Your message dated Mon, 19 Feb 2018 21:14:29 +0000
with message-id <e1enslz-000ciq...@fasolo.debian.org>
and subject line Bug#890508: fixed in nss-pam-ldapd 0.9.9-1
has caused the Debian Bug report #890508,
regarding pam_ldap/nslcd: Buffer to hold rhost too small when checking 
authentication credentials of the user (leading to authentication failure)
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
890508: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=890508
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: nss-pam-ldapd
Version: 0.9.7-2
Severity: normal
Tags: upstream

Hi

The issue was found under the following precondition:

On Debian Stretch server, with pam configured to use pam_ldap from 
nss-pam-ldapd:

[...]
auth    [success=2 default=ignore]      pam_unix.so nullok_secure
auth    [success=1 default=ignore]      pam_ldap.so minimum_uid=100 
use_first_pass
[...]

The sshd_config contains UseDNS=yes (changed from default).

A user now logging in from remote via SSH with a host resolving to a FQDN with
length longer than 64 bytes unsing password authentication triggers the
following:

Feb 12 16:41:30 XXXXXXXX sshd[5563]: pam_unix(sshd:auth): authentication 
failure; logname= uid=0 euid=0 tty=ssh ruser= 
rhost=XXX.XXX.XXX.XXX.XXXXXXX.XXXXX.XXXXXXXXXXXXXX.XXX.XXXX.XXXXXXXX.XX  
user=XXXXX
Feb 12 16:41:30 XXXXXXXX nslcd[2282]: [54e2c3] client supplied argument 1 bytes 
too large
Feb 12 16:41:30 XXXXXXXX sshd[5563]: pam_ldap(sshd:auth): error reading from 
nslcd: Connection reset by peer
Feb 12 16:41:31 XXXXXXXX sshd[5563]: Failed password for XXXXX from 
XXX.XXX.XXX.XXX port 4324 ssh2
Feb 12 16:41:31 XXXXXXXX sshd[5563]: Connection closed by authenticating user 
XXXXX XXX.XXX.XXX.XXX port 4324 [preauth]

Looking closer on what happens the issue seem to raised in nslcd/pam.c:

263 /* check authentication credentials of the user */
264 int nslcd_pam_authc(TFILE *fp, MYLDAP_SESSION *session, uid_t calleruid)    
                                                                                
                                                                                
                                           
265 {
266   int32_t tmpint32;
267   int rc;
268   char username[BUFLEN_NAME], service[BUFLEN_NAME], ruser[BUFLEN_NAME], 
rhost[BUFLEN_HOSTNAME], tty[64];
269   char password[BUFLEN_PASSWORD];
270   const char *userdn;
271   MYLDAP_ENTRY *entry;
272   int authzrc = NSLCD_PAM_SUCCESS;
273   char authzmsg[BUFLEN_MESSAGE];
274   authzmsg[0] = '\0';
275   /* read request parameters */
276   READ_STRING(fp, username);
277   READ_STRING(fp, service);
278   READ_STRING(fp, ruser);
279   READ_STRING(fp, rhost);
280   READ_STRING(fp, tty);
281   READ_STRING(fp, password);

on line 279, where from fp the rhost is read into the rhost buffer. On Debian
system that BUFLEN_HOSTNAME will be only 64 (nslcd/common.h):

 28 #include <limits.h>
[...]
153 /* fallback definition of HOST_NAME_MAX */                                  
                                                                                
                                                                                
                                           
