RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 1202949 - glibc-2.17-78.el7 breaks sudo password authentication with pam_krb5.so
Summary: glibc-2.17-78.el7 breaks sudo password authentication with pam_krb5.so
Keywords:
Status: CLOSED DUPLICATE of bug 1263745
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: pam_krb5
Version: 7.1
Hardware: All
OS: Linux
high
high
Target Milestone: rc
: ---
Assignee: Robbie Harwood
QA Contact: BaseOS QE Security Team
URL:
Whiteboard:
Depends On:
Blocks: 1203710
TreeView+ depends on / blocked
 
Reported: 2015-03-17 18:50 UTC by James Ralston
Modified: 2019-10-10 09:41 UTC (History)
13 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-02-18 17:05:34 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)
Sudo failed attempt. (147.05 KB, text/plain)
2016-01-29 17:52 UTC, kludhwan 		no flags Details
Sudo successful attempt (155.99 KB, text/plain)
2016-01-29 17:54 UTC, kludhwan 		no flags Details
View All


Links
System ID Private Priority Status Summary Last Updated
Red Hat Knowledge Base (Solution) 2160141 0 None None None 2016-02-12 17:26:57 UTC

Description James Ralston 2015-03-17 18:50:43 UTC 
Description of problem:

We use sudo to delegate privileges. For most people, we configure sudo to require the user to enter his password. We authenticate all regular user accounts against our Windows Active Directory servers, using the pam_krb5.so PAM module.

After updating to glibc-2.17-78.el7, for some users, sudo always asserts that the user has entered his password incorrectly, even when it is entered correctly, because the pam_krb5.so module fails. This effectively breaks sudo password authentication. However, some users experience correct behavior.

The behavior is consistent: a user for whom sudo password authentication is broken will experience the broken behavior every time; a user for whom sudo password authentication still works will experience correct behavior every time. But we cannot perceive any pattern to why some users experience broken behavior while some users experience correct behavior.

Downgrading back to glibc-2.17-55.el7_0.3 restores the correct behavior for all users, which is why we are filing this bug against glibc.

Version-Release number of selected component (if applicable):

Working:

glibc-2.17-55.el7_0.3.x86_64
glibc-common-2.17-55.el7_0.3.x86_64

Broken:

glibc-common-2.17-78.el7.x86_64
glibc-2.17-78.el7.x86_64

How reproducible:

Update to glibc-2.17-78.el7, configure sudo to use pam_krb5.so for user authentication in /etc/pam.d/sudo, and then configure sudo to require password authentication. Attempt to sudo using multiple accounts.

At least some of the accounts should experience the broken behavior.

Actual results:

sudo should work correctly.

Expected results:

sudo fails to authenticate the user's (correct) password.

Additional info:

Here's what we see in the logs using glibc-2.17-55.el7_0.3, which works correctly:

Mar 17 13:48:27 host.example.org sudo: pam_krb5[3961]: TGT verified using key for 'host/host.example.org'
Mar 17 13:48:27 host.example.org sudo: pam_krb5[3961]: authentication succeeds for 'username' (username)
Mar 17 13:48:27 host.example.org sudo: username : TTY=pts/1 ; PWD=/home/username ; USER=root ; COMMAND=/usr/bin/echo success

So now we update to glibc-2.17-78.el7:

Mar 17 13:49:06 host.example.org yum[3962]: Updated: glibc-common-2.17-78.el7.x86_64
Mar 17 13:49:08 host.example.org yum[3962]: Updated: glibc-2.17-78.el7.x86_64

And now sudo pam_krb5.so password authentication fails for this user:

Mar 17 13:49:31 host.example.org sudo: pam_krb5[4125]: TGT verified using key for 'host/host.example.org'
Mar 17 13:49:32 host.example.org sudo: pam_krb5[4125]: account checks fail for 'username': user disallowed by .k5login file for 'username'
Mar 17 13:49:32 host.example.org sudo: pam_krb5[4125]: authentication fails for 'username' (username): Permission denied (Success)

The error message about the .k5login file is nonsensical, because the user has no .k5login file in his home directory. Furthermore, I have traced sudo when it executes, and I can see no evidence in the trace that sudo even makes an attempt to check for a .k5login file for the user.

Even more bizarrely, the users who experience the broken behavior with sudo do NOT experience the broken behavior for other programs that perform authentication using pam_krb5.so. For example, sshd is able to login all users successfully using pam_krb5.so password authentication, regardless of the glibc version. So at least so far, only sudo password authentication seems to experience the broken behavior.

