Bug 1029817

Summary: pam_access.so in pam.d files using --enablepamaccess
Product: Red Hat Enterprise Linux 6
Reporter: guillard <orglube>
Component: pam
Assignee: Tomas Mraz <tmraz>
Status: CLOSED ERRATA
QA Contact: David Spurek <dspurek>
Severity: low
Priority: medium
Version: 6.6
CC: dapospis, dspurek, ebenes, ksrot, orglube, tmraz
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Fixed In Version: pam-1.1.1-18.el6
Doc Type: Bug Fix
Doc Text: no docs needed
Story Points: ---
Last Closed: 2014-10-14 08:10:01 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Description guillard 2013-11-13 09:57:32 UTC
Description of problem:

I use authconfig to configure redhat6 and redhat5 servers for authentication.

I use --enablepamaccess to tune access for users

Once configured as such, I have no problem for users in ldap (sssd), but the login process freezes when I try to log in as a local user on the console.

After a while (about three minutes) I get a shell, if I'm allowed to with regard to the access.conf rules.

After investigation, the problem seems to be due to the fact that the pam_access module in the pam files, line:

"account required pam_access.so"

is called before pam has identified whether the user is local or not, lines:

"account required pam_unix.so"
"account sufficient pam_localuser.so"

(my understanding is that pam has a problem trying to evaluate access.conf without knowing the user id).

If I move this line:

"account required pam_access.so"

after:
"account required pam_unix.so"
"account sufficient pam_localuser.so"

then the freeze problem disappears (but access.conf is not taken into account for local users anymore).

I'm not sure what would be the right patch to that issue.

How reproducible:


Steps to Reproduce:
1. launch authconfig --enableshadow --enablelocauthorize --enablepamaccess --updateall
2. add rules for local users on the console in /etc/security/access.conf

Actual results:

login process freezes before granting access

Expected results:

login process shouldn't freeze

Additional info:

Comment 2 Tomas Mraz 2013-11-13 10:33:54 UTC
The configuration is correct. It is not true that pam_access would not know the uid in such configuration, the bug must be elsewhere.

If you disable ldap with authconfig --disableldap --update, does the local user login still hang?

How many users and groups are in the ldap server?

Comment 3 guillard 2013-11-13 11:31:39 UTC
Yes, I have the same problem when ldap is disabled (BTW, I have launched authconfig with --disableeverything except --enableshadow --enablelocauthorize --enablepamaccess). See below my nsswitch.conf.

But I forgot to say that the problem only occurs when I try to log in as a local user on the console AND the network is not reachable (no problem otherwise).

Local login freezes with the following nsswitch.conf, and tcpdump doesn't show anything when I try to log in:

===============================

passwd:     files
shadow:     files
group:      files

#hosts:     db files nisplus nis dns                                            
hosts:      files dns

# Example - obey only what nisplus tells us...                                  
#services:   nisplus [NOTFOUND=return] files                                    
#networks:   nisplus [NOTFOUND=return] files                                    
#protocols:  nisplus [NOTFOUND=return] files                                    
#rpc:        nisplus [NOTFOUND=return] files                                    
#ethers:     nisplus [NOTFOUND=return] files                                    
#netmasks:   nisplus [NOTFOUND=return] files                                    

bootparams: nisplus [NOTFOUND=return] files

ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files

netgroup:   files

publickey:  nisplus

automount:  files
aliases:    files nisplus

sudoers:   file

=========================


The problem disappears when the network is reachable, or if I move "account required pam_access.so" in the system-auth-ac file as I described above.

Comment 4 guillard 2013-11-13 11:36:57 UTC
Read :
=====

> But I missed to say that the problem only occur when I try to log as a local user ON the console AND the network is not reachable (no problem otherwise).

Comment 5 Tomas Mraz 2013-11-13 12:22:55 UTC
Then the much more probable culprit is DNS timeouts in pam_access. What is in your /etc/security/access.conf? There were some optimizations added to pam_access in later Linux-PAM upstream releases.

Comment 6 guillard 2013-11-13 13:35:54 UTC
Thank you for looking at this Tomas.

As I said, I tried tcpdump to capture packets, and have not seen
any network request issued by the machine during the login process.

Maybe the machine is waiting for something?


Here is my access.conf:

+:root:10.x.x.x/16 10.x.x.x/16 10.x.x.x/16
+:root:2001:xxx:xxx::/47
+:root:LOCAL

# ####           'wheel' is a local group          ###### #
# ####          members may log on the console     ###### #

+:(wheel):10.x.x.x/16 10.x.x.x/16 10.x.x.x/16
+:(wheel):2001:xxx:xxx::/47
+:(wheel):LOCAL

# ####           'reseau' is an LDAP group         ###### #
# ####          members may log on the console     ###### #

+:(reseau):LOCAL

# ####    members of some other ldap groups are    ###### #
# #### authorised to log in from internal networks ###### #


+:(reseau) (tech):10.x.x.x/16 10.x.x.x/16 10.x.x.x/16
+:(reseau)(tech):2001:xxx:xxx::/47

Comment 7 Tomas Mraz 2013-11-13 15:11:39 UTC
Maybe you made some mistake in the tcpdump invocation. I don't know. I am sorry I can only point you at official Red Hat support channels for further investigation and resolution of your issue.

http://www.redhat.com/support/

Comment 8 guillard 2013-11-14 11:32:10 UTC
Hi Tomas,

To let you know, I found a fix.

I have changed this in access.conf:

+:root:10.x.x.x/16 10.x.x.x/16 10.x.x.x/16
+:root:2001:xxx:xxx::/47
+:root:LOCAL

to this:

+:root:LOCAL
+:root:10.x.x.x/16 10.x.x.x/16 10.x.x.x/16
+:root:2001:xxx:xxx::/47


The issue is then related to the way pam_access parses the file, and also to something that is still not clear, related to the two (matching) rules that reference IP blocks (the machine itself is located in one of the authorised blocks, but this shouldn't block the login process for three minutes IMHO).

I will report the debug trace I get to the pam_access devs.

Thanks for your help.

Comment 9 guillard 2013-11-14 11:44:13 UTC
Just in case this is of interest here, here is a pam_access debug trace with the first version of access.conf.

My understanding is that since the machine is itself in an authorized block, pam_access is waiting for something: tcpdump doesn't say what.

Nov 14 12:18:29 gaia02 login: pam_access(login:account): login_access: user=root, from=tty4, file=/etc/security/access.conf
Nov 14 12:18:29 gaia02 login: pam_access(login:account): line 126: + : root : 10.x.x.x/16 10.x.x.x/16 10.x.x.x/16
Nov 14 12:18:29 gaia02 login: pam_access(login:account): list_match: list=root, item=root
Nov 14 12:18:29 gaia02 login: pam_access(login:account): user_match: tok=root, item=root
Nov 14 12:18:29 gaia02 login: pam_access(login:account): string_match: tok=root, item=root
Nov 14 12:18:29 gaia02 login: pam_access(login:account): user_match=1, "root"
Nov 14 12:18:29 gaia02 login: pam_access(login:account): list_match: list=10.x.x.x/16 10.x.x.x/16 10.x.x.x/16, item=root
Nov 14 12:18:29 gaia02 login: pam_access(login:account): from_match: tok=10.x.x.x/16, item=tty4
Nov 14 12:18:29 gaia02 login: pam_access(login:account): string_match: tok=10.x.x.x/16, item=tty4
Nov 14 12:18:29 gaia02 login: pam_access(login:account): network_netmask_match: tok=10.x.x.x/16, item=tty4
Nov 14 12:18:49 gaia02 login: pam_access(login:account): from_match: tok=10.x.x.x/16, item=tty4
Nov 14 12:18:49 gaia02 login: pam_access(login:account): string_match: tok=10.x.x.x/16, item=tty4
Nov 14 12:18:49 gaia02 login: pam_access(login:account): network_netmask_match: tok=10.x.x.x/16, item=tty4
Nov 14 12:19:09 gaia02 login: pam_access(login:account): from_match: tok=10.x.x.x/16, item=tty4
Nov 14 12:19:09 gaia02 login: pam_access(login:account): string_match: tok=10.x.x.x/16, item=tty4
Nov 14 12:19:09 gaia02 login: pam_access(login:account): network_netmask_match: tok=10.x.x.x/16, item=tty4
Nov 14 12:19:29 gaia02 login: pam_access(login:account): from_match=0, "tty4"
Nov 14 12:19:29 gaia02 login: pam_access(login:account): line 127: + : root : 2001:xxx:xxx::/47
Nov 14 12:19:29 gaia02 login: pam_access(login:account): list_match: list=root, item=root
Nov 14 12:19:29 gaia02 login: pam_access(login:account): user_match: tok=root, item=root
Nov 14 12:19:29 gaia02 login: pam_access(login:account): string_match: tok=root, item=root
Nov 14 12:19:29 gaia02 login: pam_access(login:account): user_match=1, "root"
Nov 14 12:19:29 gaia02 login: pam_access(login:account): list_match: list=2001:xxx:xxx::/47, item=root
Nov 14 12:19:29 gaia02 login: pam_access(login:account): from_match: tok=2001:xxx:xxx::/47, item=tty4
Nov 14 12:19:29 gaia02 login: pam_access(login:account): string_match: tok=2001:xxx:xxx::/47, item=tty4
Nov 14 12:19:29 gaia02 login: pam_access(login:account): network_netmask_match: tok=2001:xxx:xxx::/47, item=tty4
Nov 14 12:19:49 gaia02 login: pam_access(login:account): from_match=0, "tty4"
Nov 14 12:19:49 gaia02 login: pam_access(login:account): line 128: + : root : LOCAL
Nov 14 12:19:49 gaia02 login: pam_access(login:account): list_match: list=root, item=root
Nov 14 12:19:49 gaia02 login: pam_access(login:account): user_match: tok=root, item=root
Nov 14 12:19:49 gaia02 login: pam_access(login:account): string_match: tok=root, item=root
Nov 14 12:19:49 gaia02 login: pam_access(login:account): user_match=1, "root"
Nov 14 12:19:49 gaia02 login: pam_access(login:account): list_match: list=LOCAL, item=root
Nov 14 12:19:49 gaia02 login: pam_access(login:account): from_match: tok=LOCAL, item=tty4
Nov 14 12:19:49 gaia02 login: pam_access(login:account): string_match: tok=LOCAL, item=tty4
Nov 14 12:19:49 gaia02 login: pam_access(login:account): from_match=1, "tty4"
Nov 14 12:19:49 gaia02 login: pam_unix(login:session): session opened for user root by LOGIN(uid=0)
Nov 14 12:19:49 gaia02 login: ROOT LOGIN ON tty4
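
The trace above shows why the rule order in comment 8 matters: pam_access evaluates access.conf top to bottom and stops at the first matching rule, and every network token it tries against the console origin "tty4" before reaching the LOCAL rule ends in an address lookup that has to time out without a network. The following simulation is an added example, not code from Linux-PAM or from this report; it implements a simplified first-match evaluator with a stand-in resolver that records each lookup the real module would issue. The access.conf samples and the address ranges in them are constructed (documentation ranges, not the reporter's networks), and the "no dot means local" heuristic for LOCAL is an assumption about the older module's behaviour.

```python
"""Simulation of pam_access first-match evaluation over /etc/security/access.conf.

Added example, not Linux-PAM code. Each network token that precedes the LOCAL
rule forces a lookup of the origin string ("tty4"); without a network every
such lookup blocks until it times out, which is the delay seen in the trace.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class Rule:
    permission: str   # '+' grants, '-' denies
    users: list       # user names, '(group)' entries or ALL
    origins: list     # LOCAL, ALL, CIDR blocks or host names


def parse_access_conf(text):
    """Parse 'permission : users : origins' lines; '#' starts a comment."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        # maxsplit=2 keeps the colons of an IPv6 prefix inside the origin field
        perm, users, origins = (f.strip() for f in line.split(":", 2))
        rules.append(Rule(perm, users.split(), origins.split()))
    return rules


class UnreachableResolver:
    """Stand-in for getaddrinfo() on a host with no network: records every
    lookup that would be attempted and resolves nothing."""

    def __init__(self):
        self.attempts = []

    def resolve(self, name):
        self.attempts.append(name)
        return []


def user_matches(token, user, groups):
    if token == "ALL":
        return True
    if token.startswith("(") and token.endswith(")"):
        return token[1:-1] in groups
    return token == user


def origin_matches(token, origin, resolver):
    """Simplified from_match(): a console origin is a tty name such as 'tty4'."""
    if token == "ALL":
        return True
    if token == "LOCAL":
        # assumed heuristic of the older module: an origin without a dot is local
        return "." not in origin
    if "/" in token:
        network = ipaddress.ip_network(token, strict=False)
        try:
            return ipaddress.ip_address(origin) in network
        except ValueError:
            # not an address literal, so the module resolves it; this is the
            # call that blocks until timeout when the network is unreachable
            return any(ipaddress.ip_address(a) in network
                       for a in resolver.resolve(origin))
    return token == origin


def evaluate(rules, user, groups, origin, resolver):
    """First matching rule decides; with no match pam_access grants access."""
    for rule in rules:
        if any(user_matches(u, user, groups) for u in rule.users) and \
           any(origin_matches(o, origin, resolver) for o in rule.origins):
            return rule.permission == "+"
    return True


def lookups_for_console_login(conf_text, user="root", groups=(), origin="tty4"):
    """Return (granted, number of blocking lookups) for a console login."""
    resolver = UnreachableResolver()
    granted = evaluate(parse_access_conf(conf_text), user, groups, origin, resolver)
    return granted, len(resolver.attempts)


# Constructed sample configs; the addresses are documentation ranges.
NETWORK_RULES_FIRST = """\
+:root:10.0.0.0/16 10.1.0.0/16 10.2.0.0/16
+:root:2001:db8::/47
+:root:LOCAL
"""
LOCAL_RULE_FIRST = """\
+:root:LOCAL
+:root:10.0.0.0/16 10.1.0.0/16 10.2.0.0/16
+:root:2001:db8::/47
"""

if __name__ == "__main__":
    print("network rules first:", lookups_for_console_login(NETWORK_RULES_FIRST))
    print("LOCAL rule first:   ", lookups_for_console_login(LOCAL_RULE_FIRST))
```

With the network rules first, the console login is granted only after four lookups of "tty4" (three IPv4 blocks plus one IPv6 block), which lines up with the four 20-second gaps in the trace before "line 128: + : root : LOCAL" matches; with the LOCAL rule first, the same login is granted with no lookup at all. Checking where a site's LOCAL rules sit relative to network rules is therefore a cheap way to spot console logins that will hang when name resolution is unavailable.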

Comment 10 Tomas Mraz 2013-11-14 13:33:16 UTC
As I said above, it is really about repeated getaddrinfo calls timing out, and it was fixed or at least improved in the more recent upstream releases of Linux-PAM.
We could backport the changes if pam gets on the list of packages for the next update release.

Comment 17 errata-xmlrpc 2014-10-14 08:10:01 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2014-1579.html