Open 0x010C opened 3 months ago
Thanks for bringing this to our attention. This is indeed a bug in pam_interactive, not a configuration error on your part.
The fix would be to ensure that the username being fed to PAM matches the username which is being authenticated with iRODS.
We will try to fix it as soon as we can. As a reminder, this plugin has not been officially released, so it may be slow going for the severity level.
@ll4strw - Just giving you a notification of this issue. We do not think this is a problem with the deviceauthgrant module, but want you to be aware of its existence.
@alanking @0x010C thanks for the heads-up. Indeed, I see this is a problem with the pam plugin.
Glancing at the code, a possible fix for this issue would involve passing the irods username to the pam stack so that pam can set PAM_USER to match the irods username. This would solve two problems: 1. getting prompted for a username twice, 2. force pam to use the provided irods username preventing spoofing. Any ideas?
@ll4strw I've compiled your commit and my test-cases are working as expected now, thanks!
I haven't run it - but... this solution still prompts for the username once?
So, in Test-case 4... 'userB' is given as the answer to the prompt... and then fails to get past the plugin because of the new confirmation check? Because 'userB' doesn't match the environment's 'userA'?
No, there are no prompts for the username anymore. In my case (using pam_deviceauthgrant) it looks like this now:
```shell
$ iinit
Login at https://my.sso.domain.name/realms/test/device?user_code=ABCD-EFGH
After login press Enter
```
From what I see there are only two cases left, both working as I expect:
Oh, even better. Thanks for the confirmation!
@trel If a user does not set a username in their irods env file, then they will be prompted `Enter your irods user name:`. The input value will set PAM_USER. If a user has a pre-set irods username in their env, that value will be copied into PAM_USER. The pam module is then free to do whatever it wants with that PAM_USER.
Got it. I had missed the if/else case upon inspection.
Good morning,
I am currently testing this plugin (thanks for that!) to delegate the authentication of my users to an SSO (keycloak) via the OIDC protocol.
My tests worked well with pam_deviceauthgrant (but also with PAM-OIDC-Device-Flow), however, I came across a strange behavior where I was able to log into another user's account (see test-case 4 below).
Here are my configuration files:
Server-side configuration
/etc/irods/server_config.json
/etc/pam.d/irods
Client-side configuration
~/.irods/irods_environment.json
What I have done
Successful test-cases (for information and context)
### Test-case 1

Set "userA" in irods_environment.json. When prompted for login by pam_interactive, type "userA". When the SSO login-page opens, log-in as "userA".

```shell
$ iinit
login: userA
Login at https://my.sso.domain.name/realms/test/device?user_code=ABCD-EFGH
After login press Enter
$ ils
/myZone/home/userA:
  testfile.json
```

**Expected behaviour:** Be logged-in as userA
**Result:** :heavy_check_mark: Logged-in as userA

### Test-case 2

Set "userA" in irods_environment.json. When prompted for login by pam_interactive, type "userB". When the SSO login-page opens, log-in as "userA".

```shell
$ iinit
login: userB
Login at https://my.sso.domain.name/realms/test/device?user_code=ABCD-EFGH
After login press Enter
Level 0: Error occurred while authenticating user [userA] [CAT_INVALID_AUTHENTICATION: authentication flow completed without success ] [ec=-826000]
```

**Expected behaviour:** Login error
**Result:** :heavy_check_mark: Login error

### Test-case 3

Set "userA" in irods_environment.json. When prompted for login by pam_interactive, type "userA". When the SSO login-page opens, log-in as "userB".

```shell
$ iinit
login: userA
Login at https://my.sso.domain.name/realms/test/device?user_code=ABCD-EFGH
After login press Enter
Level 0: Error occurred while authenticating user [userA] [CAT_INVALID_AUTHENTICATION: authentication flow completed without success ] [ec=-826000]
```

**Expected behaviour:** Login error
**Result:** :heavy_check_mark: Login error
### Test-case 4
Set "userA" in irods_environment.json. When prompted for login by pam_interactive, type "userB". When the SSO login-page opens, log-in as "userB".
**Expected behaviour:** Be logged-in as userB or login error
**Result:** :red_circle: Logged-in as userA
In other words, I logged into userA account using userB credentials.
I'm not sure if it's a configuration error on my part (in this case sorry for the inconvenience) or a pam_interactive bug, but in the latter case it's a major security issue.
Thanks and best regards