Bug 1279591

Summary: Users with OTP authentication fail to authenticate
Product: Red Hat Enterprise Linux 7
Reporter: Jan Pazdziora <jpazdziora>
Component: mod_authnz_pam
Assignee: Jan Pazdziora <jpazdziora>
Status: CLOSED CURRENTRELEASE
QA Contact: Namita Soman <nsoman>
Severity: high
Priority: high
Version: 7.2
CC: jkurik, jpazdziora, ksiddiqu, lmiksik, spoore
Target Milestone: rc
Keywords: Regression, ZStream
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Fixed In Version: mod_authnz_pam-0.9.3-5.el7_2
Doc Type: If docs needed, set a value
Last Closed: 2017-11-07 08:30:50 UTC
Type: Bug
Bug Blocks: 1283521

Description Jan Pazdziora 2015-11-09 20:04:50 UTC
Description of problem:

When a user has an OTP token and the two-factor authentication type enabled, and the Web application or mod_intercept_form_submit accepts both factors in one "password" input, authentication fails.

This is a regression against RHEL 7.1, presumably because of a change of behaviour in sssd 1.13 that added full pre-auth support.

Version-Release number of selected component (if applicable):

mod_authnz_pam-0.9.3-1.el7.x86_64

How reproducible:

Deterministic.

Steps to Reproduce:
1. Have a Web application with mod_authnz_pam against FreeIPA, for example http://www.freeipa.org/page/Web_App_Authentication/Example_setup.
2. Add an OTP token to a user.
3. Attempt to authenticate as that user, putting the password and OTP code into the password field.

Actual results:

Authentication fails with "17 Failure setting user credentials".

Expected results:

Authentication passes.

Additional info:

Comment 2 Jan Pazdziora 2015-11-09 20:07:52 UTC
The failure is caused by the fact that mod_authnz_pam puts the password value into all responses that have msg_style == PAM_PROMPT_ECHO_OFF. In RHEL 7.1, pam_sss.so only did one prompt. In RHEL 7.2, there are two prompts, and we effectively put the password with the code in twice.

A patch fixing the issue is:

diff --git a/mod_authnz_pam.c b/mod_authnz_pam.c
index 968b567..87d3150 100644
--- a/mod_authnz_pam.c
+++ b/mod_authnz_pam.c
@@ -61,7 +61,11 @@ static int pam_authenticate_conv(int num_msg, const struct pam_message ** msg, s
                response[i].resp = 0;
                response[i].resp_retcode = 0;
                if (msg[i]->msg_style == PAM_PROMPT_ECHO_OFF) {
-                       response[i].resp = strdup(appdata_ptr);
+                       if (i == 0) {
+                               response[i].resp = strdup(appdata_ptr);
+                       } else {
+                               response[i].resp = NULL;
+                       }
                } else {
                        free(response);
                        return PAM_CONV_ERR;
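Review bot: the `else { response[i].resp = NULL; }` branch added in this hunk is redundant, because `response[i].resp = 0;` two lines above already initialises every entry; the change reads more clearly as a single `if (i == 0) { response[i].resp = strdup(appdata_ptr); }` with a comment stating why later PAM_PROMPT_ECHO_OFF prompts are deliberately left unanswered (the second pam_sss prompt under sssd 1.13 pre-auth), since without that comment a future reader may "fix" it back to answering every prompt. Two smaller points in the same region: the `strdup` return value is still unchecked, and the `free(response)` on the PAM_CONV_ERR path releases the array but not the `response[0].resp` copy of the password allocated on an earlier iteration.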

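To show why the two-prompt conversation broke authentication and what the fix changes, here is an added, self-contained C example (not the module's own code): a conversation callback with the fixed behaviour plus a harness that simulates pam_sss issuing one hidden prompt (RHEL 7.1) or two (RHEL 7.2). The PAM types and constants are local stand-ins for <security/pam_appl.h> so it builds without libpam, and the prompt text and submitted strings are constructed.

```c
#define _POSIX_C_SOURCE 200809L   /* for strdup */
#include <stdlib.h>
#include <string.h>

/* Stand-ins for <security/pam_appl.h> (same numeric values) so this builds without libpam. */
enum { PAM_SUCCESS = 0, PAM_PROMPT_ECHO_OFF = 1, PAM_BUF_ERR = 5, PAM_CONV_ERR = 19 };
struct pam_message  { int msg_style; const char *msg; };
struct pam_response { char *resp; int resp_retcode; };

/* Conversation callback in the shape libpam calls. appdata_ptr is the single submitted
 * "password" string (password, or password immediately followed by the OTP code). Only
 * the first hidden prompt receives it; later hidden prompts stay NULL so the combined
 * string is not handed to pam_sss twice. */
static int conv_first_prompt_only(int num_msg, const struct pam_message **msg,
                                  struct pam_response **resp, void *appdata_ptr)
{
    struct pam_response *response = calloc(num_msg, sizeof(*response));
    if (response == NULL) return PAM_BUF_ERR;
    for (int i = 0; i < num_msg; i++) {
        if (msg[i]->msg_style != PAM_PROMPT_ECHO_OFF) {
            while (i-- > 0) free(response[i].resp);  /* do not leak the password copy */
            free(response);
            return PAM_CONV_ERR;                     /* only hidden prompts are supported */
        }
        if (i == 0) response[i].resp = strdup(appdata_ptr);
    }
    *resp = response;
    return PAM_SUCCESS;
}

/* Drive the callback with num_prompts hidden prompts, as pam_sss does once (RHEL 7.1) or
 * twice (RHEL 7.2, sssd 1.13 pre-auth). Returns how many prompts were answered with the
 * submitted string, or -1 on conversation error. */
int answered_prompts(int num_prompts, const char *submitted)
{
    struct pam_message hidden = { PAM_PROMPT_ECHO_OFF, "Password: " };  /* constructed */
    const struct pam_message *msgs[8];
    struct pam_response *resp = NULL;
    int answered = 0;
    if (num_prompts < 1 || num_prompts > 8) return -1;
    for (int i = 0; i < num_prompts; i++) msgs[i] = &hidden;
    if (conv_first_prompt_only(num_prompts, msgs, &resp, (void *)submitted) != PAM_SUCCESS)
        return -1;
    for (int i = 0; i < num_prompts; i++) {
        if (resp[i].resp && strcmp(resp[i].resp, submitted) == 0) answered++;
        free(resp[i].resp);
    }
    free(resp);
    return answered;
}
```

With one prompt the behaviour is unchanged from RHEL 7.1; with two prompts the password+OTP string reaches pam_sss exactly once instead of twice.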
Comment 4 Jan Pazdziora 2015-11-09 20:19:19 UTC
Fixed in upstream: 7ec37ea9371a7282b7266667277c7d6d6660c3ec.

Comment 5 Jan Pazdziora 2015-11-09 21:45:04 UTC
(In reply to Jan Pazdziora from comment #4)
> Fixed in upstream: 7ec37ea9371a7282b7266667277c7d6d6660c3ec.

Oops, 6de21466287c3e77850ab1d66f076405971ba4f3.

Comment 6 Jan Pazdziora 2015-11-10 14:54:51 UTC
Upstream release 1.0.1 done.

Fedora updates created: https://bodhi.fedoraproject.org/updates/mod_authnz_pam-1.0.1-3.fc22 and https://bodhi.fedoraproject.org/updates/mod_authnz_pam-1.0.1-3.fc23

Comment 11 Scott Poore 2016-07-26 20:15:32 UTC
Verified.

Version ::

mod_authnz_pam-0.9.3-5.el7_2.x86_64

Results ::

################ Setup WebServer ########################

[root@rhel7-2 ~]# mkdir /var/www/html/app1

[root@rhel7-2 ~]# echo "PASS" > /var/www/html/app1/index.html

[root@rhel7-2 ~]# cat > /etc/httpd/conf.d/app1.conf <<EOF
> LoadModule authnz_pam_module modules/mod_authnz_pam.so
> <Location /app1>
>   AuthType Basic
>   AuthName "private area"
>   AuthBasicProvider PAM
>   AuthPAMService app1
>   Require valid-user
>   ErrorDocument 401 'FAIL'
> </Location>
> EOF
[root@rhel7-2 ~]# cat > /etc/pam.d/app1 <<EOF
> auth    required   pam_sss.so
> account required   pam_sss.so
> EOF

[root@rhel7-2 ~]# setsebool -P allow_httpd_mod_auth_pam 1

[root@rhel7-2 ~]# echo Secret123|kinit admin
Password for admin: 

[root@rhel7-2 ~]# ipa service-add HTTP/$(hostname)
----------------------------------------------------
Added service "HTTP/rhel7-2.example.com"
----------------------------------------------------
  Principal name: HTTP/rhel7-2.example.com
  Principal alias: HTTP/rhel7-2.example.com
  Managed by: rhel7-2.example.com

[root@rhel7-2 ~]# ipa-getcert request -f /etc/pki/tls/certs/server.pem \
>     -k /etc/pki/tls/private/server.key \
>     -K HTTP/$(hostname)
New signing request "20160726200450" added.

[root@rhel7-2 ~]# ipa-getkeytab -s rhel7-1.example.com -k /etc/http.keytab -p HTTP/$(hostname)
Keytab successfully retrieved and stored in: /etc/http.keytab

[root@rhel7-2 ~]# sed -i 's!^\(SSLCertificateFile\).*$!\1 /etc/pki/tls/certs/server.pem!' /etc/httpd/conf.d/ssl.conf

[root@rhel7-2 ~]# sed -i 's!^\(SSLCertificateKeyFile\).*$!\1 /etc/pki/tls/private/server.key!' /etc/httpd/conf.d/ssl.conf

[root@rhel7-2 ~]# sed -i '/#SSLCACertificateFile/ a SSLCACertificateFile /etc/ipa/ca.crt' /etc/httpd/conf.d/ssl.conf

[root@rhel7-2 ~]# systemctl restart httpd


################ Setup User ########################

[root@rhel7-2 ~]# echo test|ipa user-add bob --first=bob --last=belcher --password
----------------
Added user "bob"
----------------
  User login: bob
  First name: bob
  Last name: belcher
  Full name: bob belcher
  Display name: bob belcher
  Initials: bb
  Home directory: /home/bob
  GECOS: bob belcher
  Login shell: /bin/sh
  Principal name: bob
  Principal alias: bob
  Email address: bob
  UID: 973200001
  GID: 973200001
  Password: True
  Member of groups: ipausers
  Kerberos keys available: True

[root@rhel7-2 ~]# echo -e "test\nSecret123\nSecret123\n" | kinit bob
Password for bob: 
Password expired.  You must change it now.
Enter new password: 
Enter it again: 

[root@rhel7-2 ~]# kdestroy -A

[root@rhel7-2 ~]# echo Secret123|kinit admin
Password for admin: 

[root@rhel7-2 ~]# ipa user-mod bob --user-auth-type=otp
-------------------
Modified user "bob"
-------------------
  User login: bob
  First name: bob
  Last name: belcher
  Home directory: /home/bob
  Login shell: /bin/sh
  Principal name: bob
  Principal alias: bob
  Email address: bob
  UID: 973200001
  GID: 973200001
  User authentication types: otp
  Account disabled: False
  Password: True
  Member of groups: ipausers
  Kerberos keys available: True

[root@rhel7-2 ~]# ipa otptoken-add --type=totp --owner=bob bobs_token
ipa: WARNING: QR code width is greater than that of the output tty. Please resize your terminal.
----------------------------
Added OTP token "bobs_token"
----------------------------
  Unique ID: bobs_token
  Type: TOTP
  Owner: bob
  Key: gKrUt0+ZfhhuGHmjpBRVNOVkYmU=
  Algorithm: sha1
  Digits: 6
  Clock offset: 0
  Clock interval: 30
  URI: otpauth://totp/bob:bobs_token?digits=6&secret=QCVNJN2PTF7BQ3QYPGR2IFCVGTSWIYTF&period=30&algorithm=SHA1&issuer=bob%40EXAMPLE.COM

....qrcode....

# get token code from FreeOTP using qrcode to setup token on phone

[root@rhel7-2 ~]# curl -u bob:Secret123 https://$(hostname)/app1/index.html

FAIL

[root@rhel7-2 ~]# curl -u bob:Secret123590194 https://$(hostname)/app1/index.html

PASS

Comment 12 Jan Pazdziora 2017-10-31 09:01:51 UTC
Can this bugzilla be CLOSED? It was shipped in 7.2.z and there is a newer version in 7.4.0 which contains the fix ...