Bug 219916 - [PATCH] RHN Satellite and pam hangs when accounts have password expired.
Product: Red Hat Satellite 5
Classification: Red Hat
Component: Server
Hardware: All Linux
Priority: high, Severity: high
Assigned To: Jesus M. Rodriguez
QA Contact: wes hayutin
Duplicates: 213358
Blocks: 173427 221611
Reported: 2006-12-16 06:17 EST by Jose Plans
Modified: 2009-02-19 11:37 EST
Fixed In Version: sat500
Doc Type: Bug Fix
Last Closed: 2007-06-25 23:08:30 EDT

Attachments
patch. (2.45 KB, patch), 2006-12-16 06:17 EST, Jose Plans
jpam-0.4-pam_conv.patch (3.88 KB, patch), 2006-12-16 19:31 EST, Jose Plans
jpam-0.4-pam_conv.patch [small fix] (3.89 KB, patch), 2006-12-17 08:10 EST, Jose Plans
pam_conv fixing typo. (3.92 KB, patch), 2006-12-18 20:07 EST, Jose Plans
Test case (601 bytes, patch), 2007-03-29 10:52 EDT, Jose Plans

Description Jose Plans 2006-12-16 06:17:16 EST
Description of problem:
If Satellite is using pam authentication and, in the DS or user database, the
password is marked as expired, the threads will just hang or segfault with
messages like:

From catalina.out:
2006-12-15 06:18:23,301 [TP-Processor8] WARN com.redhat.rhn.frontend.servlets.ContextFilter - timezone still null
free(): invalid pointer 0xb75b7400!
2006-12-15 06:18:23,316 [TP-Processor8] WARN com.redhat.rhn.domain.user.legacy.LegacyRhnUserImpl - PAM login for user User jpam_test (id 3, org_id 1) failed with error User account has expired.

After digging, we found out that the PAM_conv function used in jpam (even
upstream) was extremely weak, not handling any style messages from PAM.

Following two builds of jpam, we managed to fix the problem, which was: if we get
PAM_ERROR_MSG or PAM_TEXT_INFO, then notify and adapt strings.

Version-Release number of selected component (if applicable):
all of the jpam available.

How reproducible:

Steps to Reproduce:
1. Setup a pam auth.
2. Expire the password
3. See it hanging when accessing with the account.

Actual results:

Expected results:
No Hangs.

Additional info:
Patch tested and in production fixing the problem.
We will request a hotfix soon next week, please roll a new package.

Comment 1 Jose Plans 2006-12-16 06:17:16 EST
Created attachment 143848

Comment 4 Jose Plans 2006-12-16 19:31:30 EST
Created attachment 143862

Ok this one is cleaner and easier to evolve / adapt.
For the case default, there is a need to clean the messages.

First patch fixes the problem, this one fixes it too, but customer has not
tested it yet.

Comment 6 Jose Plans 2006-12-17 08:10:54 EST
Created attachment 143866
jpam-0.4-pam_conv.patch [small fix]

Comment 8 Jose Plans 2006-12-18 20:07:07 EST
Created attachment 143972
pam_conv fixing typo.

Ok tested with kerberos.

Comment 18 Jesus M. Rodriguez 2007-03-23 17:05:49 EDT
Moving to ON_QA

Comment 19 wes hayutin 2007-03-26 15:11:07 EDT
I probably need some assistance with PAM... 
I keep getting 

Mar 26 15:08:24 fjs-0-13 rhn-satellite(pam_unix)[8121]: authentication failure; logname= uid=91 euid=91 tty= ruser= rhost=  user=testLogin
Mar 26 15:08:24 fjs-0-13 rhn-satellite(pam_unix)[8121]:  ERROR 0:Permission denied

Comment 21 Jose Plans 2007-03-29 10:50:13 EDT
[root@fjs-0-13 jpam-test]# export
[root@fjs-0-13 jpam-test]# date
Thu Mar 29 10:49:19 EDT 2007
[root@fjs-0-13 jpam-test]# java SimplePam
Loging start
[root@fjs-0-13 jpam-test]# date
Thu Mar 29 10:49:28 EDT 2007
[root@fjs-0-13 jpam-test]# rpm -q jpam

Comment 22 Jose Plans 2007-03-29 10:52:27 EDT
Created attachment 151202
Test case

Comment 23 Jose Plans 2007-03-29 12:04:30 EDT
  Ok network authentication works perfectly - however you need to gain root or
cap_sys_admin privileges to open/read /etc/shadow, hence you get EPERM.
  Checking the documentation it is said that the PAM authentication is meant to
be for networking db's such as LDAP, NIS, Kerberos.

Comment 25 wes hayutin 2007-04-10 09:22:47 EDT
waiting for webqa to come back up.. I'd rather not bustificate our only working
sat on build 20

Comment 26 wes hayutin 2007-04-11 13:17:02 EDT
pam and rhn are working together...

Comment 28 Jose Plans 2007-04-18 09:02:55 EDT
Ok patch sent and committed upstream for JPam 1.0.
* http://jpam.sourceforge.net/changes-report.html#1.0

Comment 30 Brandon Perkins 2007-06-25 23:08:30 EDT
Closed for Satellite 500 Release.

Comment 32 Clifford Perry 2009-02-19 11:37:37 EST
*** Bug 213358 has been marked as a duplicate of this bug. ***
