Bug 1279591 - Users with OTP authentication fail to authenticate
Status: CLOSED CURRENTRELEASE
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: mod_authnz_pam
Version: 7.2
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: rc
Target Release: ---
Assigned To: Jan Pazdziora
QA Contact: Namita Soman
Keywords: Regression, ZStream
Depends On:
Blocks: 1283521
 
Reported: 2015-11-09 15:04 EST by Jan Pazdziora
Modified: 2017-11-07 03:30 EST

See Also:
Fixed In Version: mod_authnz_pam-0.9.3-5.el7_2
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
: 1283521
Environment:
Last Closed: 2017-11-07 03:30:50 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments:

  None
Description Jan Pazdziora 2015-11-09 15:04:50 EST
Description of problem:

When a user has an OTP token and the two-factor authentication type enabled, and the Web application or mod_intercept_form_submit accepts both factors in one "password" input, authentication fails.

This is a regression against RHEL 7.1, presumably because of change of behaviour in sssd 1.13 that added full pre-auth support.

Version-Release number of selected component (if applicable):

mod_authnz_pam-0.9.3-1.el7.x86_64

How reproducible:

Deterministic.

Steps to Reproduce:
1. Have a Web application with mod_authnz_pam against FreeIPA, for example http://www.freeipa.org/page/Web_App_Authentication/Example_setup.
2. Add an OTP token to a user.
3. Attempt to authenticate as that user, putting the password and the OTP code into the password field.

Actual results:

Authentication fails with "17 Failure setting user credentials".

Expected results:

Authentication passes.

Additional info:
Comment 2 Jan Pazdziora 2015-11-09 15:07:52 EST
The failure is caused by the fact that mod_authnz_pam puts the password value into all responses whose msg_style == PAM_PROMPT_ECHO_OFF. In RHEL 7.1, pam_sss.so only issued one prompt. In RHEL 7.2, there are two prompts, and we effectively put the password with the code in twice.

A patch fixing the issue is:

diff --git a/mod_authnz_pam.c b/mod_authnz_pam.c
index 968b567..87d3150 100644
--- a/mod_authnz_pam.c
+++ b/mod_authnz_pam.c
@@ -61,7 +61,11 @@ static int pam_authenticate_conv(int num_msg, const struct pam_message ** msg, s
                response[i].resp = 0;
                response[i].resp_retcode = 0;
                if (msg[i]->msg_style == PAM_PROMPT_ECHO_OFF) {
-                       response[i].resp = strdup(appdata_ptr);
+                       if (i == 0) {
+                               response[i].resp = strdup(appdata_ptr);
+                       } else {
+                               response[i].resp = NULL;
+                       }
                } else {
                        free(response);
                        return PAM_CONV_ERR;
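Review bot: the new `else { response[i].resp = NULL; }` branch is redundant, since `response[i].resp = 0;` is already set two lines above the `if`; the more important point is that answering only the first PAM_PROMPT_ECHO_OFF prompt and leaving every later one NULL relies on pam_sss treating an empty second-factor answer as "both factors are in the first string", and a different PAM module that genuinely prompts twice would get NULL for its second prompt and likely fail, so that assumption deserves a comment next to `if (i == 0)`. Unrelated to the fix but visible in the same hunk: the existing error path `free(response); return PAM_CONV_ERR;` frees the array without freeing any `response[0].resp` already strdup'd for an earlier prompt, and the `strdup(appdata_ptr)` return value is not checked for NULL.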
Comment 4 Jan Pazdziora 2015-11-09 15:19:19 EST
Fixed in upstream: 7ec37ea9371a7282b7266667277c7d6d6660c3ec.
Comment 5 Jan Pazdziora 2015-11-09 16:45:04 EST
(In reply to Jan Pazdziora from comment #4)
> Fixed in upstream: 7ec37ea9371a7282b7266667277c7d6d6660c3ec.

Oops, 6de21466287c3e77850ab1d66f076405971ba4f3.
Comment 6 Jan Pazdziora 2015-11-10 09:54:51 EST
Upstream release 1.0.1 done.

Fedora updates created: https://bodhi.fedoraproject.org/updates/mod_authnz_pam-1.0.1-3.fc22 and https://bodhi.fedoraproject.org/updates/mod_authnz_pam-1.0.1-3.fc23
Comment 11 Scott Poore 2016-07-26 16:15:32 EDT
Verified.

Version ::

mod_authnz_pam-0.9.3-5.el7_2.x86_64

Results ::

################ Setup WebServer ########################

[root@rhel7-2 ~]# mkdir /var/www/html/app1

[root@rhel7-2 ~]# echo "PASS" > /var/www/html/app1/index.html

[root@rhel7-2 ~]# cat > /etc/httpd/conf.d/app1.conf <<EOF
> LoadModule authnz_pam_module modules/mod_authnz_pam.so
> <Location /app1>
>   AuthType Basic
>   AuthName "private area"
>   AuthBasicProvider PAM
>   AuthPAMService app1
>   Require valid-user
>   ErrorDocument 401 'FAIL'
> </Location>
> EOF
[root@rhel7-2 ~]# cat > /etc/pam.d/app1 <<EOF
> auth    required   pam_sss.so
> account required   pam_sss.so
> EOF

[root@rhel7-2 ~]# setsebool -P allow_httpd_mod_auth_pam 1

[root@rhel7-2 ~]# echo Secret123|kinit admin
Password for admin@EXAMPLE.COM: 

[root@rhel7-2 ~]# ipa service-add HTTP/$(hostname)
----------------------------------------------------
Added service "HTTP/rhel7-2.example.com@EXAMPLE.COM"
----------------------------------------------------
  Principal name: HTTP/rhel7-2.example.com@EXAMPLE.COM
  Principal alias: HTTP/rhel7-2.example.com@EXAMPLE.COM
  Managed by: rhel7-2.example.com

[root@rhel7-2 ~]# ipa-getcert request -f /etc/pki/tls/certs/server.pem \
>     -k /etc/pki/tls/private/server.key \
>     -K HTTP/$(hostname)
New signing request "20160726200450" added.

[root@rhel7-2 ~]# ipa-getkeytab -s rhel7-1.example.com -k /etc/http.keytab -p HTTP/$(hostname)
Keytab successfully retrieved and stored in: /etc/http.keytab

[root@rhel7-2 ~]# sed -i 's!^\(SSLCertificateFile\).*$!\1 /etc/pki/tls/certs/server.pem!' /etc/httpd/conf.d/ssl.conf

[root@rhel7-2 ~]# sed -i 's!^\(SSLCertificateKeyFile\).*$!\1 /etc/pki/tls/private/server.key!' /etc/httpd/conf.d/ssl.conf

[root@rhel7-2 ~]# sed -i '/#SSLCACertificateFile/ a SSLCACertificateFile /etc/ipa/ca.crt' /etc/httpd/conf.d/ssl.conf

[root@rhel7-2 ~]# systemctl restart httpd


################ Setup User ########################

[root@rhel7-2 ~]# echo test|ipa user-add bob --first=bob --last=belcher --password
----------------
Added user "bob"
----------------
  User login: bob
  First name: bob
  Last name: belcher
  Full name: bob belcher
  Display name: bob belcher
  Initials: bb
  Home directory: /home/bob
  GECOS: bob belcher
  Login shell: /bin/sh
  Principal name: bob@EXAMPLE.COM
  Principal alias: bob@EXAMPLE.COM
  Email address: bob@example.com
  UID: 973200001
  GID: 973200001
  Password: True
  Member of groups: ipausers
  Kerberos keys available: True

[root@rhel7-2 ~]# echo -e "test\nSecret123\nSecret123\n" | kinit bob
Password for bob@EXAMPLE.COM: 
Password expired.  You must change it now.
Enter new password: 
Enter it again: 

[root@rhel7-2 ~]# kdestroy -A

[root@rhel7-2 ~]# echo Secret123|kinit admin
Password for admin@EXAMPLE.COM: 

[root@rhel7-2 ~]# ipa user-mod bob --user-auth-type=otp
-------------------
Modified user "bob"
-------------------
  User login: bob
  First name: bob
  Last name: belcher
  Home directory: /home/bob
  Login shell: /bin/sh
  Principal name: bob@EXAMPLE.COM
  Principal alias: bob@EXAMPLE.COM
  Email address: bob@example.com
  UID: 973200001
  GID: 973200001
  User authentication types: otp
  Account disabled: False
  Password: True
  Member of groups: ipausers
  Kerberos keys available: True

[root@rhel7-2 ~]# ipa otptoken-add --type=totp --owner=bob bobs_token
ipa: WARNING: QR code width is greater than that of the output tty. Please resize your terminal.
----------------------------
Added OTP token "bobs_token"
----------------------------
  Unique ID: bobs_token
  Type: TOTP
  Owner: bob
  Key: gKrUt0+ZfhhuGHmjpBRVNOVkYmU=
  Algorithm: sha1
  Digits: 6
  Clock offset: 0
  Clock interval: 30
  URI: otpauth://totp/bob@EXAMPLE.COM:bobs_token?digits=6&secret=QCVNJN2PTF7BQ3QYPGR2IFCVGTSWIYTF&period=30&algorithm=SHA1&issuer=bob%40EXAMPLE.COM

....qrcode....

# get token code from FreeOTP using qrcode to setup token on phone

[root@rhel7-2 ~]# curl -u bob:Secret123 https://$(hostname)/app1/index.html

FAIL

[root@rhel7-2 ~]# curl -u bob:Secret123590194 https://$(hostname)/app1/index.html

PASS
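The reproduction steps in the description and the verification run above both depend on handing pam_sss one single-field credential: the user's password immediately followed by the current TOTP code, with no separator (Secret123 + 590194 above). The following is an added example, not code from the bug or from mod_authnz_pam, that parses the otpauth URI printed by `ipa otptoken-add` above, computes the RFC 6238 code for a given time, and builds both the credential string and the HTTP Basic header that `curl -u` ends up sending. The concatenation rule (password then code, no separator) is taken from the curl call above; the otpauth URI is the one from the page; everything else (function names, the RFC 4226/6238 test secret used for checking) is an assumption of this example.

```python
"""Build the single-field credential that mod_authnz_pam passes to pam_sss
for an OTP user: <password><TOTP code>, with no separator between them.
Added example; not part of the bug or of mod_authnz_pam."""
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

# otpauth URI exactly as printed by `ipa otptoken-add` in the verification log.
PAGE_URI = ("otpauth://totp/bob@EXAMPLE.COM:bobs_token?digits=6"
            "&secret=QCVNJN2PTF7BQ3QYPGR2IFCVGTSWIYTF&period=30"
            "&algorithm=SHA1&issuer=bob%40EXAMPLE.COM")


def parse_otpauth(uri):
    """Extract label, base32 secret, digits, period and hash from an
    otpauth://totp/ URI (defaults follow the Key URI format conventions)."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    q = parse_qs(u.query)
    return {
        "label": unquote(u.path.lstrip("/")),
        "secret": q["secret"][0],
        "digits": int(q.get("digits", ["6"])[0]),
        "period": int(q.get("period", ["30"])[0]),
        "algorithm": q.get("algorithm", ["SHA1"])[0].lower(),
    }


def hotp(secret_b32, counter, digits=6, algorithm="sha1"):
    """RFC 4226 HOTP: dynamic truncation of HMAC(secret, counter)."""
    # b32decode requires padding; otpauth URIs usually omit it.
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    mac = hmac.new(key, struct.pack(">Q", counter),
                   getattr(hashlib, algorithm)).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return "%0*d" % (digits, code % (10 ** digits))


def totp(secret_b32, for_time, digits=6, period=30, algorithm="sha1"):
    """RFC 6238 TOTP: HOTP over the time-step counter floor(t / period)."""
    return hotp(secret_b32, int(for_time) // period, digits, algorithm)


def single_field_credential(password, code):
    """The one PAM_PROMPT_ECHO_OFF answer mod_authnz_pam gives pam_sss:
    password directly followed by the token code (Secret123590194 above)."""
    return password + code


def basic_auth_header(user, credential):
    """The Authorization header that `curl -u user:credential` sends."""
    token = base64.b64encode(f"{user}:{credential}".encode()).decode()
    return "Authorization: Basic " + token


if __name__ == "__main__":
    tok = parse_otpauth(PAGE_URI)
    code = totp(tok["secret"], time.time(), tok["digits"], tok["period"],
                tok["algorithm"])
    cred = single_field_credential("Secret123", code)
    print(tok["label"], "current code:", code)
    print("curl -u bob:%s https://<host>/app1/index.html" % cred)
    print(basic_auth_header("bob", cred))
```

Because the password and the code are concatenated without a delimiter, the server side cannot split them by position unless it knows the password length; that is exactly why sssd's 2FA handling asks for the factors in two PAM prompts and, if the second answer is empty, falls back to treating the first answer as the combined string, which is the behaviour the fix above relies on.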
Comment 12 Jan Pazdziora 2017-10-31 05:01:51 EDT
Can this bugzilla be CLOSED? It was shipped in 7.2.z and there is a newer version in 7.4.0 which contains the fix ...
