Yubico / yubico-pam

Yubico Pluggable Authentication Module (PAM)
https://developers.yubico.com/yubico-pam
BSD 2-Clause "Simplified" License

pam_yubico 2.27: 'make test check' fails, ykclient return value (109): Error performing curl #202

Status: Closed (agn-ceg closed 4 years ago)

agn-ceg commented 5 years ago

Hi, I was trying to install pam_yubico on Arch Linux 5.3.7-arch1-2-ARCH and encountered problems with make check install when I tried to build it. I have also tried to install the AUR package with makepkg and it too fails in a similar way. It seems that it is pam_test that fails. This is similar to https://github.com/Yubico/yubico-pam/issues/64 but as far as I can see it is not obvious that iptables is involved in my case. If anyone has a clue on how to deal with this I would be very grateful.

pam_yubico 2.27: tests/test-suite.log

.. contents:: :depth: 2

FAIL: pam_test

and from pam_test.log:

debug: pam_yubico.c:1233 (pam_sm_authenticate): OTP: vvincredibletrerdegkkrkkneieultcjdghrejjbckh ID: vvincredible
debug: pam_yubico.c:1234 (pam_sm_authenticate): Token is associated to the user. Validating the OTP...
debug: pam_yubico.c:1236 (pam_sm_authenticate): ykclient return value (109): Error performing curl
debug: pam_yubico.c:1237 (pam_sm_authenticate): ykclient URL used: 
debug: pam_yubico.c:1305 (pam_sm_authenticate): done. [error]
killed 56024, 56025 and 56026
FAIL pam_test (exit status: 1)

Thanks, agc

eworm-de commented 4 years ago

I see the same when rebuilding the official Arch package.

klali commented 4 years ago

Can you attach the full pam_test.log?

eworm-de commented 4 years ago

Sure, here we go:

YKVAL mockup started on 30559 at ./aux/ykval.pl line 52.
YKVAL mockup started on 17502 at ./aux/ykval.pl line 52.
LDAP mockup started at ./aux/ldap.pl line 101, <DATA> line 755.
in pam_get_user()
in pam_get_item() 5 for 0
in conv_func()
validation for vvincredibletrerdegkkrkkneieultcjdghrejjbckh (on port 17502) at ./aux/ykval.pl line 62, <GEN1> line 1.
in pam_strerror()
in pam_set_data() yubico_setcred_return
test 1 failed!
debug: pam_yubico.c:905 (parse_cfg): called.
debug: pam_yubico.c:906 (parse_cfg): flags 0 argc 4
debug: pam_yubico.c:908 (parse_cfg): argv[0]=id=1
debug: pam_yubico.c:908 (parse_cfg): argv[1]=url=http://localhost:17502/wsapi/2/verify?id=%d&otp=%s
debug: pam_yubico.c:908 (parse_cfg): argv[2]=authfile=./aux/authfile
debug: pam_yubico.c:908 (parse_cfg): argv[3]=debug
debug: pam_yubico.c:909 (parse_cfg): id=1
debug: pam_yubico.c:910 (parse_cfg): key=(null)
debug: pam_yubico.c:911 (parse_cfg): debug=1
debug: pam_yubico.c:912 (parse_cfg): debug_file=1
debug: pam_yubico.c:913 (parse_cfg): alwaysok=0
debug: pam_yubico.c:914 (parse_cfg): verbose_otp=0
debug: pam_yubico.c:915 (parse_cfg): try_first_pass=0
debug: pam_yubico.c:916 (parse_cfg): use_first_pass=0
debug: pam_yubico.c:917 (parse_cfg): always_prompt=0
debug: pam_yubico.c:918 (parse_cfg): nullok=0
debug: pam_yubico.c:919 (parse_cfg): ldap_starttls=0
debug: pam_yubico.c:920 (parse_cfg): ldap_bind_as_user=0
debug: pam_yubico.c:921 (parse_cfg): authfile=./aux/authfile
debug: pam_yubico.c:922 (parse_cfg): ldapserver=(null)
debug: pam_yubico.c:923 (parse_cfg): ldap_uri=(null)
debug: pam_yubico.c:924 (parse_cfg): ldap_bind_user=(null)
debug: pam_yubico.c:925 (parse_cfg): ldap_bind_password=(null)
debug: pam_yubico.c:926 (parse_cfg): ldap_filter=(null)
debug: pam_yubico.c:927 (parse_cfg): ldap_cacertfile=(null)
debug: pam_yubico.c:928 (parse_cfg): ldapdn=(null)
debug: pam_yubico.c:929 (parse_cfg): ldap_clientcertfile=(null)
debug: pam_yubico.c:930 (parse_cfg): ldap_clientkeyfile=(null)
debug: pam_yubico.c:931 (parse_cfg): user_attr=(null)
debug: pam_yubico.c:932 (parse_cfg): yubi_attr=(null)
debug: pam_yubico.c:933 (parse_cfg): yubi_attr_prefix=(null)
debug: pam_yubico.c:934 (parse_cfg): url=http://localhost:17502/wsapi/2/verify?id=%d&otp=%s
debug: pam_yubico.c:935 (parse_cfg): urllist=(null)
debug: pam_yubico.c:936 (parse_cfg): capath=(null)
debug: pam_yubico.c:937 (parse_cfg): cainfo=(null)
debug: pam_yubico.c:938 (parse_cfg): proxy=(null)
debug: pam_yubico.c:939 (parse_cfg): token_id_length=12
debug: pam_yubico.c:940 (parse_cfg): mode=client
debug: pam_yubico.c:941 (parse_cfg): chalresp_path=(null)
debug: pam_yubico.c:977 (pam_sm_authenticate): pam_yubico version: 2.27
debug: pam_yubico.c:992 (pam_sm_authenticate): get user returned: foo
debug: pam_yubico.c:173 (authorize_user_token): Using system-wide auth_file ./aux/authfile
debug: util.c:163 (check_user_token): Authorization line: foo:vvincredible
debug: util.c:168 (check_user_token): Matched user: foo
debug: util.c:174 (check_user_token): Authorization token: vvincredible
debug: util.c:174 (check_user_token): Authorization token: (null)
debug: util.c:163 (check_user_token): Authorization line: test:cccccccfhcbe:ccccccbchvth:
debug: pam_yubico.c:1114 (pam_sm_authenticate): Tokens found for user
debug: pam_yubico.c:1177 (pam_sm_authenticate): conv returned 44 bytes
debug: pam_yubico.c:1191 (pam_sm_authenticate): Skipping first 0 bytes. Length is 44, token_id set to 12 and token OTP always 32.
debug: pam_yubico.c:173 (authorize_user_token): Using system-wide auth_file ./aux/authfile
debug: util.c:163 (check_user_token): Authorization line: foo:vvincredible
debug: util.c:168 (check_user_token): Matched user: foo
debug: util.c:174 (check_user_token): Authorization token: vvincredible
debug: util.c:178 (check_user_token): Match user/token as foo/vvincredible
debug: pam_yubico.c:1233 (pam_sm_authenticate): OTP: vvincredibletrerdegkkrkkneieultcjdghrejjbckh ID: vvincredible 
debug: pam_yubico.c:1234 (pam_sm_authenticate): Token is associated to the user. Validating the OTP...
debug: pam_yubico.c:1236 (pam_sm_authenticate): ykclient return value (109): Error performing curl
debug: pam_yubico.c:1237 (pam_sm_authenticate): ykclient URL used: 
debug: pam_yubico.c:1305 (pam_sm_authenticate): done. [error]
killed 3087, 3088 and 3089
FAIL pam_test (exit status: 1)

If you are interested I can give ssh access to an affected machine, just ping me via mail.

klali commented 4 years ago

Poking a bit at this, I can reproduce it in a VM. Adding curl verbose, it finally reports "Received HTTP/0.9 when not allowed". I guess the HTTP server in tests/aux/ykval.pl will need to speak a bit more of HTTP.
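The failure mode described in the comment above, as an added example that is not part of the thread or of the yubico-pam test suite: a strict HTTP/1.x client (Python's http.client here, standing in for curl) rejects a reply that has no status line, while the same body framed with a status line and headers parses. The helper names and the sample body are assumptions; what tests/aux/ykval.pl actually sent is not shown on this page.

```python
import http.client
import io

class _Replay:
    """Socket stand-in that replays captured bytes to http.client."""
    def __init__(self, raw):
        self._raw = raw
    def makefile(self, *args, **kwargs):
        return io.BytesIO(self._raw)

def strict_parse(raw):
    """Parse a reply as a strict HTTP/1.x client; returns (status, body).
    Raises http.client.BadStatusLine when no status line is present."""
    resp = http.client.HTTPResponse(_Replay(raw))
    resp.begin()
    return resp.status, resp.read().decode("ascii")

def http11_reply(body):
    """Frame a validation body as a complete HTTP/1.1 response."""
    payload = body.encode("ascii")
    head = (
        "HTTP/1.1 200 OK\r\n"
        "Content-Type: text/plain\r\n"
        f"Content-Length: {len(payload)}\r\n"
        "Connection: close\r\n"
        "\r\n"
    )
    return head.encode("ascii") + payload

def validation_status(body):
    """Extract the status= field from a key=value validation body."""
    fields = dict(l.split("=", 1) for l in body.splitlines() if "=" in l)
    return fields.get("status", "")

# Constructed sample body; only the OTP value is taken from the log above.
SAMPLE_BODY = "otp=vvincredibletrerdegkkrkkneieultcjdghrejjbckh\r\nstatus=OK\r\n"

def classify(raw):
    """Report how a strict client sees the raw bytes a server sent."""
    try:
        code, body = strict_parse(raw)
    except http.client.BadStatusLine:
        return "rejected: no HTTP status line (HTTP/0.9-style reply)"
    return f"{code} {validation_status(body)}"

if __name__ == "__main__":
    print(classify(SAMPLE_BODY.encode("ascii")))  # bare body, no headers
    print(classify(http11_reply(SAMPLE_BODY)))    # framed HTTP/1.1 reply
```

A mock validation server that writes only the body falls into the first case, so the client fails before it ever looks at the status= field.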

klali commented 4 years ago

I've just pushed a branch with a potential fix for this, please try it?

agn-ceg commented 4 years ago

I tested the fix and it seems to pass the tests now:

$ sudo make check install
Making check in .
make[1]: Entering directory '/home/antti/Downloads/Linux/test/yubico-pam'
CC ykpamcfg.o
CC util.lo
util.c: In function ‘filter_result_len’:
util.c:575:11: warning: ‘strncpy’ specified bound depends on the length of the source argument [-Wstringop-overflow=]
  575 | strncpy(output, filter, len);
      | ^~~~~~~~
util.c:572:15: note: length computed here
  572 | len = strlen(filter);
      | ^~~~~~
util.c:584:15: warning: ‘strncpy’ specified bound depends on the length of the source argument [-Wstringop-overflow=]
  584 | strncpy(output, user, strlen(user));
      | ^~~~~~~~~~~
CCLD libpam_util.la
CCLD ykpamcfg
CC drop_privs.lo
CC pam_yubico.lo
CCLD libpam_real.la
CCLD pam_yubico.la
/bin/sh /home/antti/Downloads/Linux/test/yubico-pam/build-aux/missing a2x -L --format=manpage -a revdate="Version 2.27" ykpamcfg.1.txt
/bin/sh /home/antti/Downloads/Linux/test/yubico-pam/build-aux/missing a2x -L --format=manpage -a revdate="Version 2.27" pam_yubico.8.txt
make[1]: Leaving directory '/home/antti/Downloads/Linux/test/yubico-pam'
Making check in tests
make[1]: Entering directory '/home/antti/Downloads/Linux/test/yubico-pam/tests'
make util_test pam_test
make[2]: Entering directory '/home/antti/Downloads/Linux/test/yubico-pam/tests'
CC util_test.o
CCLD util_test
CC pam_test-pam_test.o
CCLD pam_test
make[2]: Leaving directory '/home/antti/Downloads/Linux/test/yubico-pam/tests'
make check-TESTS
make[2]: Entering directory '/home/antti/Downloads/Linux/test/yubico-pam/tests'
make[3]: Entering directory '/home/antti/Downloads/Linux/test/yubico-pam/tests'
PASS: util_test
PASS: pam_test

Testsuite summary for pam_yubico 2.27

TOTAL: 2

PASS: 2

SKIP: 0

XFAIL: 0

FAIL: 0

XPASS: 0

ERROR: 0

============================================================================
make[3]: Leaving directory '/home/antti/Downloads/Linux/test/yubico-pam/tests'
make[2]: Leaving directory '/home/antti/Downloads/Linux/test/yubico-pam/tests'
make[1]: Leaving directory '/home/antti/Downloads/Linux/test/yubico-pam/tests'
Making install in .
make[1]: Entering directory '/home/antti/Downloads/Linux/test/yubico-pam'
make[2]: Entering directory '/home/antti/Downloads/Linux/test/yubico-pam'
/usr/bin/mkdir -p '/usr/local/lib/security'
/bin/sh ./libtool --mode=install /usr/bin/install -c pam_yubico.la '/usr/local/lib/security'
libtool: install: /usr/bin/install -c .libs/pam_yubico.so /usr/local/lib/security/pam_yubico.so
libtool: install: /usr/bin/install -c .libs/pam_yubico.lai /usr/local/lib/security/pam_yubico.la
libtool: finish: PATH="/usr/local/sbin:/usr/local/bin:/usr/bin:/opt/android-sdk/tools:/opt/android-sdk/tools/bin:/usr/lib/jvm/default/bin:/usr/bin/site_perl:/usr/bin/vendor_perl:/usr/bin/core_perl:/sbin" ldconfig -n /usr/local/lib/security

Libraries have been installed in: /usr/local/lib/security

If you ever happen to want to link against installed libraries in a given directory, LIBDIR, you must either use libtool, and specify the full pathname of the library, or use the '-LLIBDIR' flag during linking and do at least one of the following:

See any operating system documentation about shared libraries for more information, such as the ld(1) and ld.so(8) manual pages.

/usr/bin/mkdir -p '/usr/local/bin'
/bin/sh ./libtool --mode=install /usr/bin/install -c ykpamcfg '/usr/local/bin'
libtool: install: /usr/bin/install -c ykpamcfg /usr/local/bin/ykpamcfg
/usr/bin/mkdir -p '/usr/local/share/man/man1'
/usr/bin/install -c -m 644 ykpamcfg.1 '/usr/local/share/man/man1'
/usr/bin/mkdir -p '/usr/local/share/man/man8'
/usr/bin/install -c -m 644 pam_yubico.8 '/usr/local/share/man/man8'
make[2]: Leaving directory '/home/antti/Downloads/Linux/test/yubico-pam'
make[1]: Leaving directory '/home/antti/Downloads/Linux/test/yubico-pam'
Making install in tests
make[1]: Entering directory '/home/antti/Downloads/Linux/test/yubico-pam/tests'
make[2]: Entering directory '/home/antti/Downloads/Linux/test/yubico-pam/tests'
make[2]: Nothing to be done for 'install-exec-am'.
make[2]: Nothing to be done for 'install-data-am'.
make[2]: Leaving directory '/home/antti/Downloads/Linux/test/yubico-pam/tests'
make[1]: Leaving directory '/home/antti/Downloads/Linux/test/yubico-pam/tests'
$

eworm-de commented 4 years ago

Both tests pass with 7926f8dd41c007cbe19751d4ecfd0618dd937962. Thanks a lot!