cockpit-project / cockpit

Cockpit is a web-based graphical interface for servers.
http://www.cockpit-project.org/
GNU Lesser General Public License v2.1

unable to elevate to administrative access when fingerprint auth is enabled #14695

Open giorgiopiatti opened 3 years ago

giorgiopiatti commented 3 years ago

Cockpit version: 228 OS: Fedora 32

Hello

When I enable the option to authenticate by fingerprint in the OS, I can no longer elevate my access to administrative mode. Steps to reproduce the issue:

  1. Enable fingerprint auth
  2. Login web console
  3. click "turn on administrative access"
  4. click "authenticate"

Following the above steps, I get "protocol-error".

If I instead disable fingerprint authentication and follow the same steps as above, I can successfully authenticate by providing my user password.

Oct 03 21:44:27 carbon systemd[1]: Started Cockpit Web Service http-redirect instance.
Oct 03 21:44:27 carbon audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=cockpit-wsinstance-http-redirect comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? termina>
Oct 03 21:44:28 carbon audit[14271]: USER_AUTH pid=14271 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:cockpit_session_t:s0 msg='op=PAM:authentication grantors=pam_usertype,pam_localuser,pam_unix acct="gio" exe="/usr/libexe>
Oct 03 21:44:28 carbon audit[14271]: USER_ACCT pid=14271 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:cockpit_session_t:s0 msg='op=PAM:accounting grantors=pam_unix,pam_localuser acct="gio" exe="/usr/libexec/cockpit-session>
Oct 03 21:44:28 carbon audit[14271]: CRED_ACQ pid=14271 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:cockpit_session_t:s0 msg='op=PAM:setcred grantors=pam_localuser,pam_unix acct="gio" exe="/usr/libexec/cockpit-session" ho>
Oct 03 21:44:28 carbon audit[14271]: USER_ROLE_CHANGE pid=14271 uid=0 auid=1000 ses=6 subj=system_u:system_r:cockpit_session_t:s0 msg='pam: default-context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 selected-context=unconfined>
Oct 03 21:44:28 carbon cockpit-session[14271]: pam_ssh_add: Failed adding some keys
Oct 03 21:44:28 carbon systemd-logind[1555]: New session 6 of user gio.
Oct 03 21:44:28 carbon systemd[1]: Started Session 6 of user gio.
Oct 03 21:44:28 carbon cockpit-session[14271]: pam_unix(cockpit:session): session opened for user gio by (uid=0)
Oct 03 21:44:28 carbon audit[14271]: USER_START pid=14271 uid=0 auid=1000 ses=6 subj=system_u:system_r:cockpit_session_t:s0 msg='op=PAM:session_open grantors=pam_selinux,pam_loginuid,pam_selinux,pam_keyinit,pam_ssh_add,pam_keyinit,pam_li>
Oct 03 21:44:28 carbon audit[14271]: CRED_REFR pid=14271 uid=0 auid=1000 ses=6 subj=system_u:system_r:cockpit_session_t:s0 msg='op=PAM:setcred grantors=pam_localuser,pam_unix acct="gio" exe="/usr/libexec/cockpit-session" hostname=? addr=>
Oct 03 21:44:28 carbon polkitd[1525]: Registered Authentication Agent for unix-session:6 (system bus name :1.276 [cockpit-bridge], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale C.UTF-8)
Oct 03 21:44:28 carbon audit: BPF prog-id=65 op=LOAD
Oct 03 21:44:28 carbon audit: BPF prog-id=66 op=LOAD
Oct 03 21:44:28 carbon systemd[1]: Starting Hostname Service...
Oct 03 21:44:28 carbon audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-hostnamed comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Oct 03 21:44:28 carbon systemd[1]: Started Hostname Service.
Oct 03 21:44:28 carbon audit[14330]: USER_CMD pid=14330 uid=1000 auid=1000 ses=6 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='cwd="/run/user/1000" cmd="validate" exe="/usr/bin/sudo" terminal=? res=failed'
Oct 03 21:44:28 carbon sudo[14330]:      gio : a password is required ; TTY=unknown ; PWD=/run/user/1000 ; USER=root ; COMMAND=validate
Oct 03 21:44:28 carbon systemd[1]: Starting Realm and Domain Configuration...
Oct 03 21:44:28 carbon systemd[1]: Starting Time & Date Service...
Oct 03 21:44:28 carbon audit: BPF prog-id=67 op=LOAD
Oct 03 21:44:28 carbon audit: BPF prog-id=68 op=LOAD
Oct 03 21:44:28 carbon audit: BPF prog-id=69 op=LOAD
Oct 03 21:44:28 carbon realmd[14336]: Loaded settings from: /usr/lib/realmd/realmd-defaults.conf /usr/lib/realmd/realmd-distro.conf
Oct 03 21:44:28 carbon realmd[14336]: holding daemon: startup
Oct 03 21:44:28 carbon realmd[14336]: starting service
Oct 03 21:44:28 carbon realmd[14336]: connected to bus
Oct 03 21:44:28 carbon realmd[14336]: GLib-GIO: _g_io_module_get_default: Found default implementation local (GLocalVfs) for ‘gio-vfs’
Oct 03 21:44:28 carbon realmd[14336]: released daemon: startup
Oct 03 21:44:28 carbon audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=realmd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Oct 03 21:44:28 carbon systemd[1]: Started Realm and Domain Configuration.
Oct 03 21:44:28 carbon realmd[14336]: claimed name on bus: org.freedesktop.realmd
Oct 03 21:44:28 carbon realmd[14336]: client using service: :1.279
Oct 03 21:44:28 carbon realmd[14336]: holding daemon: :1.279
Oct 03 21:44:28 carbon systemd[1]: Started Time & Date Service.
Oct 03 21:44:28 carbon audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-timedated comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Oct 03 21:44:32 carbon audit[14353]: USER_CMD pid=14353 uid=1000 auid=1000 ses=6 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='cwd="/run/user/1000" cmd="validate" exe="/usr/bin/sudo" terminal=? res=failed'
Oct 03 21:44:32 carbon sudo[14353]:      gio : a password is required ; TTY=unknown ; PWD=/run/user/1000 ; USER=root ; COMMAND=validate
Oct 03 21:44:32 carbon kernel: usb 1-9: reset full-speed USB device number 3 using xhci_hcd
Oct 03 21:44:42 carbon gnome-keyring-daemon[4830]: asked to register item /org/freedesktop/secrets/collection/Default_5fkeyring/1, but it's already registered
Oct 03 21:44:42 carbon gnome-keyring-daemon[4830]: asked to register item /org/freedesktop/secrets/collection/Default_5fkeyring/1, but it's already registered
Oct 03 21:44:42 carbon cockpit-bridge[14282]: /usr/bin/sudo: incorrect protocol: received invalid length prefix
Oct 03 21:44:42 carbon cockpit-askpass[14358]: couldn't write authorize message: Broken pipe
Oct 03 21:44:42 carbon cockpit-ws[14354]: sudo: no password was provided
Oct 03 21:44:42 carbon sudo[14354]: pam_unix(sudo:auth): conversation failed
Oct 03 21:44:42 carbon sudo[14354]: pam_unix(sudo:auth): auth could not identify password for [gio]
Oct 03 21:44:42 carbon audit[14354]: USER_AUTH pid=14354 uid=1000 auid=1000 ses=6 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:authentication grantors=? acct="gio" exe="/usr/bin/sudo" hostname=? addr=? terminal=>
Oct 03 21:44:44 carbon audit[14354]: USER_CMD pid=14354 uid=1000 auid=1000 ses=6 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='cwd="/run/user/1000" cmd=636F636B7069742D627269646765202D2D70726976696C65676564 exe="/usr/bi>
marusak commented 3 years ago

@mvollmer can you please take a look?

mvollmer commented 3 years ago
1. Enable fingerprint auth

How do you do that exactly?

mvollmer commented 3 years ago

Oct 03 21:44:42 carbon cockpit-bridge[14282]: /usr/bin/sudo: incorrect protocol: received invalid length prefix

This means something unexpected has been inserted into stdout of sudo.

mvollmer commented 3 years ago
1. Enable fingerprint auth

How do you do that exactly?

I could reproduce this bug with a laptop that has a fingerprint reader. I used GNOME Settings to add a fingerprint to my account on that laptop, and after that, Cockpit can't successfully run sudo anymore, with exactly the errors and journal entries that you report above.

I think there are two problems:

I'll investigate both a bit, with priority on the latter.

mvollmer commented 3 years ago

Sudo asks for a fingerprint even for remote sessions, such as when logging in via SSH.

https://bugs.launchpad.net/ubuntu/+source/libfprint/+bug/776779, open since 2011...

mvollmer commented 3 years ago
  • Cockpit trips over some unexpected output.

This is actually the expected "Swipe your finger across the fingerprint reader" message and the "Verification timed out" error, which I would have expected to go to stderr... hmm. But we are getting closer.

mvollmer commented 3 years ago

This is actually the expected "Swipe your finger across the fingerprint reader" message and the "Verification timed out" error, which I would have expected to go to stderr...

Ok, sudo normally writes PAM messages to /dev/tty, but if it doesn't have a controlling terminal, it writes to stdout.

One option is for Cockpit to just ignore junk that comes before the first protocol message. Another is to give sudo a controlling tty.
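To make the failure mode concrete, here is an added example (not Cockpit's own code, and not posted by anyone in this thread). It assumes Cockpit's framing of "decimal payload length, newline, payload" on the pipe from sudo, and it constructs a sample stdout stream in which the PAM conversation text sudo emits without a controlling tty lands in front of the first frame. A strict reader rejects that stream with the same error the journal shows; a reader implementing the first option above (skip everything before the first well-formed frame) recovers the frames, and a third case shows where that option is ambiguous.

```python
import re

class ProtocolError(Exception):
    """Raised when the byte stream is not a sequence of length-prefixed frames."""

# Assumed framing: decimal payload length, a newline, then that many bytes.
LENGTH_PREFIX = re.compile(rb"([0-9]{1,9})\n")

# Constructed sample: what the bridge would read from sudo's stdout when sudo
# has no controlling tty, so PAM conversation text lands in front of the frames.
FRAME_1 = b'{"command":"init","version":1}'
FRAME_2 = b'{"command":"open","channel":"a"}'
PAM_PREAMBLE = (b"Swipe your finger across the fingerprint reader\n"
                b"Verification timed out\n")

def frame(payload: bytes) -> bytes:
    """Wrap a payload in the assumed length-prefixed framing."""
    return str(len(payload)).encode() + b"\n" + payload

SAMPLE_STDOUT = PAM_PREAMBLE + frame(FRAME_1) + frame(FRAME_2)

def parse_strict(data: bytes) -> list:
    """Current behaviour: every byte of the stream must belong to a frame."""
    frames, pos = [], 0
    while pos < len(data):
        m = LENGTH_PREFIX.match(data, pos)
        if m is None:
            raise ProtocolError("incorrect protocol: received invalid length prefix")
        start = m.end()
        end = start + int(m.group(1))
        if end > len(data):
            raise ProtocolError("incorrect protocol: truncated frame")
        frames.append(data[start:end])
        pos = end
    return frames

def parse_skipping_preamble(data: bytes):
    """Option 1 from the thread: discard whatever precedes the first frame.

    Scans line by line for the first line that parses as a length prefix whose
    frame fits in the data, then hands the remainder to the strict parser.
    Returns (discarded_preamble, frames). Junk after the first frame is still
    a protocol error.
    """
    pos = 0
    while pos < len(data):
        m = LENGTH_PREFIX.match(data, pos)
        if m is not None and m.end() + int(m.group(1)) <= len(data):
            return data[:pos], parse_strict(data[pos:])
        nl = data.find(b"\n", pos)
        if nl < 0:
            break
        pos = nl + 1
    raise ProtocolError("incorrect protocol: no frame found")

def error_of(parser, data: bytes):
    """Run parser on data; return the ProtocolError text, or None on success."""
    try:
        parser(data)
    except ProtocolError as exc:
        return str(exc)
    return None

if __name__ == "__main__":
    print("strict :", error_of(parse_strict, SAMPLE_STDOUT))
    preamble, frames = parse_skipping_preamble(SAMPLE_STDOUT)
    print("lenient: dropped %r, got %d frames" % (preamble, len(frames)))
    # Limit of option 1: a PAM line that happens to be all digits is
    # indistinguishable from a length prefix, so the stream is misparsed.
    print("digits :", error_of(parse_skipping_preamble, b"5\n" + frame(FRAME_1)))
```

The third case is the reason the second option (giving sudo a controlling tty so PAM messages go to /dev/tty and never reach the protocol pipe) is the more robust fix: a preamble-skipping reader has to guess where the protocol starts, and any prompt line consisting only of digits defeats the guess. A real reader would also buffer partial reads rather than assuming the whole stream is in memory.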

marusak commented 1 year ago

@mvollmer any update on this with regard to https://github.com/cockpit-project/cockpit/pull/15293 ?