154 #ifndef HOST_NAME_MAX
155 #ifdef _POSIX_HOST_NAME_MAX
156 #define HOST_NAME_MAX _POSIX_HOST_NAME_MAX
157 #else
158 #define HOST_NAME_MAX 255
159 #endif /* _POSIX_HOST_NAME_MAX */
160 #endif /* not HOST_NAME_MAX */
161 
162 /* common buffer lengths */
163 #define BUFLEN_NAME         256  /* user, group names and such */
164 #define BUFLEN_SAFENAME     300  /* escaped name */
165 #define BUFLEN_PASSWORD     128  /* passwords */
166 #define BUFLEN_PASSWORDHASH 256  /* passwords hashes */
167 #define BUFLEN_DN           512  /* distinguished names */
168 #define BUFLEN_SAFEDN       600  /* escapedd dn */
169 #define BUFLEN_FILTER      4096  /* search filters */
170 #define BUFLEN_HOSTNAME (HOST_NAME_MAX + 1)  /* host names (+ escaped) */
171 #define BUFLEN_MESSAGE     1024  /* message strings */

In pam/pam.c itself

293 /* perform an authentication call over nslcd */
294 static int nslcd_request_authc(pam_handle_t *pamh, struct pld_cfg *cfg,
295                                const char *username, const char *service,
296                                const char *ruser, const char *rhost,
297                                const char *tty, const char *passwd,
298                                struct nslcd_resp *authc_resp,
299                                struct nslcd_resp *authz_resp)
300 {
301   PAM_REQUEST(
302     NSLCD_ACTION_PAM_AUTHC,
303     /* log debug message */
304     pam_syslog(pamh, LOG_DEBUG, "nslcd authentication; user=%s", username),
305     /* write the request parameters */
306     WRITE_STRING(fp, username);
307     WRITE_STRING(fp, service);
308     WRITE_STRING(fp, ruser);
309     WRITE_STRING(fp, rhost);
310     WRITE_STRING(fp, tty);
311     WRITE_STRING(fp, passwd),
312     /* read the result entry */
313     READ_PAM_CODE(fp, authc_resp->res);
314     READ_STRING(fp, authc_resp->msg); /* user name */
315     /* if we want the authorisation response, save it, otherwise skip it */
316     if (authz_resp != NULL)
317     {
318       READ_PAM_CODE(fp, authz_resp->res);
319       READ_STRING(fp, authz_resp->msg);
320     }
321     else
322     {
323       SKIP(fp, sizeof(int32_t));
324       SKIP_STRING(fp);
325     }
326   )
327 }

And in our case we had a FQDN hostname one byte larger as
nslcd_pam_authc could handle for rhost.

According at least to https://tools.ietf.org/html/rfc1035#section-2.3.1
and the further clarification
https://tools.ietf.org/html/rfc2181#section-11 rhost (considering full
domain names) should probably be limited to 255.

I'm not sure how to correctly fix it.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: nss-pam-ldapd
Source-Version: 0.9.9-1

