Bug 2103904 - pam_radius isn't thread-safe
Summary: pam_radius isn't thread-safe
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora EPEL
Classification: Fedora
Component: pam_radius
Version: epel8
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: medium
Target Milestone: ---
Assignee: Iker Pedrosa
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2022-07-05 08:49 UTC by Iker Pedrosa
Modified: 2023-10-31 09:26 UTC (History)

Fixed In Version: pam_radius-2.0.0-1.el8
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2022-07-14 02:07:12 UTC
Type: Bug
Embargoed:



Description Iker Pedrosa 2022-07-05 08:49:46 UTC
Description of problem:
The current version of pam_radius shipped in EPEL8 isn't thread-safe, and this is affecting user authentication times. The user authentication requests need to be serialized, thus causing high times when many users try to authenticate at the same time.


Version-Release number of selected component (if applicable):
pam_radius-1.4.0-15.el8


How reproducible:
Authenticate many users at the same time.


Actual results:
Users can wait several minutes to get the authentication processed.


Expected results:
Users should wait at most several seconds.


Additional info:
Upstream already fixed the problem for pam_radius-2.0.0, thus the solution involves rebasing the package.

Comment 1 Fedora Update System 2022-07-05 09:30:47 UTC
FEDORA-EPEL-2022-b0c25deca8 has been submitted as an update to Fedora EPEL 8. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2022-b0c25deca8

Comment 2 Fedora Update System 2022-07-06 02:32:28 UTC
FEDORA-EPEL-2022-b0c25deca8 has been pushed to the Fedora EPEL 8 testing repository.

You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2022-b0c25deca8

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 3 Fedora Update System 2022-07-14 02:07:12 UTC
FEDORA-EPEL-2022-b0c25deca8 has been pushed to the Fedora EPEL 8 stable repository.
If the problem still persists, please make note of it in this bug report.

Comment 4 Muzi 2023-10-31 09:26:51 UTC
Description of problem:
The current version of pam_radius shipped in EPEL8 and EPEL9 isn't working in MFA (2FA) mode. If we bypass 2FA/Linux auth, then only RADIUS auth works, but if we include both then it does not work: the password prompt repeats again and again and keeps sending requests to the RADIUS server. The first attempt with the RADIUS password is successful, but the second password prompt for the OS password is not successful and it is sent again to the RADIUS server. For example, see below:

ssh infra.nabil.x.x

password (enter RADIUS password) --> successful auth as per RADIUS logs.
password (enter OS password) --> failed because the request is sent again to the RADIUS server instead of local auth

Here are the debug logs of pam.d/sshd:

Oct 31 02:37:28 Oracle-Linux-9 sshd[3789900]: pam_radius_auth: Got user name infra.nabil
Oct 31 02:37:28 Oracle-Linux-9 sshd[3789900]: pam_radius_auth: ignore last_pass, force_prompt set
Oct 31 02:37:54 Oracle-Linux-9 sshd[3789900]: pam_radius_auth: Sending RADIUS request code 1
Oct 31 02:37:54 Oracle-Linux-9 sshd[3789900]: pam_radius_auth: DEBUG: get_ipaddr(10.50.1.1) returned 0.
Oct 31 02:37:54 Oracle-Linux-9 sshd[3789900]: pam_radius_auth: Got RADIUS response code 2
Oct 31 02:37:54 Oracle-Linux-9 sshd[3789900]: pam_radius_auth: authentication succeeded
Oct 31 02:37:54 Oracle-Linux-9 sshd[3789900]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.50.3.117 user=infra.nabil
Oct 31 02:37:56 Oracle-Linux-9 sshd[3789893]: error: PAM: Authentication failure for infra.nabil from 10.50.3.117
Oct 31 02:37:56 Oracle-Linux-9 sshd[3792074]: pam_radius_auth: Got user name infra.nabil
Oct 31 02:37:56 Oracle-Linux-9 sshd[3792074]: pam_radius_auth: ignore last_pass, force_prompt set
Oct 31 02:38:24 Oracle-Linux-9 sshd[3792074]: pam_radius_auth: Sending RADIUS request code 1
Oct 31 02:38:24 Oracle-Linux-9 sshd[3792074]: pam_radius_auth: DEBUG: get_ipaddr(10.50.1.1) returned 0.
Oct 31 02:38:25 Oracle-Linux-9 sshd[3792074]: pam_radius_auth: Got RADIUS response code 3
Oct 31 02:38:25 Oracle-Linux-9 sshd[3792074]: pam_radius_auth: authentication failed
Oct 31 02:38:27 Oracle-Linux-9 sshd[3789893]: error: PAM: Authentication failure for infra.nabil from 10.50.3.117

Version-Release number of selected component (if applicable):
pam_radius-2.0.0-3.el9.x86_64


How reproducible:
Install the latest version of pam_radius, set up 2FA for the ssh user and set up pam.d/sshd as below:
#%PAM-1.0
auth       required     pam_radius_auth.so debug
auth       substack     password-auth debug
auth       include      postlogin debug
account    required     pam_sepermit.so debug
account    required     pam_nologin.so debug
account    include      password-auth debug
password   include      password-auth debug

Set up a local user in the OS with a password, enable password auth and challenge response in the ssh conf, and restart the sshd service.

Expected results:
Users should be able to log in.


Additional info:
The same thing works fine with pam_radius-1.4.0-15 on both EPEL8 and EPEL9, but after upgrading to version 2, it won't work as expected.
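The journal excerpt in the comment above shows one sshd child PID in which pam_radius_auth reports an Access-Accept and pam_unix then reports a failure, followed by a second child PID in which the next prompt produces a further RADIUS exchange that is rejected. The script below is an added example, not code from the reporter, from Fedora or from the pam_radius project: it groups sshd/PAM debug lines by child PID and flags that sequence, which is how an administrator would confirm from logs alone that a password meant for the local module reached the RADIUS server. The sample log lines, host name, user and addresses are constructed; the RADIUS packet code names are those defined in RFC 2865.

```python
import re
from collections import defaultdict

# RADIUS packet codes (RFC 2865) as they appear in pam_radius_auth debug lines.
RADIUS_CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}

# Constructed sample in the shape of the report's journal excerpt (host, user and
# addresses are made up, not the reporter's values).
SAMPLE_LOG = """\
Oct 31 02:37:28 host1 sshd[3789900]: pam_radius_auth: Got user name alice
Oct 31 02:37:28 host1 sshd[3789900]: pam_radius_auth: ignore last_pass, force_prompt set
Oct 31 02:37:54 host1 sshd[3789900]: pam_radius_auth: Sending RADIUS request code 1
Oct 31 02:37:54 host1 sshd[3789900]: pam_radius_auth: Got RADIUS response code 2
Oct 31 02:37:54 host1 sshd[3789900]: pam_radius_auth: authentication succeeded
Oct 31 02:37:54 host1 sshd[3789900]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10 user=alice
Oct 31 02:37:56 host1 sshd[3789893]: error: PAM: Authentication failure for alice from 192.0.2.10
Oct 31 02:37:56 host1 sshd[3792074]: pam_radius_auth: Got user name alice
Oct 31 02:38:24 host1 sshd[3792074]: pam_radius_auth: Sending RADIUS request code 1
Oct 31 02:38:25 host1 sshd[3792074]: pam_radius_auth: Got RADIUS response code 3
Oct 31 02:38:25 host1 sshd[3792074]: pam_radius_auth: authentication failed
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
USER_RE = re.compile(r"^pam_radius_auth: Got user name (\S+)$")
RESP_RE = re.compile(r"^pam_radius_auth: Got RADIUS response code (\d+)$")


def group_by_pid(log_text):
    """Split the journal into per-attempt message lists keyed by the sshd child PID."""
    attempts = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            attempts[m.group("pid")].append(m.group("msg"))
    return attempts


def summarize_attempt(messages):
    """Describe one PAM conversation: the user, the RADIUS answers seen, and a verdict."""
    user = None
    responses = []
    for msg in messages:
        um = USER_RE.match(msg)
        if um:
            user = um.group(1)
        rm = RESP_RE.match(msg)
        if rm:
            code = int(rm.group(1))
            responses.append(RADIUS_CODES.get(code, f"code-{code}"))
    radius_ok = "pam_radius_auth: authentication succeeded" in messages
    unix_fail = any(m.startswith("pam_unix(sshd:auth): authentication failure") for m in messages)
    if radius_ok and unix_fail:
        verdict = "radius-accept-then-local-fail"  # the stack symptom from the report
    elif radius_ok:
        verdict = "radius-accept"
    elif "Access-Reject" in responses:
        verdict = "radius-reject"
    elif user is not None:
        verdict = "incomplete"
    else:
        verdict = "no-radius-activity"  # e.g. the parent sshd's "PAM: Authentication failure" line
    return {"user": user, "responses": responses, "verdict": verdict}


def analyse(log_text):
    """Return {pid: summary} for every sshd PID that appears in the log."""
    return {pid: summarize_attempt(msgs) for pid, msgs in group_by_pid(log_text).items()}


def radius_answers_per_user(summary):
    """Count RADIUS Accept/Reject answers per user across all attempts. A user whose
    second prompt was meant for pam_unix but triggered another RADIUS exchange shows
    more answers than successful logins."""
    counts = defaultdict(int)
    for s in summary.values():
        if s["user"]:
            counts[s["user"]] += len(s["responses"])
    return dict(counts)


if __name__ == "__main__":
    result = analyse(SAMPLE_LOG)
    for pid, s in sorted(result.items()):
        print(pid, s["user"], s["responses"], s["verdict"])
    print("RADIUS answers per user:", radius_answers_per_user(result))
```

Run it against `journalctl -u sshd` output (or /var/log/secure) with pam_radius_auth's `debug` option enabled, as in the reporter's configuration; a `radius-accept-then-local-fail` verdict on one PID immediately followed by an `Access-Reject` for the same user is the signature described in the comment, and the per-user answer count makes the extra round trips to the RADIUS server visible without reading every line.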

