Reading config
Version F4.0.4.27a Initialized 1
tac_plus server F4.0.4.27a starting
socket FD 4 AF 2
socket FD 5 AF 10
uid=0 euid=0 gid=0 egid=0 s=39821088
session request from pat.ok.is sock=6
connect from pat.ok.is [94.142.159.65]
Waiting for packet
cfg_get_hvalue: name=94.142.159.65 attr=key
cfg_get_phvalue: returns testing123
Read AUTHEN/START size=40
validation request from pat.ok.is
PACKET: key=testing123
version 192 (0xc0), type 1, seq no 1, flags 0x1
session_id 3879265348 (0xe738e444), Data length 28 (0x1c)
End header
Packet body hex dump:
0x1 0x1 0x1 0x1 0x0 0x6 0xe 0x0 0x74 0x74 0x79 0x35 0x37 0x38 0x31 0x30 0x2e 0x31 0x39 0x39 0x2e 0x32 0x35 0x33 0x2e 0x31 0x33 0x30
type=AUTHEN/START, priv_lvl = 1
action=login
authen_type=ascii
service=login
user_len=0 port_len=6 (0x6), rem_addr_len=14 (0xe)
data_len=0
User:
port: tty578
rem_addr: 10.199.253.130
data:
End packet
Authen Start request
choose_authen returns 1
cfg_get_hvalue: name=94.142.159.65 attr=prompt
cfg_get_phvalue: returns NULL
cfg_get_hvalue: name=pat.ok.is attr=prompt
cfg_get_phvalue: returns NULL
Writing AUTHEN/GETUSER size=55
PACKET: key=testing123
version 192 (0xc0), type 1, seq no 2, flags 0x1
session_id 3879265348 (0xe738e444), Data length 43 (0x2b)
End header
Packet body hex dump:
0x4 0x0 0x25 0x0 0x0 0x0 0xa 0x55 0x73 0x65 0x72 0x20 0x41 0x63 0x63 0x65 0x73 0x73 0x20 0x56 0x65 0x72 0x69 0x66 0x69 0x63 0x61 0x74 0x69 0x6f 0x6e 0xa 0xa 0x55 0x73 0x65 0x72 0x6e 0x61 0x6d 0x65 0x3a 0x20
type=AUTHEN status=4 (AUTHEN/GETUSER) flags=0x0
msg_len=37, data_len=0
msg: 0xa User Access Verification 0xa
data:
End packet
cfg_get_hvalue: name=94.142.159.65 attr=key
cfg_get_phvalue: returns testing123
Waiting for packet
cfg_get_hvalue: name=94.142.159.65 attr=key
cfg_get_phvalue: returns testing123
Read AUTHEN/CONT size=23
PACKET: key=testing123
version 192 (0xc0), type 1, seq no 3, flags 0x1
session_id 3879265348 (0xe738e444), Data length 11 (0xb)
End header
Packet body hex dump:
0x6 0x0 0x0 0x0 0x0 0x6e 0x65 0x74 0x76 0x69 0x6b
type=AUTHEN/CONT user_msg_len 6 (0x6), user_data_len 0 (0x0) flags=0x0
User msg: netvik
User data:
End packet
cfg_get_value: name=netvik isuser=1 attr=login rec=1
cfg_get_value: recurse group = enable
cfg_get_pvalue: returns PAM
cfg_get_value: name=netvik isuser=1 attr=login rec=1
cfg_get_value: recurse group = enable
cfg_get_pvalue: returns PAM
choose_authen chose default_fn
Calling authentication function
cfg_get_value: name=netvik isuser=1 attr=nopassword rec=1
cfg_get_value: recurse group = enable
cfg_get_intvalue: returns 0
cfg_get_value: name=netvik isuser=1 attr=login rec=1
cfg_get_value: recurse group = enable
cfg_get_pvalue: returns PAM
cfg_get_value: name=netvik isuser=1 attr=login rec=1
cfg_get_value: recurse group = enable
cfg_get_pvalue: returns PAM
pam_verify netvik
pam_tacacs received 1 pam_messages
pat.ok.is tty578: PAM_PROMPT_ECHO_OFF
Writing AUTHEN/GETPASS size=28
PACKET: key=testing123
version 192 (0xc0), type 1, seq no 4, flags 0x1
session_id 3879265348 (0xe738e444), Data length 16 (0x10)
End header
Packet body hex dump:
0x5 0x1 0xa 0x0 0x0 0x0 0x50 0x61 0x73 0x73 0x77 0x6f 0x72 0x64 0x3a 0x20
type=AUTHEN status=5 (AUTHEN/GETPASS) flags=0x1
msg_len=10, data_len=0
msg: Password:
data:
End packet
cfg_get_hvalue: name=94.142.159.65 attr=key
cfg_get_phvalue: returns testing123
Waiting for packet
cfg_get_hvalue: name=94.142.159.65 attr=key
cfg_get_phvalue: returns testing123
Read AUTHEN/CONT size=33
PACKET: key=testing123
version 192 (0xc0), type 1, seq no 5, flags 0x1
session_id 3879265348 (0xe738e444), Data length 21 (0x15)
End header
Packet body hex dump:
0x10 0x0 0x0 0x0 0x0 0x36 0x28 0x5b 0x35 0x31 0x76 0x22 0x4c 0x42 0x52 0x66 0x43 0x71 0x6d 0x7b 0x38
type=AUTHEN/CONT user_msg_len 16 (0x10), user_data_len 0 (0x0) flags=0x0
User msg: 6([51v"LBRfCqm{8
User data:
End packet
pam_verify returns 1
cfg_get_value: name=netvik isuser=1 attr=expires rec=1
cfg_get_value: recurse group = enable
cfg_get_pvalue: returns NULL
Password has not expired
cfg_get_value: name=netvik isuser=1 attr=acl rec=1
cfg_get_value: recurse group = enable
cfg_get_pvalue: returns NULL
login query for 'netvik' port tty578 from pat.ok.is accepted
Writing AUTHEN/SUCCEED size=18
PACKET: key=testing123
version 192 (0xc0), type 1, seq no 6, flags 0x1
session_id 3879265348 (0xe738e444), Data length 6 (0x6)
End header
Packet body hex dump:
0x1 0x0 0x0 0x0 0x0 0x0
type=AUTHEN status=1 (AUTHEN/SUCCEED) flags=0x0
msg_len=0, data_len=0
msg:
data:
End packet
cfg_get_hvalue: name=94.142.159.65 attr=key
cfg_get_phvalue: returns testing123
pat.ok.is: disconnect

Then I try with the two factor user:

[ra@hamburger ~]$ telnet 10.199.6.87
Trying 10.199.6.87...
Connected to 10.199.6.87.
Escape character is '^]'.

User Access Verification

Username: rikkatest
First Factor:
Second Factor:
Router>

Seems to succeed nicely. In the meantime, daemon stdout has:

Reading config
Version F4.0.4.27a Initialized 1
tac_plus server F4.0.4.27a starting
socket FD 4 AF 2
socket FD 5 AF 10
uid=0 euid=0 gid=0 egid=0 s=38747936
session request from pat.ok.is sock=6
connect from pat.ok.is [94.142.159.65]
Waiting for packet
cfg_get_hvalue: name=94.142.159.65 attr=key
cfg_get_phvalue: returns testing123
Read AUTHEN/START size=40
validation request from pat.ok.is
PACKET: key=testing123
version 192 (0xc0), type 1, seq no 1, flags 0x1
session_id 91926243 (0x57aaee3), Data length 28 (0x1c)
End header
Packet body hex dump:
0x1 0x1 0x1 0x1 0x0 0x6 0xe 0x0 0x74 0x74 0x79 0x35 0x37 0x38 0x31 0x30 0x2e 0x31 0x39 0x39 0x2e 0x32 0x35 0x33 0x2e 0x31 0x33 0x30
type=AUTHEN/START, priv_lvl = 1
action=login
authen_type=ascii
service=login
user_len=0 port_len=6 (0x6), rem_addr_len=14 (0xe)
data_len=0
User:
port: tty578
rem_addr: 10.199.253.130
data:
End packet
Authen Start request
choose_authen returns 1
cfg_get_hvalue: name=94.142.159.65 attr=prompt
cfg_get_phvalue: returns NULL
cfg_get_hvalue: name=pat.ok.is attr=prompt
cfg_get_phvalue: returns NULL
Writing AUTHEN/GETUSER size=55
PACKET: key=testing123
version 192 (0xc0), type 1, seq no 2, flags 0x1
session_id 91926243 (0x57aaee3), Data length 43 (0x2b)
End header
Packet body hex dump:
0x4 0x0 0x25 0x0 0x0 0x0 0xa 0x55 0x73 0x65 0x72 0x20 0x41 0x63 0x63 0x65 0x73 0x73 0x20 0x56 0x65 0x72 0x69 0x66 0x69 0x63 0x61 0x74 0x69 0x6f 0x6e 0xa 0xa 0x55 0x73 0x65 0x72 0x6e 0x61 0x6d 0x65 0x3a 0x20
type=AUTHEN status=4 (AUTHEN/GETUSER) flags=0x0
msg_len=37, data_len=0
msg: 0xa User Access Verification 0xa
data:
End packet
cfg_get_hvalue: name=94.142.159.65 attr=key
cfg_get_phvalue: returns testing123
Waiting for packet
cfg_get_hvalue: name=94.142.159.65 attr=key
cfg_get_phvalue: returns testing123
Read AUTHEN/CONT size=26
PACKET: key=testing123
version 192 (0xc0), type 1, seq no 3, flags 0x1
session_id 91926243 (0x57aaee3), Data length 14 (0xe)
End header
Packet body hex dump:
0x9 0x0 0x0 0x0 0x0 0x72 0x69 0x6b 0x6b 0x61 0x74 0x65 0x73 0x74
type=AUTHEN/CONT user_msg_len 9 (0x9), user_data_len 0 (0x0) flags=0x0
User msg: rikkatest
User data:
End packet
cfg_get_value: name=rikkatest isuser=1 attr=login rec=1
cfg_get_value: recurse group = enable
cfg_get_pvalue: returns PAM
cfg_get_value: name=rikkatest isuser=1 attr=login rec=1
cfg_get_value: recurse group = enable
cfg_get_pvalue: returns PAM
choose_authen chose default_fn
Calling authentication function
cfg_get_value: name=rikkatest isuser=1 attr=nopassword rec=1
cfg_get_value: recurse group = enable
cfg_get_intvalue: returns 0
cfg_get_value: name=rikkatest isuser=1 attr=login rec=1
cfg_get_value: recurse group = enable
cfg_get_pvalue: returns PAM
cfg_get_value: name=rikkatest isuser=1 attr=login rec=1
cfg_get_value: recurse group = enable
cfg_get_pvalue: returns PAM
pam_verify rikkatest
pam_tacacs received 2 pam_messages
pat.ok.is tty578: PAM_PROMPT_ECHO_OFF
Writing AUTHEN/GETPASS size=32
PACKET: key=testing123
version 192 (0xc0), type 1, seq no 4, flags 0x1
session_id 91926243 (0x57aaee3), Data length 20 (0x14)
End header
Packet body hex dump:
0x5 0x1 0xe 0x0 0x0 0x0 0x46 0x69 0x72 0x73 0x74 0x20 0x46 0x61 0x63 0x74 0x6f 0x72 0x3a 0x20
type=AUTHEN status=5 (AUTHEN/GETPASS) flags=0x1
msg_len=14, data_len=0
msg: First Factor:
data:
End packet
cfg_get_hvalue: name=94.142.159.65 attr=key
cfg_get_phvalue: returns testing123
Waiting for packet
cfg_get_hvalue: name=94.142.159.65 attr=key
cfg_get_phvalue: returns testing123
Read AUTHEN/CONT size=29
PACKET: key=testing123
version 192 (0xc0), type 1, seq no 5, flags 0x1
session_id 91926243 (0x57aaee3), Data length 17 (0x11)
End header
Packet body hex dump:
0xc 0x0 0x0 0x0 0x0 0x72 0x69 0x6b 0x6b 0x61 0x74 0x65 0x73 0x74 0x31 0x32 0x33
type=AUTHEN/CONT user_msg_len 12 (0xc), user_data_len 0 (0x0) flags=0x0
User msg: rikkatest123
User data:
End packet
pat.ok.is tty578: PAM_PROMPT_ECHO_OFF
Writing AUTHEN/GETPASS size=33
PACKET: key=testing123
version 192 (0xc0), type 1, seq no 6, flags 0x1
session_id 91926243 (0x57aaee3), Data length 21 (0x15)
End header
Packet body hex dump:
0x5 0x1 0xf 0x0 0x0 0x0 0x53 0x65 0x63 0x6f 0x6e 0x64 0x20 0x46 0x61 0x63 0x74 0x6f 0x72 0x3a 0x20
type=AUTHEN status=5 (AUTHEN/GETPASS) flags=0x1
msg_len=15, data_len=0
msg: Second Factor:
data:
End packet
cfg_get_hvalue: name=94.142.159.65 attr=key
cfg_get_phvalue: returns testing123
Waiting for packet
cfg_get_hvalue: name=94.142.159.65 attr=key
cfg_get_phvalue: returns testing123
Read AUTHEN/CONT size=23
PACKET: key=testing123
version 192 (0xc0), type 1, seq no 7, flags 0x1
session_id 91926243 (0x57aaee3), Data length 11 (0xb)
End header
Packet body hex dump:
0x6 0x0 0x0 0x0 0x0 0x31 0x32 0x33 0x34 0x35 0x36
type=AUTHEN/CONT user_msg_len 6 (0x6), user_data_len 0 (0x0) flags=0x0
User msg: 123456
User data:
End packet
Segmentation fault (core dumped)

Looking into the core file we see:

[root@ipa ~]# gdb /usr/bin/tac_plus core.4494
GNU gdb (GDB) Red Hat Enterprise Linux 7.6.1-94.el7
Copyright (C) 2013 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-redhat-linux-gnu".
For bug reporting instructions, please see:
...
Reading symbols from /usr/bin/tac_plus...Reading symbols from /usr/lib/debug/usr/bin/tac_plus.debug...done.
done.
[New LWP 4494]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
Core was generated by `tac_plus -C /etc/tac_plus.conf -L -p 49 -d1016 -g'.
Program terminated with signal 11, Segmentation fault.
#0  0x0000000000411f2a in pam_tacacs (nmsg=2, pmpp=0x7ffc0a0fe720, prpp=0x7ffc0a0fe710, appdata_ptr=0x693280) at pwlib.c:524
524         prpp[i]->resp = (char *)tac_malloc(acp->user_msg_len + 1);
(gdb) where
#0  0x0000000000411f2a in pam_tacacs (nmsg=2, pmpp=0x7ffc0a0fe720, prpp=0x7ffc0a0fe710, appdata_ptr=0x693280) at pwlib.c:524
#1  0x00007f5b17bd6b88 in prompt_2fa (pamh=pamh@entry=0x693390, pi=pi@entry=0x7ffc0a0fe800, prompt_fa1=0x7f5b17bda9fe "First Factor: ", prompt_fa2=prompt_fa2@entry=0x7f5b17bdaa0d "Second Factor: ") at src/sss_client/pam_sss.c:1323
#2  0x00007f5b17bd8426 in get_authtok_for_authentication (flags=<optimized out>, pi=0x7ffc0a0fe800, pamh=0x693390) at src/sss_client/pam_sss.c:1584
#3  pam_sss (task=<optimized out>, pamh=0x693390, pam_flags=<optimized out>, argc=<optimized out>, argv=<optimized out>) at src/sss_client/pam_sss.c:1826
#4  0x00007f5b19ef1f1a in _pam_dispatch_aux (use_cached_chain=<optimized out>, resumed=<optimized out>, h=<optimized out>, flags=0, pamh=0x693390) at pam_dispatch.c:110
#5  _pam_dispatch (pamh=pamh@entry=0x693390, flags=0, choice=choice@entry=1) at pam_dispatch.c:426
#6  0x00007f5b19ef17e0 in pam_authenticate (pamh=0x693390, flags=<optimized out>) at pam_auth.c:34
#7  0x00000000004123dc in pam_verify (user=0x692f10 "rikkatest", passwd=0x693280 "") at pwlib.c:626
#8  0x0000000000411336 in verify (name=0x692f10 "rikkatest", passwd=0x693280 "", data=0x7ffc0a0fec10, recurse=1) at pwlib.c:160
#9  0x0000000000408fb9 in tac_login (data=0x7ffc0a0fec10, p=0x693280) at default_fn.c:294
#10 0x0000000000408c4e in default_fn (data=0x7ffc0a0fec10) at default_fn.c:167
#11 0x0000000000403856 in authenticate (datap=0x7ffc0a0fec10, typep=0x7ffc0a0feb80) at authen.c:329
#12 0x0000000000403329 in do_start (pak=0x692f50 "\300\001\001\001\203a&d") at authen.c:149
#13 0x0000000000403088 in authen (pak=0x692f50 "\300\001\001\001\203a&d") at authen.c:62
#14 0x0000000000414a70 in start_session () at tac_plus.c:767
#15 0x00000000004148bc in main (argc=8, argv=0x7ffc0a0ff308) at tac_plus.c:683

Some checking:

(gdb) print prpp
$1 = (struct pam_response **) 0x7ffc0a0fe710
(gdb) print i
$2 = 1
(gdb) print nmsg
$3 = 2
(gdb) print prpp[0]
$4 = (struct pam_response *) 0x6996a0
(gdb) print prpp[1]
$5 = (struct pam_response *) 0x5
(gdb) print prpp[0]->resp
$6 = 0x699660 "sdfsdf"
(gdb) print prpp[1]->resp
Cannot access memory at address 0x5

The most scary fact is that it does not matter what I type into the first and second factor prompts. The router always logs me in.

Can you think of anything here I can do to get this to work?

Best regards,
Richard

From dmahoney at isc.org Thu Jul 27 09:54:03 2017
From: dmahoney at isc.org (Dan Mahoney)
Date: Thu, 27 Jul 2017 02:54:03 -0700
Subject: [tac_plus] tac_plus coring Under FreeBSD 10.3-AMD64 with pam
Message-ID: <26C10BDD-1A5B-403A-A04F-6FBCBD3513B7@isc.org>

All,

This is a bit bewildering. We have two systems running tac_plus, and after an upgrade to 10.3, tac_plus no longer wants to speak to PAM/Kerberos.

Weirdly, the error we get when it dies seems to come from Kerberos, since the string "sha1 checksum failed" is not in any of the tac_plus code.

I've managed to fix this by installing an alternate pam_krb5 instead of the base one, but it's still an odd error.

How could I collect more info to help debug this?
/usr/local/sbin/tac_plus -g -d 16 -d 32 -d 8 -C /usr/local/etc/tac_plus.conf -t -U root
Reading config
Version F4.0.4.28 Initialized 1
tac_plus server F4.0.4.28 starting
socket FD 5 AF 28
socket FD 7 AF 2
uid=0 euid=0 gid=559 egid=559 s=33649520
connect from 149.20.60.11 [149.20.60.11]
pam_verify dmahoney
pam_tacacs received 1 pam_messages
149.20.60.11 unknown-port: PAM_PROMPT_ECHO_OFF
tac_plus: sha1 checksum failed
Abort

From alan.mckinnon at gmail.com Thu Jul 27 14:26:40 2017
From: alan.mckinnon at gmail.com (Alan McKinnon)
Date: Thu, 27 Jul 2017 16:26:40 +0200
Subject: [tac_plus] tac_plus coring Under FreeBSD 10.3-AMD64 with pam
In-Reply-To: <26C10BDD-1A5B-403A-A04F-6FBCBD3513B7@isc.org>
References: <26C10BDD-1A5B-403A-A04F-6FBCBD3513B7@isc.org>
Message-ID: <7f79adcd-a37f-1deb-9d86-aaa7c1421350@gmail.com>

On 27/07/2017 11:54, Dan Mahoney wrote:
> All,
>
> This is a bit bewildering. We have two systems running tac_plus, and after an upgrade to 10.3, tac_plus no longer wants to speak to PAM/Kerberos.
>
> Weirdly, the error we get when it dies seems to come from Kerberos, since the string "sha1 checksum failed" is not in any of the tac_plus code.
>
> I've managed to fix this by installing an alternate pam_krb5 instead of the base one, but it's still an odd error.
>
> How could I collect more info to help debug this?
>
> /usr/local/sbin/tac_plus -g -d 16 -d 32 -d 8 -C /usr/local/etc/tac_plus.conf -t -U root
> Reading config
> Version F4.0.4.28 Initialized 1
> tac_plus server F4.0.4.28 starting
> socket FD 5 AF 28
> socket FD 7 AF 2
> uid=0 euid=0 gid=559 egid=559 s=33649520
> connect from 149.20.60.11 [149.20.60.11]
> pam_verify dmahoney
> pam_tacacs received 1 pam_messages
> 149.20.60.11 unknown-port: PAM_PROMPT_ECHO_OFF
> tac_plus: sha1 checksum failed
> Abort

Not at all weird. The base version of pam_krb5 in FreeBSD-10.3 does not appear to support SHA1, but the version in pkg and/or ports does.

So installing from pkg/ports to get functionality above what base gives, as you did, was the correct thing to do.

-- 
Alan McKinnon
alan.mckinnon at gmail.com
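Editor's note on Richard Allen's backtrace in the first thread. pam_tacacs is entered with nmsg=2 because pam_sss (prompt_2fa) sends the "First Factor" and "Second Factor" prompts in a single conversation round, and the loop at pwlib.c:524 dereferences prpp[1], which gdb shows holds 0x5: only prpp[0] points at a real pam_response. Under the pam_conv(3) contract the application's callback receives a pointer to one struct pam_response * and must itself allocate an array of num_msg entries before filling it. The block below is an added example written for this note, not tac_plus, pam_sss or Linux-PAM code: a conversation callback (safe_conv, a hypothetical name) that sizes its response array from num_msg and fails closed with PAM_CONV_ERR when it cannot answer every prompt, run against a constructed two-prompt mock module with constructed factor values. The struct and constant definitions at the top mirror the public Linux-PAM shape so the file compiles without <security/pam_appl.h>; a real application includes that header instead.

```c
/* Added example (not tac_plus, pam_sss or Linux-PAM code): a PAM conversation
 * callback that sizes its response array from num_msg, driven by a
 * constructed two-prompt module.  Definitions stand in for pam_appl.h. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PAM_SUCCESS 0
#define PAM_BUF_ERR 5
#define PAM_AUTH_ERR 7
#define PAM_CONV_ERR 19
#define PAM_PROMPT_ECHO_OFF 1
#define PAM_PROMPT_ECHO_ON 2
#define PAM_ERROR_MSG 3
#define PAM_TEXT_INFO 4

struct pam_message  { int msg_style; const char *msg; };
struct pam_response { char *resp; int resp_retcode; };
/* Answers the remote user already supplied, consumed in prompt order. */
struct conv_appdata { const char **answers; int nanswers; int next; };

/* Release a response array of n entries (the module owns it after a
 * successful conversation and frees it this way). */
void free_responses(struct pam_response *r, int n)
{
    int i;
    if (r == NULL) return;
    for (i = 0; i < n; i++) free(r[i].resp);
    free(r);
}

/* PAM passes a pointer to ONE struct pam_response *; the callback must
 * allocate num_msg entries itself, so a second prompt never indexes past
 * valid memory.  A prompt it cannot answer releases everything and
 * returns PAM_CONV_ERR, which the module turns into a denial. */
int safe_conv(int num_msg, const struct pam_message **msg,
              struct pam_response **resp, void *appdata_ptr)
{
    struct conv_appdata *ad = appdata_ptr;
    struct pam_response *r;
    const char *a;
    int i, style;

    if (num_msg <= 0 || msg == NULL || resp == NULL) return PAM_CONV_ERR;
    if ((r = calloc((size_t)num_msg, sizeof(*r))) == NULL) return PAM_BUF_ERR;
    for (i = 0; i < num_msg; i++) {
        style = msg[i]->msg_style;
        if (style == PAM_ERROR_MSG || style == PAM_TEXT_INFO) continue;
        if (style != PAM_PROMPT_ECHO_OFF && style != PAM_PROMPT_ECHO_ON) goto fail;
        if (ad == NULL || ad->next >= ad->nanswers) goto fail; /* no answer left */
        a = ad->answers[ad->next++];
        if ((r[i].resp = malloc(strlen(a) + 1)) == NULL) goto fail;
        strcpy(r[i].resp, a);
    }
    *resp = r;
    return PAM_SUCCESS;
fail:
    free_responses(r, num_msg);
    *resp = NULL;
    return PAM_CONV_ERR;
}

/* Stand-in for a two-factor module that, like prompt_2fa in the backtrace,
 * sends both prompts in one round.  The expected factors are constructed. */
int mock_two_factor_module(int (*conv)(int, const struct pam_message **,
                                       struct pam_response **, void *),
                           void *appdata)
{
    const struct pam_message m1 = { PAM_PROMPT_ECHO_OFF, "First Factor: " };
    const struct pam_message m2 = { PAM_PROMPT_ECHO_OFF, "Second Factor: " };
    const struct pam_message *msgs[2] = { &m1, &m2 };
    struct pam_response *resp = NULL;
    int ok;

    if (conv(2, msgs, &resp, appdata) != PAM_SUCCESS || resp == NULL)
        return PAM_CONV_ERR;                 /* callback could not answer: deny */
    ok = resp[0].resp && resp[1].resp &&
         strcmp(resp[0].resp, "correct-horse") == 0 &&
         strcmp(resp[1].resp, "654321") == 0;
    free_responses(resp, 2);
    return ok ? PAM_SUCCESS : PAM_AUTH_ERR;
}

/* Fail closed: only an explicit PAM_SUCCESS grants access. */
int authenticate_user(const char **answers, int nanswers)
{
    struct conv_appdata ad = { answers, nanswers, 0 };
    return mock_two_factor_module(safe_conv, &ad) == PAM_SUCCESS;
}

int main(void)
{
    const char *good[] = { "correct-horse", "654321" };
    const char *one[]  = { "correct-horse" };   /* second prompt unanswerable */
    printf("two answers: %s\n", authenticate_user(good, 2) ? "accepted" : "denied");
    printf("one answer:  %s\n", authenticate_user(one, 1) ? "accepted" : "denied");
    return 0;
}
```

The one-answer case is the shape of the crash above: the module asks two questions in one round, the callback has material for only one, and the correct outcome is a refused conversation and a denied login, not a write through an uninitialised pointer and not an accepted session. The strcmp against fixed strings stands in for the module's real credential check and is not how a production module compares secrets.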