Yubico Forum
https://forum.yubico.com/

radiusd segmentation fault with pam_yubico module on CentOS
https://forum.yubico.com/viewtopic.php?f=3&t=177		 Page 1 of 1
Author:  tristam [ Wed Sep 03, 2008 2:19 pm ]
Post subject:  radiusd segmentation fault with pam_yubico module on CentOS
Hello,

After the second or third validation attempt from our freeradius server with the pam_yubico module the server segfaults. We have this with version 1.6 as well as the 1.7
This is the radiusd -X output
Code:
Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /etc/raddb/proxy.conf
Config:   including file: /etc/raddb/clients.conf
Config:   including file: /etc/raddb/snmp.conf
Config:   including file: /etc/raddb/eap.conf
 main: prefix = "/usr"
 main: localstatedir = "/var"
 main: logdir = "/var/log/radius"
 main: libdir = "/usr/lib"
 main: radacctdir = "/var/log/radius/radacct"
 <snip>
main: log_file = "/var/log/radius/radius.log"
  <snip>
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded Pam
 pam: pam_auth = "radiusd"
Module: Instantiated pam (pam)
Module: Loaded PAP
 pap: encryption_scheme = "crypt"
Module: Instantiated pap (pap)
<snip>
Module: Loaded System
 unix: cache = no
 unix: passwd = "(null)"
 unix: shadow = "/etc/shadow"
 unix: group = "(null)"
 unix: radwtmp = "/var/log/radius/radwtmp"
 unix: usegroup = no
 unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded eap
 eap: default_eap_type = "md5"
 eap: timer_expire = 60
 eap: ignore_unknown_eap_types = no
 eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
 gtc: challenge = "Password: "
 gtc: auth_type = "PAP"
rlm_eap: Loaded and initialized type gtc
 mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Module: Loaded preprocess
 preprocess: huntgroups = "/etc/raddb/huntgroups"
 preprocess: hints = "/etc/raddb/hints"
 preprocess: with_ascend_hack = no
 preprocess: ascend_channels_per_line = 23
 preprocess: with_ntdomain_hack = no
 preprocess: with_specialix_jetstream_hack = no
 preprocess: with_cisco_vsa_hack = no
 preprocess: with_alvarion_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded realm

<snip>
 Ready to process requests.
rad_recv: Access-Request packet from host 192.168.200.6:34691, id=56, length=87
        User-Name = "vvv"
        User-Password = "catflcvihlerrfbhkidvgbguednnheffccdtrfbkabvf"
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 0
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
  modcall[authorize]: module "chap" returns noop for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
    rlm_realm: No '@' in User-Name = "vvv", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 0
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 0
    users: Matched entry DEFAULT at line 141
  modcall[authorize]: module "files" returns ok for request 0
modcall: leaving group authorize (returns ok) for request 0
  rad_check_password:  Found Auth-Type PAM
auth: type "PAM"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
pam_pass: using pamauth string <radiusd> for pam.conf lookup
[pam_yubico.c:pam_sm_authenticate(217)] called.
[pam_yubico.c:pam_sm_authenticate(218)] flags 0 argc 2
[pam_yubico.c:pam_sm_authenticate(220)] argv[0]=id=237
[pam_yubico.c:pam_sm_authenticate(220)] argv[1]=debug
[pam_yubico.c:pam_sm_authenticate(221)] id=237
[pam_yubico.c:pam_sm_authenticate(222)] debug=1
[pam_yubico.c:pam_sm_authenticate(223)] alwaysok=0
[pam_yubico.c:pam_sm_authenticate(224)] authfile=(null)
[pam_yubico.c:pam_sm_authenticate(235)] get user returned: vvv
[pam_yubico.c:pam_sm_authenticate(245)] get password returned: (null)
[pam_yubico.c:pam_sm_authenticate(275)] conv returned: cutflcvihlerrfbhkidvgbguednnheffccdtrfbkebvf
[pam_yubico.c:pam_sm_authenticate(321)]  Token is : catflcvihlerrfbhkidvgbguednnheffccdtrfbkabvf and password is
[pam_yubico.c:pam_sm_authenticate(322)]  Token ID is: cutflcvihler
[pam_yubico.c:check_user_token(103)]  /home/vvv/.yubico/authorized_yubikeys file does not exists.
[pam_yubico.c:pam_sm_authenticate(344)] Invalid Token for user
[pam_yubico.c:pam_sm_authenticate(377)] done. [Error in service module]
pam_pass: function pam_authenticate FAILED for <vvv>. Reason: Authentication failure
  modcall[authenticate]: module "pam" returns reject for request 0
modcall: leaving group authenticate (returns reject) for request 0
auth: Failed to validate the user.
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 56 to 192.168.200.6 port 34691
Waking up in 3 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 56 with timestamp 48be81f0
Nothing to do.  Sleeping until we see a request.
rad_recv: Access-Request packet from host 192.168.200.6:34691, id=89, length=87
        User-Name = "vvv"
        User-Password = "catflcvihlerrfbhkidvgbguednnheffccdtrfbkabvf"
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 0
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
  modcall[authorize]: module "preprocess" returns ok for request 1
  modcall[authorize]: module "chap" returns noop for request 1
  modcall[authorize]: module "mschap" returns noop for request 1
    rlm_realm: No '@' in User-Name = "vvv", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 1
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 1
    users: Matched entry DEFAULT at line 141
  modcall[authorize]: module "files" returns ok for request 1
modcall: leaving group authorize (returns ok) for request 1
  rad_check_password:  Found Auth-Type PAM
auth: type "PAM"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 1
pam_pass: using pamauth string <radiusd> for pam.conf lookup
[pam_yubico.c:pam_sm_authenticate(217)] called.
[pam_yubico.c:pam_sm_authenticate(218)] flags 0 argc 2
[pam_yubico.c:pam_sm_authenticate(220)] argv[0]=id=237
[pam_yubico.c:pam_sm_authenticate(220)] argv[1]=debug
[pam_yubico.c:pam_sm_authenticate(221)] id=237
[pam_yubico.c:pam_sm_authenticate(222)] debug=1
[pam_yubico.c:pam_sm_authenticate(223)] alwaysok=0
[pam_yubico.c:pam_sm_authenticate(224)] authfile=(null)
[pam_yubico.c:pam_sm_authenticate(235)] get user returned: vvv
[pam_yubico.c:pam_sm_authenticate(245)] get password returned: (null)
[pam_yubico.c:pam_sm_authenticate(275)] conv returned: catflcvihlerrfbhkidvgbguednnheffccdtrfbkabvf
Segmentation fault


