
Comments (13)

ThomasHabets commented on July 28, 2024

Comment #1 originally posted by [email protected] on 2011-03-11T21:43:56.000Z:

I don't even think that FreeBSD has support for filesystem user ids. So, we'd probably have to change the effective user id instead. This isn't great, but probably the best we can do.

But we also need a way to detect that this problem exists. I am not sure I really want to go all the way and switch to "autoconf", if I can avoid this extra complication.

Let me see what I can do.

from google-authenticator.

ThomasHabets commented on July 28, 2024

Comment #2 originally posted by [email protected] on 2011-03-11T22:56:05.000Z:

I removed the dependency on setfsuid(). Let me know, if you can now make more progress. I don't have a FreeBSD system to test with, and it is quite possible that there are other dependencies that don't exist on non-Linux systems.

from google-authenticator.

ThomasHabets commented on July 28, 2024

Comment #3 originally posted by denis.shaposhnikov on 2011-03-11T23:08:03.000Z:

Thank you!

Now I have another error:

cc --std=gnu99 -Wall -O2 -g -fPIC -c -o pam_google_authenticator_unittest.o pam_google_authenticator_unittest.c
pam_google_authenticator_unittest.c: In function 'pam_get_item':
pam_google_authenticator_unittest.c:65: error: 'PAM_BAD_ITEM' undeclared (first use in this function)
pam_google_authenticator_unittest.c:65: error: (Each undeclared identifier is reported only once
pam_google_authenticator_unittest.c:65: error: for each function it appears in.)
gmake: *** [pam_google_authenticator_unittest.o] Error 1

from google-authenticator.

ThomasHabets commented on July 28, 2024

Comment #4 originally posted by [email protected] on 2011-03-11T23:43:46.000Z:

What happens if you put the following bit of code somewhere before the line 33 (the one that defined "response"):

#if !defined(PAM_BAD_ITEM) && defined(PAM_SYMBOL_ERR)
// FreeBSD does not know about PAM_BAD_ITEM
#define PAM_BAD_ITEM PAM_SYMBOL_ERR
#endif

I can't promise we can get this code to work on FreeBSD at all, as I still don't know which features are different/missing on FreeBSD. But I can at least try to fix the obvious and easy issues, if you help me test them.

from google-authenticator.

ThomasHabets commented on July 28, 2024

Comment #5 originally posted by denis.shaposhnikov on 2011-03-12T00:02:01.000Z:

I did it, but no changes:

cc --std=gnu99 -Wall -O2 -g -fPIC -c -o pam_google_authenticator_unittest.o pam_google_authenticator_unittest.c
pam_google_authenticator_unittest.c: In function 'pam_get_item':
pam_google_authenticator_unittest.c:70: error: 'PAM_BAD_ITEM' undeclared (first use in this function)
pam_google_authenticator_unittest.c:70: error: (Each undeclared identifier is reported only once
pam_google_authenticator_unittest.c:70: error: for each function it appears in.)
gmake: *** [pam_google_authenticator_unittest.o] Error 1

--- pam_google_authenticator_unittest.c.orig 2011-03-11 15:51:05.000000000 -0800
+++ pam_google_authenticator_unittest.c 2011-03-11 15:51:31.000000000 -0800
@@ -30,6 +30,11 @@
#include "base32.h"
#include "hmac.h"

+#if !defined(PAM_BAD_ITEM) && defined(PAM_SYMBOL_ERR)
+// FreeBSD does not know about PAM_BAD_ITEM
+#define PAM_BAD_ITEM PAM_SYMBOL_ERR
+#endif
+
static char *response = "";

static int conversation(int num_msg, const struct pam_message **msg,
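
Review bot: the guard on the first added line, "#if !defined(PAM_BAD_ITEM) && defined(PAM_SYMBOL_ERR)", evidently evaluated to false: the compiler output above still reports PAM_BAD_ITEM as undeclared, now at line 70 instead of 65, which is exactly the offset of the five inserted lines. defined() only sees preprocessor macros, so the second half of the test is false whenever the platform's PAM headers declare PAM_SYMBOL_ERR as an enum constant rather than a #define. Suggest dropping the defined(PAM_SYMBOL_ERR) half, or keying the fallback on a platform macro such as __FreeBSD__, and confirming that the PAM header is included above this block so the !defined(PAM_BAD_ITEM) test sees the real definition on systems that have one.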

from google-authenticator.

ThomasHabets commented on July 28, 2024

Comment #6 originally posted by [email protected] on 2011-03-12T01:14:20.000Z:

Thank you for helping with this bug. I just checked in a version that should address all the issues that you reported. Please let me know, if there are remaining problems.

from google-authenticator.

ThomasHabets commented on July 28, 2024

Comment #7 originally posted by denis.shaposhnikov on 2011-03-14T18:19:51.000Z:

I've tested the pam module and found it doesn't work. I see the following in the log:

sshd(pam_google_authenticator)[61935]: Failed to change user id to "user"
sshd[61935]: in _openpam_check_error_code(): pam_sm_authenticate(): unexpected return value 19

from google-authenticator.

ThomasHabets commented on July 28, 2024

Comment #8 originally posted by [email protected] on 2011-03-14T18:32:12.000Z:

When you write "user", do you mean it literally says "user"? Or is this just a placeholder for the actual user name?

In any case, can you please also test with some other PAM enabled applications (e.g. "su"). "sshd" is a particularly tricky test case as its PAM implementation is difficult to configure. So, we want to make sure you don't run into problems with a misconfigured "sshd" and misdiagnose it as a bug in the Google authenticator.

Once we know the authenticator works fine, we can then try to figure out why "sshd" doesn't work.

If "su" also fails, try to collect as much debug information as possible. Running it inside of "strace" (or the FreeBSD equivalent) would be helpful. You probably have to be "root" to do so.

from google-authenticator.

ThomasHabets commented on July 28, 2024

Comment #9 originally posted by denis.shaposhnikov on 2011-03-14T22:45:35.000Z:

I've configured the module for "login" and tried

sudo ktrace login test_user

In the dump I see lots of info and I think the most interesting part is the following:

96358 login CALL seteuid(0x3e9)
96358 login RET seteuid 0
96358 login CALL geteuid
96358 login RET geteuid 1001/0x3e9
96358 login CALL seteuid(0x3e9)
96358 login RET seteuid -1 errno 1 Operation not permitted

The UID of test_user is 1001.

from google-authenticator.

ThomasHabets commented on July 28, 2024

Comment #10 originally posted by [email protected] on 2011-03-14T22:57:28.000Z:

If you replace the user id management functions with the following code, does that improve things?

static int setuser(int uid) {
#ifdef HAS_SETFSUID
  // The semantics for setfsuid() are a little unusual. On success, the
  // previous user id is returned. On failure, the current user id is returned.
  int old_uid = setfsuid(uid);
  if (uid != setfsuid(uid)) {
    setfsuid(old_uid);
    return -1;
  }
#else
  // Only call seteuid() if we are not already running as the target user.
  int old_uid = geteuid();
  if (old_uid != uid && seteuid(uid)) {
    return -1;
  }
#endif
  return old_uid;
}

static int drop_privileges(pam_handle_t *pamh, const char *username, int uid) {
  // Try to become the new user. This might be necessary for NFS mounted home
  // directories.
  int old_uid = setuser(uid);
  if (old_uid < 0) {
    log_message(LOG_ERR, pamh, "Failed to change user id to \"%s\"", username);
    return -1;
  }
  return old_uid;
}

from google-authenticator.

ThomasHabets commented on July 28, 2024

Comment #11 originally posted by denis.shaposhnikov on 2011-03-14T23:16:55.000Z:

Now it's better. But I can't authenticate myself. It works if I try to log in with a one-time code which google-authenticator generated and saved into ~/.google_authenticator, but for the verification code it logs "Invalid verification code". Maybe I configured "Google Authenticator" wrongly on my Android phone? I've added the account "test_user@hostname" and I'm trying to use the code which I see on my Android phone, but it doesn't work.

from google-authenticator.

ThomasHabets commented on July 28, 2024

Comment #12 originally posted by [email protected] on 2011-03-14T23:21:45.000Z:

The easiest way to configure the Android application correctly is by scanning the QR code that the "google-authenticator" library generates.

Also, it is crucial that both your computer and your Android have reasonably precise time. The vast majority of cases where I have seen users unable to log in were a result of them having mismatched clocks.

I keep thinking of a good way to output more useful diagnostics information whenever this happens.

from google-authenticator.

ThomasHabets commented on July 28, 2024

Comment #13 originally posted by denis.shaposhnikov on 2011-03-14T23:39:38.000Z:

You are right. I've synced time and now the pam module works excellently. Thank you!

from google-authenticator.
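
Comments #12 and #13 trace the "Invalid verification code" failures to mismatched clocks and ask for better diagnostics. The sketch below is an added example, not code from google-authenticator or from this thread: it verifies an RFC 6238 code within a narrow acceptance window and, on failure, compares a wider range of time steps only to tell clock skew apart from a wrong code. The names check_code and diagnose, the window of 1 step and the search range of 20 steps are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30  # seconds per time step (RFC 6238 default)
# RFC 6238 test secret "12345678901234567890", base32-encoded (sample value).
SAMPLE_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

def totp(secret_b32, unix_time, digits=6):
    """HMAC-SHA1 TOTP code for the time step containing unix_time."""
    key = base64.b32decode(secret_b32)
    counter = struct.pack(">Q", int(unix_time) // STEP)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def check_code(secret_b32, code, server_time, window=1, search=20):
    """Return (accepted, skew_steps).

    Only steps within +/- window are ever accepted. Steps out to +/- search
    are compared purely to tell clock skew apart from a wrong code.
    """
    for k in sorted(range(-search, search + 1), key=abs):  # nearest first
        t = server_time + k * STEP
        if t < 0:
            continue
        if hmac.compare_digest(totp(secret_b32, t), code):
            return abs(k) <= window, k
    return False, None

def diagnose(secret_b32, code, server_time):
    """Message for the admin log, not for the person logging in."""
    accepted, skew = check_code(secret_b32, code, server_time)
    if accepted:
        return "accepted"
    if skew is None:
        return "Invalid verification code"
    return ("Invalid verification code: it is valid for a clock %+d s away "
            "from this host's; check time sync" % (skew * STEP))

if __name__ == "__main__":
    phone_time = 1111111109                    # constructed: phone's clock
    code = totp(SAMPLE_SECRET, phone_time)     # what the phone displays
    print(diagnose(SAMPLE_SECRET, code, phone_time))        # clocks agree
    print(diagnose(SAMPLE_SECRET, code, phone_time + 300))  # host 5 min fast
```

The wider search never changes what is accepted, and the skew message belongs in the system log only, since showing it at the login prompt would tell a guesser that a code is valid for some other time.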
