What I tried to do

I wanted to make pam_interactive look and behave a lot like pam_password just by using PAM modules. Or at least see whether it is possible with little or no changes to the existing plugin.

I created the irods PAM stack as described in our documentation here: https://docs.irods.org/4.3.2/plugins/pluggable_authentication/#pam-pluggable-authentication-module

pam_interactive uses the irods PAM stack, so it should be using it here. After disabling the SSL checks (see #16), I was seeing some promising prompts, but I was getting the following error when I tried to authenticate as the iRODS user alan using the PAM user alan's credentials:

$ iinit
Enter your iRODS user name: alan
Password:
Level 0: Error occurred while authenticating user [alan] [CAT_INVALID_AUTHENTICATION: authentication flow completed without success
] [ec=-826000]

I then tailed /var/log/auth.log and saw the following messages:

Finding some success

After some searching around, I ran across somebody who had a similar problem in their own application and asked about it in a linux-pam/linux-pam GitHub issue. The response from one of the maintainers shed some light onto what was happening: https://github.com/linux-pam/linux-pam/issues/112#issuecomment-491171684

It seems that the auth checking executable leveraged by the PamHandshake session was not able to authenticate the user alan because it is being run as the iRODS service account user irods. You can see this is the case from the auth.log error message above, which says "uid=999", and we have this in /etc/passwd:

Following the clues in the linux-pam issue above, I set /etc/shadow to be world readable, and the authentication worked because the irods user was now able to check the entered password against the password database. Obviously, this is not a viable solution because /etc/shadow is not supposed to be readable by everybody. We could put irods in the shadow group, or make some other group-based solution for this, but that would require additional administrative changes, so I took another look around for solutions.

Comparing with pam_password

I wanted to understand how pam_password is able to use the same PAM stack (irods) and see success while pam_interactive got an error. This led me eventually to take a look at the executable installed by this plugin's packages:

I compared the equivalent authentication check program shipped with the pam_password plugin:

The setuid bit is set for the u field on irodsPamAuthCheck, but not on pam_handshake_auth_check. I tried changing the setuid bit to match and everything started working as expected. Here is the command that I ran to get the permissions to match irodsPamAuthCheck:

After that, the authentication succeeded using alan's PAM credentials.

So, I think we should set setuid on the pam_handshake_auth_check executable like we do for irodsPamAuthCheck here: https://github.com/irods/irods/blob/7b8b97a1966bce4f18bd863997ca977a07485e5b/server/auth/CMakeLists.txt#L21-L28

Bonus Question

Notice the prompt that I shared above when attempting to authenticate with the irods PAM stack:

$ iinit
Enter your iRODS user name: alan
Password:

The pam_password prompt instead says:

$ iinit
Enter your iRODS user name: alan
Enter your current PAM password:

I don't think this is an issue because the prompt in the case of pam_password is being fed directly from the plugin, whereas the prompt for pam_interactive is coming from the PAM module itself. But if we wanted an exact drop-in replacement for pam_password, we might have to consider a module which displays the "Enter your current PAM password:" prompt instead of just "Password: ".
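An added diagnostic script, not code from the issue or from either plugin, that checks the two conditions discussed in the issue: whether an auth-check helper is installed setuid-root the way irodsPamAuthCheck is, and whether /etc/shadow has been left world-readable. It assumes GNU stat (Linux), and the helper paths are passed as arguments because the issue does not give them.

```shell
#!/bin/sh
# Added example, not code from the issue or the plugin. A PAM auth-check
# helper can only verify a password against /etc/shadow when it runs
# setuid-root (how irodsPamAuthCheck is installed), and /etc/shadow itself
# must never be world-readable. Assumes GNU stat; helper paths are arguments.

# Octal mode of a file including special bits, e.g. 4755 for setuid-root.
file_mode() {
    stat -c '%a' "$1"
}

# Succeeds when the setuid bit is set on the file.
has_setuid_bit() {
    mode=$(file_mode "$1") || return 1
    case "$mode" in
        4???|6???) return 0 ;;   # leading 4 = setuid, 6 = setuid+setgid
        *) return 1 ;;
    esac
}

# Succeeds when "other" can read the file (the /etc/shadow mistake).
is_world_readable() {
    mode=$(file_mode "$1") || return 1
    rest=${mode%?}
    other=${mode#"$rest"}        # last octal digit = permissions for others
    case "$other" in
        4|5|6|7) return 0 ;;
        *) return 1 ;;
    esac
}

# One-word verdict for an auth-check helper path.
helper_verdict() {
    if [ ! -e "$1" ]; then
        echo missing
    elif has_setuid_bit "$1" && [ "$(stat -c '%U' "$1")" = root ]; then
        echo setuid-root          # what the issue found on irodsPamAuthCheck
    elif has_setuid_bit "$1"; then
        echo setuid-not-root-owned
    else
        echo no-setuid            # what the issue found on pam_handshake_auth_check
    fi
}

# Usage: sh check.sh /path/to/pam_handshake_auth_check /path/to/irodsPamAuthCheck
for helper in "$@"; do
    printf '%s: %s\n' "$helper" "$(helper_verdict "$helper")"
done
if [ -e /etc/shadow ] && is_world_readable /etc/shadow; then
    echo "/etc/shadow is world-readable; it should not be"
fi
```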