Reverting to glibc-2.17-55.el7_0.3 restores the correct pam_krb5.so behavior for all users:

Mar 17 13:50:49 host.example.org yum[4177]: Installed: glibc-2.17-55.el7_0.3.x86_64
Mar 17 13:51:00 host.example.org yum[4177]: Installed: glibc-common-2.17-55.el7_0.3.x86_64

Mar 17 13:51:23 host.example.org sudo: pam_krb5[4221]: TGT verified using key for 'host/host.example.org'
Mar 17 13:51:23 host.example.org sudo: pam_krb5[4221]: authentication succeeds for 'username' (username)
Mar 17 13:51:23 host.example.org sudo: username : TTY=pts/1 ; PWD=/home/username ; USER=root ; COMMAND=/usr/bin/echo success

As I said previously, we are open to the possibility that the bug actually lies with pam_krb5 or sudo, and not glibc. But since glibc-2.17-78.el7 triggers the bug, and glibc-2.17-55.el7_0.3 does not, we're starting with glibc first.

Also, I'm a Fedora packager, so if you can give me a few likely candidates as to which patches in glibc-2.17-78.el7 might be triggering this, we can rebuild our own glibc packages locally to test. But without assistance, I have no idea where to start.
Comment 2 Carlos O'Donell 2015-03-17 21:04:50 UTC 
There have been a good collection of fixes between glibc-2.17-55.el7_0.3 and glibc-2.17-78.el7.x86_64, but no single fix should have caused the problem you are seeing. If you are using netgroups, things should have gotten better not worse, as we have fixed several netgroup related problems. If you are runnning with nscd you may wish to try without nscd to see if that impacts the problem.

I'm passing this on to the sudo maintainer to see if they have seen anything like this in rhel-7.0.
Comment 3 Daniel Kopeček 2015-03-18 09:20:00 UTC 
Hello, could you please attach debug logs from sudo? You can configure debugging via /etc/sudo.conf, just put the following line in there:

Debug sudo /tmp/sudo_debug.log all@debug

and then attach the sudo_debug.log file here. And do this for both scenarios (working vs. non-working), please.

Thanks,
Dan K.
Comment 4 Daniel Kopeček 2015-08-26 16:11:13 UTC 
No response from the reporter. Closing for now, please reopen for rhel-7.3 if you think this is still an issue and attach the requested (see comment #3) logs.
Comment 5 kludhwan 2016-01-29 17:50:46 UTC 
I have a customer who is facing similar issue.

Cu has provided me logs for failed sudo attempt and successful attempt hence i am opening the case again.
Comment 6 kludhwan 2016-01-29 17:52:49 UTC 
Created attachment 1119483 [details]
Sudo failed attempt.

Sudo debug logs for failed attempt.
Comment 7 kludhwan 2016-01-29 17:54:08 UTC 
Created attachment 1119487 [details]
Sudo successful attempt

Sudo successful debug attempt
Comment 9 kludhwan 2016-02-05 07:49:19 UTC 
I have attached debug logs from 1 more customer that is possibly hitting the same bug, Please let us know if you required more information.
Comment 20 rick.beldin@hpe.com 2016-02-16 11:43:05 UTC 
> Hello. Is this whole issue reproducible only with sudo? There are also some su
> logs in the comments, so is it possible to reproduce this issue with su also?

During testing I would login to the VM as root and make changes to /etc/passwd or other files and then su - to the user to quickly see the effect.  That is probably the su you are seeing in the logs.   su does not see the problem because you supply the root passwd, which is local.  

Interesting to note that even when sudo is failing, the user can login to the system without problems: 

# ssh testuser_100.122.39
testuser_100.122.39's password:
Last login: Tue Feb 16 06:34:02 2016
[testuser_100@localhost ~]$ sudo -l
[sudo] password for testuser_100:
Sorry, try again.
[sudo] password for testuser_100:
Sorry, try again.
[sudo] password for testuser_100:
Sorry, try again.
sudo: 3 incorrect password attempts

I verified that the connection is getting to the AD because it would trip the wrong passwd limit.   

I also turned on pam debugging with debug_sensitive and could verify that the 'correct' password was being generated. 

While: 

 ignore_k5login=true

in /etc/krb5.conf seems to 'correct' the problem,  I am unclear at all why this would be necessary and I don't see it listed in the man page for krb5.conf.  Oddly, the pam_krb5 man page mentions it: 

*       ignore_k5login
specifies that pam_krb5 should skip checking the user's .k5login file to  verify
that  the  principal  name  of  the  client being authenticated is authorized to
access the user account.  (Actually,  the  check  is  performed  by  a  function offered  by  the  Kerberos library, which controls which files it will consult.) The default is to perform the check.

