liftoff / GateOne

Gate One is an HTML5-powered terminal emulator and SSH client
http://liftoffsoftware.com/Products/GateOne

Logging in with the same PAM account from two browsers/computers #165

Closed by jubajuba 11 years ago

jubajuba commented 12 years ago

When I attempt to log on to the same account from two browsers/computers I'm constantly redirected to the login screen. I've set GateOne up to use PAM. Log from login attempt:

[I 121112 04:17:22 web:1447] 302 GET / (123.123.123.123) 0.48ms
[W 121112 04:17:22 web:1447] 401 GET /auth?next=%2F (123.123.123.123) 0.39ms
[W 121112 04:17:30 web:1447] 401 GET /auth?next=%2F (123.123.123.123) 3275.24ms
[W 121112 04:17:42 web:1447] 401 GET /auth?next=%2F (123.123.123.123) 3244.55ms

I'm trying out GateOne, so I've not purchased any licence.

liftoff commented 12 years ago

I just tested this and I can't reproduce the problem. Having said that, it doesn't sound like a PAM-specific problem. It might be a cookie issue. Did you login to Gate One from one of those browsers before switching the authentication method to PAM? Gate One should automatically detect this situation and display a (ridiculously) detailed dialog explaining what could've caused the problem. When you click OK to that dialog it's supposed to blow away the cookie and force you to re-login.

I thought I fixed all the bugs associated with that, "I changed the auth setting or bad cookie" situation (and all the paths that can lead to it) but I might have missed one. Can you tell me which version of Gate One you're running?

Also, try this: Change your cookie_secret in the server.conf file. That should force all users to re-auth and all cookies to be re-created.

liftoff commented 11 years ago

Have you got it working? If I don't hear back from you soon I'm going to close this issue.

jubajuba commented 11 years ago

Hi, thanks for the reminder. I've been swamped with other tasks for a while now, both on work and at home. I'll try your suggestions as soon as I can and give feedback.

jubajuba commented 11 years ago

I'm running Gateone 1.1 (gateone_1.1-1_all.deb). Today I accidentally closed the browser I was running Gateone in (Google Chrome stable), after starting the browser again I got the same error as before, but now I'm not logged in to any session in Gateone. I've tried changing the cookie_secret and deleting the cookies in my browser and removing the gateone/users//session file and restarting the server. I've also checked that the session_dir is empty and no pid or sock file exists. Please let me know what more info you need, I'd be happy to do testing/debugging for you.

liftoff commented 11 years ago

Can you paste your server.conf? Also, what browser/OS are you using?

jubajuba commented 11 years ago

I'm using Windows 7, Chrome stable and Firefox stable. Gateone runs on a Ubuntu 12.10 install. Here's my server.conf:

# -*- coding: utf-8 -*-
locale = "nb_NO"
pam_service = "login"
syslog_facility = "daemon"
syslog_host = None
enable_unix_socket = False
port = 443
uid = "1001"
url_prefix = "/"
user_dir = "/opt/gateone/users"
dtach = True
certificate = "/opt/gateone/pallas.pem"
log_to_stderr = False
session_logs_max_age = "30d"
gid = "1001"
pid_file = "/var/run/gateone.pid"
sso_realm = None
cookie_secret = "M2UwZWVkNDMwODUGarbleYWIwNTI5YTkyMzMxYTJhGarble"
pam_realm = "my.host"
sso_service = "HTTP"
https_redirect = True
syslog_session_logging = False
disable_ssl = False
debug = False
session_dir = "/tmp/gateone"
auth = "pam"
address = ""
api_timestamp_window = "30s"
log_file_num_backups = 10
logging = "info"
embedded = False
origins = "https://my;https://my.host"
session_logging = True
unix_socket_path = "/var/run/gateone.sock"
ssl_auth = "none"
log_file_max_size = 104857600
session_timeout = "5d"
command = "/opt/gateone/plugins/ssh/scripts/ssh_connect.py -S '/tmp/gateone/%SESSION%/%SHORT_SOCKET%' --sshfp -a '-oUserKnownHostsFile=%USERDIR%/%USER%/ssh/known_hosts'"
ca_certs = None
js_init = ""
keyfile = "/opt/gateone/my.host.key"
log_file_prefix = "/opt/gateone/logs/webserver.log"

liftoff commented 11 years ago

I recently added a new PAM module to Gate One that negates the need to use PyPAM (or python-pam) and also made some changes that may have corrected the problem you're experiencing. Can you grab the latest code from Github and give it a try?

jubajuba commented 11 years ago

I did a

git clone git://github.com/liftoff/GateOne.git

as root in a new gateone folder. I copied my SSL key, user dir and config, created the logs dir and recursively chown-ed the logs, plugins, static and users folders to the user that runs gateone. I upgraded tornado (using pip) from 2.3 to 2.4.1. I then started GateOne with the same result. I added http://localhost https://localhost http://127.0.0.1 https://127.0.0.1 to the origins variable in server.conf and restarted gateone. Same result. Then I tried removing my user in the users folder and tried again, same result. The user I tried to log on with was not created in the users folder. Finally I did a reboot and tried once more, same result as you see from the webserver.log excerpt below.

[I 121213 11:29:36 gateone:3183] Gate One 1.1.0
[I 121213 11:29:36 gateone:3184] Tornado version 2.4.1
[I 121213 11:29:36 gateone:3214] Connections to this server will be allowed from the following origins: 'https://my https://my.host http://localhost https://localhost http://127.0.0.1 https://127.0.0.1'
[I 121213 11:29:36 gateone:2569] Using pam authentication
[I 121213 11:29:36 gateone:2685] Loaded plugins: bookmarks, convenience, example, help, logging, logging_plugin, mobile, notice, playback, ssh
[I 121213 11:29:36 gateone:3351] http://*:80/ will be redirected to...
[I 121213 11:29:36 gateone:3355] Listening on https://*:443/
[I 121213 11:29:36 gateone:3361] Process running with pid 966
[I 121213 11:29:36 utils:1194] Running as user/group, "gateone/gateone" with the following supplemental groups: tty
[I 121213 11:32:25 web:1462] 302 GET / (123.123.123.123) 0.75ms
[W 121213 11:32:25 web:1462] 401 GET /auth?next=%2F (123.123.123.123) 0.33ms
[W 121213 11:32:31 web:1462] 401 GET /auth?next=%2F (123.123.123.123) 3166.33ms

liftoff commented 11 years ago

I can't believe I didn't notice this before... You're running Gate One as user/group gateone/gateone. If you're not running Gate One as root you'll only be able to authenticate the user that Gate One is running under: gateone.

This is a limitation of PAM and not Gate One... Most applications get around it by keeping a process running as root and authenticate users via that process (auth by proxy, essentially). I was thinking about doing something like this in Gate One but it hasn't come up much (this is only the second time I've seen it).

So to summarize: If you want to use PAM authentication you'd best run Gate One as root or only run it as the user you're going to be logging in with.

In the mean time I'm going to add a check in gateone.py that will display a warning message if the user has Gate One configured to run as non-root with auth='pam'.
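The check described above, written out as an added example (this is not Gate One's code and the names are my own): a parser for the `key = <python literal>` lines of a 1.x `server.conf`, a pre-flight check that flags `auth = "pam"` combined with a non-root `uid`, and a minimal Linux-PAM conversation via ctypes so the limitation can be reproduced by hand. It assumes Linux-PAM (`libpam.so.0`, glibc) with `pam_unix` and its setuid helper `unix_chkpwd`, which for a non-root caller only verifies the caller's own account. The conf text embedded below is a constructed subset of the `server.conf` posted earlier in the thread.

```python
# Added example, not Gate One code. Assumes Linux-PAM (libpam.so.0, glibc)
# with pam_unix/unix_chkpwd; function and constant names are my own.
import ast
import ctypes
import os
import pwd

# Constructed subset of the server.conf posted in this thread.
SAMPLE_CONF = '''# -*- coding: utf-8 -*-
pam_service = "login"
uid = "1001"
auth = "pam"
'''
CURRENT_USER = pwd.getpwuid(os.getuid()).pw_name


def parse_server_conf(text):
    """Parse Gate One 1.x 'key = <python literal>' lines into a dict."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            key, sep, value = line.partition("=")
            if sep:
                conf[key.strip()] = ast.literal_eval(value.strip())
    return conf


def pam_preflight(conf, login_user=None):
    """Return warnings if auth='pam' cannot log login_user in under this uid.

    pam_unix reads /etc/shadow through the setuid helper unix_chkpwd; for a
    non-root caller the helper only verifies the caller's own account, so every
    other user gets PAM_AUTH_ERR, which Gate One surfaces as 401 on /auth.
    """
    if conf.get("auth") != "pam":
        return []
    uid_text = str(conf.get("uid", "0"))  # Gate One accepts a number or a name
    try:
        uid = int(uid_text) if uid_text.isdigit() else pwd.getpwnam(uid_text).pw_uid
        running_user = pwd.getpwuid(uid).pw_name
    except KeyError:
        uid, running_user = -1, None  # unresolvable account: treat as non-root
    if uid == 0 or (login_user is not None and login_user == running_user):
        return []
    return ["auth='pam' with uid=%r: only %s can authenticate; run Gate One as "
            "root or set uid to the login user"
            % (uid_text, running_user or "the account the daemon runs as")]


PAM_SUCCESS, PAM_PROMPT_ECHO_OFF = 0, 1


class PamMessage(ctypes.Structure):
    _fields_ = [("msg_style", ctypes.c_int), ("msg", ctypes.c_char_p)]


class PamResponse(ctypes.Structure):
    _fields_ = [("resp", ctypes.c_void_p), ("resp_retcode", ctypes.c_int)]


CONV_FUNC = ctypes.CFUNCTYPE(
    ctypes.c_int, ctypes.c_int, ctypes.POINTER(ctypes.POINTER(PamMessage)),
    ctypes.POINTER(ctypes.POINTER(PamResponse)), ctypes.c_void_p)


class PamConv(ctypes.Structure):
    _fields_ = [("conv", CONV_FUNC), ("appdata_ptr", ctypes.c_void_p)]


def pam_check_password(user, password, service="login"):
    """Return (ok, pam message). Run as root, then as an unprivileged user for
    some other account, to see the limitation first-hand."""
    libc, libpam = ctypes.CDLL("libc.so.6"), ctypes.CDLL("libpam.so.0")
    libc.calloc.restype = libc.strdup.restype = ctypes.c_void_p
    libc.calloc.argtypes = [ctypes.c_size_t, ctypes.c_size_t]
    libc.strdup.argtypes = [ctypes.c_char_p]
    libpam.pam_start.argtypes = [ctypes.c_char_p, ctypes.c_char_p,
                                 ctypes.POINTER(PamConv),
                                 ctypes.POINTER(ctypes.c_void_p)]
    libpam.pam_authenticate.argtypes = [ctypes.c_void_p, ctypes.c_int]
    libpam.pam_end.argtypes = [ctypes.c_void_p, ctypes.c_int]
    libpam.pam_strerror.argtypes = [ctypes.c_void_p, ctypes.c_int]
    libpam.pam_strerror.restype = ctypes.c_char_p

    def conv(n_msgs, msgs, resp_out, _appdata):
        # PAM frees the array and each resp with free(), so allocate on libc's heap.
        responses = ctypes.cast(libc.calloc(n_msgs, ctypes.sizeof(PamResponse)),
                                ctypes.POINTER(PamResponse))
        for i in range(n_msgs):
            if msgs[i].contents.msg_style == PAM_PROMPT_ECHO_OFF:
                responses[i].resp = libc.strdup(password.encode())
        resp_out[0] = responses
        return PAM_SUCCESS

    conv_struct = PamConv(CONV_FUNC(conv), None)  # must outlive the PAM calls
    handle = ctypes.c_void_p()
    rc = libpam.pam_start(service.encode(), user.encode(),
                          ctypes.byref(conv_struct), ctypes.byref(handle))
    if rc == PAM_SUCCESS:
        rc = libpam.pam_authenticate(handle, 0)
    message = libpam.pam_strerror(handle, rc).decode()
    if handle.value:
        libpam.pam_end(handle, rc)
    return rc == PAM_SUCCESS, message
```

`pam_preflight(parse_server_conf(open("server.conf").read()), login_user="alice")` returns a warning for the configuration in this thread (`uid = "1001"`, `auth = "pam"`) and an empty list once `uid` is root or the login user. `pam_check_password("alice", "…", "login")` needs a real account and libpam, so it is not exercised offline; calling it as root and then as an unrelated unprivileged user shows the success/`PAM_AUTH_ERR` split directly.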

jubajuba commented 11 years ago

Of course! I'm so used to services starting as root via init scripts and then dropping to a system user that I didn't think of this at all...

jubajuba commented 11 years ago

I've now changed GateOne to run as root, works as a charm! Thanks for excellent support!

liftoff commented 11 years ago

OK great. I'm going to close this issue.