google / google-authenticator-libpam

Apache License 2.0

Syslog tag is longer than 32 characters #172

Closed pawelbien closed 4 years ago

pawelbien commented 4 years ago

The Google Authenticator PAM module sends messages to the log, e.g. sshd(pam_google_authenticator)[32096]: Accepted google_authenticator for pawel

The relevant syslog RFCs 3164 and 5424 limit the syslog tag to 32 characters max. Longer tags are malformed.

The length of the MODULE_NAME field (pam_google_authenticator) means that the syslog tag, after adding the PID, is longer than 32 characters. In the example above it is 37 characters: sshd(pam_google_authenticator)[32096]

Locally processed syslog messages are usually handled correctly. The problem starts when forwarding to external syslog servers. The syslog tag field is truncated to 32 characters and takes a form like this:

sshd(pam_google_authenticator)[3

Could the syslog tag be shortened to something like this: sshd(pam_ga)[32096] or sshd(pam_google_auth)[32096]

ThomasHabets commented 4 years ago

Hmm. You probably know better (and are actually seeing the truncation), but isn't the RFC saying the tag excluding pid is 32 characters?

The TAG is a string of ABNF alphanumeric characters that MUST NOT exceed 32 characters. Any non-alphanumeric character will terminate the TAG field and will be assumed to be the starting character of the CONTENT field.

https://tools.ietf.org/html/rfc3164#section-5.3 & https://tools.ietf.org/html/rfc3164#section-4.1.3

pawelbien commented 4 years ago

Good point. The fact is, truncation takes place. I need to do more research with rsyslog. So let's leave it for now.

ThomasHabets commented 4 years ago

To be clear, I definitely want to fix this. I just want to make sure it's fixed right (and fixed in the right place, e.g. is it actually rsyslog or something else incorrectly truncating?). And I am not saying that I read the RFCs right.

Let me know what you find.

pawelbien commented 4 years ago

According to RFC 3164, "Any non-alphanumeric character will terminate the TAG field and will be assumed to be the starting character of the CONTENT field". But rsyslog considers it part of the TAG field, and MSG begins after the ": " characters. We can debate this, but changing this behavior would be huge for rsyslog. I do not expect to have any effect on this. And basically, in my opinion, this implementation makes sense despite a slight deviation from the RFC.

There are two options:

  1. Shortening the pam_google_authenticator syslog tag.
  2. Changing the standard rsyslog forwarding template on any system where we use the Google Authenticator PAM module. See: https://www.rsyslog.com/sende-messages-with-tags-larger-than-32-characters/

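To make the two readings of the tag concrete (the RFC 3164 rule quoted earlier in the thread versus the rsyslog convention described above) and to see exactly where the 32-character cut lands on the line from the issue, here is a small Python model. It is an added example and not code from google-authenticator-libpam or from rsyslog: the log lines are constructed, `rsyslog_tag` simplifies rsyslog's traditional parser to "everything up to the first space", the truncation mirrors the `%syslogtag:1:32%` property used by rsyslog's default forwarding templates, and `module_tag_fits` is a hypothetical helper for checking candidate MODULE_NAME values against the limit (option 1 above).

```python
"""Model of how the syslog TAG in a pam_google_authenticator log line is
parsed under strict RFC 3164 rules versus the rsyslog convention, and what
rsyslog's 32-character tag truncation on forwarding does to it.

Added example for this issue thread; not code from google-authenticator-libpam
or rsyslog. The log lines below are constructed for illustration.
"""
import re

RFC3164_TAG_MAX = 32  # RFC 3164 section 4.1.3: TAG MUST NOT exceed 32 chars

# Constructed sample lines in BSD-syslog form (<PRI>TIMESTAMP HOSTNAME TAG: MSG).
# The first reproduces the tag layout quoted in the issue, the next two are the
# shortened variants proposed there, the last is a plain sshd line for comparison.
SAMPLE_LINES = [
    "<38>Jan  5 10:11:12 host1 sshd(pam_google_authenticator)[32096]: "
    "Accepted google_authenticator for pawel",
    "<38>Jan  5 10:11:13 host1 sshd(pam_google_auth)[32096]: "
    "Accepted google_authenticator for pawel",
    "<38>Jan  5 10:11:14 host1 sshd(pam_ga)[32096]: "
    "Accepted google_authenticator for pawel",
    "<38>Jan  5 10:11:15 host1 sshd[32096]: Accepted publickey for pawel",
]

_HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<rest>.*)$"
)


def split_header(line):
    """Strip PRI, TIMESTAMP and HOSTNAME off a BSD-syslog line; return the MSG part."""
    m = _HEADER.match(line)
    if m is None:
        raise ValueError("not a BSD-syslog line: %r" % line)
    return m.group("rest")


def rfc3164_tag(msg_part):
    """TAG as RFC 3164 section 4.1.3 defines it: the leading run of alphanumerics.
    The first non-alphanumeric character starts CONTENT, so for
    'sshd(pam_google_authenticator)[32096]: ...' the TAG is just 'sshd'."""
    return re.match(r"[A-Za-z0-9]*", msg_part).group(0)


def rsyslog_tag(msg_part):
    """The tag as rsyslog's traditional parser sees it (simplified here to
    'up to the first space'); for the usual 'TAG[PID]: MSG' layout this keeps
    the parentheses, the PID and the trailing colon as part of the tag."""
    return msg_part.split(" ", 1)[0]


def forwarded_tag(tag, limit=RFC3164_TAG_MAX):
    """What a forwarding template using %syslogtag:1:32% emits: only the first
    32 characters of the tag survive the hop to the remote collector."""
    return tag[:limit]


def analyse(line):
    """Return the tag under both readings, the forwarded form, and whether the
    default forwarding template would truncate it."""
    msg_part = split_header(line)
    tag = rsyslog_tag(msg_part)
    fwd = forwarded_tag(tag)
    return {
        "rfc3164_tag": rfc3164_tag(msg_part),
        "rsyslog_tag": tag,
        "forwarded_tag": fwd,
        "truncated": fwd != tag,
    }


def truncated_tags(lines):
    """Tags that would arrive damaged at a remote syslog server."""
    return [a["rsyslog_tag"] for a in map(analyse, lines) if a["truncated"]]


def module_tag_fits(service, module_name, max_pid_digits=7, limit=RFC3164_TAG_MAX):
    """Hypothetical helper: does 'service(module)[pid]:' fit within the limit for
    every PID of up to max_pid_digits digits? 7 digits covers the Linux pid_max
    ceiling of 4194304. Handy when choosing a shorter MODULE_NAME."""
    longest = "%s(%s)[%s]:" % (service, module_name, "9" * max_pid_digits)
    return len(longest) <= limit


if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        print(analyse(sample))
    print("would be truncated on forwarding:", truncated_tags(SAMPLE_LINES))
    for candidate in ("pam_google_authenticator", "pam_google_auth", "pam_ga"):
        print(candidate, "fits:", module_tag_fits("sshd", candidate))
```

Running it shows the first line's rsyslog-style tag (38 characters including the colon) being cut to exactly the `sshd(pam_google_authenticator)[3` form reported in the issue, while both shortened names stay under the limit even with a seven-digit PID; under the strict RFC 3164 reading every line's TAG is just `sshd`, which is the point ThomasHabets raised.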
ThomasHabets commented 4 years ago

Yeah, sounds good. I don't mind working around other implementations, as long as I understand why.

Thanks for your research!