kravietz / pam_tacplus

TACACS+ protocol client library and PAM module in C. This PAM module supports authentication, authorization (account management) and accounting (session management) performed using the TACACS+ protocol designed by Cisco.
GNU Lesser General Public License v3.0
132 stars 102 forks

TaskId doesn't match for start and stop messages of accounting #93

Open KanagalakshmiGobiViswanathan opened 7 years ago

KanagalakshmiGobiViswanathan commented 7 years ago

Opened three ssh sessions using the pam_tacplus.so library and observed that the task ids are not matching in the start and stop messages.

Dump of start accounting messages:

session#1 Got taskid=17774 for the user abc3

Jun 28 10:46:49 167.254.219.122 abc3        unknown 10.0.2.2        start           start_time=1496312841   task_id=17774   service=fujitsu-1finity-exec    protocol=ip

session#2 Got taskid=49387 for the user abc1

Jun 28 10:46:52 167.254.219.122 abc1        unknown 10.0.2.2        start           start_time=1496312845   task_id=49387   service=fujitsu-1finity-exec    protocol=ip

session#3 Got taskid=41556 for the user abc2

Jun 28 10:46:56 167.254.219.122 abc2        unknown 10.0.2.2        start           start_time=1496312848   task_id=41556   service=fujitsu-1finity-exec    protocol=ip

Now I closed the ssh sessions in the order abc3, abc1 and abc2, but I observe the same task_id 41556 for all stop messages.

Dump of stop accounting messages:

Jun 28 10:47:05 167.254.219.122 abc3        unknown 10.0.2.2        stop            stop_time=1496312858    task_id=41556   service=fujitsu-1finity-exec    protocol=ip
Jun 28 10:47:10 167.254.219.122 abc1        unknown 10.0.2.2        stop            stop_time=1496312862    task_id=41556     service=fujitsu-1finity-exec    protocol=ip
Jun 28 10:47:17 167.254.219.122 abc2        unknown 10.0.2.2        stop            stop_time=1496312870    task_id=41556   service=fujitsu-1finity-exec    protocol=ip

Expected: task_id for abc3 should be 17774, but it shows task_id as 41556.

KanagalakshmiGobiViswanathan commented 7 years ago

Awaiting the response.

gollub commented 7 years ago

In the PAM module there is a global variable task_id which gets set by the method pam_sm_open_session: https://github.com/jeroennijhof/pam_tacplus/blob/master/pam_tacplus.c#L715

... to a random value.

Depending on the application using this PAM module (e.g. sshd), there will be only one instance of pam_tacplus in memory. So every open PAM session (e.g. ssh login) might override the task_id with another random value.

Requires individual research on each PAM-enabled application.

pprindeville commented 7 years ago

I'm more current on the Tacacs+ protocol than the PAM API, so someone else will need to answer this. Can we store the task_id in a struct pam_data hanging off pamh->data?

gollub commented 7 years ago

@KanagalakshmiGobiViswanathan, which SSH daemon implementation is used? I doubt that openssh is used here.

daveolson53 commented 7 years ago

In my version, I added a global session_taskid, set it in pam_sm_open_session after task_id is initialized, and set task_id from session_taskid in pam_sm_close_session, so they match in the accounting record. That seemed to resolve the problem for me and our customers.

I don't see a need to stash it off the pam handle. It doesn't matter how many copies of this library are in use, what matters is that for each use, the open/close id matches in the accounting start/stop for each instance.
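Added example, not code from the pam_tacplus repository or from anyone in this thread: a small C model of the two designs discussed above. It replays the reporter's scenario (abc3, abc1, abc2 log in within one process and log out in that order) once with a process-wide task_id and once with the id kept on the handle that opened the session. The fake_pamh struct and the deterministic task-id counter are constructed stand-ins so the file compiles without libpam; in the real module the per-handle slot corresponds to pam_set_data()/pam_get_data().

```c
#include <stdint.h>
#include <stdlib.h>

/* Stand-in for pam_handle_t (constructed). Real PAM attaches module-private
 * data to the handle via pam_set_data()/pam_get_data(); this one has one slot. */
typedef struct { const char *user; uint32_t *task_data; } fake_pamh;

/* The pattern from the thread: one process-wide task_id that
 * pam_sm_open_session overwrites for every session the process handles. */
static uint32_t global_task_id;

/* Deterministic stand-in for the module's random task id (constructed). */
static uint32_t next_task_id(void) {
    static uint32_t next = 17774;
    return next++;
}
/* Global-variable design: the session that opened last wins. */
static void global_open(fake_pamh *pamh) { (void)pamh; global_task_id = next_task_id(); }
static uint32_t global_close(fake_pamh *pamh) { (void)pamh; return global_task_id; }

/* Per-handle design: keep the id on the handle that opened the session
 * (pam_set_data at open, pam_get_data at close, the cleanup callback frees it). */
static void handle_open(fake_pamh *pamh) {
    pamh->task_data = malloc(sizeof *pamh->task_data);
    *pamh->task_data = next_task_id();
}
static uint32_t handle_close(fake_pamh *pamh) {
    uint32_t id = pamh->task_data ? *pamh->task_data : 0;
    free(pamh->task_data);
    pamh->task_data = NULL;
    return id;
}

/* Replays the thread: abc3, abc1, abc2 log in within one process, then log
 * out in that order. Returns how many stop records carry a task_id that
 * differs from their own start record. */
int count_mismatches(int per_handle) {
    fake_pamh s[3] = { {"abc3", NULL}, {"abc1", NULL}, {"abc2", NULL} };
    uint32_t start[3];
    int mismatches = 0;
    for (int i = 0; i < 3; i++) {
        if (per_handle) { handle_open(&s[i]); start[i] = *s[i].task_data; }
        else            { global_open(&s[i]); start[i] = global_task_id; }
    }
    for (int i = 0; i < 3; i++) {
        uint32_t stop = per_handle ? handle_close(&s[i]) : global_close(&s[i]);
        if (stop != start[i]) mismatches++;
    }
    return mismatches;
}
```

With the global design only the last session to open (abc2) gets a matching stop record, which is exactly the pattern in the reporter's dump; the per-handle design matches all three.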