public inbox for gentoo-dev@lists.gentoo.org
 help / color / mirror / Atom feed
* [gentoo-dev] The results of an evening of Apache and PAM debugging
@ 2005-06-14 11:17 Anthony Gorecki
  2005-06-14 21:44 ` Paul de Vrieze
  0 siblings, 1 reply; 3+ messages in thread
From: Anthony Gorecki @ 2005-06-14 11:17 UTC (permalink / raw
  To: gentoo-dev

[-- Attachment #1: Type: text/plain, Size: 6057 bytes --]

This message is fairly long, however I've decided to pass it along in the hope 
that someone may find it useful as a reference source. It was originally 
intended to be a problem description and debugging request for the gnomes to 
ponder over.


I've recently encountered an interesting debugging paradox. Upon deploying 
Subversion with an Apache-based server, I discovered an interesting issue 
with PAM that seems to be intent on defying explanation:

I have a repository that's accessible through <https://svn.domain.com/>, with 
the repository root set at location / (using Subversion 1.2.0, which has a 
fix for the cache bug that prevented repositories from being located at the 
root of a web address). The server is setup to allow read-only access to the 
repository through unencrypted HTTP connections, while write operations must 
use HTTPS (TLSv1, AES256). 

When accessing the repository through HTTPS, Apache dispatches an 
authorization request to mod_auth_pam and PAM, which in turn passes the 
request off as follows:

The username and password authentication (auth) process is passed to pam_krb5 
and the accompanying KDC. This process works flawlessly on every service, 
including Apache's requests. The logs indicate successful logins when 
submitting a username and password via web request.

The account management (account) process is passed to pam_unix, which then 
does a bit of nsswitch magic to tie everything together. In this context, 
only network-based user accounts are permitted, therefore nsswitch uses the 
NSVS (MySQL backend) service to retrieve all of the information. For example, 
calls to getspnam are handled as follows:

getspnam \
        SELECT \
'%1$s','x',1,0,99999,7,0,DATEDIFF(expiration_date,'1970-01-01'),0 \
        FROM users \
        WHERE username='%1$s' \
        LIMIT 1

Herein lies the problem. During the authorization process, PAM will fail 
during the account stage with the error: "PAM: user 'agorecki'  - invalid 
account: Authentication service cannot retrieve authentication info."

For whatever reason, the debug and audit flags in the pam_unix module are not 
functional. As a result, I extracted the information I needed directly from 
the source code, and found the error location to be:

./Linux-PAM-0.78/modules/pam_unix/pam_unix_acct.c:
127         spent = _pammodutil_getspnam (pamh, uname);
128     else
129         return PAM_SUCCESS;
130
131     if (!spent)
132         if (on(UNIX_BROKEN_SHADOW,ctrl))
133             return PAM_SUCCESS;
134
135     if (!spent)
136         return PAM_AUTHINFO_UNAVAIL;    /* Couldn't get username from 
shadow */

The call on line 127 takes place, and the error originates on line 136.

For the purposes of debugging, I've removed all chroot restrictions from 
Apache and have given it complete access to the filesystem. The Apache 
Subversion interface works through the unencrypted connections, which do not 
require authentication.

Hours of Google searching turned up nothing of use; what I don't understand is 
how Apache can fail to retrieve the shadow information when it's accessible 
by any unprivileged--

While writing the above, it occurred to me to run a final check on the debug 
output of nsvsd, which produced: 

run_query: query: SELECT 'agorecki','x',user_id,group_id,CONCAT(first_name,' 
',last_name),CONCAT('/home/',username),'/bin/bash' FROM users WHERE 
username='agorecki' AND group_id IS NOT NULL LIMIT 1
send_response: sending 120-byte response
main_loop: pid 12314 unauthorized for type 8
main_loop: pid 12314 unauthorized for type 8

The obligatory check of the code found:

./nsvs/src/nsvsd/nsvsd.c:
449               /*
450                * Don't allow shadow queries to non-root users
451                * It is CRITICAL that this code occurs AFTER reading the 
key
452                * to avoid clientside sigpipe issues
453                */
454               if ((req.type == GETSPBYNAME || req.type == GETSP) && 
caller.uid != 0)
455                 {
456                   nsvs_log (LOG_DEBUG, "%s: pid %d unauthorized for type 
%d",
457                             __FUNCTION__, caller.pid, req.type);


Having non-root users access the shadow-emulated MySQL information is of no 
consequence to me as I don't use that system for password storage, however 
I'd prefer not to start patching software to work around the above 
restriction. 

