FreeRADIUS / pam_radius

This is the PAM to RADIUS authentication module. It allows any Linux, OSX or Solaris machine to become a RADIUS client for authentication and password change requests.
GNU General Public License v2.0

PAM authentication thread crash when using built module to disable IPV6 #83

Closed repl-mike-roest closed 3 months ago

repl-mike-roest commented 9 months ago

We've been using pam_radius for a long time on Ubuntu 18.04 with no problems. Due to 18.04 being EOL we're working on upgrading to 22.04. 22.04 includes pam_radius 2.0.0. Due to CIS benchmarks we have ipv6 disabled on our machines and so originally we hit the issue described here: https://github.com/FreeRADIUS/freeradius-server/issues/4397

Using the suggestion from @alandekok in https://github.com/FreeRADIUS/freeradius-server/issues/4397#issuecomment-1458869392 I pulled down the current master of pam_radius 77da6f50 and built the debian package locally. Now we're getting past the IPV6 issue, but I'm hitting the following error (this happens on a machine with IPV6 enabled or disabled):

Nov 20 18:31:53 ip-10-30-56-22 sshd[7620]: pam_radius_auth: 2.0.1 (git #77da6f50), built on Nov  2 2021 at 14:37:12
Nov 20 18:31:53 ip-10-30-56-22 sshd[7620]: pam_radius_auth: DEBUG: conf='/etc/pam_radius_auth.conf' use_first_pass=no try_first_pass=no skip_passwd=no retry=0 localifdown=no client_id='' accounting_bug=no ruser=no prompt='Password: ' force_prompt=no prompt_attribute=no max_challenge=0 privilege_level=no
Nov 20 18:31:53 ip-10-30-56-22 sshd[7620]: pam_radius_auth: Got user name: 'mike.roest'
Nov 20 18:31:53 ip-10-30-56-22 sshd[7620]: pam_radius_auth: ignore last_pass, force_prompt set
Nov 20 18:31:53 ip-10-30-56-22 sshd[7618]: fatal: PAM: authentication thread exited unexpectedly

On the same machine with IPV6 enabled, if I use the Ubuntu-included 2.0.0, the authentication works as expected:

Nov 20 18:41:41 ip-10-30-56-22 sshd[8025]: pam_radius_auth: unrecognized option 'ipv6=no'
Nov 20 18:41:41 ip-10-30-56-22 sshd[8025]: pam_radius_auth: Got user name mike.roest
Nov 20 18:41:41 ip-10-30-56-22 sshd[8025]: pam_radius_auth: ignore last_pass, force_prompt set
Nov 20 18:41:45 ip-10-30-56-22 sshd[8025]: pam_radius_auth: Sending RADIUS request code 1
Nov 20 18:41:45 ip-10-30-56-22 sshd[8025]: pam_radius_auth: DEBUG: get_ipaddr(10.30.0.237) returned 0.
Nov 20 18:41:45 ip-10-30-56-22 sshd[8025]: pam_radius_auth: Got RADIUS response code 11
Nov 20 18:41:46 ip-10-30-56-22 sshd[8025]: pam_radius_auth: DEBUG: get_ipaddr(10.30.0.237) returned 0.
Nov 20 18:41:46 ip-10-30-56-22 sshd[8025]: pam_radius_auth: Got response to challenge code 11
Nov 20 18:41:49 ip-10-30-56-22 sshd[8025]: pam_radius_auth: DEBUG: get_ipaddr(10.30.0.237) returned 0.
Nov 20 18:41:49 ip-10-30-56-22 sshd[8025]: pam_radius_auth: Got response to challenge code 2
Nov 20 18:41:49 ip-10-30-56-22 sshd[8025]: pam_radius_auth: authentication succeeded
Nov 20 18:41:49 ip-10-30-56-22 sshd[8023]: Accepted keyboard-interactive/pam for mike.roest from 10.190.77.16 port 61022 ssh2
Nov 20 18:41:49 ip-10-30-56-22 sshd[8023]: pam_unix(sshd:session): session opened for user mike.roest(uid=1015) by (uid=0)

Next I've checked out the commit 8d373539 where the support was originally added, and again I can successfully authenticate:

Nov 20 18:45:42 ip-10-30-56-22 sshd[9778]: pam_radius_auth: 2.0.1 (git #8d373539), built on Nov  2 2021 at 14:37:12
Nov 20 18:45:42 ip-10-30-56-22 sshd[9778]: pam_radius_auth: DEBUG: conf='/etc/pam_radius_auth.conf' use_first_pass=no try_first_pass=no skip_passwd=no retry=0 localifdown=no client_id='' accounting_bug=no ruser=no prompt='Password: ' force_prompt=no prompt_attribute=no max_challenge=0 privilege_level=no
Nov 20 18:45:42 ip-10-30-56-22 sshd[9778]: pam_radius_auth: Got user name: 'mike.roest'
Nov 20 18:45:42 ip-10-30-56-22 sshd[9778]: pam_radius_auth: ignore last_pass, force_prompt set
Nov 20 18:45:46 ip-10-30-56-22 sshd[9778]: pam_radius_auth: Sending RADIUS request code 1 (Access-Request)
Nov 20 18:45:46 ip-10-30-56-22 sshd[9778]: pam_radius_auth: DEBUG: get_ipaddr(10.30.0.237) returned 0.
Nov 20 18:45:46 ip-10-30-56-22 sshd[9778]: pam_radius_auth: Got RADIUS response code 11 (Access-Challenge)
Nov 20 18:45:48 ip-10-30-56-22 sshd[9778]: pam_radius_auth: DEBUG: get_ipaddr(10.30.0.237) returned 0.
Nov 20 18:45:48 ip-10-30-56-22 sshd[9778]: pam_radius_auth: Got response to challenge code 11
Nov 20 18:45:51 ip-10-30-56-22 sshd[9778]: pam_radius_auth: DEBUG: get_ipaddr(10.30.0.237) returned 0.
Nov 20 18:45:51 ip-10-30-56-22 sshd[9778]: pam_radius_auth: Got response to challenge code 2
Nov 20 18:45:51 ip-10-30-56-22 sshd[9778]: pam_radius_auth: authentication succeeded
Nov 20 18:45:51 ip-10-30-56-22 sshd[9776]: Accepted keyboard-interactive/pam for mike.roest from 10.190.77.16 port 61202 ssh2
Nov 20 18:45:51 ip-10-30-56-22 sshd[9776]: pam_unix(sshd:session): session opened for user mike.roest(uid=1015) by (uid=0)

So it seems like somewhere between 8d373539 and 77da6f50 there was a crasher introduced. I'm going to move forward using the module built from 8d373539 but I thought I would report the issue.
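An added example, not part of the original report or of pam_radius itself: a Python log check that tells apart the two sshd log patterns shown in the report above, a session that ends in `authentication succeeded` and one where the module never logs `Sending RADIUS request` before sshd reports the fatal PAM thread exit. The sample lines are abridged from the logs in this report; the 5-second correlation window and the verdict names are assumptions.

```python
import re
from datetime import datetime, timedelta

# Syslog line shape: "Nov 20 18:31:53 host sshd[7620]: message"
LINE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\S+) sshd\[(\d+)\]: (.*)$")
FATAL = "fatal: PAM: authentication thread exited unexpectedly"
PREFIX = "pam_radius_auth: "

# Sample input, abridged from the log excerpts in the report above.
SAMPLE = """\
Nov 20 18:31:53 ip-10-30-56-22 sshd[7620]: pam_radius_auth: Got user name: 'mike.roest'
Nov 20 18:31:53 ip-10-30-56-22 sshd[7620]: pam_radius_auth: ignore last_pass, force_prompt set
Nov 20 18:31:53 ip-10-30-56-22 sshd[7618]: fatal: PAM: authentication thread exited unexpectedly
Nov 20 18:45:42 ip-10-30-56-22 sshd[9778]: pam_radius_auth: Got user name: 'mike.roest'
Nov 20 18:45:46 ip-10-30-56-22 sshd[9778]: pam_radius_auth: Sending RADIUS request code 1 (Access-Request)
Nov 20 18:45:51 ip-10-30-56-22 sshd[9778]: pam_radius_auth: authentication succeeded
Nov 20 18:45:51 ip-10-30-56-22 sshd[9776]: Accepted keyboard-interactive/pam for mike.roest from 10.190.77.16 port 61202 ssh2
""".splitlines()

def parse(lines):
    """Yield (timestamp, host, pid, message) for each sshd syslog line."""
    for line in lines:
        m = LINE.match(line)
        if m:
            # Syslog omits the year; a fixed one is enough for time deltas.
            ts = datetime.strptime("2000 " + m.group(1), "%Y %b %d %H:%M:%S")
            yield ts, m.group(2), int(m.group(3)), m.group(4)

def classify(lines, window=timedelta(seconds=5)):
    """Return {pid: verdict} for every pam_radius_auth session seen."""
    sessions, fatals = {}, []
    for ts, host, pid, msg in parse(lines):
        if msg == FATAL:
            # Logged by the parent sshd, so its PID differs from the session's.
            fatals.append((ts, host))
        elif msg.startswith(PREFIX):
            s = sessions.setdefault(pid, {"host": host, "sent": False, "ok": False})
            s["last"] = ts
            s["sent"] |= msg[len(PREFIX):].startswith("Sending RADIUS request")
            s["ok"] |= msg[len(PREFIX):] == "authentication succeeded"
    verdicts = {}
    for pid, s in sessions.items():
        near = any(h == s["host"] and timedelta(0) <= t - s["last"] <= window
                   for t, h in fatals)
        if s["ok"]:
            verdicts[pid] = "succeeded"
        else:
            verdicts[pid] = "crashed-before-request" if near and not s["sent"] else "other"
    return verdicts
```

Running `classify` over the auth log after swapping module builds shows quickly whether any session still dies before the Access-Request is sent.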

stevenmoto commented 3 months ago

Confirming same issue as @repl-mike-roest. Will need to use https://github.com/FreeRADIUS/pam_radius/commit/8d373539bb9f13b0abfe8bcae0095a930a00fad0 in a strict ipv4 environment.

alandekok commented 3 months ago

I believe this is fixed in the latest version. Can you please try again?

stevenmoto commented 3 months ago

Hi @alandekok

Building with latest code, I was able to use auth sufficient pam_radius_auth.so ipv6=no. No thread crash, and was able to use radius server as 2FA check.

Thanks! I think this issue is closed.