Hey man, hope you're doing well.
The new version of sudo definitely breaks radius support somehow.
Old binary on newly-upgraded server, calling "login_radius" as expected:
32409 sudo CALL lstat(0xcfbda248,0xcfbd9fe0)
32409 sudo NAMI "/usr/libexec/auth/login_radius"
32409 sudo STRU struct stat { dev=1030, ino=1559049,
mode=-r-xr-sr-x , nlink=1, uid=0, gid=63, rdev=6221688,
atime=1383766914.276995603, mtime=1375206816,
ctime=1383763312.710865788, size=14768, blocks=32, blksize=16384,
flags=0x0, gen=0x79206db9 }
32409 sudo RET lstat 0
32409 sudo CALL socketpair(PF_LOCAL,SOCK_STREAM,0,0xcfbda1cc)
32409 sudo RET socketpair 0
32409 sudo CALL fork()
32409 sudo RET fork 4137/0x1029
32409 sudo CALL close(0x5)
32409 sudo RET close 0
32409 sudo CALL sigprocmask(SIG_BLOCK,~0<>)
32409 sudo RET sigprocmask 0<>
32409 sudo CALL mprotect(0x2cff2000,0x2000,0x3<PROT_READ|PROT_WRITE>)
32409 sudo RET mprotect 0
32409 sudo CALL mprotect(0x2cff2000,0x2000,0x1<PROT_READ>)
32409 sudo RET mprotect 0
32409 sudo CALL sigprocmask(SIG_SETMASK,0<>)
32409 sudo RET sigprocmask ~0x10100<SIGKILL|SIGSTOP>
32409 sudo CALL write(0x3,0x89efdeac,0x1)
32409 sudo GIO fd 3 wrote 1 bytes
"\0"
32409 sudo RET write 1
32409 sudo CALL write(0x3,0x819f6a4c,0xa)
32409 sudo GIO fd 3 wrote 10 bytes
"********\0"
32409 sudo RET write 10/0xa
32409 sudo CALL read(0x3,0x7ec6b034,0x2000)
32409 sudo GIO fd 3 read 10 bytes
"authorize
"
New binary on newly-upgraded server, no longer calling "login_radius":
31629 sudo CALL lstat(0xcfbfc908,0xcfbfc6a0)
31629 sudo NAMI "/usr/libexec/auth/login_passwd"
31629 sudo STRU struct stat { dev=1030, ino=1559048,
mode=-r-sr-xr-x , nlink=1, uid=0, gid=11, rdev=6233224,
atime=1383766539.484583023, mtime=1375206816,
ctime=1383763312.710865788, size=10256, blocks=24, blksize=16384,
flags=0x0, gen=0xa0c01eca }
31629 sudo RET lstat 0
31629 sudo CALL socketpair(PF_LOCAL,SOCK_STREAM,0,0xcfbfc88c)
31629 sudo RET socketpair 0
31629 sudo CALL fork()
31629 sudo RET fork 23258/0x5ada
31629 sudo CALL close(0x5)
31629 sudo RET close 0
31629 sudo CALL sigprocmask(SIG_BLOCK,~0<>)
31629 sudo RET sigprocmask 0<>
31629 sudo CALL mprotect(0x2c105000,0x2000,0x3<PROT_READ|PROT_WRITE>)
31629 sudo RET mprotect 0
31629 sudo CALL mprotect(0x2c105000,0x2000,0x1<PROT_READ>)
31629 sudo RET mprotect 0
31629 sudo CALL sigprocmask(SIG_SETMASK,0<>)
31629 sudo RET sigprocmask ~0x10100<SIGKILL|SIGSTOP>
31629 sudo CALL write(0x3,0x7e83d5bc,0x1)
31629 sudo GIO fd 3 wrote 1 bytes
"\0"
31629 sudo RET write 1
31629 sudo CALL write(0x3,0x8a96d20c,0xa)
31629 sudo GIO fd 3 wrote 10 bytes
"*******\0"
31629 sudo RET write 10/0xa
31629 sudo CALL read(0x3,0x8a2d6034,0x2000)
31629 sudo GIO fd 3 read 7 bytes
"reject
"
Thanks,
Andrew Klettke
Systems Admin
Optic Fusion
On 11/06/2013 11:28 AM, Bryan Irvine wrote:
> Now, that's interesting. ktrace that sucker.
>
>
> On Wed, Nov 6, 2013 at 11:22 AM, Andrew Klettke <[email protected]> wrote:
>
> Should also add that a /usr/bin/sudo binary copied over from a 5.3
> machine works as expected.
>
>
> Thanks,
>
> Andrew Klettke
> Systems Admin
> Optic Fusion
>
> On 11/06/2013 11:17 AM, Andrew Klettke wrote:
>
> We're seeing a strange issue where logging into a
> newly-upgraded 5.4 machine with a RADIUS login works fine, but
> when trying to use sudo to execute commands, I get "incorrect
> password attempts" in /var/log/secure. Transcript of this
> (server name censored to "foo", user censored to "user"), log
> messages, and dmesg follow, any help or insight would be very
> much appreciated. Sudo worked perfectly fine with this same
> user before the upgrade:
>
> $ ssh foo
> user@foo's password:
> Last login: Wed Nov 6 11:04:55 2013 from ********.*******.net
> OpenBSD 5.4 (GENERIC.MP) #44: Tue Jul 30 12:13:32 MDT 2013
>
> Welcome to OpenBSD: The proactively secure Unix-like operating
> system.
>
> Please use the sendbug(1) utility to report bugs in the system.
> Before reporting a bug, please try to reproduce it with the latest
> version of the code. With bug reports, please try to ensure that
> enough information to reproduce the problem is enclosed, and if a
> known fix for it exists, include that as well.
>
> [foo:~]$ sudo whoami
>
> We trust you have received the usual lecture from the local System
> Administrator. It usually boils down to these three things:
>
> #1) Respect the privacy of others.
> #2) Think before you type.
> #3) With great power comes great responsibility.
>
> Password:
> Where did you learn to type?
> Password:
> My pet ferret can type better than you!
> Password:
> Do you think like you type?
> sudo: 3 incorrect password attempts
> [foo:~]$
>
>
>
> From /var/log/secure:
> Nov 6 11:11:11 foo sudo: user : 3 incorrect password attempts
> ; TTY=ttyp1 ; PWD=/home/user ; USER=root ; COMMAND=/usr/bin/whoami
>
> Dmesg:
> OpenBSD 5.4 (GENERIC.MP) #44: Tue Jul 30 12:13:32 MDT 2013
> [email protected]:/usr/src/sys/arch/i386/compile/GENERIC.MP
> cpu0: Intel(R) Atom(TM) CPU 330 @ 1.60GHz ("GenuineIntel"
> 686-class) 1.61 GHz
> cpu0:
>
> FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,NXE,LONG,SSE3,DTES64,MWAIT,DS-CPL,TM2,SSSE3,CX16,xTPR,PDCM,MOVBE,LAHF,PERF
> real mem = 2138222592 (2039MB)
> avail mem = 2091827200 (1994MB)
> mainbus0 at root
> bios0 at mainbus0: AT/286+ BIOS, date 07/10/09, BIOS32 rev. 0
> @ 0xf0010, SMBIOS rev. 2.5 @ 0xfd170 (27 entries)
> bios0: vendor American Megatrends Inc. version "1.0a" date
> 07/10/2009
> bios0: Supermicro X7SLA
> acpi0 at bios0: rev 2
> acpi0: sleep states S0 S1 S3 S4 S5
> acpi0: tables DSDT FACP APIC MCFG SLIC OEMB
> acpi0: wakeup devices P0P2(S4) P0P1(S4) PS2K(S4) PS2M(S4)
> EUSB(S4) MC97(S4) P0P4(S4) P0P5(S4) P0P6(S4) P0P7(S4) P0P8(S4)
> LAN0(S1) P0P9(S4) LAN1(S1) USB0(S4) USB1(S4) [...]
> acpitimer0 at acpi0: 3579545 Hz, 24 bits
> acpimadt0 at acpi0 addr 0xfee00000: PC-AT compat
> cpu0 at mainbus0: apid 0 (boot processor)
> cpu0: apic clock running at 133MHz
> cpu1 at mainbus0: apid 2 (application processor)
> cpu1: Intel(R) Atom(TM) CPU 330 @ 1.60GHz ("GenuineIntel"
> 686-class) 1.61 GHz
> cpu1:
>
> FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,NXE,LONG,SSE3,DTES64,MWAIT,DS-CPL,TM2,SSSE3,CX16,xTPR,PDCM,MOVBE,LAHF,PERF
> cpu2 at mainbus0: apid 1 (application processor)
> cpu2: Intel(R) Atom(TM) CPU 330 @ 1.60GHz ("GenuineIntel"
> 686-class) 1.61 GHz
> cpu2:
>
> FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,NXE,LONG,SSE3,DTES64,MWAIT,DS-CPL,TM2,SSSE3,CX16,xTPR,PDCM,MOVBE,LAHF,PERF
> cpu3 at mainbus0: apid 3 (application processor)
> cpu3: Intel(R) Atom(TM) CPU 330 @ 1.60GHz ("GenuineIntel"
> 686-class) 1.61 GHz
> cpu3:
>
> FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,NXE,LONG,SSE3,DTES64,MWAIT,DS-CPL,TM2,SSSE3,CX16,xTPR,PDCM,MOVBE,LAHF,PERF
> ioapic0 at mainbus0: apid 4 pa 0xfec00000, version 20, 24 pins
> ioapic0: misconfigured as apic 1, remapped to apid 4
> acpimcfg0 at acpi0 addr 0xf0000000, bus 0-63
> acpiprt0 at acpi0: bus 0 (PCI0)
> acpiprt1 at acpi0: bus -1 (P0P2)
> acpiprt2 at acpi0: bus 4 (P0P1)
> acpiprt3 at acpi0: bus 1 (P0P4)
> acpiprt4 at acpi0: bus -1 (P0P5)
> acpiprt5 at acpi0: bus -1 (P0P6)
> acpiprt6 at acpi0: bus -1 (P0P7)
> acpiprt7 at acpi0: bus 2 (P0P8)
> acpiprt8 at acpi0: bus 3 (P0P9)
> acpicpu0 at acpi0
> acpicpu1 at acpi0
> acpicpu2 at acpi0
> acpicpu3 at acpi0
> acpibtn0 at acpi0: SLPB
> acpibtn1 at acpi0: PWRB
> bios0: ROM list: 0xc0000/0xaa00!
> pci0 at mainbus0 bus 0: configuration mode 1 (bios)
> pchb0 at pci0 dev 0 function 0 "Intel 82945G Host" rev 0x02
> vga1 at pci0 dev 2 function 0 "Intel 82945G Video" rev 0x02
> intagp0 at vga1
> agp0 at intagp0: aperture at 0xe0000000, size 0x10000000
> inteldrm0 at vga1
> drm0 at inteldrm0
> error: [drm:pid0:drm_edid_block_valid] *ERROR* EDID checksum
> is invalid, remainder is 130
> Raw EDID:
>
> inteldrm0: 1024x768
> wsdisplay0 at vga1 mux 1: console (std, vt100 emulation)
> wsdisplay0: screen 1-5 added (std, vt100 emulation)
> ppb0 at pci0 dev 28 function 0 "Intel 82801GB PCIE" rev 0x01:
> apic 4 int 16
> pci1 at ppb0 bus 1
> ppb1 at pci0 dev 28 function 4 "Intel 82801G PCIE" rev 0x01:
> apic 4 int 16
> pci2 at ppb1 bus 2
> re0 at pci2 dev 0 function 0 "Realtek 8168" rev 0x02:
> RTL8168C/8111C (0x3c00), apic 4 int 16, address 00:30:48:9f:31:60
> rgephy0 at re0 phy 7: RTL8169S/8110S PHY, rev. 2
> ppb2 at pci0 dev 28 function 5 "Intel 82801G PCIE" rev 0x01:
> apic 4 int 17
> pci3 at ppb2 bus 3
> re1 at pci3 dev 0 function 0 "Realtek 8168" rev 0x02:
> RTL8168C/8111C (0x3c00), apic 4 int 17, address 00:30:48:9f:31:61
> rgephy1 at re1 phy 7: RTL8169S/8110S PHY, rev. 2
> uhci0 at pci0 dev 29 function 0 "Intel 82801GB USB" rev 0x01:
> apic 4 int 23
> uhci1 at pci0 dev 29 function 1 "Intel 82801GB USB" rev 0x01:
> apic 4 int 19
> uhci2 at pci0 dev 29 function 2 "Intel 82801GB USB" rev 0x01:
> apic 4 int 18
> uhci3 at pci0 dev 29 function 3 "Intel 82801GB USB" rev 0x01:
> apic 4 int 16
> ehci0 at pci0 dev 29 function 7 "Intel 82801GB USB" rev 0x01:
> apic 4 int 23
> usb0 at ehci0: USB revision 2.0
> uhub0 at usb0 "Intel EHCI root hub" rev 2.00/1.00 addr 1
> ppb3 at pci0 dev 30 function 0 "Intel 82801BA Hub-to-PCI" rev 0xe1
> pci4 at ppb3 bus 4
> ichpcib0 at pci0 dev 31 function 0 "Intel 82801GB LPC" rev
> 0x01: PM disabled
> pciide0 at pci0 dev 31 function 1 "Intel 82801GB IDE" rev
> 0x01: DMA, channel 0 configured to compatibility, channel 1
> configured to compatibility
> pciide0: channel 0 disabled (no drives)
> pciide0: channel 1 disabled (no drives)
> ahci0 at pci0 dev 31 function 2 "Intel 82801GR AHCI" rev 0x01:
> msi, AHCI 1.1
> scsibus0 at ahci0: 32 targets
> sd0 at scsibus0 targ 0 lun 0: <ATA, ST980210AS, 3.AL> SCSI3 0/direct fixed t10.ATA_ST980210AS_5QY0TPVG
> sd0: 76319MB, 512 bytes/sector, 156301488 sectors
> sd1 at scsibus0 targ 1 lun 0: <ATA, ST980210AS, 3.AL> SCSI3 0/direct fixed t10.ATA_ST980210AS_5QY0T9BK
> sd1: 76319MB, 512 bytes/sector, 156301488 sectors
> ichiic0 at pci0 dev 31 function 3 "Intel 82801GB SMBus" rev
> 0x01: apic 4 int 19
> iic0 at ichiic0
> lm1 at iic0 addr 0x2d: W83627DHG
> spdmem0 at iic0 addr 0x50: 1GB DDR2 SDRAM non-parity PC2-6400CL5
> spdmem1 at iic0 addr 0x52: 1GB DDR2 SDRAM non-parity PC2-6400CL5
> usb1 at uhci0: USB revision 1.0
> uhub1 at usb1 "Intel UHCI root hub" rev 1.00/1.00 addr 1
> usb2 at uhci1: USB revision 1.0
> uhub2 at usb2 "Intel UHCI root hub" rev 1.00/1.00 addr 1
> usb3 at uhci2: USB revision 1.0
> uhub3 at usb3 "Intel UHCI root hub" rev 1.00/1.00 addr 1
> usb4 at uhci3: USB revision 1.0
> uhub4 at usb4 "Intel UHCI root hub" rev 1.00/1.00 addr 1
> isa0 at ichpcib0
> isadma0 at isa0
> com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
> com1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
> pckbc0 at isa0 port 0x60/5
> pckbd0 at pckbc0 (kbd slot)
> pckbc0: using irq 1 for kbd slot
> wskbd0 at pckbd0: console keyboard, using wsdisplay0
> pms0 at pckbc0 (aux slot)
> pckbc0: using irq 12 for aux slot
> wsmouse0 at pms0 mux 0
> pcppi0 at isa0 port 0x61
> spkr0 at pcppi0
> wbsio0 at isa0 port 0x2e/2: W83627DHG-P rev 0x73
> lm2 at wbsio0 port 0x290/8: W83627DHG
> npx0 at isa0 port 0xf0/16: reported by CPUID; using exception 16
> mtrr: Pentium Pro MTRR support
> lm1: disabling sensors due to alias with lm2
> uhub5 at uhub0 port 1 "Standard Microsystems product 0x2507"
> rev 2.00/0.00 addr 2
> uftdi0 at uhub5 port 1 configuration 1 interface 0 "FTDI USB
> FAST SERIAL ADAPTER" rev 2.00/5.00 addr 3
> ucom0 at uftdi0 portno 1
> uftdi1 at uhub5 port 1 configuration 1 interface 1 "FTDI USB
> FAST SERIAL ADAPTER" rev 2.00/5.00 addr 3
> ucom1 at uftdi1 portno 2
> uftdi2 at uhub5 port 2 configuration 1 interface 0 "FTDI USB
> FAST SERIAL ADAPTER" rev 2.00/5.00 addr 4
> ucom2 at uftdi2 portno 1
> uftdi3 at uhub5 port 2 configuration 1 interface 1 "FTDI USB
> FAST SERIAL ADAPTER" rev 2.00/5.00 addr 4
> ucom3 at uftdi3 portno 2
> uftdi4 at uhub5 port 3 configuration 1 interface 0 "FTDI USB
> FAST SERIAL ADAPTER" rev 2.00/5.00 addr 5
> ucom4 at uftdi4 portno 1
> uftdi5 at uhub5 port 3 configuration 1 interface 1 "FTDI USB
> FAST SERIAL ADAPTER" rev 2.00/5.00 addr 5
> ucom5 at uftdi5 portno 2
> uftdi6 at uhub5 port 4 configuration 1 interface 0 "FTDI USB
> FAST SERIAL ADAPTER" rev 2.00/5.00 addr 6
> ucom6 at uftdi6 portno 1
> uftdi7 at uhub5 port 4 configuration 1 interface 1 "FTDI USB
> FAST SERIAL ADAPTER" rev 2.00/5.00 addr 6
> ucom7 at uftdi7 portno 2
> uftdi8 at uhub5 port 5 configuration 1 interface 0 "FTDI USB
> FAST SERIAL ADAPTER" rev 2.00/5.00 addr 7
> ucom8 at uftdi8 portno 1
> uftdi9 at uhub5 port 5 configuration 1 interface 1 "FTDI USB
> FAST SERIAL ADAPTER" rev 2.00/5.00 addr 7
> ucom9 at uftdi9 portno 2
> uftdi10 at uhub5 port 6 configuration 1 interface 0 "FTDI USB
> FAST SERIAL ADAPTER" rev 2.00/5.00 addr 8
> ucom10 at uftdi10 portno 1
> uftdi11 at uhub5 port 6 configuration 1 interface 1 "FTDI USB
> FAST SERIAL ADAPTER" rev 2.00/5.00 addr 8
> ucom11 at uftdi11 portno 2
> uhub6 at uhub5 port 7 "Genesys Logic GL650 Hub" rev 1.10/3.05
> addr 9
> uftdi12 at uhub6 port 1 configuration 1 interface 0 "FTDI USB
> FAST SERIAL ADAPTER" rev 2.00/5.00 addr 10
> ucom12 at uftdi12 portno 1
> uftdi13 at uhub6 port 1 configuration 1 interface 1 "FTDI USB
> FAST SERIAL ADAPTER" rev 2.00/5.00 addr 10
> ucom13 at uftdi13 portno 2
> uftdi14 at uhub6 port 2 configuration 1 interface 0 "FTDI USB
> FAST SERIAL ADAPTER" rev 2.00/5.00 addr 11
> ucom14 at uftdi14 portno 1
> uftdi15 at uhub6 port 2 configuration 1 interface 1 "FTDI USB
> FAST SERIAL ADAPTER" rev 2.00/5.00 addr 11
> ucom15 at uftdi15 portno 2
> vscsi0 at root
> scsibus1 at vscsi0: 256 targets
> softraid0 at root
> scsibus2 at softraid0: 256 targets
> root on sd0a swap on sd0b dump on sd0b
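
An added example, not part of the original thread: a small Python parser for kdump output like the two traces at the top of this message. It reports which helper under /usr/libexec/auth sudo looked up and what was read back on the fd 3 back channel, without ever collecting the data written to it. The function names are this example's own, and the sample traces are trimmed from the ones quoted in the message.

```python
import re

# A kdump record starts "<pid> <command> <TYPE>"; any other line is GIO payload.
RECORD = re.compile(r'^\s*\d+\s+\S+\s+(CALL|RET|NAMI|STRU|GIO|PSIG|CSW)\b\s*(.*)$')
AUTH_DIR = "/usr/libexec/auth/"

def summarize(kdump_text):
    """Return the auth helpers looked up and the replies read back on fd 3."""
    helpers, replies, payload = [], [], None
    def flush():
        nonlocal payload
        if payload is not None:
            text = "\n".join(payload).replace("\\n", "\n").replace('"', "")
            replies.extend(p.strip() for p in text.splitlines() if p.strip())
        payload = None

    for line in kdump_text.splitlines():
        m = RECORD.match(line)
        if not m:
            if payload is not None:   # data of a read on fd 3
                payload.append(line)
            continue
        flush()
        kind, rest = m.groups()
        if kind == "NAMI" and AUTH_DIR in rest:
            helpers.append(rest.strip().strip('"'))
        elif kind == "GIO" and rest.startswith("fd 3 read"):
            payload = []              # writes (the password) are never collected
    flush()
    return {"helpers": helpers, "replies": replies}

def compare(old_text, new_text):
    """Report whether two traces used different helpers or got different replies."""
    old, new = summarize(old_text), summarize(new_text)
    return {"helper_changed": old["helpers"] != new["helpers"],
            "reply_changed": old["replies"] != new["replies"], "old": old, "new": new}

# Sample input: trimmed from the two traces in the message above.
OLD_TRACE = r'''32409 sudo NAMI "/usr/libexec/auth/login_radius"
32409 sudo GIO fd 3 wrote 10 bytes
"********\0"
32409 sudo GIO fd 3 read 10 bytes
"authorize
"'''
NEW_TRACE = r'''31629 sudo NAMI "/usr/libexec/auth/login_passwd"
31629 sudo GIO fd 3 read 7 bytes
"reject
"'''

print(compare(OLD_TRACE, NEW_TRACE))
```
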