Bug 1029817 - pam_access.so in pam.d files using --enablepamaccess
Summary: pam_access.so in pam.d files using --enablepamaccess
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: pam
Version: 6.6
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: low
Target Milestone: rc
Target Release: ---
Assignee: Tomas Mraz
QA Contact: David Spurek
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2013-11-13 09:57 UTC by guillard
Modified: 2015-03-02 05:28 UTC
CC List: 6 users

Fixed In Version: pam-1.1.1-18.el6
Doc Type: Bug Fix
Doc Text:
no docs needed
Clone Of:
Environment:
Last Closed: 2014-10-14 08:10:01 UTC
Target Upstream Version:
Embargoed:


Attachments: none

Links:
System ID                             | Private | Priority | Status       | Summary            | Last Updated
Red Hat Product Errata RHBA-2014:1579 | 0       | normal   | SHIPPED_LIVE | pam bug fix update | 2014-10-14 01:27:19 UTC

Description guillard 2013-11-13 09:57:32 UTC
Description of problem:

I use authconfig to configure redhat6 and redhat5 servers for authentication.

I use --enablepamaccess to tune access for users

Once configured as such, I have no problem for users in ldap (sssd), but the login process freezes when I try to log in as a local user on the console.

After a while (about three minutes) I get a shell if I'm allowed to with regard to access.conf rules.

After investigations, the problem seems to be due to the fact that the pam_access module in the pam files, line:

"account required pam_access.so"

is called before pam has identified whether the user was local or not, lines:

"account required pam_unix.so"
"account sufficient pam_localuser.so"

(my understanding is that pam is having a problem trying to evaluate access.conf without knowing the user id).

If I move this line :

"account required pam_access.so"

After :
"account required pam_unix.so"
"account sufficient pam_localuser.so"

then the freeze problem disappears (but access.conf is not taken into account for local users anymore).

I'm not sure what would be the right patch to that issue.

How reproducible:


Steps to Reproduce:
1. launch authconfig --enableshadow --enablelocauthorize --enablepamaccess --updateall
2. add rules for local users on the console in /etc/security/access.conf

Actual results:

login process freezes before granting access

Expected results:

login process shouldn't freeze

Additional info:

Comment 2 Tomas Mraz 2013-11-13 10:33:54 UTC
The configuration is correct. It is not true that pam_access would not know the uid in such configuration, the bug must be elsewhere.

If you disable ldap with authconfig --disableldap --update , does the local user login still hang?

How many users and groups are in the ldap server?

Comment 3 guillard 2013-11-13 11:31:39 UTC
Yes, I have the same problem when ldap is disabled (BTW, I have launched authconfig with --disableeverything except --enableshadow --enablelocauthorize --enablepamaccess). See below my nsswitch.conf.

But I missed to say that the problem only occurs when I try to log in as a local user and the console AND the network is not reachable (no problem otherwise).

Local login freezes with the following nsswitch.conf, and tcpdump doesn't show anything when I try to log in:

===============================

passwd:     files
shadow:     files
group:      files

#hosts:     db files nisplus nis dns
hosts:      files dns

# Example - obey only what nisplus tells us...
#services:   nisplus [NOTFOUND=return] files
#networks:   nisplus [NOTFOUND=return] files
#protocols:  nisplus [NOTFOUND=return] files
#rpc:        nisplus [NOTFOUND=return] files
#ethers:     nisplus [NOTFOUND=return] files
#netmasks:   nisplus [NOTFOUND=return] files

bootparams: nisplus [NOTFOUND=return] files

ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files

netgroup:   files

publickey:  nisplus

automount:  files
aliases:    files nisplus

sudoers:   file

=========================


The problem disappears when the network is reachable, or if I move "account required pam_access.so" in the system-auth-ac file as I described above.

Comment 4 guillard 2013-11-13 11:36:57 UTC
Read :
=====

> But I missed to say that the problem only occurs when I try to log in as a local user ON the console AND the network is not reachable (no problem otherwise).

Comment 5 Tomas Mraz 2013-11-13 12:22:55 UTC
Then a much more probable culprit is DNS timeouts in pam_access. What is in your /etc/security/access.conf? There were some optimizations in pam_access added in later Linux-PAM upstream releases.

Comment 6 guillard 2013-11-13 13:35:54 UTC
Thank you for looking at this Tomas.

As I said, I tried tcpdump to capture packets, and have not seen
any network request issued by the machine during the login process.

Maybe the machine is waiting for something?


Here is my access.conf

+:root:10.x.x.x/16 10.x.x.x/16 10.x.x.x/16
+:root:2001:xxx:xxx::/47
+:root:LOCAL

# ####           'wheel' is a local group          ###### #
# ####          members may log on the console     ###### #

+:(wheel):10.x.x.x/16 10.x.x.x/16 10.x.x.x/16
+:(wheel):2001:xxx:xxx::/47
+:(wheel):LOCAL

# ####           'reseau' is an LDAP group         ###### #
# ####          members may log on the console     ###### #

+:(reseau):LOCAL

# ####    members of some other ldap groups are    ###### #
# #### authorised to log in from internal networks ###### #


+:(reseau) (tech):10.x.x.x/16 10.x.x.x/16 10.x.x.x/16
+:(reseau)(tech):2001:xxx:xxx::/47

Comment 7 Tomas Mraz 2013-11-13 15:11:39 UTC
Maybe you made some mistake in the tcpdump invocation. I don't know. I am sorry I can only point you at official Red Hat support channels for further investigation and resolution of your issue.

http://www.redhat.com/support/

Comment 8 guillard 2013-11-14 11:32:10 UTC
Hi Tomas,

To let you know, I found a fix.

I have changed in access.conf this :

+:root:10.x.x.x/16 10.x.x.x/16 10.x.x.x/16
+:root:2001:xxx:xxx::/47
+:root:LOCAL

By this:

+:root:LOCAL
+:root:10.x.x.x/16 10.x.x.x/16 10.x.x.x/16
+:root:2001:xxx:xxx::/47


The issue is then related to the way pam_access is parsing the file, and also to something that is still not clear related to the two (matching) rules that reference IP blocks (the machine itself is located in one of the authorised blocks, but this shouldn't block the login process for three minutes IMHO).

I will report the debug trace I get to the pam_access devs.

Thanks for your help.
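
The reordering in this comment, and the description's observation that moving pam_access below pam_localuser also "cures" the hang, both come down to how many origin tokens pam_access has to test before it reaches a rule that matches a console login. The following model of that walk is an added example written for this thread; it is not Linux-PAM code and was not posted by the reporter. The evaluation order (user list first, then the origin list token by token; LOCAL satisfied by an origin with no dot in it; network tokens compared only after the origin has been turned into an address) follows the module's documented semantics and the debug trace the reporter posts in the next comment. Charging one getaddrinfo() call to every network comparison against an origin that is not already an IP address, and taking 20 seconds per failed call, are assumptions drawn from the gaps in that trace. The network ranges, user names and groups are constructed, since the report masks its addresses.

```python
"""Model pam_access's walk over /etc/security/access.conf for one login and
count the hostname lookups it would trigger before reaching a decision.

Added example for this bug report, not Linux-PAM code.  Assumed: the rule
order below mirrors the module's semantics and the posted debug trace; each
network/netmask compare against a non-address origin costs one getaddrinfo()
(pam-1.1.1 behaviour), which waits ~20 s with the network down; all
addresses and users are constructed placeholders.
"""
import ipaddress
from dataclasses import dataclass

RESOLVER_STALL_S = 20.0   # per failed getaddrinfo(), from the trace gaps


def is_ip(s: str) -> bool:
    try:
        ipaddress.ip_address(s)
        return True
    except ValueError:
        return False


def is_net(tok: str) -> bool:
    try:
        ipaddress.ip_network(tok, strict=False)
        return True
    except ValueError:
        return False


@dataclass
class Login:
    user: str
    groups: frozenset
    origin: str          # PAM_RHOST for a remote login, else PAM_TTY ("tty4")
    lookups: int = 0     # getaddrinfo() calls the walk would issue


def user_match(tok: str, login: Login) -> bool:
    if tok == "ALL":
        return True
    if tok.startswith("(") and tok.endswith(")"):   # "(group)" token
        return tok[1:-1] in login.groups
    return tok == login.user


def from_match(tok: str, login: Login) -> bool:
    origin = login.origin
    if tok in ("ALL", origin):                       # string_match in the trace
        return True
    if tok == "LOCAL":                               # origin with no '.' in it
        return "." not in origin
    if is_net(tok):                                  # network_netmask_match
        if not is_ip(origin):
            # A tty name can never be an address, but pam-1.1.1 still tries
            # to resolve it so it has something to compare with the network.
            login.lookups += 1
            return False
        return ipaddress.ip_address(origin) in ipaddress.ip_network(tok, strict=False)
    return False


def login_access(rules, login: Login):
    """First rule whose user list AND origin list both match decides; with
    no match at all pam_access allows (there is no implicit deny)."""
    for rule in rules:
        perm, users, froms = (f.strip() for f in rule.split(":", 2))
        if any(user_match(u, login) for u in users.split()):
            if any(from_match(f, login) for f in froms.split()):
                return perm, rule
    return "+", None


def simulate(rules, user, groups=frozenset(), origin="tty4"):
    """Return (permission, deciding rule or None, lookups issued)."""
    login = Login(user, frozenset(groups), origin)
    perm, rule = login_access(rules, login)
    return perm, rule, login.lookups


# The reporter's first access.conf (root and wheel part), addresses constructed.
ORIGINAL = [
    "+:root:10.1.0.0/16 10.2.0.0/16 10.3.0.0/16",
    "+:root:2001:db8:1::/47",
    "+:root:LOCAL",
    "+:(wheel):10.1.0.0/16 10.2.0.0/16 10.3.0.0/16",
    "+:(wheel):2001:db8:1::/47",
    "+:(wheel):LOCAL",
]

# The fix from this comment: LOCAL first, so a console login never reaches
# a network token and never needs the resolver.
REORDERED = [ORIGINAL[2], ORIGINAL[0], ORIGINAL[1],
             ORIGINAL[5], ORIGINAL[3], ORIGINAL[4]]

if __name__ == "__main__":
    for name, rules in (("original", ORIGINAL), ("reordered", REORDERED)):
        perm, rule, lookups = simulate(rules, "root", origin="tty4")
        print(f"{name}: root on tty4 -> {perm} via {rule!r}, {lookups} lookups, "
              f"~{lookups * RESOLVER_STALL_S:.0f}s with the network down")
    print("remote root:", simulate(ORIGINAL, "root", origin="10.2.5.9"))
```

With the original order a root console login walks three IPv4 tokens and one IPv6 token, four lookups, before the LOCAL rule matches; a wheel member pays the same four on its own block of rules, while a remote login from an address pays none because the origin is already an IP. Reordering is a workaround, not a fix: a user who matches no rule at all is still allowed, and any later rule that lists networks before LOCAL reintroduces the stall for that user.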

Comment 9 guillard 2013-11-14 11:44:13 UTC
Just in case this would be of interest here, here is a pam_access debug trace with the first version of access.conf.

My understanding is that since the machine is itself in an authorized block, pam_access is waiting for something: tcpdump doesn't say what.

Nov 14 12:18:29 gaia02 login: pam_access(login:account): login_access: user=root, from=tty4, file=/etc/security/access.conf
Nov 14 12:18:29 gaia02 login: pam_access(login:account): line 126: + : root : 10.x.x.x/16 10.x.x.x/16 10.x.x.x/16
Nov 14 12:18:29 gaia02 login: pam_access(login:account): list_match: list=root, item=root
Nov 14 12:18:29 gaia02 login: pam_access(login:account): user_match: tok=root, item=root
Nov 14 12:18:29 gaia02 login: pam_access(login:account): string_match: tok=root, item=root
Nov 14 12:18:29 gaia02 login: pam_access(login:account): user_match=1, "root"
Nov 14 12:18:29 gaia02 login: pam_access(login:account): list_match: list=10.x.x.x/16 10.x.x.x/16 10.x.x.x/16, item=root
Nov 14 12:18:29 gaia02 login: pam_access(login:account): from_match: tok=10.x.x.x/16, item=tty4
Nov 14 12:18:29 gaia02 login: pam_access(login:account): string_match: tok=10.x.x.x/16, item=tty4
Nov 14 12:18:29 gaia02 login: pam_access(login:account): network_netmask_match: tok=10.x.x.x/16, item=tty4
Nov 14 12:18:49 gaia02 login: pam_access(login:account): from_match: tok=10.x.x.x/16, item=tty4
Nov 14 12:18:49 gaia02 login: pam_access(login:account): string_match: tok=10.x.x.x/16, item=tty4
Nov 14 12:18:49 gaia02 login: pam_access(login:account): network_netmask_match: tok=10.x.x.x/16, item=tty4
Nov 14 12:19:09 gaia02 login: pam_access(login:account): from_match: tok=10.x.x.x/16, item=tty4
Nov 14 12:19:09 gaia02 login: pam_access(login:account): string_match: tok=10.x.x.x/16, item=tty4
Nov 14 12:19:09 gaia02 login: pam_access(login:account): network_netmask_match: tok=10.x.x.x/16, item=tty4
Nov 14 12:19:29 gaia02 login: pam_access(login:account): from_match=0, "tty4"
Nov 14 12:19:29 gaia02 login: pam_access(login:account): line 127: + : root : 2001:xxx:xxx::/47
Nov 14 12:19:29 gaia02 login: pam_access(login:account): list_match: list=root, item=root
Nov 14 12:19:29 gaia02 login: pam_access(login:account): user_match: tok=root, item=root
Nov 14 12:19:29 gaia02 login: pam_access(login:account): string_match: tok=root, item=root
Nov 14 12:19:29 gaia02 login: pam_access(login:account): user_match=1, "root"
Nov 14 12:19:29 gaia02 login: pam_access(login:account): list_match: list=2001:xxx:xxx::/47, item=root
Nov 14 12:19:29 gaia02 login: pam_access(login:account): from_match: tok=2001:xxx:xxx::/47, item=tty4
Nov 14 12:19:29 gaia02 login: pam_access(login:account): string_match: tok=2001:xxx:xxx::/47, item=tty4
Nov 14 12:19:29 gaia02 login: pam_access(login:account): network_netmask_match: tok=2001:xxx:xxx::/47, item=tty4
Nov 14 12:19:49 gaia02 login: pam_access(login:account): from_match=0, "tty4"
Nov 14 12:19:49 gaia02 login: pam_access(login:account): line 128: + : root : LOCAL
Nov 14 12:19:49 gaia02 login: pam_access(login:account): list_match: list=root, item=root
Nov 14 12:19:49 gaia02 login: pam_access(login:account): user_match: tok=root, item=root
Nov 14 12:19:49 gaia02 login: pam_access(login:account): string_match: tok=root, item=root
Nov 14 12:19:49 gaia02 login: pam_access(login:account): user_match=1, "root"
Nov 14 12:19:49 gaia02 login: pam_access(login:account): list_match: list=LOCAL, item=root
Nov 14 12:19:49 gaia02 login: pam_access(login:account): from_match: tok=LOCAL, item=tty4
Nov 14 12:19:49 gaia02 login: pam_access(login:account): string_match: tok=LOCAL, item=tty4
Nov 14 12:19:49 gaia02 login: pam_access(login:account): from_match=1, "tty4"
Nov 14 12:19:49 gaia02 login: pam_unix(login:session): session opened for user root by LOGIN(uid=0)
Nov 14 12:19:49 gaia02 login: ROOT LOGIN ON tty4

Comment 10 Tomas Mraz 2013-11-14 13:33:16 UTC
As I said above, it is really about repeated getaddrinfo() calls timing out, and it was fixed or at least improved in more recent upstream releases of Linux-PAM.
We could backport the changes if pam gets on the list of packages for the next update release.
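
The trace in comment 9 already contains the diagnosis that comment 10 states: every 20-second gap sits directly after a network_netmask_match line whose item is "tty4", a name the resolver can never turn into an address. The script below is an added example for this thread, not a Linux-PAM tool: it reads a pam_access debug trace, charges the gap before each logged step to the access.conf line under evaluation, and lists the network comparisons that stalled on a non-address origin. TRACE is an abridged copy of the reporter's posted trace (list_match and user_match lines dropped, the site's address masking kept) so that the script runs offline; the 5-second stall threshold and the "origin is not an IP address" heuristic are this example's choices.

```python
"""Attribute the wall-clock time in a pam_access debug trace to the
access.conf line being evaluated and flag the steps that stall.

Added example for this bug report; not a Linux-PAM tool.  TRACE is an
abridged copy of the trace in comment 9 (the reporter's masking is kept).
The stall threshold and the "item is not an IP address" heuristic are
this example's own choices.
"""
import ipaddress
import re
from datetime import datetime

TRACE = """\
Nov 14 12:18:29 gaia02 login: pam_access(login:account): login_access: user=root, from=tty4, file=/etc/security/access.conf
Nov 14 12:18:29 gaia02 login: pam_access(login:account): line 126: + : root : 10.x.x.x/16 10.x.x.x/16 10.x.x.x/16
Nov 14 12:18:29 gaia02 login: pam_access(login:account): from_match: tok=10.x.x.x/16, item=tty4
Nov 14 12:18:29 gaia02 login: pam_access(login:account): network_netmask_match: tok=10.x.x.x/16, item=tty4
Nov 14 12:18:49 gaia02 login: pam_access(login:account): from_match: tok=10.x.x.x/16, item=tty4
Nov 14 12:18:49 gaia02 login: pam_access(login:account): network_netmask_match: tok=10.x.x.x/16, item=tty4
Nov 14 12:19:09 gaia02 login: pam_access(login:account): from_match: tok=10.x.x.x/16, item=tty4
Nov 14 12:19:09 gaia02 login: pam_access(login:account): network_netmask_match: tok=10.x.x.x/16, item=tty4
Nov 14 12:19:29 gaia02 login: pam_access(login:account): from_match=0, "tty4"
Nov 14 12:19:29 gaia02 login: pam_access(login:account): line 127: + : root : 2001:xxx:xxx::/47
Nov 14 12:19:29 gaia02 login: pam_access(login:account): from_match: tok=2001:xxx:xxx::/47, item=tty4
Nov 14 12:19:29 gaia02 login: pam_access(login:account): network_netmask_match: tok=2001:xxx:xxx::/47, item=tty4
Nov 14 12:19:49 gaia02 login: pam_access(login:account): from_match=0, "tty4"
Nov 14 12:19:49 gaia02 login: pam_access(login:account): line 128: + : root : LOCAL
Nov 14 12:19:49 gaia02 login: pam_access(login:account): from_match: tok=LOCAL, item=tty4
Nov 14 12:19:49 gaia02 login: pam_access(login:account): from_match=1, "tty4"
Nov 14 12:19:49 gaia02 login: pam_unix(login:session): session opened for user root by LOGIN(uid=0)
"""

# syslog timestamp, host, tag, then the pam_access(service:type) prefix
LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ \S+ "
                     r"pam_access\([^)]*\): (?P<msg>.*)$")
RULE_RE = re.compile(r"^line (?P<num>\d+): ")
NETMATCH_RE = re.compile(r"^network_netmask_match: tok=(?P<tok>[^,]+), item=(?P<item>.+)$")


def is_ip(s: str) -> bool:
    try:
        ipaddress.ip_address(s)
        return True
    except ValueError:
        return False


def parse(text):
    """(timestamp, message) for pam_access lines only; other modules are skipped."""
    out = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if m:
            out.append((datetime.strptime(m["ts"], "%b %d %H:%M:%S"), m["msg"]))
    return out


def analyze(text, stall_threshold=5.0):
    """Return ({access.conf line: seconds}, [(line, tok, item, seconds), ...]).

    A step's cost is the gap to the next logged step, so a 20 s gap after a
    network_netmask_match line is charged to that comparison."""
    events = parse(text)
    per_line, stalls, current = {}, [], None
    for i, (ts, msg) in enumerate(events):
        nxt = events[i + 1][0] if i + 1 < len(events) else ts
        cost = (nxt - ts).total_seconds()
        r = RULE_RE.match(msg)
        if r:
            current = int(r["num"])
        if current is not None:
            per_line[current] = per_line.get(current, 0.0) + cost
        n = NETMATCH_RE.match(msg)
        if n and not is_ip(n["item"]) and cost >= stall_threshold:
            # pam-1.1.1 resolves a non-address origin before the netmask
            # compare; a stall here is time spent waiting on the resolver.
            stalls.append((current, n["tok"], n["item"], cost))
    return per_line, stalls


def total_seconds(text):
    events = parse(text)
    return (events[-1][0] - events[0][0]).total_seconds() if events else 0.0


if __name__ == "__main__":
    per_line, stalls = analyze(TRACE)
    for num, secs in sorted(per_line.items()):
        print(f"access.conf line {num}: {secs:.0f}s")
    for line, tok, item, secs in stalls:
        print(f"  {secs:.0f}s resolving {item!r} for {tok} (line {line})")
    print(f"total: {total_seconds(TRACE):.0f}s")
```

On the posted trace the three IPv4 tokens of line 126 cost 60 seconds and the IPv6 token of line 127 another 20, for 80 seconds before the LOCAL rule on line 128 matches in the same second; run against a live trace (authconfig's stack plus `debug` on the pam_access line) the same per-line totals point straight at the rules that need reordering, or at the need for the updated pam package.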

Comment 17 errata-xmlrpc 2014-10-14 08:10:01 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2014-1579.html

