Bug 1663445 - nscd when running results in pam module getting garbage value for password - #010#012#015#177INCORRECT
Summary: nscd when running results in pam module getting garbage value for password - ...
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: glibc
Version: 6.7
Hardware: Unspecified
OS: Other
unspecified
high
Target Milestone: rc
: ---
Assignee: glibc team
QA Contact: qe-baseos-tools-bugs
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2019-01-04 11:21 UTC by Hareesh Joshi
Modified: 2019-01-15 17:35 UTC (History)
8 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-01-15 17:35:23 UTC
Target Upstream Version:


Attachments (Terms of Use)

Description Hareesh Joshi 2019-01-04 11:21:12 UTC
Description of problem:

I've implemented a PAM module to authenticate non OS users via SSH. 
When a non OS user tries to login, the PAM module kicks in and authenticates the user based on the logic that I've written. 
The username is read from the SSH prompt and password is also read from the same prompt. 
This works fine until I install/start nscd service. 

When the nscd service is running, the password that the PAM module tries to fetch from the ssh prompt turns out to be #010#012#015#177INCORRECT always.
Hence the login fails as the user entered password in ignored. 

But the OS user logins like root etc, work fine. 

Version-Release number of selected component (if applicable):


How reproducible:

Steps to Reproduce:

1. Implement a PAM module to authenticate non-os-user like "ApplicationAdmin" with username and password
2. In the PAM module log the username and password received using pam_syslog
3. Install start nscd 
4. Try to login as "ApplicationAdmin"/<urpassword>
5. With the help of log in step 2, you can see that <urpassword> is not what you expect it to be. It will be #010#012#015#177INCORRECT

Actual results:
User should be able to login if the "ApplicationAdmin"/<urpassword> are correct.

Expected results:
User fails to login even if the credentials are right.

Additional info:
UsePAM in sshd_conf is Yes
/etc/nsswitch.conf has is as expected.

Comment 2 Florian Weimer 2019-01-04 11:37:14 UTC
Can you reproduce this issue just with Red Hat Enterprise Linux system components?  Thanks.

Comment 3 Hareesh Joshi 2019-01-04 11:57:54 UTC
None are non RHEL components. 
Should I disable the PAM implementation?

Comment 4 Joseph Kachuck 2019-01-04 14:39:05 UTC
Hello Hareesh,
Are you able to do this on RHEL 7 or RHEL 8?
Which PAM module are you implementing?

Have you been able to do this previously?

If you are looking for steps on how to complete this task. Please open a support case on access.redhat.com.
If you are stating this is a bug. Please confirm all steps/commands entered to recreate this issue.

Thank You
Joe Kachuck

Comment 5 Hareesh Joshi 2019-01-04 16:12:23 UTC
Hi Joe,

Thanks for looking into this.
I'm using CentOS6.7 which is based on RHEL. I've implemented sshd pam module. 

I didn't have any problem with this module until I installed nscd service. 

I'm stating that this is a defect with nscd service which is interfering with the password read operation of pam module.
I've listed the steps above on how to reproduce the issue. The following more detailed steps might help you better - 

1. Implement a pam module say, pam_myapp.c which provides implementation for pam_sm_authenticate, pam_sm_acct_mgmt.
2. Deploy the module in /lib64/security as a shared object say - pam_myapp.so
3. Update the /etc/pam.d/sshd config file to include pam_myapp.so under auth, account, password and session module interfaces
4. Try to login with say, "ApplicationAdmin" as the username and password say "LetMeIn". Not that, ApplicationAdmin is not an OS user, i.e., password/shadow files have
   no idea about this user. At this point, pam_myapp kicks in and authenticates the user based on the username/password provided. 
5. This works fine as long as the username is "ApplicationAdmin" and password in "LetMeIn". 
6. If the user tries to login as say, root, pam_myapp authentication fails and then password-auth kicks in and regular sshd login continues. 
7. Now install and start nscd service 
8. Attempt to login as ApplicationAdmin/LetMeIn via ssh. The login fails.
9. Enabled logs in the pam module to see if username and password are passed appropriately to the pam module. I see that password passed is #010#012#015#177INCORRECT instead of LetMeIn.

Hence pam_myapp fails to authenticate the user even though the user provided proper creds. 

If I stop nscd service or disable password caching in nscd (using /etc/nscd.conf) the password is passed appropriately to the pam module.

Comment 6 Joseph Kachuck 2019-01-04 17:28:49 UTC
Hello Hareesh,
Are you able to recreate this issue on RHEL 7 or 8?
CentOS while based on RHEL is not a Red Hat supported release.

Thank You
Joe Kachuckhareesh.joshi@hpe.com

Comment 7 Hareesh Joshi 2019-01-04 17:37:40 UTC
Hi Joe,

Yeah, I understand you on CentOS aspect. 
While I haven't tried on RHEL 7 or 8, I'm hoping that glibc team would look into this issue as to why nscd is interfering with pam.

Comment 8 Carlos O'Donell 2019-01-04 18:38:32 UTC
(In reply to Hareesh Joshi from comment #7)
> I'm hoping that glibc team would look
> into this issue as to why nscd is interfering with pam.

I do not think this is nscd.

This OpenSSH developer list post suggests you are running into an OpenSSH issue:
"Bad Password - #010#012#015#177INCORRECT : ssh -> pam -> libpam_sqlite -> sqlite3"
https://lists.mindrot.org/pipermail/openssh-unix-dev/2014-March/032283.html

You need an NSS service provider to provide the "Identity" information for the user.

Please tell me if that helps.

Comment 9 Hareesh Joshi 2019-01-04 19:22:19 UTC
Yes Carlos, I did come across the link you quoted. 
And as I mentioned in the defect description earlier, I do have nsswitch.conf modified appropriately.

Here's the excerpt - 

  passwd:     files myapp
  shadow:     files 
  group:      files


>>I do not think this is nscd. 
  Curious to know - why does it work perfectly fine on disabling nscd service. 

>>You need an NSS service provider to provide the "Identity" information for the user.
  I think passwd deals with Identity. Should I have shadow field modified as well?


Thank you for looking into this.

Comment 10 Carlos O'Donell 2019-01-04 19:29:14 UTC
(In reply to Hareesh Joshi from comment #9)
> Yes Carlos, I did come across the link you quoted. 
> And as I mentioned in the defect description earlier, I do have
> nsswitch.conf modified appropriately.
> 
> Here's the excerpt - 
> 
>   passwd:     files myapp
>   shadow:     files 
>   group:      files

That doesn't include gid, and so fails to provide a complete identity.

> >>I do not think this is nscd. 
>   Curious to know - why does it work perfectly fine on disabling nscd
> service. 

I don't know. You would need to do a root cause analysis.

When you don't use nscd the NSS call is made by the process itself and so the credentials of the process might be used.

In the case of nscd the process is isolated and hardened and so is distinct from the process requesting the information.

This difference might matter.

> >>You need an NSS service provider to provide the "Identity" information for the user.
>   I think passwd deals with Identity. Should I have shadow field modified as
> well?

I would expect passwd, shadow, and group all need to be handled or you will have odd behaviour from applications that are using the normative APIs to lookup user information.

Comment 11 Carlos O'Donell 2019-01-15 17:35:23 UTC
Given that this is not a glibc issue I'm closing this as CLOSED/NOTABUG. Thank you for submitting the bug. Please reopen if you complete a root cause analysis and find a defect in the glibc component.


Note You need to log in before you can comment on or make changes to this bug.