This would suggest that the is something to do with processing k5login file.  
I attempted to populate that file and it had no effect on the behavior.
Comment 21 Daniel Kopeček 2016-02-16 11:52:24 UTC 
(In reply to rick.beldin from comment #20)
> > Hello. Is this whole issue reproducible only with sudo? There are also some su
> > logs in the comments, so is it possible to reproduce this issue with su also?
> 
> During testing I would login to the VM as root and make changes to
> /etc/passwd or other files and then su - to the user to quickly see the
> effect.  That is probably the su you are seeing in the logs.   su does not
> see the problem because you supply the root passwd, which is local.  

Could you test with 'su' by running:

$ su - baduser
vs.
$ su - gooduser

?

(assuming that pam is configured the same for su and sudo)
Comment 22 rick.beldin@hpe.com 2016-02-16 12:42:21 UTC 
hmm.  Bugzilla email not going through: 


baduser = testuser_100 gooduser=testuser_1

# ssh root.122.39
Last login: Tue Feb 16 06:34:07 2016
[root@localhost ~]# su - testuser_100
Last login: Tue Feb 16 07:15:18 EST 2016 from 192.168.122.1 on pts/0
[testuser_100@localhost ~]$ exit
logout
[root@localhost ~]# su - testuser_1
Last login: Fri Feb 12 16:55:23 EST 2016 from 192.168.122.1 on pts/0
[testuser_1@localhost ~]$ exit
logout

/var/log/secure of this run shows that we don't hit krb for anything.  This is expected as they are only getting passwds, not uids from the AD:

Feb 16 07:15:44 localhost sshd[10968]: Accepted publickey for root from 192.168.122.1 port 47353 ssh2: RSA a5:f6:f3:54:2d:a8:16:53:f6:ec:02:cf:99:20:04:a9
Feb 16 07:15:44 localhost sshd[10968]: pam_unix(sshd:session): session opened for user root by (uid=0)
Feb 16 07:15:50 localhost su: pam_unix(su-l:session): session opened for user testuser_100 by root(uid=0)
Feb 16 07:15:54 localhost su: pam_unix(su-l:session): session closed for user testuser_100
Feb 16 07:15:57 localhost su: pam_unix(su-l:session): session opened for user testuser_1 by root(uid=0)
Feb 16 07:16:01 localhost su: pam_unix(su-l:session): session closed for user testuser_1

Most pam debugging is 'off' at this point as I was trying to see what was relevant.

If you have specific options you want enabled, please let me know.
Comment 23 Daniel Kopeček 2016-02-17 10:40:31 UTC 
The differences seem to be in execution paths that are outside sudo's code. Since sudo is using PAM for authentication (calling pam_authenticate) and doesn't treat it in any special way when pam_krb5 is present in the stack, I don't see how this bug could be lurking somewhere in sudo.

Moving to pam_krb5 to see whether they can add something useful to solve this issue and/or explain why the ignore_k5login setting is (now?) required when authentication via sudo.
Comment 25 James Ralston 2016-02-17 15:01:43 UTC 
Keep in mind that the catalyst for this behavior was the upgrade from glibc-2.17-55.el7_0.3 to glibc-2.17-78.el7, as I detailed when I opened this ticket.

The two most likely explanations are:

1) There was a bug introduced with glibc-2.17-78.el7 that pam_krb5 just so happens to trigger.

2) There is a (potentially long-standing) bug in pam_krb5 that so happens to be triggered by changes made in glibc-2.17-78.el7.

I wasn't able to provide any further debugging help, because we abandoned pam_krb5.so in our PAM stack (in favor of pam_sss.so). But I'm glad others are taking this issue and running with it.
Comment 27 Josh Snyder 2016-02-17 21:18:34 UTC 
We just deployed a RHEL 7 VM in our environment and are experiencing the same issue.  I can confirm that this issue still occurs after upgrading to glibc-2.17-106.el7_2.4.  Either downgrading to glibc-2.17-55 or adding the following to /etc/krb5.conf remain viable workarounds:

[appdefaults]
 pam = {
  debug = false
  EXAMPLE.COM = {
   ignore_k5login = true
  }
 }
Comment 28 rick.beldin@hpe.com 2016-02-17 21:53:55 UTC 
This looks like a duplicate: 

https://bugzilla.redhat.com/show_bug.cgi?id=1263745
Note You need to log in before you can comment on or make changes to this bug.