Having wasted forty-five minutes typing the above only to find the cause of 
the problem that was illuding me, I'm left with the next problem: 

My network authentication scheme cannot solely rely on Kerberos' built-in 
account expiration and suspension system, because a user could still login 
through SSH using a certificate. As a result, I've tied the entire system's 
account expiration process into the emulated shadow suite so that I can 
expire all access simply by changing the expiration date of the account in 
the MySQL database. Consequently, I can't use the broken_shadow option of 
pam_unix to get around the problem that way, otherwise I wouldn't be able to 
keep someone from modifying the repository without deleting their account or 
changing the account's password. 

Therefore, the only viable option would seem to be to use mod_auth_external 
and an authentication binary to serve as an intermediary between PAM and 
Apache. Unfortunately, that process would be considerably slower than calling 
the PAM functions directly or through a library. I also don't see a SASL 
module for a Apache. 

Does anyone have a suggestion that would fit the requirements, other than 
using mod_auth_external, coupled with an authentication program? An interface 
to Cyrus-SASL would be ideal since I already have saslauthd running for 
Postfix. 

In addition, does anyone have an idea as to what authentication program could 
be used as the aforementioned intermediary?

Thanks.


-- 
Anthony Gorecki
Ectro-Linux Foundation

[-- Attachment #2: Type: application/pgp-signature, Size: 828 bytes --]

^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: [gentoo-dev] The results of an evening of Apache and PAM debugging
  2005-06-14 11:17 [gentoo-dev] The results of an evening of Apache and PAM debugging Anthony Gorecki
@ 2005-06-14 21:44 ` Paul de Vrieze
  2005-06-15  1:18   ` Anthony Gorecki
  0 siblings, 1 reply; 3+ messages in thread
From: Paul de Vrieze @ 2005-06-14 21:44 UTC (permalink / raw
  To: gentoo-dev

[-- Attachment #1: Type: text/plain, Size: 904 bytes --]

On Tuesday 14 June 2005 13:17, Anthony Gorecki wrote:
>
> Does anyone have a suggestion that would fit the requirements, other than
> using mod_auth_external, coupled with an authentication program? An
> interface to Cyrus-SASL would be ideal since I already have saslauthd
> running for Postfix.
>
> In addition, does anyone have an idea as to what authentication program
> could be used as the aforementioned intermediary?

You know that the "normal" way of doing this is to use ldap and krb5 together. 
Ldap even has it's own apache module. Mind you though that pam_ldap, 
mod_auth_pam, apache2, and mod_dav_svn seem to not be able to work together 
reliably. There is some kind of strange issue there that's very hard to 
diagnose. Using direct ldap authentication does work.

Paul

-- 
Paul de Vrieze
Gentoo Developer
Mail: pauldv@gentoo.org
Homepage: http://www.devrieze.net

[-- Attachment #2: Type: application/pgp-signature, Size: 189 bytes --]

^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: [gentoo-dev] The results of an evening of Apache and PAM debugging
  2005-06-14 21:44 ` Paul de Vrieze
@ 2005-06-15  1:18   ` Anthony Gorecki
  0 siblings, 0 replies; 3+ messages in thread
From: Anthony Gorecki @ 2005-06-15  1:18 UTC (permalink / raw
  To: gentoo-dev

[-- Attachment #1: Type: text/plain, Size: 1050 bytes --]

On Tuesday, June 14, 2005 2:44 pm, Paul de Vrieze wrote:
> You know that the "normal" way of doing this is to use ldap and krb5

In my opinion, LDAP, by design, is a piece of garbage. I understand the 
principle of its design, however I've never found that design to be 
beneficial for my needs. Before I made the switch to a MySQL-backed database 
to store the account information, I was using OpenLDAP; it just couldn't do 
the job.


> pam_ldap, mod_auth_pam, apache2, and mod_dav_svn seem to not be able to
> work together reliably. There is some kind of strange issue there that's
> very hard to diagnose. Using direct ldap authentication does work.

It's not the user authentication that's the problem, but rather that NSVS 
denies shadow access (appropriately) even though I don't personally need that 
requirement. I think, after a night's rest and a bit of thought, that I'll 
just add a USE flag to the NSVS ebuild to allow users to patch out that 
built-in restriction.


-- 
Anthony Gorecki
Ectro-Linux Foundation

[-- Attachment #2: Type: application/pgp-signature, Size: 828 bytes --]

^ permalink raw reply	[flat|nested] 3+ messages in thread

end of thread, other threads:[~2005-06-15  1:25 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2005-06-14 11:17 [gentoo-dev] The results of an evening of Apache and PAM debugging Anthony Gorecki
2005-06-14 21:44 ` Paul de Vrieze
2005-06-15  1:18   ` Anthony Gorecki

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox