Yubico Forum

 Post subject: pam_yubico on 64 bit?
PostPosted: Sat Feb 07, 2009 5:36 am 

Joined: Mon Feb 02, 2009 4:12 pm
Posts: 9
I want to hopefully use yubikeys for SSH logins, among other miscellaneous things, so I immediately jumped at the pam_yubico code. At first, I was having no success at all, but further testing shows that my problem seems to be limited to 64 bit Linux distros. Is anyone else using this successfully on a 64 bit system?

Here's what I am seeing: Authentication succeeds, but immediately after that, whatever app is using pam segfaults. I've tried to get backtraces but not much luck yet. I'm still gathering more information but thought I'd throw this out there, in hopes I don't have to dig all the way down this rabbit hole.

Tested so far:

Fedora 9 32 bit: Works
Debian Lenny 32 bit: Works
Ubuntu 8.10 32 bit: Works
Ubuntu 8.10 64 bit: Fails (seg faults)
Centos 5.2 64 bit: Fails (seg faults)
Fedora 10 64 bit: Fails (seg faults)

Updated to include Fedora 10 64 bit testing results.


PostPosted: Sat Feb 07, 2009 3:03 pm 

Joined: Thu Feb 05, 2009 2:34 am
Posts: 4
We're seeing the exact same behaviour as you are describing on our Redhat Enterprise Linux 5.3 64 bit systems.

I will test RHEL5 32-bit early next week and judging by your table of results so far suspect it will succeed without seg faulting.

Hopefully we can sort this out soon.

Cheers

PostPosted: Sat Feb 07, 2009 7:56 pm 

Joined: Mon Feb 02, 2009 4:12 pm
Posts: 9
Here's a diff which I believe fixes the problem. I've tested it on Ubuntu 8.10 64 bit as well as Ubuntu 8.10 32 bit. Anyone else care to try it out?

Code:
Index: pam_yubico.c
===================================================================
--- pam_yubico.c   (revision 124)
+++ pam_yubico.c   (working copy)
@@ -397,7 +397,7 @@
     }
   if (debug)
     D (("done. [%s]", pam_strerror (pamh, retval)));
-  pam_set_data (pamh, "yubico_setcred_return", (void *) retval, NULL);
+  pam_set_data (pamh, "yubico_setcred_return", (void *) (uintptr_t)retval, NULL);
 
   return retval;
 }
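Review bot: the (void *)(uintptr_t)retval cast on the pam_set_data line is only half of the fix; whatever later reads "yubico_setcred_return" back through pam_get_data must receive it into a uintptr_t, not an int, and convert it back, otherwise on LP64 the 8-byte pointer written by pam_get_data overruns a 4-byte int, which matches the 64-bit-only crash reported in this thread. Consider instead heap-allocating the int and passing a cleanup function as the fourth argument of pam_set_data (currently NULL), which stores a real pointer and needs no casts on either side.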
@@ -406,7 +406,7 @@
 pam_sm_setcred (pam_handle_t * pamh, int flags, int argc, const char **argv)
 {
   int retval;
-  int auth_retval;
+  uintptr_t auth_retval;
 
   D (("called."));
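Review bot: declaring auth_retval as uintptr_t in pam_sm_setcred matches the store in the previous hunk, but wherever the value is later compared with PAM_* codes or returned as the function result it should be converted back explicitly, e.g. `retval = (int) auth_retval;`, so the int/uintptr_t mix neither draws signed/unsigned comparison warnings nor truncates silently; a one-line comment on the declaration saying that the value round-trips through pam_set_data/pam_get_data as a pointer would spare the next reader the same 64-bit hunt.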

PostPosted: Sun Feb 08, 2009 2:32 pm 

Joined: Thu Feb 05, 2009 2:34 am
Posts: 4
Hi cmoates,

I tried your patch on RHEL5 64 bit and it worked.

Much appreciated.

Cheers
Lucien

PostPosted: Tue Feb 17, 2009 8:49 pm 

Joined: Wed Feb 04, 2009 2:08 am
Posts: 16
What version of pam_yubico were you using? I just tried your changes on version 1.11 and I still got a segfault. I am wondering if the new version needs some more updates. It was also late last night when I tried it. I'll give it another shot when I am home, but I think the issue is still there, at least with version 1.11.

richard

PostPosted: Tue Feb 17, 2009 11:14 pm 

Joined: Mon Feb 02, 2009 4:12 pm
Posts: 9
I've not had as much time as I'd like to work on this (it's my busy season at work) but we built RPMs for several Fedora and CentOS distros, and while testing the other night on Fedora 10, x86_64, we found that, without my patches, it would seg fault.

HOWEVER, if we changed "ChallengeResponseAuthentication" in /etc/ssh/sshd_config to "yes", then it would work. We didn't test this extensively, but we did determine that it was contributing to the problem. Note that the current instructions explicitly tell you to set this to "no" and so I'm not sure what other ill effects might come from this.

In 1.11, there was a bunch of code added, and so I'm not surprised that there might be a new issue. I hope to work on this more soon, but it might be several weeks before my schedule clears up enough to really dig in.

Many thanks to my friend Todd Zullinger, who has contributed a significant amount of effort to helping me, in spite of the fact that he doesn't own a Yubikey. (I'm gonna owe him one though!)

PostPosted: Wed Feb 18, 2009 5:04 pm 
Yubico Team

Joined: Wed Oct 01, 2008 8:11 am
Posts: 210
Due to time constraints, we were not able to include the changes suggested by cmoates in the new PAM module version 1.11. We will include them in the next release of the PAM module.

Meanwhile, we have tested the Yubico PAM configuration on the following 64 bit test environment with the code changes suggested by cmoates, and it worked fine:
Code:
1) OS Version: Debian GNU/Linux 5.0.0 _Lenny_ - Official amd64
2) Kernel Version: Linux Kernel version 2.6.26-1-amd64
3) OpenSSH Version: OpenSSH_5.1p1 Debian-5
4) Yubico PAM Version: pam_yubico-1.11
5) "/etc/pam.d/sshd":
# PAM configuration for the Secure Shell service
# Administrative Level

auth required pam_yubico.so authfile=/etc/yubikeyid id=16 debug

# Read environment variables from /etc/environment and
# /etc/security/pam_env.conf.
auth       required     pam_env.so # [1]
# In Debian 4.0 (etch), locale-related environment variables were moved to
# /etc/default/locale, so read that as well.
auth       required     pam_env.so envfile=/etc/default/locale

# Standard Un*x authentication.
@include common-auth

# Disallow non-root logins when /etc/nologin exists.
account    required     pam_nologin.so

# Uncomment and edit /etc/security/access.conf if you need to set complex
# access limits that are hard to express in sshd_config.
# account  required     pam_access.so

# Standard Un*x authorization.
@include common-account

# Standard Un*x session setup and teardown.
@include common-session

# Print the message of the day upon successful login.
session    optional     pam_motd.so # [1]

# Print the status of the user's mailbox upon successful login.
session    optional     pam_mail.so standard noenv # [1]

# Set up user limits from /etc/security/limits.conf.
session    required     pam_limits.so

# Set up SELinux capabilities (need modified pam)
# session  required     pam_selinux.so multiple

# Standard Un*x password updating.
@include common-password

6) "/etc/ssh/sshd_config" settings:

ChallengeResponseAuthentication no
PasswordAuthentication yes

PostPosted: Fri Feb 20, 2009 1:18 pm 

Joined: Wed Feb 04, 2009 2:08 am
Posts: 16
Ok, I made another attempt at getting the pam plugin to work with Ubuntu 8.04 64 bit. By using the above patch I was able to get farther this time but came across another issue. If I attempted to login with a user with an associated yubikey ID it would work correctly. I would enter my password, then press my yubikey button and the ssh session would begin. I then tried to login with a user that doesn't have an associated yubikey ID. After entering the user's password, I would experience a segfault on the server side. I haven't had time to debug this further, but perhaps there are a few more areas in the code that need to get massaged for 64 bit compatibility. As I collect more information I will post updates.

- pam_yubico v1.11 with the above two line modifications.
- /etc/pam.d/sshd file is configured to match the above listing
- /etc/ssh/sshd_config has the two options in the above listing
- Using system wide yubikey id file in /etc

richard

PostPosted: Fri Feb 20, 2009 9:01 pm 

Joined: Mon Feb 02, 2009 4:12 pm
Posts: 9
I've not run across the scenario you describe, but I've done very limited testing on Ubuntu. I'll add that to my test plans.

PostPosted: Tue Mar 10, 2009 3:38 pm 

Joined: Wed Feb 04, 2009 2:08 am
Posts: 16
I found some time to browse through the source and found that the issue I describe above is not 64-bit related. This code makes the assumption that all users have a yubikey ID associated with their accounts. Additionally, it never checks to see if the user has an associated ID or that the length of the entered password is long enough to contain an OTP before it splits it up into pieces. In my scenario, a user without a yubikey enters their password and the pam module attempts to split it into the base password and OTP pieces. Since the password is less than 44 chars the code attempts to strncpy from an invalid memory location.

We should add some sanity checks to the code to make sure the given password is greater than 44 chars before attempting to parse it and also check to see if the user has an associated yubikey ID before verifying against it. This would also lead to a decision of how to handle accounts without a yubikey ID. Do they succeed or fail? We may need another top level option 'require_yubikey' or something to specify how to handle that case. Not sure how much time I'll have but if I can get a patch together I'll post it.

_________________
richard
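The two sanity checks richard proposes, written out as stand-alone C functions. This is an added example, not pam_yubico's code: the authfile contents are constructed, and the require_yubikey option is the hypothetical one suggested in the post.

```c
#include <stddef.h>
#include <string.h>
#define OTP_LEN 44 /* a YubiKey OTP is 44 modhex characters */

enum split_result { SPLIT_OK, SPLIT_TOO_SHORT, SPLIT_NO_ROOM };

/* Split "<password><OTP>" into its two parts. The length check comes first:
 * with a token shorter than an OTP, token + len - OTP_LEN points before the
 * buffer, which is the invalid strncpy source described in the post. */
enum split_result split_password_otp(const char *token, char *pw, size_t pw_cap,
                                     char *otp, size_t otp_cap)
{
    size_t len = token ? strlen(token) : 0;
    if (len <= OTP_LEN)                  /* need a non-empty password plus an OTP */
        return SPLIT_TOO_SHORT;
    size_t pw_len = len - OTP_LEN;
    if (pw_len + 1 > pw_cap || otp_cap < OTP_LEN + 1)
        return SPLIT_NO_ROOM;
    memcpy(pw, token, pw_len);
    pw[pw_len] = '\0';
    memcpy(otp, token + pw_len, OTP_LEN);
    otp[OTP_LEN] = '\0';
    return SPLIT_OK;
}

/* Constructed stand-in for the authfile= mapping ("user:yubikey_id" lines). */
static const char AUTHFILE[] = "alice:cccccccbchvt\nbob:ccccccbcgujh\n";

/* Return 1 when user has a non-empty id entry in authfile, 0 otherwise. */
int user_has_yubikey_id(const char *authfile, const char *user)
{
    size_t ulen = strlen(user);
    for (const char *line = authfile; *line; ) {
        const char *nl = strchr(line, '\n');
        size_t llen = nl ? (size_t)(nl - line) : strlen(line);
        /* whole-name match: "user:" at line start, at least one id char after */
        if (llen > ulen + 1 && line[ulen] == ':' && memcmp(line, user, ulen) == 0)
            return 1;
        line = nl ? nl + 1 : line + llen;
    }
    return 0;
}

enum auth_decision { AUTH_CHECK_OTP, AUTH_SKIP, AUTH_DENY };

/* Hypothetical require_yubikey policy, decided before the token is parsed. */
enum auth_decision decide_user(const char *user, int require_yubikey)
{
    if (user_has_yubikey_id(AUTHFILE, user))
        return AUTH_CHECK_OTP;
    return require_yubikey ? AUTH_DENY : AUTH_SKIP;
}
```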