As you can see the last output is debug info from the pam_yubico module.

Any suggestions?

BTW I cannot find documentation on the authorized_yubikeys file. Where do i define the location of a central file and what is its structure?
Author:  Kurt [ Fri Sep 19, 2008 8:59 am ]
Post subject:  Re: radiusd segmentation fault with pam_yubico module on CentOS
Please refer the following wiki link which demonstrates the use of modified Yubico PAM module for two factor authentication support along with sample configuration and test cases:

http://code.google.com/p/yubico-pam/wik ... dSSHViaPAM

This wiki also provides structures of various files required for configuration of Yubico PAM module.
Author:  network-marvels [ Wed Nov 19, 2008 2:19 pm ]
Post subject:  Re: radiusd segmentation fault with pam_yubico module on CentOS
    Please refer below documentation for configuring FreeRADIUS with two factor authentication using YubiKey:

    • About this document:

    The purpose of this document is to guide readers through the configuration steps to enable two factor authentication using YubiKey and RADIUS server on Linux platform. This document assumes that the reader has advance knowledge and experience in Linux system administration, particularly how to configure PAM authentication mechanism on a Linux platform.

    Although this configuration guide focuses on configuration of radiusd demon for local authentication using the custom database (we have used /etc/passwd), radiusd can be configured easily to use centralized LDAP database for authentication or any popular directory service by configuring appropriate PAM modules in radiusd pam configuration file.

    • Prerequisites:

    Successful configuration of the Yubico PAM module to support two factor authentication for RADIUS requires following prerequisites:


    • Configuration:

    We assume that freeRADIUS is already installed on the server.

      A) Configuration of freeRADIUS server to support PAM authentication:

        1) Edit the radiusd configuration file “/etc/raddb/radiusd.conf” to make following changes:

          a) Change user and group to “root” to provide the root privileges to radiusd demon so that it can call and use pam modules for authentication. NOTE: Generally, it is not a good security practice to assign root privileges to a user for a demon. However, since use of PAM requires root privileges, this is a mandatory step here.

          b) In “authenticate” section uncomment pam to direct radiusd demon to use pam module for authentication

        2) Edit the client configuration file “/etc/raddb/clients.conf” to add sample client for testing

        3) Edit the user configuration file “/etc/raddb/users” to make following change:

        Change "DEFAULT Auth-Type = System" to "DEFAULT Auth-Type = pam" for using pam modules for user authentication

      B) Installation of pam_yubico module:

      Build instructions for pam_yubico are available in the README:

      http://code.google.com/p/yubico-c/sourc ... unk/README

      C) Configuration of pam_yubico module:

        a) Configuration for user and YubiKey PublicID mapping:
        There are two ways of user and YubiKey PublicID (token ID) mapping. It can be either done at administrative level or at individual user level.