We believe that the bug you reported is fixed in the latest version of
nss-pam-ldapd, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 890...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Arthur de Jong <adej...@debian.org> (supplier of updated nss-pam-ldapd package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Mon, 19 Feb 2018 21:00:00 +0100
Source: nss-pam-ldapd
Binary: nslcd pynslcd libnss-ldapd libpam-ldapd nslcd-utils
Architecture: source amd64 all
Version: 0.9.9-1
Distribution: unstable
Urgency: medium
Maintainer: Arthur de Jong <adej...@debian.org>
Changed-By: Arthur de Jong <adej...@debian.org>
Description:
 libnss-ldapd - NSS module for using LDAP as a naming service
 libpam-ldapd - PAM module for using LDAP as an authentication service
 nslcd      - daemon for NSS and PAM lookups using LDAP
 nslcd-utils - utilities for querying LDAP via nslcd
 pynslcd    - daemon for NSS and PAM lookups via LDAP - Python version
Closes: 890508
Changes:
 nss-pam-ldapd (0.9.9-1) unstable; urgency=medium
 .
   * new upstream release:
     - support spaces in attribute mapping expressions
     - allow parsing longer lines in the configuration file
     - allow for longer host names (closes: #890508)
   * upgrade to debhelper compatibility level 7
   * upgrade to standards-version 4.1.3 (change package priority to optional)
   * do not run test suite if DEB_BUILD_OPTIONS contains nocheck
Checksums-Sha1:
 8d4681ed7959ab0df1c1c4dd245764819dc983f0 2392 nss-pam-ldapd_0.9.9-1.dsc
 9d1bc839cf1b9a2ee9c6c927b8855031a6251d1e 772059 nss-pam-ldapd_0.9.9.orig.tar.gz
 2418d44b672bf8f985f73c3b1966ed63da55d049 132048 
nss-pam-ldapd_0.9.9-1.debian.tar.xz
 0513962b5f8e37512f834b729f658f101356e067 45364 
libnss-ldapd-dbgsym_0.9.9-1_amd64.deb
 fa61ac5252d1eb27f5dcb402f430bb9aa4d84e20 69172 libnss-ldapd_0.9.9-1_amd64.deb
 61867f6aebc21b458f1c05947bc2413a15f593d8 26040 
libpam-ldapd-dbgsym_0.9.9-1_amd64.deb
 4f19a522cbb6545f8f8a588d23886fd61424670e 57512 libpam-ldapd_0.9.9-1_amd64.deb
 ccefb048f115f452a22da72bcaec229abd41878b 187784 nslcd-dbgsym_0.9.9-1_amd64.deb
 4286d1fbe6ab8ca1f52d69a634516773bec8aed3 54512 nslcd-utils_0.9.9-1_all.deb
 9d381a0cd3e0252575ceb0d340f53e1c886c7939 206516 nslcd_0.9.9-1_amd64.deb
 660ba52fdb483ae53d1ffc4328a338413ea98c82 10226 
nss-pam-ldapd_0.9.9-1_amd64.buildinfo
 ba2a298d95ffd8917ac87391bcb57c2e45fb3f05 165752 pynslcd_0.9.9-1_all.deb
Checksums-Sha256:
 e1450154e88d23722036514a58382bc3061e1508fb66a97b4d670766fa2b3359 2392 
nss-pam-ldapd_0.9.9-1.dsc
 20ca6a43509cb8b20c370bb1501f279ee633bc0db9f4c21a877a8d47e5c447d2 772059 
nss-pam-ldapd_0.9.9.orig.tar.gz
 c6872f49d22111c6dc870310a3b48b30603f47dd27239000ee1da0c987d306b0 132048 
nss-pam-ldapd_0.9.9-1.debian.tar.xz
 f3a3f2b24bbc494c03e6cfcd5201b3bb8e4bda51ea8b77ac942d7c6bef4fa00d 45364 
libnss-ldapd-dbgsym_0.9.9-1_amd64.deb
 260f53673aaa241043b16c1596524e5d07bb018ec806db5d8bd94d1810c9ec35 69172 
libnss-ldapd_0.9.9-1_amd64.deb
 265f17e1fcf87a6c10b1a2d9111dee08089f64d7dcabeb5cf9aa2967a0e7d31d 26040 
libpam-ldapd-dbgsym_0.9.9-1_amd64.deb
 d4848f952841745631561e1d3acb2e9b55c523c847e617456f13d4bec62f5eb9 57512 
libpam-ldapd_0.9.9-1_amd64.deb
 409283e5c02b9cffa40bd6ea55b6363762f71fd25a9a9b8fb49d676b11c2fdab 187784 
nslcd-dbgsym_0.9.9-1_amd64.deb
 1188720d4978ae48e852029a58f7637c04b9ae6d2aa1adf1339a70b0551a5dd5 54512 
nslcd-utils_0.9.9-1_all.deb
 f84b4885cccafee5e058bc5f96c6add2d7d1a397741097196ff316f02b1d6d5f 206516 
nslcd_0.9.9-1_amd64.deb
 f674c2ff8a2895affce0097e2894ab3ba3295c8c25a8094d62ee8ccbafb57047 10226 
nss-pam-ldapd_0.9.9-1_amd64.buildinfo
 9b3b4ad1631f4a87cf523f7d1f177e33a7e0b391f5af4689c60b17cbc1f42f74 165752 
pynslcd_0.9.9-1_all.deb
Files:
 ed32477b55bf1dbd7713ef5d01f22330 2392 admin optional nss-pam-ldapd_0.9.9-1.dsc
 fc01f2ff2aa3ae2ea3f3e347b7c57745 772059 admin optional 
nss-pam-ldapd_0.9.9.orig.tar.gz
 6159d32319ce3cfa784571648a5b5b32 132048 admin optional 
nss-pam-ldapd_0.9.9-1.debian.tar.xz
 89c85091da876059ff7d671efe109af3 45364 debug optional 
libnss-ldapd-dbgsym_0.9.9-1_amd64.deb
 247633319d698a50aaea21edab1a45cc 69172 admin optional 
libnss-ldapd_0.9.9-1_amd64.deb
 57f176fe4d52795bb1cf4079527ab674 26040 debug optional 
libpam-ldapd-dbgsym_0.9.9-1_amd64.deb
 35056b869956c2e08921aa499a159a6a 57512 admin optional 
libpam-ldapd_0.9.9-1_amd64.deb
 96a293fe44232f0cdec69f0ed3664073 187784 debug optional 
nslcd-dbgsym_0.9.9-1_amd64.deb
 28f2f2e0b27e7cf267bc7d7e093f22fc 54512 admin optional 
nslcd-utils_0.9.9-1_all.deb
 ea5696048b27361e0367cb9eb21ccc90 206516 admin optional nslcd_0.9.9-1_amd64.deb
 b20a09c21319c350dbb8c58cccdb13f7 10226 admin optional 
nss-pam-ldapd_0.9.9-1_amd64.buildinfo
 aa0d19c85738b35f6af6f5e8e53930fc 165752 admin optional pynslcd_0.9.9-1_all.deb

