Pedro Fortuny Ayuso | 2 Jun 17:09 2010

Trouble with crypt(3) in pam module.

Hi,

I simply do not get it... crypt(3) crashes in a PAM module,
raising a segfault, but it does not in a 'standalone version'
of the module.

The code below (which is the minimal I have been able to squeeze 
it into) segfaults if run as a pam module. It does not do so 
if run standalone (adding the main() and compiling it as an executable).

Any ideas, pointers, misunderstandings on my side?

I can run other libraries (namely OpenSSL) without problems, although
BIO_free_all() also segfaulted...

This happens in two systems at least:

Ubuntu-9, 2.6.24-24-generic #1 SMP, x86_64
Fedora-13, 2.6.33.3-85.fc13.x86_64 #1 SMP

It seems to be related to the 64bit thing, but I am not that
sure. I am copying the error messages:

On the Ubuntu system:
Jun  2 17:06:48 jorge-desktop kernel: [109318.066314] sshd[10318]: segfault at 5e6775f0 rip 7ff45bb900e0 rsp 7fff6644e658 error 4

On the Fedora system:
Jun  2 04:40:42 fedora13 sibyl: Entered module BOGUS
Jun  2 04:40:42 fedora13 sibyl: I can still log after crypt'ing

Eric Durand | 4 Jun 17:19 2010

PAM 1.1.1 compilation and pam_tty_audit module

Hello,

I've just compiled the last version 1.1.1 and the pam_tty_audit.so is not produced. Probably I do miss something. Even the .lo is not compiled in the module/pam_tty_audit directory.

Any idea ?

Regards

JF

_______________________________________________
Pam-list mailing list
Pam-list <at> redhat.com
https://www.redhat.com/mailman/listinfo/pam-list
Anthony Iliopoulos | 5 Jun 21:01 2010

Re: Trouble with crypt(3) in pam module.

Pedro,

On Wed, Jun 02, 2010 at 05:09:39PM +0200, Pedro Fortuny Ayuso wrote:
> Hi,
> 
> I simply do not get it... crypt(3) crashes in a PAM module,
> raising a segfault, but it does not in a 'standalone version'
> of the module.
> 
> The code below (which is the minimal I have been able to squeeze 
> it into) segfaults if run as a pam module. It does not do so 
> if run standalone (adding the main() and compiling it as an executable).
> 
> Any ideas, pointers, misunderstandings on my side?
> 
> I can run other libraries (namely OpenSSL) without problems, although
> BIO_free_all() also segfaulted...
> 
> This happens in two systems at least:
> 
> Ubuntu-9, 2.6.24-24-generic #1 SMP, x86_64
> Fedora-13, 2.6.33.3-85.fc13.x86_64 #1 SMP
> 
> It seems to be related to the 64bit thing, but I am not that
> sure. I am copying the error messages:
> 
> On the Ubuntu system:
> Jun  2 17:06:48 jorge-desktop kernel: [109318.066314] sshd[10318]: segfault at 5e6775f0 rip 7ff45bb900e0 rsp 7fff6644e658 error 4
> 
> On the Fedora system:
> Jun  2 04:40:42 fedora13 sibyl: Entered module BOGUS
> Jun  2 04:40:42 fedora13 sibyl: I can still log after crypt'ing
> Jun  2 04:40:42 fedora13 kernel: sshd[1855]: segfault at ffffffffca7c4be0 ip 00007fd8c68fb007 sp 00007fff4efb8b50 error 4 in libc-2.12.so[7fd8c68b3000+175000]

Looks like you're calling your pam module through sshd. Note that
sshd runs pam authentication in a thread context. That might be
contributing to the crash you are seeing when the module is not
called as a standalone program.

Another thing you might want to pay attention to is how you
are compiling the pam module (statically/dynamically and the various
linker options).

Also, did you try to isolate the fault ? e.g. does it still segfault
if you remove the crypt call ? What about removing the syslog
output of the crypt result array ? You can always make an attempt
to see if crypt_r (the re-entrant version of crypt) would work for
you.

Regards,
Anthony

> /* notice that one cannot assume Linux has OpenPAM implemented */
> 
> #include <pwd.h>
> #include <stdlib.h>
> #include <stdio.h>
> #include <string.h>
> #include <unistd.h>
> #include <syslog.h>
> 
> #include <security/pam_modules.h>
> #include <security/pam_appl.h>
> 
> 
> int
> pam_sm_authenticate(pam_handle_t *pamh, int flags,
> 		    int argc, const char *argv[])
> {
> 	FILE *log;
> 	/* options */
> 
> 	openlog( "sibyl", LOG_CONS, LOG_AUTH);
> 	void syslog(int priority, const char *format, ...);
> 
> 	syslog(LOG_NOTICE, "Entered module BOGUS");
>         char *c = crypt("petete", "$1$cW0uis36$");
>         syslog(LOG_NOTICE, "I can still log after crypt'ing");
>         syslog(LOG_NOTICE, "Encrypted [%s]", c);
>         return(PAM_AUTH_ERR);
> }
> 
> /* uncomment for a standalone version
> int main(){
> 	pam_sm_authenticate(NULL, 0, 0, NULL);
> 	return(0);
> } */
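
The two kernel lines quoted in this thread can be triaged mechanically. The following is an added example, not code from any poster: it parses both line layouts, decodes the page-fault error code, and computes the faulting instruction's offset inside the named library. The struct and function names are hypothetical.

```c
#include <inttypes.h>
#include <stdio.h>
#include <string.h>

/* One parsed kernel "segfault at" line (hypothetical struct for this example). */
struct segv {
    uint64_t addr, ip, sp, base, len;  /* base/len stay 0 if no mapping is printed */
    unsigned err;                      /* x86 page-fault error code */
    char map[64];
};

/* Handles both layouts quoted in the thread: "rip/rsp" (2.6.24) and
 * "ip/sp ... in name[base+len]" (2.6.33). Returns 0 on success, -1 otherwise. */
int segv_parse(const char *line, struct segv *s)
{
    char k1[8], k2[8];
    const char *p = strstr(line, "segfault at ");
    memset(s, 0, sizeof *s);
    if (!p || sscanf(p, "segfault at %" SCNx64 " %7s %" SCNx64 " %7s %" SCNx64
                        " error %x", &s->addr, k1, &s->ip, k2, &s->sp, &s->err) != 6)
        return -1;
    if ((strcmp(k1, "ip") && strcmp(k1, "rip")) || (strcmp(k2, "sp") && strcmp(k2, "rsp")))
        return -1;
    if ((p = strstr(p, " in ")) != NULL)
        sscanf(p, " in %63[^[][%" SCNx64 "+%" SCNx64 "]", s->map, &s->base, &s->len);
    return 0;
}

/* Error bits: 1 = protection fault (clear: page not mapped), 2 = write, 4 = user mode. */
int segv_user_read_unmapped(const struct segv *s)
{
    return (s->err & 4) && !(s->err & 3);
}

/* Offset of the faulting instruction inside its mapping; -1 if none is named. */
int64_t segv_ip_offset(const struct segv *s)
{
    if (!s->len || s->ip < s->base || s->ip - s->base >= s->len)
        return -1;
    return (int64_t)(s->ip - s->base);
}

/* True when the fault address is a zero- or sign-extended 32-bit value, which on
 * x86_64 often means a pointer was narrowed to int (e.g. a call with no prototype). */
int segv_addr_32bit(const struct segv *s)
{
    uint64_t hi = s->addr >> 32;
    return s->addr >= 0x10000 && (hi == 0 || (hi == 0xffffffffu && (s->addr & 0x80000000u)));
}

int main(void)
{
    struct segv s;  /* input: the Fedora line quoted in the thread */
    const char *l = "kernel: sshd[1855]: segfault at ffffffffca7c4be0 ip 00007fd8c68fb007 "
                    "sp 00007fff4efb8b50 error 4 in libc-2.12.so[7fd8c68b3000+175000]";
    if (segv_parse(l, &s) == 0)
        printf("%s+0x%" PRIx64 "\n", s.map, (uint64_t)segv_ip_offset(&s));
    return 0;
}
```

The library-relative offset is what `addr2line` or `objdump` needs to name the faulting function when the matching libc build is at hand.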
Pedro Fortuny Ayuso | 6 Jun 11:24 2010

Re: Trouble with crypt(3) in pam module.

Anthony,


On Sat, Jun 5, 2010 at 9:01 PM, Anthony Iliopoulos <ailiop <at> lsu.edu> wrote:
> Pedro,
>
> On Wed, Jun 02, 2010 at 05:09:39PM +0200, Pedro Fortuny Ayuso wrote:
> > Hi,
> >
> > I simply do not get it... crypt(3) crashes in a PAM module,
> > raising a segfault, but it does not in a 'standalone version'
> > of the module.
> >
> > The code below (which is the minimal I have been able to squeeze
> > it into) segfaults if run as a pam module. It does not do so
> > if run standalone (adding the main() and compiling it as an executable).
> >
> > Any ideas, pointers, misunderstandings on my side?
> >
> > I can run other libraries (namely OpenSSL) without problems, although
> > BIO_free_all() also segfaulted...
> >
> > This happens in two systems at least:
> >
> > Ubuntu-9, 2.6.24-24-generic #1 SMP, x86_64
> > Fedora-13, 2.6.33.3-85.fc13.x86_64 #1 SMP
> >
> > It seems to be related to the 64bit thing, but I am not that
> > sure. I am copying the error messages:
> >
> > On the Ubuntu system:
> > Jun  2 17:06:48 jorge-desktop kernel: [109318.066314] sshd[10318]: segfault at 5e6775f0 rip 7ff45bb900e0 rsp 7fff6644e658 error 4
> >
> > On the Fedora system:
> > Jun  2 04:40:42 fedora13 sibyl: Entered module BOGUS
> > Jun  2 04:40:42 fedora13 sibyl: I can still log after crypt'ing
> > Jun  2 04:40:42 fedora13 kernel: sshd[1855]: segfault at ffffffffca7c4be0 ip 00007fd8c68fb007 sp 00007fff4efb8b50 error 4 in libc-2.12.so[7fd8c68b3000+175000]
>
> Looks like you're calling your pam module through sshd. Note that
> sshd runs pam authentication in a thread context. That might be
> contributing to the crash you are seeing when the module is not
> called as a standalone program.
>
> Another thing you might want to pay attention to is how you
> are compiling the pam module (statically/dynamically and the various
> linker options).
>
> Also, did you try to isolate the fault ? e.g. does it still segfault
> if you remove the crypt call ? What about removing the syslog
> output of the crypt result array ? You can always make an attempt
> to see if crypt_r (the re-entrant version of crypt) would work for
> you.
>
> Regards,
> Anthony



Yes, I did isolate the fault: it is the crypt() call for sure. Most probably it is the
sshd thread context thing you mention (it is the only way I have tried to run it so far).
As a matter of fact I tried to use also OpenSSL's BIOs and got another
segfault when calling BIO_free() (all this through sshd), which makes
me think the thread context is the key to the problem.

I shall try and use the crypt_r version. However, could you point me
to some place where this thread context of sshd is explained? Is there a way
to replicate crypt() using OpenSSL?

Thanks a lot,

Pedro.


 
> > /* notice that one cannot assume Linux has OpenPAM implemented */
> >
> > #include <pwd.h>
> > #include <stdlib.h>
> > #include <stdio.h>
> > #include <string.h>
> > #include <unistd.h>
> > #include <syslog.h>
> >
> > #include <security/pam_modules.h>
> > #include <security/pam_appl.h>
> >
> >
> > int
> > pam_sm_authenticate(pam_handle_t *pamh, int flags,
> >                   int argc, const char *argv[])
> > {
> >       FILE *log;
> >       /* options */
> >
> >       openlog( "sibyl", LOG_CONS, LOG_AUTH);
> >       void syslog(int priority, const char *format, ...);
> >
> >       syslog(LOG_NOTICE, "Entered module BOGUS");
> >         char *c = crypt("petete", "$1$cW0uis36$");
> >         syslog(LOG_NOTICE, "I can still log after crypt'ing");
> >         syslog(LOG_NOTICE, "Encrypted [%s]", c);
> >         return(PAM_AUTH_ERR);
> > }
> >
> > /* uncomment for a standalone version
> > int main(){
> >       pam_sm_authenticate(NULL, 0, 0, NULL);
> >       return(0);
> > } */




--
Pedro Fortuny Ayuso
Dpto de Matemáticas
Escuela Univ. de Ingeniería Técnica Industrial
Campus Universitario de Gijón (Viesques)
33203 Gijón (Asturias)

Anthony Iliopoulos | 6 Jun 15:19 2010

Re: Trouble with crypt(3) in pam module.

Pedro,

On Sun, Jun 06, 2010 at 11:24:50AM +0200, Pedro Fortuny Ayuso wrote:
> Anthony,
> 
> Yes, I did isolate the fault: it is the crypt() call for sure. Most probably
> it is the
> sshd thread context thing you mention (it is the only way I have tried to
> run it so far).
> As a matter of fact I tried to use also OpenSSL's BIOs and got another
> segfault when calling BIO_free() (all this through sshd), which makes
> me think the thread context is the key to the problem.
> 
> I shall try and use the crypt_r version. However, could you point me
> to some place where this thread context of sshd is explained? Is there a way

I don't believe there's any better explanation other than the source code,
see auth-pam.c in any openssh portable release tree.

> to replicate crypt() using OpenSSL?

There are several ways to replicate crypt() via OpenSSL, see
http://www.openssl.org/docs/crypto/des.html, I assume DES_fcrypt
is probably what you need.

> Thanks a lot,
> 
> Pedro.

Hope that helps,

Regards,
Anthony
Pedro Fortuny Ayuso | 6 Jun 18:57 2010

Re: Trouble with crypt(3) in pam module.

Anthony,


On Sun, Jun 6, 2010 at 3:19 PM, Anthony Iliopoulos <ailiop <at> lsu.edu> wrote:
> Pedro,
>
> On Sun, Jun 06, 2010 at 11:24:50AM +0200, Pedro Fortuny Ayuso wrote:
> > Anthony,
> >
> > Yes, I did isolate the fault: it is the crypt() call for sure. Most probably
> > it is the
> > sshd thread context thing you mention (it is the only way I have tried to
> > run it so far).
> > As a matter of fact I tried to use also OpenSSL's BIOs and got another
> > segfault when calling BIO_free() (all this through sshd), which makes
> > me think the thread context is the key to the problem.
> >
> > I shall try and use the crypt_r version. However, could you point me
> > to some place where this thread context of sshd is explained? Is there a way
>
> I don't believe there's any better explanation other than the source code,
> see auth-pam.c in any openssh portable release tree.
>
> > to replicate crypt() using OpenSSL?
>
> There are several ways to replicate crypt() via OpenSSL, see
> http://www.openssl.org/docs/crypto/des.html, I assume DES_fcrypt
> is probably what you need.
>
> > Thanks a lot,
> >
> > Pedro.
>
> Hope that helps,
>
> Regards,
> Anthony

 
Well, it is nice to get this kind of help.

I have just checked the DES_  family's documentation and yes,

==DES_fcrypt: is a fast version of the Unix crypt(3) function.
==(...) This function is thread safe, unlike the normal crypt
(by the way, DES_crypt seems to do the trick as well)

About to read pam-auth.c in detail, but I guess my problems are solved
by now. I'll keep this thread posted anyway, for completeness.

Thanks a lot and all the best,

Pedro.


--
Pedro Fortuny Ayuso
Dpto de Matemáticas
Escuela Univ. de Ingeniería Técnica Industrial
Campus Universitario de Gijón (Viesques)
33203 Gijón (Asturias)

Thorsten Kukuk | 7 Jun 20:48 2010

Re: PAM 1.1.1 compilation and pam_tty_audit module

On Fri, Jun 04, Eric Durand wrote:

> Hello,
> 
> I've just compiled the last version 1.1.1 and the pam_tty_audit.so is not
> produced. Probably I do miss something. Even the .lo is not compiled in the
> module/pam_tty_audit directory.
> 
> Any idea ?

Look at the configure output. Most likely you don't have
libaudit or it is too old.

  Thorsten

-- 
Thorsten Kukuk, Project Manager/Release Manager SLES
SUSE LINUX Products GmbH, Maxfeldstr. 5, D-90409 Nuernberg
GF: Markus Rex, HRB 16746 (AG Nuernberg)
ben thielsen | 8 Jun 05:58 2010

pam_unix, pam_ldap, and nss

hi-

i've been experimenting with ldap authentication combined with traditional unix authentication, and
have what appears to be a working configuration - but, in the process, it's raised some questions.  my
testing has been only with sshd for the moment.  at the bottom of the message is my current sshd pam config. 
i've included the various common-* includes in the file as though they were part of it.

i'm specifically wondering about the account section.  using the more basic configuration:

account	[success=1 new_authtok_reqd=done default=ignore]	pam_unix.so
account	[success=1 default=ignore]				pam_ldap.so minimum_uid=1000 debug
account	requisite						pam_deny.so
account	required						pam_permit.so

ldap users were allowed in when i wasn't expecting them to be.  i'm using openldap w/ the nssov overlay and the
nss-pam-ldapd stub libraries.  isolating just the unix module or just the ldap module resulted in each
type working as desired independently, but adding in the unix module circumvented the ldap group
membership requirements.  since this system is also using ldap for nss - getent passwd, group, and shadow
all expose ldap data, my sense was that this was the reason behind this behavior (although i don't quite
understand specifically why).

my approach was to use localuser to identify if the user was local or in ldap, and then if found in ldap, apply
the ldap module first, followed by the unix module only on success.  it seems to work, but feels a bit
convoluted.  is this sane?  how is this typically handled, when nss uses both local files and ldap, and the
pam uses both local and ldap modules with account restrictions coming from the ldap module?  i also wanted
to keep the unix module first in the stack, to minimize delays if the ldap server was not reachable.

in the past i'd have used only localusers and not unix, which would simplify the account stack, but i've been
cautioned previously on the list that doing so would result in things like password expiry not being
honored, etc.

i'd greatly appreciate any criticism, etc. offered on my approach to solving the above, and on the below
config in general.

regards
-ben

# sshd pam config
auth		required				pam_env.so
auth		required				pam_env.so envfile=/etc/default/locale

@include common-auth
### common-auth ###
auth		[success=2 default=ignore]		pam_unix.so nullok_secure
auth		[success=1 default=ignore]		pam_ldap.so use_first_pass minimum_uid=1000 debug
auth		requisite				pam_deny.so
auth		required				pam_permit.so
### end common-auth ###

account		required				pam_nologin.so

@include common-account
### common-account ###
# send directly to unix module if a local user, send to ldap module first if not
account		[success=1 default=ignore]		pam_localuser.so
account		[success=ok default=1]			pam_ldap.so minimum_uid=1000 debug
account		[success=1 new_authtok_reqd=done default=ignore]	pam_unix.so
account		requisite				pam_deny.so
account		required				pam_permit.so
### end common-account ###

@include common-session
### common-session ###
session		required				pam_unix.so
session		optional				pam_ldap.so minimum_uid=1000 no_warn debug
session		optional				pam_mkhomedir.so
### end common-session ###

session		optional				pam_motd.so # [1]
session		optional				pam_mail.so standard noenv
session		required				pam_limits.so

@include common-password
### common-password ###
password	requisite				pam_passwdqc.so min=disabled,24,11,7,7
password	[success=2 default=ignore]		pam_unix.so use_authtok try_first_pass sha512 obscure
password	[success=1 default=ignore]		pam_ldap.so use_authtok try_first_pass minimum_uid=1000 debug
password	requisite				pam_deny.so
password	required				pam_permit.so
### end common-password ###
Pedro Fortuny Ayuso | 8 Jun 17:53 2010

Re: Trouble with crypt(3) in pam module.

Hi,

Don't want to pester, but:

It seems that DES_crypt, DES_fcrypt do not do exactly what GNU's
crypt(3) does when using salts with '$1$', etc... So I have had
to revert to using crypt_r.

I discovered that my Ubuntu DOES have the crypt_r, although it
does not appear in the man pages.

As for OpenSSL, you are right, but this module needs it anyway,
so, as long as the module was portable, DES_fcrypt should be
usable. BUT cf above.

Thanks again,

Pedro.

On Tue, Jun 08, 2010 at 09:50:02AM -0500, Anthony Iliopoulos wrote:
> Hey Pedro,
> 
> On Mon, Jun 07, 2010 at 01:51:48PM +0200, Pedro Fortuny Ayuso wrote:
> > Hi (Anthony),
> > 
> > This is just for completeness.
> 
> I appreciate you letting me know that it does work
> indeed.
> 
> > It has worked using both DES_crypt() and DES_fcrypt (this latter
> > option is the one I shall use).
> > 
> > I prefer using openssl's DES_fcrypt rather than crypt_r
> > because it may be more widespread (I found out an Ubuntu-9
> > does not have crypt_r, and it seems that BSD systems lack
> > it as well).
> 
> That's an interesting observation. I concur that by using
> the openssl library calls, will grant you more portability.
> 
> > Really, thank you VERY much. I was at my wit's end.
> > 
> > I owe you a beer.
> 
> It's my pleasure really, I think we all learn something
> from troubleshooting such issues.
> 
> Regards,
> Anthony

-- 
Pedro Fortuny Ayuso
http://pfortuny.net
EUITIG, Campus de Viesques, Gijon
Dpto. de Matematicas
Universidad de Oviedo
fortunypedro <at> uniovi.es
