Bug 1279591 - Users with OTP authentication fail to authenticate
Summary: Users with OTP authentication fail to authenticate
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: mod_authnz_pam
Version: 7.2
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: rc
Target Release: ---
Assignee: Jan Pazdziora
QA Contact: Namita Soman
URL:
Whiteboard:
Depends On:
Blocks: 1283521
Reported: 2015-11-09 20:04 UTC by Jan Pazdziora
Modified: 2017-11-07 08:30 UTC (History)

Fixed In Version: mod_authnz_pam-0.9.3-5.el7_2
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
: 1283521 (view as bug list)
Environment:
Last Closed: 2017-11-07 08:30:50 UTC
Target Upstream Version:
Embargoed:

Description Jan Pazdziora 2015-11-09 20:04:50 UTC
Description of problem:

When a user has an OTP token and the two-factor authentication type enabled, and the Web application or mod_intercept_form_submit accepts both factors in one "password" input, authentication fails.

This is a regression against RHEL 7.1, presumably because of a change of behaviour in sssd 1.13 that added full pre-auth support.

Version-Release number of selected component (if applicable):

mod_authnz_pam-0.9.3-1.el7.x86_64

How reproducible:

Deterministic.

Steps to Reproduce:
1. Have a Web application using mod_authnz_pam against FreeIPA, for example http://www.freeipa.org/page/Web_App_Authentication/Example_setup.
2. Add OTP token to a user.
3. Attempt to authenticate as that user, putting the password and OTP code into the password field.

Actual results:

Authentication fails with "17 Failure setting user credentials".

Expected results:

Authentication passes.

Additional info:

Comment 2 Jan Pazdziora 2015-11-09 20:07:52 UTC
The failure is caused by the fact that mod_authnz_pam puts the password value into all responses that have msg_style == PAM_PROMPT_ECHO_OFF. In RHEL 7.1, pam_sss.so only did one prompt. In RHEL 7.2, there are two prompts, and we effectively put the password with the code in twice.

A patch fixing the issue is:

diff --git a/mod_authnz_pam.c b/mod_authnz_pam.c
index 968b567..87d3150 100644
--- a/mod_authnz_pam.c
+++ b/mod_authnz_pam.c
@@ -61,7 +61,11 @@ static int pam_authenticate_conv(int num_msg, const struct pam_message ** msg, s
                response[i].resp = 0;
                response[i].resp_retcode = 0;
                if (msg[i]->msg_style == PAM_PROMPT_ECHO_OFF) {
-                       response[i].resp = strdup(appdata_ptr);
+                       if (i == 0) {
+                               response[i].resp = strdup(appdata_ptr);
+                       } else {
+                               response[i].resp = NULL;
+                       }
                } else {
                        free(response);
                        return PAM_CONV_ERR;
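Review bot: the new `else { response[i].resp = NULL; }` branch is redundant, since `response[i].resp = 0;` a few lines above already clears every entry; `if (i == 0) { response[i].resp = strdup(appdata_ptr); }` on its own expresses the change. Separately, the trailing `free(response); return PAM_CONV_ERR;` path still frees only the array: when a non-ECHO_OFF prompt arrives after index 0, the credential copy made by `strdup(appdata_ptr)` for `response[0].resp` is leaked and stays in memory unzeroed, so freeing (ideally after clearing) `response[0].resp` before `free(response)` would be worth folding in here. Finally, leaving later ECHO_OFF prompts unanswered relies on the PAM module accepting a NULL reply for its second prompt; the verification in this bug covers pam_sss only, and a short comment stating that assumption next to `if (i == 0)` would help the next reader.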

Comment 4 Jan Pazdziora 2015-11-09 20:19:19 UTC
Fixed in upstream: 7ec37ea9371a7282b7266667277c7d6d6660c3ec.

Comment 5 Jan Pazdziora 2015-11-09 21:45:04 UTC
(In reply to Jan Pazdziora from comment #4)
> Fixed in upstream: 7ec37ea9371a7282b7266667277c7d6d6660c3ec.

Oops, 6de21466287c3e77850ab1d66f076405971ba4f3.

Comment 6 Jan Pazdziora 2015-11-10 14:54:51 UTC
Upstream release 1.0.1 done.

Fedora updates created: https://bodhi.fedoraproject.org/updates/mod_authnz_pam-1.0.1-3.fc22 and https://bodhi.fedoraproject.org/updates/mod_authnz_pam-1.0.1-3.fc23

Comment 11 Scott Poore 2016-07-26 20:15:32 UTC
Verified.

Version ::

mod_authnz_pam-0.9.3-5.el7_2.x86_64

Results ::

################ Setup WebServer ########################

[root@rhel7-2 ~]# mkdir /var/www/html/app1

[root@rhel7-2 ~]# echo "PASS" > /var/www/html/app1/index.html

[root@rhel7-2 ~]# cat > /etc/httpd/conf.d/app1.conf <<EOF
> LoadModule authnz_pam_module modules/mod_authnz_pam.so
> <Location /app1>
>   AuthType Basic
>   AuthName "private area"
>   AuthBasicProvider PAM
>   AuthPAMService app1
>   Require valid-user
>   ErrorDocument 401 'FAIL'
> </Location>
> EOF
[root@rhel7-2 ~]# cat > /etc/pam.d/app1 <<EOF
> auth    required   pam_sss.so
> account required   pam_sss.so
> EOF

[root@rhel7-2 ~]# setsebool -P allow_httpd_mod_auth_pam 1

[root@rhel7-2 ~]# echo Secret123|kinit admin
Password for admin: 

[root@rhel7-2 ~]# ipa service-add HTTP/$(hostname)
----------------------------------------------------
Added service "HTTP/rhel7-2.example.com"
----------------------------------------------------
  Principal name: HTTP/rhel7-2.example.com
  Principal alias: HTTP/rhel7-2.example.com
  Managed by: rhel7-2.example.com

[root@rhel7-2 ~]# ipa-getcert request -f /etc/pki/tls/certs/server.pem \
>     -k /etc/pki/tls/private/server.key \
>     -K HTTP/$(hostname)
New signing request "20160726200450" added.

[root@rhel7-2 ~]# ipa-getkeytab -s rhel7-1.example.com -k /etc/http.keytab -p HTTP/$(hostname)
Keytab successfully retrieved and stored in: /etc/http.keytab

[root@rhel7-2 ~]# sed -i 's!^\(SSLCertificateFile\).*$!\1 /etc/pki/tls/certs/server.pem!' /etc/httpd/conf.d/ssl.conf

[root@rhel7-2 ~]# sed -i 's!^\(SSLCertificateKeyFile\).*$!\1 /etc/pki/tls/private/server.key!' /etc/httpd/conf.d/ssl.conf

[root@rhel7-2 ~]# sed -i '/#SSLCACertificateFile/ a SSLCACertificateFile /etc/ipa/ca.crt' /etc/httpd/conf.d/ssl.conf

[root@rhel7-2 ~]# systemctl restart httpd


################ Setup User ########################

[root@rhel7-2 ~]# echo test|ipa user-add bob --first=bob --last=belcher --password
----------------
Added user "bob"
----------------
  User login: bob
  First name: bob
  Last name: belcher
  Full name: bob belcher
  Display name: bob belcher
  Initials: bb
  Home directory: /home/bob
  GECOS: bob belcher
  Login shell: /bin/sh
  Principal name: bob
  Principal alias: bob
  Email address: bob
  UID: 973200001
  GID: 973200001
  Password: True
  Member of groups: ipausers
  Kerberos keys available: True

[root@rhel7-2 ~]# echo -e "test\nSecret123\nSecret123\n" | kinit bob
Password for bob: 
Password expired.  You must change it now.
Enter new password: 
Enter it again: 

[root@rhel7-2 ~]# kdestroy -A

[root@rhel7-2 ~]# echo Secret123|kinit admin
Password for admin: 

[root@rhel7-2 ~]# ipa user-mod bob --user-auth-type=otp
-------------------
Modified user "bob"
-------------------
  User login: bob
  First name: bob
  Last name: belcher
  Home directory: /home/bob
  Login shell: /bin/sh
  Principal name: bob
  Principal alias: bob
  Email address: bob
  UID: 973200001
  GID: 973200001
  User authentication types: otp
  Account disabled: False
  Password: True
  Member of groups: ipausers
  Kerberos keys available: True

[root@rhel7-2 ~]# ipa otptoken-add --type=totp --owner=bob bobs_token
ipa: WARNING: QR code width is greater than that of the output tty. Please resize your terminal.
----------------------------
Added OTP token "bobs_token"
----------------------------
  Unique ID: bobs_token
  Type: TOTP
  Owner: bob
  Key: gKrUt0+ZfhhuGHmjpBRVNOVkYmU=
  Algorithm: sha1
  Digits: 6
  Clock offset: 0
  Clock interval: 30
  URI: otpauth://totp/bob:bobs_token?digits=6&secret=QCVNJN2PTF7BQ3QYPGR2IFCVGTSWIYTF&period=30&algorithm=SHA1&issuer=bob%40EXAMPLE.COM

....qrcode....

# get token code from FreeOTP using qrcode to setup token on phone

[root@rhel7-2 ~]# curl -u bob:Secret123 https://$(hostname)/app1/index.html

FAIL

[root@rhel7-2 ~]# curl -u bob:Secret123590194 https://$(hostname)/app1/index.html

PASS

Comment 12 Jan Pazdziora 2017-10-31 09:01:51 UTC
Can this bugzilla be CLOSED? It was shipped in 7.2.z and there is a newer version in 7.4.0 which contains the fix ...
