
pam-krb5's Issues

debug pam_krb5

Hello,

I can't debug pam_krb5 on my Ubuntu 14.04 64-bit system.
This is what I get in /var/log/syslog when enabling "debug = true" in krb5.conf:

Oct 16 18:17:01 host CRON[6465]: pam_krb5(cron:setcred): trace logging requested but not supported
Oct 16 18:17:01 host CRON[6465]: pam_krb5(cron:setcred): pam_sm_setcred: entry (establish|silent)
Oct 16 18:17:01 host CRON[6465]: pam_krb5(cron:setcred): no context found, creating one
Oct 16 18:17:01 host CRON[6465]: pam_krb5(cron:setcred): ignoring low-UID user (0 < 1000)
Oct 16 18:17:01 host CRON[6465]: pam_krb5(cron:setcred): pam_sm_setcred: exit (success)
Oct 16 18:17:01 host CRON[6466]: (root) CMD (   cd / && run-parts --report /etc/cron.hourly)
Oct 16 18:17:01 host CRON[6465]: pam_krb5(cron:setcred): trace logging requested but not supported
Oct 16 18:17:01 host CRON[6465]: pam_krb5(cron:setcred): pam_sm_setcred: entry (delete|silent)
Oct 16 18:17:01 host CRON[6465]: pam_krb5(cron:setcred): pam_sm_setcred: exit (success)

So I'm getting the "trace logging requested but not supported" message.
In options.c this happens if HAVE_KRB5_SET_TRACE_FILENAME is not defined.
So what do I have to do?

What am I doing wrong?

Thanks in advance!

defer_pwchange not evaluated

Hi, I am unsure if this is the correct place.
I've got a Debian system with libpam-heimdal:amd64 4.6-1.22.201403250545, which provides pam_krb5.so.

In my PAM stack I define:

auth     sufficient                         pam_krb5.so use_first_pass defer_pwchange

And I still get prompted for 'New password: ' if the user's password has expired when doing authenticate(). The PAM module then returns PAM_AUTH_ERR (7) instead of SUCCESS.
acct_mgmt() returns SUCCESS after the failed authentication/password update.
It works if the user is a Samba4 user but not if the user is an Active Directory user.

Use k5login_directory

If search_k5login is specified, pam_krb5 only looks up .k5login in the user's home directory.
Kerberos allows specifying a k5login_directory, so that the k5login file would be <k5login_directory>/
This would allow authenticating via Kerberos and then mounting an encrypted home directory.

crash due to access to invalid context->princ pointer after error in pamk5_account

While debugging a crash in my local CUPS server, which has pam_krb5 in its PAM configuration, I found a problem in pam_krb5.
Due to a not yet known issue, the krb5_cc_get_principal call in

retval = krb5_cc_get_principal(ctx->context, ctx->cache, &ctx->princ);

is failing.
As ctx->princ is freed just before this call but not reset to NULL, the member seems to be left in an invalid state.
In the error handling, _pam_free_data is called from pam_end and tries to release ctx->princ again, causing a crash.
So I think ctx->princ should be reset after the free in account.c mentioned above.

Regards
Michael

Set a timeout for kerberos login

Sometimes my laptop is not connected to a network when I log in or has some issue with routing where, although it does have a default route, it does not actually have a network connection. These are all issues that are easy to solve once I log in, however, I am frequently left at the lockscreen for upwards of 2 minutes waiting for a kerberos timeout. Can an option be added to time-out kerberos in a more reasonable period of time, like 15 seconds? I'd have to run kinit when I log in anyway when it times out but having to wait 2 minutes is just too long. It does seem to recognize (usually) that I am offline if, for instance, there are no active network interfaces, however, my VPN does not always remove its interface and routes upon server disconnect (which should not cause an issue with something as crucial as a login screen.)

Debugging issue / configuration issue

I am failing to enable the debug mode to get more verbose output on why ticket forwarding potentially does not work.

I have an elaborate setup description here: https://serverfault.com/q/947900/281162

As you can see, I enable trace and debug and also use rsyslog with *.debug /var/log/debug

Neither trace nor debug is working.

As you can see, my configuration works for mod_kerb_auth with Apache, and also with kinit and so on, so I assume the krb5.conf is fine.

What I wonder about, though, is what SPN is required when logging in through PAM... for Apache mod_kerb_auth it must be HTTP/request-domain.

Could it be different for PAM krb? I read something about the SPN being the hostname. Does this mean $(hostname -f)@DOMAIN? How does PAM krb determine the SPN? Can I manually set it?

prompt_principal not parsed as pam argument

Version: pam_krb5 4.7 (self built rpm)
OS: Scientific Linux 6

When I set prompt_principal = true in /etc/krb5.conf, I am prompted as expected.

However, when I omit prompt_principal from the config file and set it as a PAM argument I am not prompted. Is there a specific way this argument should be passed in?

content of /etc/pam.d/system-auth (imported by the actual login process)

auth        required      pam_env.so
auth        [success=3 default=ignore] pam_succeed_if.so service notin login:gdm:xdm:kdm:xscreensaver:gnome-screensaver:kscreensaver quiet use_uid
auth        [success=ok authinfo_unavail=2 ignore=2 default=die] pam_pkcs11.so card_only
auth        optional      pam_krb5.so debug=true    prompt_principal
auth        sufficient    pam_permit.so
auth        sufficient    pam_fprintd.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_krb5.so
auth        required      pam_deny.so

pam_setcred fails when KRB5CCNAME=KEYRING:user:name

Using credential caches of type KEYRING (MIT Kerberos) has several issues:

  • KEYRING:persistent:uidnumber should work as expected. I didn't test, because standard Debian kernels do not have persistent keyrings.
  • KEYRING:session:name does not always copy credentials. This issue is IMHO entirely due to some applications calling _pam_open_session and pam_setcred in reversed order and the limitations of pam_keyinit.so (cf. linux-pam/linux-pam#149)
  • KEYRING:user:name may attach the credentials to the wrong keyring if the PAM application is not currently running with the user's credentials.

The last issue concerns pam_krb5.so. I see several solutions, but I don't know if they are acceptable:

  1. A setreuid()/setgeuid() call before calling krb5_cc_resolve. The module pam_keyinit.so does it without wondering about multi-threading, but the comments in pamk5_setcred tell me this solution would be discarded.
  2. Do the same as above, but using syscalls instead of libc, since they do not synchronize between threads.
  3. Wait for the application to open the user session before copying the credentials.

If you point me in the right direction I might provide a patch.

7 module/basic tests fail on Alpine Linux

I tried to run the tests without a KDC as part of Alpine Linux's pam-krb5 packaging.

7 of the module/basic tests fail. I have posted the log below:

~/aports/testing/pam-krb5/src/pam-krb5-4.8/tests $ ./runtests -l TESTS 

Running all tests listed in TESTS.  If any tests fail, run the failing
test program with runtests -o to see more details.

docs/pod................skipped (POD syntax tests normally skipped)
docs/pod-spelling.......skipped (Spelling tests only run for author)
docs/urls...............skipped (Documentation URL tests only run for author)
module/alt-auth.........skipped (Kerberos tests not configured)
module/bad-authtok......skipped (Kerberos tests not configured)
module/basic............FAILED 9, 13-15, 31, 37-38
module/cache............skipped (Kerberos tests not configured)
module/cache-cleanup....skipped (Kerberos tests not configured)
module/expired..........skipped (Kerberos tests not configured)
module/fast.............skipped (Kerberos tests not configured)
module/no-cache.........skipped (Kerberos tests not configured)
module/pam-user.........skipped (Kerberos tests not configured)
module/password.........skipped (Kerberos tests not configured)
module/pkinit...........skipped (PKINIT tests not configured)
module/realm............skipped (Kerberos tests not configured)
module/stacked..........skipped (Kerberos tests not configured)
pam-util/args...........ok   
pam-util/fakepam........ok   
pam-util/logging........ok   
pam-util/options........ok     
pam-util/vector.........ok   
portable/asprintf.......ok   
portable/mkstemp........ok   
portable/snprintf.......ok       
portable/strndup........ok 

Failed Set                 Fail/Total (%) Skip Stat  Failing Tests
-------------------------- -------------- ---- ----  ------------------------
module/basic                  7/114    6%    0    0  9, 13-15, 31, 37-38

Failed 7/1464 tests, 99.52% okay, 15 tests skipped.


~/aports/testing/pam-krb5/src/pam-krb5-4.8/tests $ ./runtests -o module/basic-t
# Starting data/scripts/basic/no-context
ok 1 - status for acct_mgmt
ok 2 - status for setcred(DELETE_CRED)
ok 3 - status for setcred(ESTABLISH_CRED)
ok 4 - status for setcred(REFRESH_CRED)
ok 5 - status for setcred(REINITIALIZE_CRED)
ok 6 - status for open_session
ok 7 - status for close_session
ok 8 - no output
# Starting data/scripts/basic/force-first
# wanted: 7
#   seen: 3
not ok 9 - status for authenticate
ok 10 - status for acct_mgmt
ok 11 - status for open_session
ok 12 - status for close_session
# wanted: 5
#   seen: 3
not ok 13 - output priority 1
# wanted: authentication failure; logname=root uid=1000 euid=1000 tty= ruser= rhost=
#   seen: (user root) parse_name failed: Configuration file does not specify default realm
not ok 14 - output line 1
# unexpected: (5) authentication failure; logname=root uid=1000 euid=1000 tty= ruser= rhost=
not ok 15 - unexpected output lines
# Starting data/scripts/basic/ignore-root-debug
ok 16 - status for authenticate
ok 17 - status for chauthtok(PRELIM_CHECK)
ok 18 - output priority 1
ok 19 - output line 1
ok 20 - output priority 2
ok 21 - output line 2
ok 22 - output priority 3
ok 23 - output line 3
ok 24 - output priority 4
ok 25 - output line 4
ok 26 - output priority 5
ok 27 - output line 5
ok 28 - output priority 6
ok 29 - output line 6
ok 30 - no excess output
# Starting data/scripts/basic/force-first-debug
# wanted: 7
#   seen: 3
not ok 31 - status for authenticate
ok 32 - status for acct_mgmt
ok 33 - status for open_session
ok 34 - status for close_session
ok 35 - output priority 1
ok 36 - output line 1
# wanted: 7
#   seen: 3
not ok 37 - output priority 2
# wanted: (user root) no stored password
#   seen: (user root) parse_name failed: Configuration file does not specify default realm
not ok 38 - output line 2
ok 39 - output priority 3
ok 40 - output line 3
ok 41 - output priority 4
ok 42 - output line 4
ok 43 - output priority 5
ok 44 - output line 5
ok 45 - output priority 6
ok 46 - output line 6
ok 47 - output priority 7
ok 48 - output line 7
ok 49 - output priority 8
ok 50 - output line 8
ok 51 - output priority 9
ok 52 - output line 9
ok 53 - output priority 10
ok 54 - output line 10
ok 55 - output priority 11
ok 56 - output line 11
ok 57 - no excess output
# Starting data/scripts/basic/no-context-debug
ok 58 - status for acct_mgmt
ok 59 - status for setcred(DELETE_CRED)
ok 60 - status for setcred(ESTABLISH_CRED)
ok 61 - status for setcred(REFRESH_CRED)
ok 62 - status for setcred(REINITIALIZE_CRED)
ok 63 - status for open_session
ok 64 - status for close_session
ok 65 - output priority 1
ok 66 - output line 1
ok 67 - output priority 2
ok 68 - output line 2
ok 69 - output priority 3
ok 70 - output line 3
ok 71 - output priority 4
ok 72 - output line 4
ok 73 - output priority 5
ok 74 - output line 5
ok 75 - output priority 6
ok 76 - output line 6
ok 77 - output priority 7
ok 78 - output line 7
ok 79 - output priority 8
ok 80 - output line 8
ok 81 - output priority 9
ok 82 - output line 9
ok 83 - output priority 10
ok 84 - output line 10
ok 85 - output priority 11
ok 86 - output line 11
ok 87 - output priority 12
ok 88 - output line 12
ok 89 - output priority 13
ok 90 - output line 13
ok 91 - output priority 14
ok 92 - output line 14
ok 93 - output priority 15
ok 94 - output line 15
ok 95 - output priority 16
ok 96 - output line 16
ok 97 - output priority 17
ok 98 - output line 17
ok 99 - output priority 18
ok 100 - output line 18
ok 101 - output priority 19
ok 102 - output line 19
ok 103 - output priority 20
ok 104 - output line 20
ok 105 - output priority 21
ok 106 - output line 21
ok 107 - output priority 22
ok 108 - output line 22
ok 109 - output priority 23
ok 110 - output line 23
ok 111 - no excess output
# Starting data/scripts/basic/ignore-root
ok 112 - status for authenticate
ok 113 - status for chauthtok(PRELIM_CHECK)
ok 114 - no output

module not compliant with Linux-PAM documentation

The pam_end man page and the Linux-PAM application documentation say that:

       ... This argument can be logically OR'd
       with PAM_DATA_SILENT to indicate that the module
       should not treat the call too seriously. It is generally used to
       indicate that the current closing of the library is in a
       fork(2)ed process, and that the parent will take care of cleaning
       up things that exist outside of the current process space (files
       etc.).

Based on bug reports and the issue discussed here, I'd like to suggest the following patch (or something like it) be considered for inclusion in the pam-krb5 module:

diff --git a/module/context.c b/module/context.c
index 9664483..222b70b 100644
--- a/module/context.c
+++ b/module/context.c
@@ -160,10 +160,15 @@ pamk5_context_free(struct pam_args *args)
  */
 void
 pamk5_context_destroy(pam_handle_t *pamh UNUSED, void *data,
-                      int pam_end_status UNUSED)
+                      int pam_end_status)
 {
     struct context *ctx = (struct context *) data;
 
+#ifdef __LINUX_PAM__
+    if (pam_end_status == PAM_SUCCESS | PAM_DATA_SILENT)
+       return;
+#endif /* def __LINUX_PAM__ */
+
     if (ctx != NULL)
         context_free(ctx, true);
 }
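Review bot: the new test `if (pam_end_status == PAM_SUCCESS | PAM_DATA_SILENT)` has an operator-precedence problem: `==` binds tighter than `|`, so it is parsed as `(pam_end_status == PAM_SUCCESS) | PAM_DATA_SILENT`, which is non-zero for every status, so the function always returns early and the context is never freed on any pam_end() call. PAM_DATA_SILENT is a flag bit OR'd into the status, as the quoted documentation says, so test it with `if (pam_end_status & PAM_DATA_SILENT) return;`. Separately, the documentation only asks the module to leave resources outside the process alone (the ticket cache file); releasing the in-process memory of `ctx` would still be appropriate, so if the boolean argument of `context_free()` controls cache removal, calling it with that cleanup disabled rather than returning early would avoid a leak in the silent path. The `return;` on the new line is also indented one space short of the surrounding four-space style.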
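The flag test at the heart of this patch, as an added example that is not pam-krb5's or Linux-PAM's own code: the comparison exactly as written in the hunk beside the masked test the pam_end(3) text calls for, plus a cleanup callback in the shape of `pamk5_context_destroy` that reports whether it released the context. The constants carry the values Linux-PAM defines (PAM_SUCCESS 0, PAM_DATA_SILENT 0x40000000, PAM_AUTH_ERR 7) and are defined locally only so the example builds without the PAM headers; `destroy_with()` is a constructed helper.

```c
#include <stdbool.h>
#include <stdlib.h>

/* Values as defined by Linux-PAM; defined locally so this example builds
 * without the PAM development headers installed. */
#ifndef PAM_SUCCESS
#define PAM_SUCCESS 0
#endif
#ifndef PAM_DATA_SILENT
#define PAM_DATA_SILENT 0x40000000
#endif
#ifndef PAM_AUTH_ERR
#define PAM_AUTH_ERR 7
#endif

/* The test as written in the proposed patch.  C parses it as
 * (status == PAM_SUCCESS) | PAM_DATA_SILENT, so it is true for every status:
 * the OR'd-in flag constant is itself non-zero. */
bool silent_as_patched(int pam_end_status)
{
    return pam_end_status == PAM_SUCCESS | PAM_DATA_SILENT;
}

/* What the pam_end(3) text describes: PAM_DATA_SILENT is a flag OR'd into the
 * status, so mask it out rather than compare the whole word. */
bool silent_as_intended(int pam_end_status)
{
    return (pam_end_status & PAM_DATA_SILENT) != 0;
}

/* The real return code with the flag removed, e.g. for logging. */
int status_without_silent(int pam_end_status)
{
    return pam_end_status & ~PAM_DATA_SILENT;
}

/* Cleanup callback in the shape of pamk5_context_destroy (constructed helper):
 * skips cleanup when the predicate says the close is "silent", otherwise
 * releases ctx.  Returns whether ctx was released so a caller can observe
 * which predicate leaks. */
bool destroy_with(bool (*is_silent)(int), void *ctx, int pam_end_status)
{
    if (is_silent(pam_end_status))
        return false;           /* parent process will clean up */
    free(ctx);
    return true;
}
```

With `silent_as_patched`, `destroy_with` returns false even for a plain `PAM_SUCCESS`, so every context would be leaked; with `silent_as_intended` only statuses carrying the flag skip cleanup.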

allow_kdc_spoof: Refuse to operate without a key to verify tickets.

Hello, FreeBSD/NetBSD have patched their pam_krb5 module to fix a spoofing vulnerability. They didn't use the krb5_verify_init_creds() method, which by default allows the spoofing when the configuration "verify_ap_req_nofail" is false. This default option cannot be changed, as discussed in 2011 (see reference 4), because it could break deployments not using host keys.

So, would it be possible to change the way credentials are verified using an argument, as was done for FreeBSD with "allow_kdc_spoof", where by default the spoofing vulnerability is fixed, in this pam-krb5 project?

References:

  1. NetBSD commit
  2. FreeBSD commit
  3. CVS commit
  4. mail discussions

pam-krb5 password change

Please help me. I want to change a password in the domain. But if I change the password, I have to type the new password in the field where I entered the old password. That is not right. If I enter a new password, I want a new form where I enter the new password and click a "Change" button. Can you do it?

Option to specify maximum password length

Hello ;-)
It would be nice if pam-krb5 provided a configuration option to specify a maximum allowed password length.
A client could potentially supply a password which is > 10000000 (or more) characters long. During the hashsum/crypt generation (sha512, sha256, etc.) of the supplied password the process is blocked and therefore allows Denial of Service. Especially in processes where PAM is called in a (e.g. Python) thread with a global interpreter lock, this blocks the whole process and deadlocks.

The limit should probably be configurable for pam_authenticate(), pam_acct_mgmt() (not sure) and pam_chauthtok().
It would be nice if the user got an error message explaining that the maximum password length limit of %d characters was reached.

Changing password is not possible

Hi :-)

heimdal now (>= version 7.1.0 / heimdal/heimdal#152 / heimdal/heimdal@7422cd1) supports the krb5_get_init_creds_opt_set_change_password_prompt API. Therefore the defer_pwchange option works!
This can be documented at:
6a46b47

Now it seems there is a problem in pam_krb5 when changing the password, which is not possible. I have the following configuration:

auth     sufficient pam_krb5.so use_first_pass defer_pwchange debug=true trace=/tmp/krb5
auth     required pam_deny.so
account  required pam_krb5.so force_pwchange debug=true trace=/tmp/krb5
password required pam_krb5.so use_first_pass use_authtok defer_pwchange debug=true trace=/tmp/krb5

When I do a chauthtok I receive the following error:

>>> pam.chauthtok()
login:test99
Current Kerberos password: 
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
PAM.error: ('Authentication token is no longer valid; new one required', 12)

The logs don't contain anything useful. I can't switch on debug=true or get trace=... working. Maybe you have got an idea:

Apr 28 10:55:40 xen3 python: pam_krb5(service:chauthtok): trace logging requested but not supported
Apr 28 10:55:40 xen3 python: pam_krb5(service:chauthtok): pam_sm_chauthtok: entry (prelim)
Apr 28 10:55:43 xen3 python: pam_krb5(service:chauthtok): (user test99) attempting authentication as [email protected] for kadmin/changepw
Apr 28 10:55:43 xen3 python: pam_krb5(service:chauthtok): (user test99) krb5_get_init_creds_password: Password has expired
Apr 28 10:55:43 xen3 python: pam_krb5(service:chauthtok): pam_sm_chauthtok: exit (failure)

`module/long` tests always fail if `default_realm` is unset.

Test Platform: fedora-mock

The default build environment for mock on Fedora (and other rpm distros) is to have default_realm in /etc/krb5.conf unset.

I think if the unit tests provided some sort of "UNIT-TEST.EXAMPLE.COM" realm to the user argument, they would work...

[mockbuild@69883bfbc1ac4b1cab35913c388e0181 tests]$ ./runtests -o module/long-t
# Starting data/scripts/long/password
#  left: 7
# right: 3
not ok 1 - status for authenticate
#  left: 5
# right: 3
not ok 2 - output priority 1
#  left: authentication failure; logname=test uid=1000 euid=1000 tty= ruser= rhost=
# right: (user test) parse_name failed: Configuration file does not specify default realm
not ok 3 - output line 1
# unexpected: (5) authentication failure; logname=test uid=1000 euid=1000 tty= ruser= rhost=
not ok 4 - unexpected output lines
# Starting data/scripts/long/password-debug
#  left: 7
# right: 3
not ok 5 - status for authenticate
ok 6 - output priority 1
ok 7 - output line 1
#  left: 7
# right: 3
not ok 8 - output priority 2
# wanted: /^\(user test\) rejecting password longer than [0-9]+$/
#   seen: (user test) parse_name failed: Configuration file does not specify default realm
not ok 9 - output line 2
ok 10 - output priority 3
ok 11 - output line 3
ok 12 - output priority 4
ok 13 - output line 4
ok 14 - no excess output
# Starting data/scripts/long/use-first
#  left: 7
# right: 3
not ok 15 - status for authenticate
#  left: 5
# right: 3
not ok 16 - output priority 1
#  left: authentication failure; logname=test uid=1000 euid=1000 tty= ruser= rhost=
# right: (user test) parse_name failed: Configuration file does not specify default realm
not ok 17 - output line 1
# unexpected: (5) authentication failure; logname=test uid=1000 euid=1000 tty= ruser= rhost=
not ok 18 - unexpected output lines
# Starting data/scripts/long/use-first-debug
#  left: 7
# right: 3
not ok 19 - status for authenticate
ok 20 - output priority 1
ok 21 - output line 1
#  left: 7
# right: 3
not ok 22 - output priority 2
# wanted: /^\(user test\) rejecting password longer than [0-9]+$/
#   seen: (user test) parse_name failed: Configuration file does not specify default realm
not ok 23 - output line 2
ok 24 - output priority 3
ok 25 - output line 3
ok 26 - output priority 4
ok 27 - output line 4
ok 28 - no excess output
1..28
# Looks like you failed 14 tests of 28
