UtrechtUniversity / davrods

An Apache WebDAV interface to iRODS
GNU Lesser General Public License v3.0

PAM auth not working since irods upgrade to 4.3.X #34

Open bzizou opened 5 months ago

bzizou commented 5 months ago

I upgraded my irods servers to 4.3.1, which are configured with PAM authentication, and then could no longer authenticate with webdav. I upgraded my docker-davrods container to 4.3.0_1.5.0, but with no success.

When trying to authenticate, the log of the container reports:

[Wed Mar 27 08:20:22.455920 2024] [davrods:warn] [pid 17] [client 172.17.0.1:45460] rcPamAuthRequest failed: -994000 = PAM_AUTH_PASSWORD_INVALID_TTL
[Wed Mar 27 08:20:22.463480 2024] [auth_basic:error] [pid 17] [client 172.17.0.1:45460] AH01617: user bzizou: authentication failure for "/davrods": Password Mismatch
172.17.0.1 - bzizou [27/Mar/2024:08:20:22 +0000] "GET /davrods HTTP/1.1" 401 381 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36"

I tried to change PAM to pam_password in /etc/httpd/irods/irods_environment.json (as this is a change from 4.2.x to 4.3.x), with no more success.

alanking commented 5 months ago

PAM_AUTH_PASSWORD_INVALID_TTL indicates that the TTL value being used by the client may be out of the configured range of acceptable values in the server. Can you confirm that the TTL being used by Davrods is in the accepted range of TTL values? See https://docs.irods.org/4.3.1/system_overview/configuration/#authentication-configuration for more details about the configuration if you aren't sure how to do this or what the values mean.

I'm happy to help answer any questions since I am the main culprit behind the TTL changes in 4.3.1... :)

bzizou commented 5 months ago

Thank you for this fast reply. Where do I configure the "TTL being used by Davrods"? I configured this, on the provider side:

{
    "plugin_configuration": {
        "authentication": {
            "pam": {
                "password_min_time": 7776000,
                "password_max_time": 31104000
            }
        }
    }
}

Which gives, in R_GRID_CONFIGURATION:

authentication | password_max_time        | 31104000
authentication | password_min_time        | 7776000

I made this configuration to get this wanted behavior: when the users do "iinit" without providing a ttl option, they are logged in for 90 days (7776000 seconds). If the user provides a ttl, it can be as large as 360 days (31104000 seconds).

But I don't understand why davrods complains and where do I have to configure something regarding the ttl...

bzizou commented 5 months ago

Actually, I think that Davrods internally generates a credential (as if it were using iinit) with a ttl that is probably below my minimal accepted value of 7776000 seconds. But I don't know how to change this and I hope that it's not hard-coded. The fact is that with irods 4.3.1, the password_min_time is not only a minimum, but it is the default value for the iinit command...

bzizou commented 5 months ago

I think that I get it. It's hard-coded... https://github.com/UtrechtUniversity/davrods/blob/2a3cb96643802fe3d80a648c44819b147465c689/src/config.c#L86

bzizou commented 5 months ago

The real problem is the iinit command using password_min_time as a default value which is generally too low (121s by default). I guess that irods 4.3.1 lacks a password_default_time auth configuration.

bzizou commented 5 months ago

Check! That's it. So, I did ICAT=# update r_grid_configuration set option_value=3600 where option_name='password_min_time'; and Davrods works again!

alanking commented 5 months ago

To clarify, the default TTL (that is, when a TTL of 0 is provided) is the configured password_min_time. The default password_min_time is 121 seconds. Also, I would recommend using iadmin set_grid_configuration rather than modifying the database directly for configuring these values. Just my two cents.

The problem in this case (at least as I see it) is that Davrods has a hard-coded TTL of 1 hour, which falls outside of the configured range of minimum and maximum TTL (3600 < 7776000). For your use case, Davrods would need to have a default TTL value of 0 like iinit in order to have similar behavior (that is, it falls back to the default value of password_min_time). Changing your password_min_time is a workaround that will break your "default" use case (that is, when no TTL is provided, it will now default to 1 hour rather than 90 days).

The notion of a default TTL value is interesting, but could lead to more tripping hazards (need to make sure default value is in range). I am still of the opinion that password_min_time is a reasonable default to use, but we can take up that discussion over in an issue in https://github.com/irods/irods, I imagine.
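Added example (not code from davrods or iRODS) that models the TTL acceptance rule described in the comment above: a requested TTL of 0 falls back to password_min_time, and any other value must lie within [password_min_time, password_max_time] or the server answers PAM_AUTH_PASSWORD_INVALID_TTL. The function names and the scenario table are assumptions; the numbers are the ones from this thread.

```python
"""Model of the iRODS 4.3.1 PAM TTL check as described in this issue.
This is an illustrative reconstruction, not iRODS or davrods code."""

PAM_AUTH_PASSWORD_INVALID_TTL = -994000   # error code seen in the davrods log
IRODS_DEFAULT_MIN_TIME = 121              # default password_min_time (seconds)
DAVRODS_TTL = 3600                        # TTL hard-coded in davrods (1 hour)


def resolve_ttl(requested_ttl, password_min_time, password_max_time):
    """Return (effective_ttl, error_code).

    0 means "no TTL given" and resolves to password_min_time (the 4.3.1
    default). Any other value is accepted only inside the configured range.
    """
    if requested_ttl == 0:
        return password_min_time, None
    if password_min_time <= requested_ttl <= password_max_time:
        return requested_ttl, None
    return None, PAM_AUTH_PASSWORD_INVALID_TTL


def compare_scenarios():
    """Contrast bzizou's original configuration with the workaround.

    For each grid configuration, report what davrods gets with its fixed
    1-hour TTL, and what an `iinit` without --ttl (TTL 0) gets.
    """
    scenarios = {
        # constructed from the values quoted in the thread
        "original (min=90d, max=360d)": (7776000, 31104000),
        "workaround (min=1h, max=360d)": (3600, 31104000),
        "irods default (min=121s, max=360d)": (IRODS_DEFAULT_MIN_TIME, 31104000),
    }
    report = {}
    for name, (min_t, max_t) in scenarios.items():
        davrods_ttl, davrods_err = resolve_ttl(DAVRODS_TTL, min_t, max_t)
        iinit_ttl, _ = resolve_ttl(0, min_t, max_t)
        report[name] = {
            "davrods_ok": davrods_err is None,
            "davrods_ttl": davrods_ttl,
            "iinit_default_ttl": iinit_ttl,
        }
    return report


if __name__ == "__main__":
    for name, outcome in compare_scenarios().items():
        print(f"{name}: {outcome}")
```

Under the original configuration davrods is rejected while a plain `iinit` gets 90 days; under the workaround davrods succeeds but the `iinit` default shrinks to one hour, which is the trade-off described above.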

luijs commented 3 months ago

I think it is both: there should be a password_default_time, and in davrods the ttl should be configured to use the password_min_time instead of being hardcoded.