          1) Administrative Level:

          In Administrative level, system administrators hold right to configure the user and YubiKey PublicID mapping. Administrators can achieve this by creating a new file that contains information about the username and the corresponding PublicIDs of YubiKey(s) assigned. This file contains user name that is allowed to connect to the system using RADIUS and the PublicID of the YubiKey(s) assigned to that particular user. A user can be assigned multiple YubiKeys and this multi key mapping is supported by this file. However, presently there is no logic coded to detect or prevent use of same YubiKey ID for multiple users.

          Each record in the file should begin on a new line. The parameters in each record are separated by “:” character similar to /etc/passwd.
          The contents of this file are as follows:

          <user name>:<YubiKey PublicID>:<YubiKey PublicID>: ….
          <user name>:<YubiKey PublicID >:<YubiKey PublicID>:…..

          e.g.:

          paul:indvnvlcbdre:ldvglinuddek simon:uturrufnjder:hjturefjtehv kurt:ertbhunjimko

          The mapping file must be created/updated manually before configuration of Yubico PAM module for RADIUS authentication.

          • Configuration of modified pam_yubico.so module at administrative level:

            Append the following line to the beginning of /etc/pam.d/radiusd file:
            auth required pam_yubico.so id=16 debug authfile=<absolute path of the mapping file>

            After the above configuration changes, whenever a user connects to the server using any RADIUS client, the PAM authentication interface will pass the control to Yubico PAM module. The Yubico PAM module first checks the presence of authfile argument in PAM configuration. If authfile argument is present, it parses the corresponding mapping file and verifies the username with corresponding YubiKey PublicID as configured in the mapping file. If valid, the Yubico PAM module extracts the OTP string and sends it to the Yubico authentication server or else it reports failure. If authfile argument is present but the mapping file is not present at the provided path PAM module reports failure. After successful verification of OTP Yubico PAM module from the Yubico authentication server, a success code is returned.

          2) User Level:

          Although, user level configuration of pam_yubico is possible, this might not be a desired configuration option in case of radisud demon in most enterprise.

      D) Configuration of selinux policy to create exception for radiusd demon:

      Local effective selinux policy must be updated to provide sufficient privileges to radiusd demon on system resources. Please follow the steps below to configure effective selinux policy for radiusd demon:

        1) Start the radiusd demon
        2) Test the RADIUS authentication with the test case provided in “Testing the configuration” section below
        3) As radiusd demon doesn’t have sufficient selinux privileges to access the system resources required for using pam modules, the RADIUS authentication will fail.
        4) This will create the logs in either “/var/log/messages” or in “/var/log/audit/audit.log” depending on the selinux configuration.
        5) We can use audit2allow utility to provide selinux privileges to radiusd by using following sequence of commands:
        # audit2allow -m local -l -i /var/log/messages > local.te
        # checkmodule -M -m -o local.mod local.te
        # semodule_package -o local.pp -m local.mod
        # semodule -i local.pp
        6) For more selinux policy updating information and explanation of above commands please visit the following website:
        http://fedora.redhat.com/docs/selinux-f ... #id2961385

    • Test Setup:

    Our test environment is as follows:

      a) Operating System: Fedora release 8 (Werewolf)
      b) FreeRADIUS Server : FreeRADIUS Version 1.1.7
      c) Yubico PAM: pam_yubico Version 1.8
      d) "/etc/pam.d/radiusd" file:

      auth required pam_yubico.so authfile=/etc/yubikeyid id=16 debug
      auth include system-auth
      account required pam_nologin.so
      account include system-auth
      password include system-auth
      session include system-auth

    • Testing the configuration:

    We have tested the pam_yubico configuration on following Linux sever platforms:

      1) Fedora 8:
        a) Operating system: Fedora release 8 (Werewolf)
        b) FreeRADIUS Server : FreeRADIUS Version 1.1.7
        c) Yubico PAM: pam_yubico Version 1.8

      2) Fedora 6:
        a) Operating system: Fedora Core release 6 (Zod)
        b) FreeRADIUS Server : FreeRADIUS Version 1.1.7
        c) Yubico PAM: pam_yubico Version 1.8

    To test the RADIUS two factor authentication with YubiKey, we can use “radtest” radius client. The command is as follows:

    # radtest <username> <passwd followed by YubiKey generated OTP> <radius-server>:<radius server port> <nas-port-number> <secret [ppphint] [nasname]>

    e.g.:

    # radtest test test123vrkvfefuitvflvgufcdlbjufkggukufkebeildbdkkjc 127.0.0.1 0 testing123

    • Note:

    The FreeRADIUS server version 1.1.3 seems to have problems regarding memory management and it may result in Segmentation Fault if configured with Yubico PAM module. We recommend using FreeRADIUS server version 1.1.7 or above.
    Page 1 of 1 All times are UTC + 1 hour
    Powered by phpBB® Forum Software © phpBB Group
    https://www.phpbb.com/