Yubico Forum

Re: pam_yubico on 64 bit?

2009-03-24T15:01:30+01:00

Hmm... You may want to malloc an integer to store the retval before setting with pam_set_data. The current scope of retval will get recollected when that function returns. When the data is retrieved that location is probably is use by something else or it could segfault. We should malloc a dynamic memory location and recollect with a 'cleanup' function.

Statistics: Posted by fergus — Tue Mar 24, 2009 3:01 pm

Re: pam_yubico on 64 bit?

2009-03-24T14:41:04+01:00

cmoates wrote:

Here's a diff which I believe fixes the problem. I've tested it on Ubuntu 8.10 64 bit as well as Ubuntu 8.10 32 bit. Anyone else care to try it out?

Hi! I applied a slightly different patch, see:

http://code.google.com/p/yubico-pam/sou ... ail?r=141#

Please check it. I'll likely do another 1.13 release with this later today.

/Simon

Statistics: Posted by Simon — Tue Mar 24, 2009 2:41 pm

Re: pam_yubico on 64 bit?

2009-03-12T12:32:16+01:00

I uploaded a patch to the pam_yubico google page that should fix most of the things I was having issues with. It now checks the password to make sure its long enough to contain an OTP before it splits it. It also allows users that don't have a yubikey id associated with them to login. This patch also includes the 64-bit patch above. Feedback is appreciated.

Issue report -> http://code.google.com/p/yubico-pam/issues/detail?id=12
Direct link -> http://yubico-pam.googlecode.com/issues/attachment?aid=5317245680863813985&name=pam_yubico-1.11updates2.patch

Statistics: Posted by fergus — Thu Mar 12, 2009 12:32 pm

Re: pam_yubico on 64 bit?

2009-03-12T07:11:33+01:00

Nice, good find!

I can see what you're talking about:

Code:

  token_otp_with_password = (char *) password;
  password_len = strlen (token_otp_with_password);

  /* Getting Token value and SSH password */
  [color=#FF0000]strncpy[/color] ((char *) token_otp,
      token_otp_with_password + (password_len - TOKEN_LEN), TOKEN_LEN);

Might this also cause possible security issues? Not sure if this is really exploitable, but since it's in login code, I'm kinda wary.

Statistics: Posted by TrinitronX — Thu Mar 12, 2009 7:11 am

Re: pam_yubico on 64 bit?

2009-03-10T15:38:13+01:00

I found some time to browse through the source and found that the issue I describe above is not 64-bit related. This code makes the assumption that all users have a yubikey ID associated with their accounts. Additionally, It never checks to see if the user has an associated ID or that the length of the entered password is long enough to contain a OTP before it splits it up into pieces. In my scenario, a user without a yubikey, enters their password and the pam module attempts to split it into the base password and OTP pieces. Since the password is less that 44 chars the code attempts to strncpy from an invalid memory location. We should add some sanity checks to the code to make sure the given password is greater than 44 chars before attempting to parse it and also check to see if the user has an associated yubikey ID before verifying against it. This would also lead to a decision of how to handle accounts without a yubikey ID. Do they succeed or fail? We may need another top level option 'require_yubikey' or something to specify how to handle that case. Not sure how much time I'll have but if I can get a patch together i'll post it.

Statistics: Posted by fergus — Tue Mar 10, 2009 3:38 pm

Re: pam_yubico on 64 bit?

2009-02-20T21:01:26+01:00

I've not run across the scenario you describe, but I've done very limited testing on Ubuntu. I'll add that to my test plans.

Statistics: Posted by cmoates — Fri Feb 20, 2009 9:01 pm

Re: pam_yubico on 64 bit?

2009-02-20T13:18:31+01:00

Ok, I made another attempt at getting the pam plugin to work with ubuntu 8.04 64 bit. By using the above patch I was able to get farther this time but came across another issue. If I attempted to login with a user with an associated yubikey ID it would work correctly. I would enter by password, then press my yubikey button and the ssh session would begin. I then tried to login with a user that doesn't have an associated yubikey ID. After entering the users password, I would experience a segfault on the server side. I haven't had time to debug this further, but perhaps there are a few more areas in the code that need to get massaged for 64 bit compatibility. As I collect more information I will post updates.

- pam_yubico v1.11 with the above two line modifications.
- /etc/pam.d/sshd files is configured to match the above listing
- /etc/ssh/sshd_config has the two options in the above listing
- Using system wide yubikey id file in /etc

richard

Statistics: Posted by fergus — Fri Feb 20, 2009 1:18 pm

Re: pam_yubico on 64 bit?

2009-02-18T17:04:51+01:00

Due to time constraints, we were not able to include the changes suggested by cmoates to the new pam module version 1.11. We will include them to the next release of the PAM module.

Meanwhile, we have tested the Yubico PAM configuration on following 64 bit test environment with the code changes suggested by cmoates and it worked fine:

Code:

1) OS Version: Debian GNU/Linux 5.0.0 _Lenny_ - Official amd64
2) Kernel Version: Linux Kernel version 2.6.26-1-amd64
3) OpenSSH Version: OpenSSH_5.1p1 Debian-5
4) Yubico PAM Version: pam_yubico-1.11
5) "/etc/pam.d/sshd":
# PAM configuration for the Secure Shell service
# Administrative Level

auth required pam_yubico.so authfile=/etc/yubikeyid id=16 debug

# Read environment variables from /etc/environment and
# /etc/security/pam_env.conf.
auth       required     pam_env.so # [1]
# In Debian 4.0 (etch), locale-related environment variables were moved to
# /etc/default/locale, so read that as well.
auth       required     pam_env.so envfile=/etc/default/locale

# Standard Un*x authentication.
@include common-auth

# Disallow non-root logins when /etc/nologin exists.
account    required     pam_nologin.so

# Uncomment and edit /etc/security/access.conf if you need to set complex
# access limits that are hard to express in sshd_config.
# account  required     pam_access.so

# Standard Un*x authorization.
@include common-account

# Standard Un*x session setup and teardown.
@include common-session

# Print the message of the day upon successful login.
session    optional     pam_motd.so # [1]

# Print the status of the user's mailbox upon successful login.
session    optional     pam_mail.so standard noenv # [1]

# Set up user limits from /etc/security/limits.conf.
session    required     pam_limits.so

# Set up SELinux capabilities (need modified pam)
# session  required     pam_selinux.so multiple

# Standard Un*x password updating.
@include common-password

6) "/etc/ssh/sshd_config" settings:

ChallengeResponseAuthentication no
PasswordAuthentication yes

Statistics: Posted by network-marvels — Wed Feb 18, 2009 5:04 pm

Re: pam_yubico on 64 bit?

2009-02-17T23:14:40+01:00

I've not had as much time as I'd like to work on this (it's my busy season at work) but we built RPM's for several Fedora and CentOS distros, and while testing the other night on Fedora 10, x86_64, we found that, without my patches, it would seg fault.

HOWEVER, if we changed "ChallengeResponseAuthentication" in /etc/ssh/sshd_config to "yes", then it would work. We didn't test this extensively, but we did determine that it was contributing to the problem. Note that the current instructions explicitly tell you to set this to "no" and so I'm not sure what other ill effects might come from this.

In 1.11, there was a bunch of code added, and so I'm not surprised that there might be a new issue. I hope to work on this more soon, but it might be several weeks before my schedule clears up enough to really dig in.

Many thanks to my friend Todd Zullinger, who has contributed a significant amount of effort to helping me, in spite of the fact that he doesn't own a Yubikey. (I'm gonna owe him one though!)

Statistics: Posted by cmoates — Tue Feb 17, 2009 11:14 pm

Re: pam_yubico on 64 bit?

2009-02-17T20:49:02+01:00

What version of pam_yubico where you using? I just tried your changes on version 1.11 and I still got a segfault. I am wondering if the new version needs some more updates. It was also late last night when I tried it. I'll give it another shot when I am home, but I think the issue is still there, at least with version 1.11.

richard

Statistics: Posted by fergus — Tue Feb 17, 2009 8:49 pm

Re: pam_yubico on 64 bit?

2009-02-08T14:32:21+01:00

Hi cmoates,

I tried your patch on RHEL5 64 bit and it worked.

Much appreciated.

Cheers
Lucien

Statistics: Posted by lucienboland — Sun Feb 08, 2009 2:32 pm

Re: pam_yubico on 64 bit?

2009-02-07T19:56:58+01:00

Here's a diff which I believe fixes the problem. I've tested it on Ubuntu 8.10 64 bit as well as Ubuntu 8.10 32 bit. Anyone else care to try it out?

Code:

Index: pam_yubico.c
===================================================================
--- pam_yubico.c   (revision 124)
+++ pam_yubico.c   (working copy)
@@ -397,7 +397,7 @@
     }
   if (debug)
     D (("done. [%s]", pam_strerror (pamh, retval)));
-  pam_set_data (pamh, "yubico_setcred_return", (void *) retval, NULL);
+  pam_set_data (pamh, "yubico_setcred_return", (void *) (uintptr_t)retval, NULL);
 
   return retval;
 }
@@ -406,7 +406,7 @@
 pam_sm_setcred (pam_handle_t * pamh, int flags, int argc, const char **argv)
 {
   int retval;
-  int auth_retval;
+  uintptr_t auth_retval;
 
   D (("called."));

Statistics: Posted by cmoates — Sat Feb 07, 2009 7:56 pm

Re: pam_yubico on 64 bit?

2009-02-07T15:03:56+01:00

We're seeing the exact same behaviour as you are describing on our Redhat Enterprise Linux 5.3 64 bit systems.

I will test RHEL5 32-bit early next week and judging by your table of results so far suspect it will succeed without seg faulting.

Hopefully we can sort this out soon.

Cheers

Statistics: Posted by lucienboland — Sat Feb 07, 2009 3:03 pm

pam_yubico on 64 bit?

2009-02-07T05:36:28+01:00

I want to hopefully use yubikeys for SSH logins, among other miscellaneous things, so I immediately jumped at the pam_yubico code. At first, I was having no success at all, but further testing shows that my problem seems to be limited to 64 bit Linux distros. Is anyone else using this successfully on a 64 bit system?

Here's what I am seeing: Authentication succeeds, but immediately after that, whatever app is using pam segfaults. I've tried to get backtraces but not much luck yet. I'm still gathering more information but thought I'd throw this out there, in hopes I don't have to dig all the way down this rabbit hole.

Tested so far:

Fedora 9 32 bit: Works
Debian Lenny 32 bit: Works
Ubuntu 8.10 32 bit: Works
Ubuntu 8.10 64 bit: Fails (seg faults)
Centos 5.2 64 bit: Fails (seg faults)
Fedora 10 64 bit: Fails (seg faults)

Updated to include Fedora 10 64 bit testing results.

Statistics: Posted by cmoates — Sat Feb 07, 2009 5:36 am