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEERS7Cy2XPaMKhrb9fKot0aBDgr8EFAlqLLOsACgkQKot0aBDg
r8FvIBAAlC8QLp4RHGO0pyUWm758nYW853EfSBV4UCBEeuRMsxJxm1vHGBSlFOPN
eMc4/4sA9xsWiiVMJsqcovbbH17bbnSf4dtBgv9+g3ufUNWIw4DGDsFqxqTp+t2h
+ekcerY+j6XTfAJnZ26SWEwYNZbNt7fPnrHk914vuGahRpGcrUKtaU2i2XfgbAHo
tpM1WJ8i/pnSO9aruntknIk5YJhSY0tAokkq2FDmjN8y+0/Yqqdp9g7JUgZpQ2oy
f6Nh3wI9ssrAZAo24lIqnJv1U2YzWjtJ0GcweP6f9SljIbfuh0sFmsMF1vHxhLl2
YPOA107vC/626hAQ5i2c+YGJ8G/Hwd34p439hWotX7a8Kpc7AQ1wBS75LtDEeulu
vlEvpMcqFed6cLcnfmdl+jxWydO4VtaykCJLpwvp3rygRXPORd1WzF5OR/0V3gl/
NktCQ86FclMoOwuD9HCltv+3U9EU7lFxF4Jy/oxN0v2P7zFNyErLEabenVuzTkuX
3M/c9O3PxUGwUSZm6MDz5w716zWnZHnftjjiiAEZlm9leJdf9o2kniDIqQcChHAk
r725ljBFgmW75zYBAFkB1PB/FD3C2Sj6+aC/gxbwbNDAhmffLQDLV5o4GbbhYb3s
1QjCBFvPsU3JFcjR+31o8BlLib1timEtpaQPeg+Y7QxZW5mAnnU=
=oOHa
-----END PGP SIGNATURE-----

--- End Message ---

Reply via email to