Mailing List Archive

pam authentication with one-time use passwords
Hello.

When attempting to use pam with conserver, I noticed that conserver was
sending multiple authentications to PAM. As our security policy mandates
one-time authentication tokens (rsa), multiple authentications using the
same password fail.

Poking around in the code I identified 4 places where CheckPasswd() is
called.

master.c:464 (CheckPasswd(pCLServing, pCLServing->accmd->string,
FLAGFALSE) != AUTH_SUCCESS)
master.c:568 (CheckPasswd(pCLServing, "", FLAGTRUE) == AUTH_SUCCESS)
group.c:3389 (CheckPasswd(pCLServing, pCLServing->accmd->string,
FLAGFALSE) != AUTH_SUCCESS)
group.c:3495 (CheckPasswd(pCLServing, "", FLAGTRUE) == AUTH_SUCCESS)

When connecting from a remote client, it seems the authentication code
in master.c is called and then the authentication code in group.c is called.

Would it be possible to call CheckPasswd() once, store the result in a
global variable, and then pass that global variable to each of the
conditional statements?

Additionally, it would appear that the if statement
(CheckPasswd(pCLServing, "", FLAGTRUE) == AUTH_SUCCESS) at master.c:568
and group.c:3495 will never evaluate true. As I understand the code, the
second variable passed into CheckPasswd should be the user password and
in this case, this is blank. The CheckPasswd function doesn't do
anything special with a blank password.

My c knowledge is nearly non-existent and therefore my grasp of the
authentication code is poor. I don't know the difference between
master.c and group.c and why authentication is happening in both
master.c and group.c.

Thank you,
Matthew Gyurgyik

--
Matthew Gyurgyik
HPC System Administrator
National Center for Computational Sciences
Oak Ridge National Laboratory
865-576-7099

_______________________________________________
users mailing list
users@conserver.com
https://www.conserver.com/mailman/listinfo/users
Re: pam authentication with one-time use passwords
I think you've stumbled into new territory (one-time passwords and conserver). The problem is that there are multiple conserver processes - one "master" and multiple "console" instances. When the client logs into a console, it first talks to the master, asks what process is managing that console, then goes to that other process and asks for access. There are things you can do with the master process (like telling it to reload the config) so the client has to authenticate there to protect the information and functionality. And, of course, it needs to log in to the console. And if you have a multi-master setup, one master redirects you to another master which then redirects you to...you get the idea.

Without a "global" authentication scheme, I'm not sure how to make it happen (which is yet another layer of "trust" that would require setup, maintenance, etc). But if there's a good API (maybe even platform-specific?) that already exists to mitigate that, I'd love to hear about it.

As it stands, the conserver code has nothing available but making authentication checks when each process gets a connection.

Bryan

On Dec 5, 2013, at 5:17 AM, Matthew Gyurgyik <gyurgyikms@ornl.gov> wrote:

> Hello.
>
> When attempting to use pam with conserver, I noticed that conserver was sending multiple authentications to PAM. As our security policy mandates one-time authentication tokens (rsa), multiple authentications using the same password fail.
>
> Poking around in the code I identified 4 places where CheckPasswd() is called.
>
> master.c:464 (CheckPasswd(pCLServing, pCLServing->accmd->string, FLAGFALSE) != AUTH_SUCCESS)
> master.c:568 (CheckPasswd(pCLServing, "", FLAGTRUE) == AUTH_SUCCESS)
> group.c:3389 (CheckPasswd(pCLServing, pCLServing->accmd->string, FLAGFALSE) != AUTH_SUCCESS)
> group.c:3495 (CheckPasswd(pCLServing, "", FLAGTRUE) == AUTH_SUCCESS)
>
> When connecting from a remote client, it seems the authentication code in master.c is called and then the authentication code in group.c is called.
>
> Would it be possible to call CheckPasswd() once, store the result in a global variable, and then pass that global variable to each of the conditional statements?
>
> Additionally, it would appear that the if statement (CheckPasswd(pCLServing, "", FLAGTRUE) == AUTH_SUCCESS) at master.c:568 and group.c:3495 will never evaluate true. As I understand the code, the second variable passed into CheckPasswd should be the user password and in this case, this is blank. The CheckPasswd function doesn't do anything special with a blank password.
>
> My c knowledge is nearly non-existent and therefore my grasp of the authentication code is poor. I don't know the difference between master.c and group.c and why authentication is happening in both master.c and group.c.
>
> Thank you,
> Matthew Gyurgyik

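To make the failure mode in this thread concrete, here is an added example (not conserver code, and not anything Bryan or Matthew posted). It simulates a PAM backend that accepts each one-time token code exactly once, shows why two independent processes (master, then console) cannot both authenticate with the same code, and then sketches the kind of "global" trust layer Bryan mentions: the master consumes the token once and hands the client a short-lived HMAC-signed ticket that the console process verifies instead of re-authenticating. All names (`OneTimeTokenValidator`, `TicketAuthority`, `login_per_process`, `login_with_ticket`), the token code and the process names are constructed for the illustration; conserver implements none of this.

```python
import hmac
import hashlib
import secrets


class OneTimeTokenValidator:
    """Stand-in for a PAM module backed by one-time tokens (constructed, not real PAM).

    Every token code is accepted exactly once; a second authentication with
    the same code is rejected, which is the failure described in the thread.
    """

    def __init__(self, valid_codes):
        self._unused = set(valid_codes)

    def authenticate(self, user, code):
        if code in self._unused:
            self._unused.discard(code)  # consumed: a replay of this code now fails
            return True
        return False


def login_per_process(validator, user, code, processes):
    """Current behaviour: every process (master, console, ...) calls PAM itself.

    Returns [(process_name, success), ...]; only the first call can succeed
    when the backend is one-time-use.
    """
    return [(name, validator.authenticate(user, code)) for name in processes]


class TicketAuthority:
    """Hypothetical shared-trust layer: an HMAC-signed, short-lived ticket.

    Every process that should honour the ticket must share `key`; that shared
    secret is the extra setup and maintenance burden Bryan refers to.
    """

    def __init__(self, key, ttl_seconds=30):
        self._key = key
        self._ttl = ttl_seconds

    def _tag(self, payload):
        return hmac.new(self._key, payload.encode(), hashlib.sha256).hexdigest()

    def issue(self, user, now):
        expires = now + self._ttl
        payload = f"{user}:{expires}"
        return f"{payload}:{self._tag(payload)}"

    def verify(self, ticket, now):
        """Return the user name for a valid, unexpired ticket, else None."""
        try:
            user, expires, tag = ticket.rsplit(":", 2)
        except ValueError:
            return None  # malformed ticket
        if not hmac.compare_digest(self._tag(f"{user}:{expires}"), tag):
            return None  # tampered or signed with a different key
        if not expires.isdigit() or now > int(expires):
            return None  # expired
        return user


def login_with_ticket(validator, authority, user, code, processes, now):
    """Sketched alternative: the one-time code is consumed once, at the master.

    The master issues a ticket on success; every later process verifies the
    ticket instead of asking PAM again. `processes[0]` is treated as the master.
    """
    master, *consoles = processes
    results = [(master, validator.authenticate(user, code))]
    if not results[0][1]:
        return results + [(name, False) for name in consoles]
    ticket = authority.issue(user, now)
    for name in consoles:
        results.append((name, authority.verify(ticket, now) == user))
    return results


if __name__ == "__main__":
    # Constructed sample: one unused token code, one master and one console process.
    codes = {"482913"}
    procs = ["master", "console:db01"]
    print(login_per_process(OneTimeTokenValidator(codes), "matthew", "482913", procs))
    authority = TicketAuthority(secrets.token_bytes(32))
    print(login_with_ticket(OneTimeTokenValidator(codes), authority,
                            "matthew", "482913", procs, now=1000))
```

The per-process run returns `[("master", True), ("console:db01", False)]`, which is exactly the symptom reported: the second PAM conversation replays a code the backend has already consumed. The ticket run succeeds at both processes, and the `verify` checks (signature first, then expiry) are what keep a stolen or replayed ticket from being useful beyond its short lifetime.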