[tac_plus] tac_plus crashes
Richard Allen
ra at ok.is
Tue Jul 25 21:32:18 UTC 2017
Hello,
I'm trying to get tac_plus to work with LDAP and use two factor authentication. Here is my status thus far. I built 4.0.4.27a on CentOS 7.3. I'm also using a FreeIPA LDAP/Kerberos system.
In LDAP I have two users. One configured for two factor and one not.
[root@ipa ~]# id rikkatest
uid=1130400006(rikkatest) gid=1130400006(rikkatest) groups=1130400004(cisco-enable),1130400006(rikkatest)
[root@ipa ~]# id netvik
uid=1130400009(netvik) gid=1130400009(netvik) groups=1130400004(cisco-enable),1130400008(service_accounts),1130400009(netvik)
[root@ipa ~]# ssh rikkatest@localhost
First Factor:
Second Factor:
Last login: Tue Jul 25 16:44:20 2017 from localhost
-sh-4.2$
[root@ipa netvik]# ssh netvik@localhost
Password:
Last login: Tue Jul 25 17:18:43 2017
-sh-4.2$
[root@ipa ~]# cat /etc/pam.d/tac_plus
#%PAM-1.0
auth include system-auth
account required pam_nologin.so
account include system-auth
password include system-auth
session optional pam_keyinit.so force revoke
session include system-auth
session required pam_loginuid.so
[root@ipa ~]# cat /etc/tac_plus.conf
accounting file = /var/log/tacacs.log
key = testing123
host = 94.142.159.65 { key = testing123 }
host = pat.ok.is { key = testing123 }
group = enable {
login = PAM
}
user = netvik {
member = enable
}
user = rikkatest {
member = enable
}
(Yes, that's a lousy key, but only here for testing)
Running daemon as such:
[root@ipa ~]# tac_plus -C /etc/tac_plus.conf -L -p 49 -d1016 -g
Then I have a Cisco router configured to authenticate against this tac_plus server and it "works".
First the plain user with no two factor auth:
[ra@hamburger ~]$ telnet 10.199.6.87
Trying 10.199.6.87...
Connected to 10.199.6.87.
Escape character is '^]'.
User Access Verification
Username: netvik
Password:
Router>
Daemon stdout has:
Reading config
Version F4.0.4.27a Initialized 1
tac_plus server F4.0.4.27a starting
socket FD 4 AF 2
socket FD 5 AF 10
uid=0 euid=0 gid=0 egid=0 s=39821088
session request from pat.ok.is sock=6
connect from pat.ok.is [94.142.159.65]
Waiting for packet
cfg_get_hvalue: name=94.142.159.65 attr=key
cfg_get_phvalue: returns testing123
Read AUTHEN/START size=40
validation request from pat.ok.is
PACKET: key=testing123
version 192 (0xc0), type 1, seq no 1, flags 0x1
session_id 3879265348 (0xe738e444), Data length 28 (0x1c)
End header
Packet body hex dump:
0x1 0x1 0x1 0x1 0x0 0x6 0xe 0x0 0x74 0x74 0x79 0x35 0x37 0x38 0x31 0x30 0x2e
0x31 0x39 0x39 0x2e 0x32 0x35 0x33 0x2e 0x31 0x33 0x30
type=AUTHEN/START, priv_lvl = 1
action=login
authen_type=ascii
service=login
user_len=0 port_len=6 (0x6), rem_addr_len=14 (0xe)
data_len=0
User:
port:
tty578
rem_addr:
10.199.253.130
data:
End packet
Authen Start request
choose_authen returns 1
cfg_get_hvalue: name=94.142.159.65 attr=prompt
cfg_get_phvalue: returns NULL
cfg_get_hvalue: name=pat.ok.is attr=prompt
cfg_get_phvalue: returns NULL
Writing AUTHEN/GETUSER size=55
PACKET: key=testing123
version 192 (0xc0), type 1, seq no 2, flags 0x1
session_id 3879265348 (0xe738e444), Data length 43 (0x2b)
End header
Packet body hex dump:
0x4 0x0 0x25 0x0 0x0 0x0 0xa 0x55 0x73 0x65 0x72 0x20 0x41 0x63 0x63 0x65 0x73
0x73 0x20 0x56 0x65 0x72 0x69 0x66 0x69 0x63 0x61 0x74 0x69 0x6f 0x6e 0xa 0xa
0x55 0x73 0x65 0x72 0x6e 0x61 0x6d 0x65 0x3a 0x20
type=AUTHEN status=4 (AUTHEN/GETUSER) flags=0x0
msg_len=37, data_len=0
msg:
0xa User Access Verification 0xa
data:
End packet
cfg_get_hvalue: name=94.142.159.65 attr=key
cfg_get_phvalue: returns testing123
Waiting for packet
cfg_get_hvalue: name=94.142.159.65 attr=key
cfg_get_phvalue: returns testing123
Read AUTHEN/CONT size=23
PACKET: key=testing123
version 192 (0xc0), type 1, seq no 3, flags 0x1
session_id 3879265348 (0xe738e444), Data length 11 (0xb)
End header
Packet body hex dump:
0x6 0x0 0x0 0x0 0x0 0x6e 0x65 0x74 0x76 0x69 0x6b
type=AUTHEN/CONT
user_msg_len 6 (0x6), user_data_len 0 (0x0)
flags=0x0
User msg:
netvik
User data:
End packet
cfg_get_value: name=netvik isuser=1 attr=login rec=1
cfg_get_value: recurse group = enable
cfg_get_pvalue: returns PAM
cfg_get_value: name=netvik isuser=1 attr=login rec=1
cfg_get_value: recurse group = enable
cfg_get_pvalue: returns PAM
choose_authen chose default_fn
Calling authentication function
cfg_get_value: name=netvik isuser=1 attr=nopassword rec=1
cfg_get_value: recurse group = enable
cfg_get_intvalue: returns 0
cfg_get_value: name=netvik isuser=1 attr=login rec=1
cfg_get_value: recurse group = enable
cfg_get_pvalue: returns PAM
cfg_get_value: name=netvik isuser=1 attr=login rec=1
cfg_get_value: recurse group = enable
cfg_get_pvalue: returns PAM
pam_verify netvik
pam_tacacs received 1 pam_messages
pat.ok.is tty578: PAM_PROMPT_ECHO_OFF
Writing AUTHEN/GETPASS size=28
PACKET: key=testing123
version 192 (0xc0), type 1, seq no 4, flags 0x1
session_id 3879265348 (0xe738e444), Data length 16 (0x10)
End header
Packet body hex dump:
0x5 0x1 0xa 0x0 0x0 0x0 0x50 0x61 0x73 0x73 0x77 0x6f 0x72 0x64 0x3a 0x20
type=AUTHEN status=5 (AUTHEN/GETPASS) flags=0x1
msg_len=10, data_len=0
msg:
Password:
data:
End packet
cfg_get_hvalue: name=94.142.159.65 attr=key
cfg_get_phvalue: returns testing123
Waiting for packet
cfg_get_hvalue: name=94.142.159.65 attr=key
cfg_get_phvalue: returns testing123
Read AUTHEN/CONT size=33
PACKET: key=testing123
version 192 (0xc0), type 1, seq no 5, flags 0x1
session_id 3879265348 (0xe738e444), Data length 21 (0x15)
End header
Packet body hex dump:
0x10 0x0 0x0 0x0 0x0 0x36 0x28 0x5b 0x35 0x31 0x76 0x22 0x4c 0x42 0x52 0x66
0x43 0x71 0x6d 0x7b 0x38
type=AUTHEN/CONT
user_msg_len 16 (0x10), user_data_len 0 (0x0)
flags=0x0
User msg:
6([51v"LBRfCqm{8
User data:
End packet
pam_verify returns 1
cfg_get_value: name=netvik isuser=1 attr=expires rec=1
cfg_get_value: recurse group = enable
cfg_get_pvalue: returns NULL
Password has not expired <no expiry date set>
cfg_get_value: name=netvik isuser=1 attr=acl rec=1
cfg_get_value: recurse group = enable
cfg_get_pvalue: returns NULL
login query for 'netvik' port tty578 from pat.ok.is accepted
Writing AUTHEN/SUCCEED size=18
PACKET: key=testing123
version 192 (0xc0), type 1, seq no 6, flags 0x1
session_id 3879265348 (0xe738e444), Data length 6 (0x6)
End header
Packet body hex dump:
0x1 0x0 0x0 0x0 0x0 0x0
type=AUTHEN status=1 (AUTHEN/SUCCEED) flags=0x0
msg_len=0, data_len=0
msg:
data:
End packet
cfg_get_hvalue: name=94.142.159.65 attr=key
cfg_get_phvalue: returns testing123
pat.ok.is: disconnect
Then I try with the two factor user:
[ra@hamburger ~]$ telnet 10.199.6.87
Trying 10.199.6.87...
Connected to 10.199.6.87.
Escape character is '^]'.
User Access Verification
Username: rikkatest
First Factor:
Second Factor:
Router>
Seems to succeed nicely. In the meantime, daemon stdout has:
Reading config
Version F4.0.4.27a Initialized 1
tac_plus server F4.0.4.27a starting
socket FD 4 AF 2
socket FD 5 AF 10
uid=0 euid=0 gid=0 egid=0 s=38747936
session request from pat.ok.is sock=6
connect from pat.ok.is [94.142.159.65]
Waiting for packet
cfg_get_hvalue: name=94.142.159.65 attr=key
cfg_get_phvalue: returns testing123
Read AUTHEN/START size=40
validation request from pat.ok.is
PACKET: key=testing123
version 192 (0xc0), type 1, seq no 1, flags 0x1
session_id 91926243 (0x57aaee3), Data length 28 (0x1c)
End header
Packet body hex dump:
0x1 0x1 0x1 0x1 0x0 0x6 0xe 0x0 0x74 0x74 0x79 0x35 0x37 0x38 0x31 0x30 0x2e
0x31 0x39 0x39 0x2e 0x32 0x35 0x33 0x2e 0x31 0x33 0x30
type=AUTHEN/START, priv_lvl = 1
action=login
authen_type=ascii
service=login
user_len=0 port_len=6 (0x6), rem_addr_len=14 (0xe)
data_len=0
User:
port:
tty578
rem_addr:
10.199.253.130
data:
End packet
Authen Start request
choose_authen returns 1
cfg_get_hvalue: name=94.142.159.65 attr=prompt
cfg_get_phvalue: returns NULL
cfg_get_hvalue: name=pat.ok.is attr=prompt
cfg_get_phvalue: returns NULL
Writing AUTHEN/GETUSER size=55
PACKET: key=testing123
version 192 (0xc0), type 1, seq no 2, flags 0x1
session_id 91926243 (0x57aaee3), Data length 43 (0x2b)
End header
Packet body hex dump:
0x4 0x0 0x25 0x0 0x0 0x0 0xa 0x55 0x73 0x65 0x72 0x20 0x41 0x63 0x63 0x65 0x73
0x73 0x20 0x56 0x65 0x72 0x69 0x66 0x69 0x63 0x61 0x74 0x69 0x6f 0x6e 0xa 0xa
0x55 0x73 0x65 0x72 0x6e 0x61 0x6d 0x65 0x3a 0x20
type=AUTHEN status=4 (AUTHEN/GETUSER) flags=0x0
msg_len=37, data_len=0
msg:
0xa User Access Verification 0xa
data:
End packet
cfg_get_hvalue: name=94.142.159.65 attr=key
cfg_get_phvalue: returns testing123
Waiting for packet
cfg_get_hvalue: name=94.142.159.65 attr=key
cfg_get_phvalue: returns testing123
Read AUTHEN/CONT size=26
PACKET: key=testing123
version 192 (0xc0), type 1, seq no 3, flags 0x1
session_id 91926243 (0x57aaee3), Data length 14 (0xe)
End header
Packet body hex dump:
0x9 0x0 0x0 0x0 0x0 0x72 0x69 0x6b 0x6b 0x61 0x74 0x65 0x73 0x74
type=AUTHEN/CONT
user_msg_len 9 (0x9), user_data_len 0 (0x0)
flags=0x0
User msg:
rikkatest
User data:
End packet
cfg_get_value: name=rikkatest isuser=1 attr=login rec=1
cfg_get_value: recurse group = enable
cfg_get_pvalue: returns PAM
cfg_get_value: name=rikkatest isuser=1 attr=login rec=1
cfg_get_value: recurse group = enable
cfg_get_pvalue: returns PAM
choose_authen chose default_fn
Calling authentication function
cfg_get_value: name=rikkatest isuser=1 attr=nopassword rec=1
cfg_get_value: recurse group = enable
cfg_get_intvalue: returns 0
cfg_get_value: name=rikkatest isuser=1 attr=login rec=1
cfg_get_value: recurse group = enable
cfg_get_pvalue: returns PAM
cfg_get_value: name=rikkatest isuser=1 attr=login rec=1
cfg_get_value: recurse group = enable
cfg_get_pvalue: returns PAM
pam_verify rikkatest
pam_tacacs received 2 pam_messages
pat.ok.is tty578: PAM_PROMPT_ECHO_OFF
Writing AUTHEN/GETPASS size=32
PACKET: key=testing123
version 192 (0xc0), type 1, seq no 4, flags 0x1
session_id 91926243 (0x57aaee3), Data length 20 (0x14)
End header
Packet body hex dump:
0x5 0x1 0xe 0x0 0x0 0x0 0x46 0x69 0x72 0x73 0x74 0x20 0x46 0x61 0x63 0x74 0x6f
0x72 0x3a 0x20
type=AUTHEN status=5 (AUTHEN/GETPASS) flags=0x1
msg_len=14, data_len=0
msg:
First Factor:
data:
End packet
cfg_get_hvalue: name=94.142.159.65 attr=key
cfg_get_phvalue: returns testing123
Waiting for packet
cfg_get_hvalue: name=94.142.159.65 attr=key
cfg_get_phvalue: returns testing123
Read AUTHEN/CONT size=29
PACKET: key=testing123
version 192 (0xc0), type 1, seq no 5, flags 0x1
session_id 91926243 (0x57aaee3), Data length 17 (0x11)
End header
Packet body hex dump:
0xc 0x0 0x0 0x0 0x0 0x72 0x69 0x6b 0x6b 0x61 0x74 0x65 0x73 0x74 0x31 0x32 0x33
type=AUTHEN/CONT
user_msg_len 12 (0xc), user_data_len 0 (0x0)
flags=0x0
User msg:
rikkatest123
User data:
End packet
pat.ok.is tty578: PAM_PROMPT_ECHO_OFF
Writing AUTHEN/GETPASS size=33
PACKET: key=testing123
version 192 (0xc0), type 1, seq no 6, flags 0x1
session_id 91926243 (0x57aaee3), Data length 21 (0x15)
End header
Packet body hex dump:
0x5 0x1 0xf 0x0 0x0 0x0 0x53 0x65 0x63 0x6f 0x6e 0x64 0x20 0x46 0x61 0x63 0x74
0x6f 0x72 0x3a 0x20
type=AUTHEN status=5 (AUTHEN/GETPASS) flags=0x1
msg_len=15, data_len=0
msg:
Second Factor:
data:
End packet
cfg_get_hvalue: name=94.142.159.65 attr=key
cfg_get_phvalue: returns testing123
Waiting for packet
cfg_get_hvalue: name=94.142.159.65 attr=key
cfg_get_phvalue: returns testing123
Read AUTHEN/CONT size=23
PACKET: key=testing123
version 192 (0xc0), type 1, seq no 7, flags 0x1
session_id 91926243 (0x57aaee3), Data length 11 (0xb)
End header
Packet body hex dump:
0x6 0x0 0x0 0x0 0x0 0x31 0x32 0x33 0x34 0x35 0x36
type=AUTHEN/CONT
user_msg_len 6 (0x6), user_data_len 0 (0x0)
flags=0x0
User msg:
123456
User data:
End packet
Segmentation fault (core dumped)
Looking into the core file we see:
[root@ipa ~]# gdb /usr/bin/tac_plus core.4494
GNU gdb (GDB) Red Hat Enterprise Linux 7.6.1-94.el7
Copyright (C) 2013 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-redhat-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /usr/bin/tac_plus...Reading symbols from /usr/lib/debug/usr/bin/tac_plus.debug...done.
done.
[New LWP 4494]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
Core was generated by `tac_plus -C /etc/tac_plus.conf -L -p 49 -d1016 -g'.
Program terminated with signal 11, Segmentation fault.
#0 0x0000000000411f2a in pam_tacacs (nmsg=2, pmpp=0x7ffc0a0fe720, prpp=0x7ffc0a0fe710, appdata_ptr=0x693280) at pwlib.c:524
524 prpp[i]->resp = (char *)tac_malloc(acp->user_msg_len + 1);
(gdb) where
#0 0x0000000000411f2a in pam_tacacs (nmsg=2, pmpp=0x7ffc0a0fe720, prpp=0x7ffc0a0fe710, appdata_ptr=0x693280) at pwlib.c:524
#1 0x00007f5b17bd6b88 in prompt_2fa (pamh=pamh@entry=0x693390, pi=pi@entry=0x7ffc0a0fe800, prompt_fa1=0x7f5b17bda9fe "First Factor: ",
prompt_fa2=prompt_fa2@entry=0x7f5b17bdaa0d "Second Factor: ") at src/sss_client/pam_sss.c:1323
#2 0x00007f5b17bd8426 in get_authtok_for_authentication (flags=<optimized out>, pi=0x7ffc0a0fe800, pamh=0x693390) at src/sss_client/pam_sss.c:1584
#3 pam_sss (task=<optimized out>, pamh=0x693390, pam_flags=<optimized out>, argc=<optimized out>, argv=<optimized out>) at src/sss_client/pam_sss.c:1826
#4 0x00007f5b19ef1f1a in _pam_dispatch_aux (use_cached_chain=<optimized out>, resumed=<optimized out>, h=<optimized out>, flags=0, pamh=0x693390)
at pam_dispatch.c:110
#5 _pam_dispatch (pamh=pamh@entry=0x693390, flags=0, choice=choice@entry=1) at pam_dispatch.c:426
#6 0x00007f5b19ef17e0 in pam_authenticate (pamh=0x693390, flags=<optimized out>) at pam_auth.c:34
#7 0x00000000004123dc in pam_verify (user=0x692f10 "rikkatest", passwd=0x693280 "") at pwlib.c:626
#8 0x0000000000411336 in verify (name=0x692f10 "rikkatest", passwd=0x693280 "", data=0x7ffc0a0fec10, recurse=1) at pwlib.c:160
#9 0x0000000000408fb9 in tac_login (data=0x7ffc0a0fec10, p=0x693280) at default_fn.c:294
#10 0x0000000000408c4e in default_fn (data=0x7ffc0a0fec10) at default_fn.c:167
#11 0x0000000000403856 in authenticate (datap=0x7ffc0a0fec10, typep=0x7ffc0a0feb80) at authen.c:329
#12 0x0000000000403329 in do_start (pak=0x692f50 "\300\001\001\001\203a&d") at authen.c:149
#13 0x0000000000403088 in authen (pak=0x692f50 "\300\001\001\001\203a&d") at authen.c:62
#14 0x0000000000414a70 in start_session () at tac_plus.c:767
#15 0x00000000004148bc in main (argc=8, argv=0x7ffc0a0ff308) at tac_plus.c:683
Some checking:
(gdb) print prpp
$1 = (struct pam_response **) 0x7ffc0a0fe710
(gdb) print i
$2 = 1
(gdb) print nmsg
$3 = 2
(gdb) print prpp[0]
$4 = (struct pam_response *) 0x6996a0
(gdb) print prpp[1]
$5 = (struct pam_response *) 0x5
(gdb) print prpp[0]->resp
$6 = 0x699660 "sdfsdf"
(gdb) print prpp[1]->resp
Cannot access memory at address 0x5
The scariest fact is that it does not matter what I type into the first and second factor prompts. The router always logs me in.
Can you think of anything here I can do to get this to work?
Best regards,
Richard
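The backtrace above stops at `prpp[i]->resp` with `i = 1` inside a PAM conversation callback that was called with `nmsg=2`. As an added example (not tac_plus code and not part of the original message), here is a conversation callback that answers several prompts in one call, following the Linux-PAM convention that the callback hands back one array of `nmsg` responses through `*resp`; the struct and constant definitions are local stand-ins for `<security/pam_appl.h>`, and `struct answers`, `free_replies` and `multi_prompt_conv` are hypothetical names.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-ins mirroring Linux-PAM's <security/pam_appl.h>, so this builds without libpam. */
struct pam_message  { int msg_style; const char *msg; };
struct pam_response { char *resp; int resp_retcode; };
enum { PAM_SUCCESS = 0, PAM_BUF_ERR = 5, PAM_CONV_ERR = 19 };
enum { PAM_PROMPT_ECHO_OFF = 1, PAM_PROMPT_ECHO_ON = 2 };

/* Hypothetical answer source: a NULL-terminated list standing in for the
 * replies a daemon would read from the client, one per prompt. */
struct answers { const char **next; };

static void free_replies(struct pam_response *r, int n) {
    for (int i = 0; i < n; i++) free(r[i].resp);
    free(r);
}

int multi_prompt_conv(int nmsg, const struct pam_message **msg,
                      struct pam_response **resp, void *appdata) {
    struct answers *a = appdata;
    if (nmsg <= 0 || !msg || !resp || !a) return PAM_CONV_ERR;
    /* One contiguous array of nmsg responses; the PAM module frees it later. */
    struct pam_response *r = calloc((size_t)nmsg, sizeof *r);
    if (!r) return PAM_BUF_ERR;
    for (int i = 0; i < nmsg; i++) {
        int style = msg[i]->msg_style;
        if (style != PAM_PROMPT_ECHO_OFF && style != PAM_PROMPT_ECHO_ON)
            continue;                 /* info/error text needs no reply */
        const char *ans = *a->next;
        char *copy = ans ? malloc(strlen(ans) + 1) : NULL;
        if (!copy) {                  /* no answer or no memory: fail closed */
            free_replies(r, nmsg);
            return PAM_CONV_ERR;
        }
        strcpy(copy, ans);
        a->next++;
        r[i].resp = copy;             /* slot i of the array, i.e. (*resp)[i] */
    }
    *resp = r;                        /* published only when every slot is filled */
    return PAM_SUCCESS;
}

int main(void) {                      /* constructed two-prompt exchange */
    const char *typed[] = { "constructed-password", "123456", NULL };
    struct answers a = { typed };
    struct pam_message m0 = { PAM_PROMPT_ECHO_OFF, "First Factor: " };
    struct pam_message m1 = { PAM_PROMPT_ECHO_OFF, "Second Factor: " };
    const struct pam_message *msgs[] = { &m0, &m1 };
    struct pam_response *out = NULL;
    int rc = multi_prompt_conv(2, msgs, &out, &a);
    if (rc == PAM_SUCCESS) { printf("%s / %s\n", out[0].resp, out[1].resp); free_replies(out, 2); }
    return rc;
}
```

Indexing the out-parameter as `resp[i]->resp` treats it as an array of pointers, which only holds for `i = 0`; with two prompts the second slot has to be reached as `(*resp)[1]`.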