Bug 1279591
| Summary: | Users with OTP authentication fail to authenticate | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Jan Pazdziora <jpazdziora> |
| Component: | mod_authnz_pam | Assignee: | Jan Pazdziora <jpazdziora> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Namita Soman <nsoman> |
| Severity: | high | Docs Contact: | |
| Priority: | high | | |
| Version: | 7.2 | CC: | jkurik, jpazdziora, ksiddiqu, lmiksik, spoore |
| Target Milestone: | rc | Keywords: | Regression, ZStream |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | mod_authnz_pam-0.9.3-5.el7_2 | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | | |
| | 1283521 (view as bug list) | Environment: | |
| Last Closed: | 2017-11-07 08:30:50 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | | | |
| Bug Blocks: | 1283521 | | |
Description
Jan Pazdziora
2015-11-09 20:04:50 UTC
The failure is caused by the fact that mod_authnz_pam puts the password values to all responses that have msg_style == PAM_PROMPT_ECHO_OFF. In RHEL 7.1, pam_sss.so only did one prompt. In RHEL 7.2, there are two prompts, and we effectively put the password with code in twice. A patch fixing the issue is: diff --git a/mod_authnz_pam.c b/mod_authnz_pam.c index 968b567..87d3150 100644 --- a/mod_authnz_pam.c +++ b/mod_authnz_pam.c 
@@ -61,7 +61,11 @@ static int pam_authenticate_conv(int num_msg, const struct pam_message ** msg, s response[i].resp = 0; response[i].resp_retcode = 0; if (msg[i]->msg_style == PAM_PROMPT_ECHO_OFF) { - response[i].resp = strdup(appdata_ptr); + if (i == 0) { + response[i].resp = strdup(appdata_ptr); + } else { + response[i].resp = NULL; + } } else { free(response); return PAM_CONV_ERR;

Fixed in upstream: 7ec37ea9371a7282b7266667277c7d6d6660c3ec.

(In reply to Jan Pazdziora from comment #4)
> Fixed in upstream: 7ec37ea9371a7282b7266667277c7d6d6660c3ec.

Oops, 6de21466287c3e77850ab1d66f076405971ba4f3.

Upstream release 1.0.1 done.

Fedora updates created: https://bodhi.fedoraproject.org/updates/mod_authnz_pam-1.0.1-3.fc22 and https://bodhi.fedoraproject.org/updates/mod_authnz_pam-1.0.1-3.fc23

Verified.

Version :: mod_authnz_pam-0.9.3-5.el7_2.x86_64

Results ::

################ Setup WebServer ########################
[root@rhel7-2 ~]# mkdir /var/www/html/app1
[root@rhel7-2 ~]# echo "PASS" > /var/www/html/app1/index.html
[root@rhel7-2 ~]# cat > /etc/httpd/conf.d/app1.conf <<EOF
> LoadModule authnz_pam_module modules/mod_authnz_pam.so
> <Location /app1>
> AuthType Basic
> AuthName "private area"
> AuthBasicProvider PAM
> AuthPAMService app1
> Require valid-user
> ErrorDocument 401 'FAIL'
> </Location>
> EOF
[root@rhel7-2 ~]# cat > /etc/pam.d/app1 <<EOF
> auth required pam_sss.so
> account required pam_sss.so
> EOF
[root@rhel7-2 ~]# setsebool -P allow_httpd_mod_auth_pam 1
[root@rhel7-2 ~]# echo Secret123|kinit admin
Password for admin:
[root@rhel7-2 ~]# ipa service-add HTTP/$(hostname)
----------------------------------------------------
Added service "HTTP/rhel7-2.example.com"
----------------------------------------------------
  Principal name: HTTP/rhel7-2.example.com
  Principal alias: HTTP/rhel7-2.example.com
  Managed by: rhel7-2.example.com
[root@rhel7-2 ~]# ipa-getcert request -f /etc/pki/tls/certs/server.pem \
> -k /etc/pki/tls/private/server.key \
> -K HTTP/$(hostname)
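Review bot: the `+ if (i == 0) {` rule in the hunk encodes an assumption that should be stated in a comment in `pam_authenticate_conv`: only the first PAM_PROMPT_ECHO_OFF message of a conversation call receives the Basic-auth credential, and every later ECHO_OFF prompt (the second prompt pam_sss issues on RHEL 7.2) is answered with no data, which is what lets the combined password+OTP string in the first answer work. A reader cannot infer that from the code; a one-line comment above the `if` saying that later ECHO_OFF prompts are deliberately left unanswered would do. Two smaller points in the same hunk: the added `+ } else { + response[i].resp = NULL; + }` is redundant, since `response[i].resp = 0;` is already set for every message two lines above, so the `else` branch can be dropped; and the unchanged error path `free(response); return PAM_CONV_ERR;` still leaks the string `strdup`'d for message 0 when a later message is not ECHO_OFF (pre-existing, but this hunk is the place to free it before returning). The `strdup` return value is also still unchecked, so an allocation failure silently turns into an empty answer rather than PAM_CONV_ERR.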
New signing request "20160726200450" added.
[root@rhel7-2 ~]# ipa-getkeytab -s rhel7-1.example.com -k /etc/http.keytab -p HTTP/$(hostname)
Keytab successfully retrieved and stored in: /etc/http.keytab
[root@rhel7-2 ~]# sed -i 's!^\(SSLCertificateFile\).*$!\1 /etc/pki/tls/certs/server.pem!' /etc/httpd/conf.d/ssl.conf
[root@rhel7-2 ~]# sed -i 's!^\(SSLCertificateKeyFile\).*$!\1 /etc/pki/tls/private/server.key!' /etc/httpd/conf.d/ssl.conf
[root@rhel7-2 ~]# sed -i '/#SSLCACertificateFile/ a SSLCACertificateFile /etc/ipa/ca.crt' /etc/httpd/conf.d/ssl.conf
[root@rhel7-2 ~]# systemctl restart httpd
################ Setup User ########################
[root@rhel7-2 ~]# echo test|ipa user-add bob --first=bob --last=belcher --password
----------------
Added user "bob"
----------------
  User login: bob
  First name: bob
  Last name: belcher
  Full name: bob belcher
  Display name: bob belcher
  Initials: bb
  Home directory: /home/bob
  GECOS: bob belcher
  Login shell: /bin/sh
  Principal name: bob
  Principal alias: bob
  Email address: bob
  UID: 973200001
  GID: 973200001
  Password: True
  Member of groups: ipausers
  Kerberos keys available: True
[root@rhel7-2 ~]# echo -e "test\nSecret123\nSecret123\n" | kinit bob
Password for bob:
Password expired. You must change it now.
Enter new password:
Enter it again:
[root@rhel7-2 ~]# kdestroy -A
[root@rhel7-2 ~]# echo Secret123|kinit admin
Password for admin:
[root@rhel7-2 ~]# ipa user-mod bob --user-auth-type=otp
-------------------
Modified user "bob"
-------------------
  User login: bob
  First name: bob
  Last name: belcher
  Home directory: /home/bob
  Login shell: /bin/sh
  Principal name: bob
  Principal alias: bob
  Email address: bob
  UID: 973200001
  GID: 973200001
  User authentication types: otp
  Account disabled: False
  Password: True
  Member of groups: ipausers
  Kerberos keys available: True
[root@rhel7-2 ~]# ipa otptoken-add --type=totp --owner=bob bobs_token
ipa: WARNING: QR code width is greater than that of the output tty. Please resize your terminal.
----------------------------
Added OTP token "bobs_token"
----------------------------
  Unique ID: bobs_token
  Type: TOTP
  Owner: bob
  Key: gKrUt0+ZfhhuGHmjpBRVNOVkYmU=
  Algorithm: sha1
  Digits: 6
  Clock offset: 0
  Clock interval: 30
  URI: otpauth://totp/bob:bobs_token?digits=6&secret=QCVNJN2PTF7BQ3QYPGR2IFCVGTSWIYTF&period=30&algorithm=SHA1&issuer=bob%40EXAMPLE.COM
  ....qrcode....
# get token code from FreeOTP using qrcode to setup token on phone
[root@rhel7-2 ~]# curl -u bob:Secret123 https://$(hostname)/app1/index.html
FAIL
[root@rhel7-2 ~]# curl -u bob:Secret123590194 https://$(hostname)/app1/index.html
PASS

Can this bugzilla be CLOSED? It was shipped in 7.2.z and there is a newer version in 7.4.0 which contains the fix ...
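The following is an added example, not code from mod_authnz_pam or from the reporter: a stand-alone model of the PAM conversation function this bug is about, in both the 0.9.3 form (every PAM_PROMPT_ECHO_OFF prompt gets the Basic-auth credential) and the fixed form (only the first one does), driven by constructed prompt lists that mimic pam_sss on RHEL 7.1 (one prompt) and on RHEL 7.2 with an OTP user (password prompt followed by a second-factor prompt). It does not link against libpam; the struct and constant definitions mirror Linux-PAM's <security/pam_appl.h> so the file builds on its own. The prompt texts, the credential string and the function names `pam_conv_0_9_3`, `pam_conv_fixed`, `credential_copies_sent` and `echo_on_prompt_result` are assumptions made for the example. It goes one step beyond the hunk above in that the error path frees any answer already allocated for an earlier message, and a failed allocation fails the conversation instead of producing an empty answer.

```c
/* Added example: model of the mod_authnz_pam conversation function, before
 * and after the fix. Not the module's code; libpam is not linked, the
 * definitions below mirror <security/pam_appl.h> (same names and values). */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PAM_SUCCESS         0
#define PAM_CONV_ERR        19
#define PAM_PROMPT_ECHO_OFF 1
#define PAM_PROMPT_ECHO_ON  2
#define PAM_ERROR_MSG       3
#define PAM_TEXT_INFO       4

struct pam_message  { int msg_style; const char *msg; };
struct pam_response { char *resp; int resp_retcode; };

/* Portable strdup, so no POSIX feature macro is needed. */
static char *dup_string(const char *s) {
    size_t n = strlen(s) + 1;
    char *d = malloc(n);
    if (d) memcpy(d, s, n);
    return d;
}

/* Release a response array together with the answers it owns. */
static void free_responses(struct pam_response *r, int n) {
    int i;
    if (!r) return;
    for (i = 0; i < n; i++) free(r[i].resp);
    free(r);
}

/* appdata_ptr is the Basic-auth password httpd handed to the module (for an
 * OTP user: password immediately followed by the token code). answer_all != 0
 * reproduces 0.9.3: every ECHO_OFF prompt gets that string, which is what
 * broke the two-prompt pam_sss on RHEL 7.2. answer_all == 0 reproduces the
 * fix: only message 0 gets it, later ECHO_OFF prompts get an empty answer.
 * A prompt that needs echoed input or a displayed message cannot be served
 * from a Basic-auth header, so it fails the conversation, as the module does. */
static int conv_impl(int num_msg, const struct pam_message **msg,
                     struct pam_response **resp, void *appdata_ptr, int answer_all) {
    struct pam_response *response;
    int i;

    if (num_msg <= 0 || appdata_ptr == NULL) return PAM_CONV_ERR;
    response = calloc((size_t)num_msg, sizeof(*response));
    if (response == NULL) return PAM_CONV_ERR;

    for (i = 0; i < num_msg; i++) {
        if (msg[i]->msg_style != PAM_PROMPT_ECHO_OFF) {
            free_responses(response, i);      /* added: do not leak earlier answers */
            return PAM_CONV_ERR;
        }
        if (answer_all || i == 0) {
            response[i].resp = dup_string((const char *)appdata_ptr);
            if (response[i].resp == NULL) {   /* added: allocation failure is an error */
                free_responses(response, i);
                return PAM_CONV_ERR;
            }
        }
        /* otherwise resp stays NULL from calloc: the prompt gets no answer */
    }
    *resp = response;
    return PAM_SUCCESS;
}

int pam_conv_0_9_3(int num_msg, const struct pam_message **msg,
                   struct pam_response **resp, void *appdata_ptr) {
    return conv_impl(num_msg, msg, resp, appdata_ptr, 1);
}

int pam_conv_fixed(int num_msg, const struct pam_message **msg,
                   struct pam_response **resp, void *appdata_ptr) {
    return conv_impl(num_msg, msg, resp, appdata_ptr, 0);
}

/* Drive one variant with constructed prompts: nprompts 1 mimics pam_sss on
 * RHEL 7.1, 2 mimics the password + second-factor prompts of RHEL 7.2.
 * Returns how many prompts received the credential, -1 if the conversation failed. */
int credential_copies_sent(int nprompts, int fixed, const char *credential) {
    static const struct pam_message password = { PAM_PROMPT_ECHO_OFF, "Password: " };
    static const struct pam_message second   = { PAM_PROMPT_ECHO_OFF, "Second Factor: " };
    const struct pam_message *msgs[2] = { &password, &second };
    struct pam_response *resp = NULL;
    int rc, i, sent = 0;

    if (nprompts < 1 || nprompts > 2) return -1;
    rc = fixed ? pam_conv_fixed(nprompts, msgs, &resp, (void *)credential)
               : pam_conv_0_9_3(nprompts, msgs, &resp, (void *)credential);
    if (rc != PAM_SUCCESS) return -1;
    for (i = 0; i < nprompts; i++)
        if (resp[i].resp != NULL && strcmp(resp[i].resp, credential) == 0) sent++;
    free_responses(resp, nprompts);
    return sent;
}

/* A prompt that asks for echoed input cannot be answered from a Basic-auth header. */
int echo_on_prompt_result(void) {
    static const struct pam_message login = { PAM_PROMPT_ECHO_ON, "login: " };
    const struct pam_message *msgs[1] = { &login };
    struct pam_response *resp = NULL;
    return pam_conv_fixed(1, msgs, &resp, (void *)"unused");
}

int main(void) {
    const char *cred = "Secret123590194";   /* constructed: password + TOTP code, as in the curl -u test */
    printf("one prompt,  0.9.3 module: credential sent %d time(s)\n", credential_copies_sent(1, 0, cred));
    printf("two prompts, 0.9.3 module: credential sent %d time(s)\n", credential_copies_sent(2, 0, cred));
    printf("two prompts, fixed module: credential sent %d time(s)\n", credential_copies_sent(2, 1, cred));
    printf("ECHO_ON prompt: %s\n", echo_on_prompt_result() == PAM_CONV_ERR ? "PAM_CONV_ERR" : "accepted");
    return 0;
}
```

With one prompt both variants behave the same, which is why RHEL 7.1 was unaffected; with two prompts the 0.9.3 variant hands the full password+OTP string to the second-factor prompt as well, while the fixed variant answers it with nothing, matching the `i == 0` rule in the patch.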