Bug 219916 - [PATCH] RHN Satellite and pam hangs when accounts have password expired.
Summary: [PATCH] RHN Satellite and pam hangs when accounts have password expired.
Alias: None
Product: Red Hat Satellite 5
Classification: Red Hat
Component: Server
Version: 410
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Jesus M. Rodriguez
QA Contact: wes hayutin
Duplicates: 213358
Depends On:
Blocks: 173427 221611
Reported: 2006-12-16 11:17 UTC by Jose Plans
Modified: 2009-02-19 16:37 UTC

Fixed In Version: sat500
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2007-06-26 03:08:30 UTC
Target Upstream Version:

Attachments
patch. (2.45 KB, patch), 2006-12-16 11:17 UTC, Jose Plans
jpam-0.4-pam_conv.patch (3.88 KB, patch), 2006-12-17 00:31 UTC, Jose Plans
jpam-0.4-pam_conv.patch [small fix] (3.89 KB, patch), 2006-12-17 13:10 UTC, Jose Plans
pam_conv fixing typo. (3.92 KB, patch), 2006-12-19 01:07 UTC, Jose Plans
Test case (601 bytes, patch), 2007-03-29 14:52 UTC, Jose Plans

Description Jose Plans 2006-12-16 11:17:16 UTC
Description of problem:
If Satellite is using PAM authentication and the password is marked as expired
in the DS or user database, the threads will just hang or segfault with
messages like:

From catalina.out:
2006-12-15 06:18:23,301 [TP-Processor8] WARN com.redhat.rhn.frontend.servlets.ContextFilter - timezone still null
free(): invalid pointer 0xb75b7400!
2006-12-15 06:18:23,316 [TP-Processor8] WARN com.redhat.rhn.domain.user.legacy.LegacyRhnUserImpl - PAM login for user User jpam_test (id 3, org_id 1) failed with error User account has expired.

After digging, we found out that the PAM_conv function used in jpam (even
upstream) was extremely weak, not handling any style messages from PAM.

Following two builds of jpam, we managed to fix the problem, which was: if we get
PAM_ERROR_MSG or PAM_TEXT_INFO, then notify and adapt strings.

Version-Release number of selected component (if applicable):
all of the jpam available.

How reproducible:

Steps to Reproduce:
1. Set up a PAM auth.
2. Expire the password.
3. See it hanging when accessing with the account.

Actual results:

Expected results:
No Hangs.

Additional info:
Patch tested and in production fixing the problem.
We will request a hotfix soon next week, please roll a new package.
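
A conversation callback that handles all four Linux-PAM message styles, including the PAM_ERROR_MSG and PAM_TEXT_INFO notices named in the description above. This is an added example, not the jpam patch attached to this bug: `demo_conv`, `conv_data`, `run_sample` and the sample strings are constructed, and the PAM types are local stand-ins carrying Linux-PAM's values so the block builds without libpam headers.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Stand-ins for Linux-PAM's <security/pam_appl.h>; real code includes it. */
enum { PAM_SUCCESS = 0, PAM_BUF_ERR = 5, PAM_CONV_ERR = 19 };
enum { PAM_PROMPT_ECHO_OFF = 1, PAM_PROMPT_ECHO_ON, PAM_ERROR_MSG, PAM_TEXT_INFO };
struct pam_message  { int msg_style; const char *msg; };
struct pam_response { char *resp; int resp_retcode; };
/* Hypothetical appdata: credentials in, last module notice out. */
struct conv_data { const char *user, *password; char notice[256]; };

static int reply(struct pam_response *r, const char *s) {
    size_t n = strlen(s) + 1;
    if ((r->resp = malloc(n)) != NULL) memcpy(r->resp, s, n);
    return r->resp != NULL;
}
static int fail(struct pam_response *r, int n, int rc) {
    for (int i = 0; i < n; i++) free(r[i].resp);   /* free(NULL) is a no-op */
    free(r);
    return rc;
}
int demo_conv(int num_msg, const struct pam_message **msg,
              struct pam_response **resp, void *appdata) {
    struct conv_data *cd = appdata;
    if (num_msg <= 0 || !msg || !resp || !cd) return PAM_CONV_ERR;
    struct pam_response *r = calloc((size_t)num_msg, sizeof *r); /* slots start NULL */
    if (!r) return PAM_BUF_ERR;
    for (int i = 0; i < num_msg; i++) {
        const char *answer = NULL;
        switch (msg[i]->msg_style) {
        case PAM_PROMPT_ECHO_ON:  answer = cd->user;     break;
        case PAM_PROMPT_ECHO_OFF: answer = cd->password; break;
        case PAM_ERROR_MSG: case PAM_TEXT_INFO:   /* notice only: record, no reply */
            snprintf(cd->notice, sizeof cd->notice, "%s", msg[i]->msg);
            break;
        default:              /* unknown style: release everything and fail */
            return fail(r, num_msg, PAM_CONV_ERR);
        }
        if (answer && !reply(&r[i], answer)) return fail(r, num_msg, PAM_BUF_ERR);
    }
    *resp = r;   /* ownership of r and its strings passes to the PAM caller */
    return PAM_SUCCESS;
}
/* Constructed sample: login prompt, one message of the given style, password prompt. */
int run_sample(int style, struct conv_data *cd, struct pam_response **out) {
    struct pam_message m[] = { { PAM_PROMPT_ECHO_ON, "login: " },
        { style, "User account has expired" }, { PAM_PROMPT_ECHO_OFF, "Password: " } };
    const struct pam_message *pm[] = { &m[0], &m[1], &m[2] };
    return demo_conv(3, pm, out, cd);
}
```

With the notice style in the middle slot the callback still answers both prompts and leaves that slot's `resp` as NULL; an unrecognised style frees every reply and returns `PAM_CONV_ERR` without touching `*resp`.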


Comment 1 Jose Plans 2006-12-16 11:17:16 UTC
Created attachment 143848

Comment 4 Jose Plans 2006-12-17 00:31:30 UTC
Created attachment 143862

Ok this one is cleaner and easier to evolve / adapt.
For the case default, there is a need to clean the messages.

First patch fixes the problem, this one fixes it too, but customer has not
tested it yet.

Comment 6 Jose Plans 2006-12-17 13:10:54 UTC
Created attachment 143866
jpam-0.4-pam_conv.patch [small fix]

Comment 8 Jose Plans 2006-12-19 01:07:07 UTC
Created attachment 143972
pam_conv fixing typo.

Ok tested with kerberos.

Comment 18 Jesus M. Rodriguez 2007-03-23 21:05:49 UTC
Moving to ON_QA

Comment 19 wes hayutin 2007-03-26 19:11:07 UTC
I probably need some assistance with PAM... 
I keep getting 

Mar 26 15:08:24 fjs-0-13 rhn-satellite(pam_unix)[8121]: authentication failure; logname= uid=91 euid=91 tty= ruser= rhost=  user=testLogin
Mar 26 15:08:24 fjs-0-13 rhn-satellite(pam_unix)[8121]:  ERROR 0:Permission denied

Comment 21 Jose Plans 2007-03-29 14:50:13 UTC
[root@fjs-0-13 jpam-test]# export
[root@fjs-0-13 jpam-test]# date
Thu Mar 29 10:49:19 EDT 2007
[root@fjs-0-13 jpam-test]# java SimplePam
Loging start
[root@fjs-0-13 jpam-test]# date
Thu Mar 29 10:49:28 EDT 2007
[root@fjs-0-13 jpam-test]# rpm -q jpam

Comment 22 Jose Plans 2007-03-29 14:52:27 UTC
Created attachment 151202
Test case

Comment 23 Jose Plans 2007-03-29 16:04:30 UTC
Ok, network authentication works perfectly - however you need to gain root or
cap_sys_admin privileges to open/read /etc/shadow, hence you get EPERM.
Checking the documentation, it is said that the PAM authentication is meant to
be for networking db's such as LDAP, NIS, Kerberos.

Comment 25 wes hayutin 2007-04-10 13:22:47 UTC
waiting for webqa to come back up.. I'd rather not bustificate our only working
sat on build 20

Comment 26 wes hayutin 2007-04-11 17:17:02 UTC
pam and rhn are working together...

Comment 28 Jose Plans 2007-04-18 13:02:55 UTC
Ok patch sent and committed upstream for JPam 1.0.
* http://jpam.sourceforge.net/changes-report.html#1.0

Comment 30 Brandon Perkins 2007-06-26 03:08:30 UTC
Closed for Satellite 500 Release.

Comment 32 Clifford Perry 2009-02-19 16:37:37 UTC
*** Bug 213358 has been marked as a duplicate of this bug. ***
