Your message dated Mon, 19 Feb 2018 21:14:29 +0000
with message-id <e1enslz-000ciq...@fasolo.debian.org>
and subject line Bug#890508: fixed in nss-pam-ldapd 0.9.9-1
has caused the Debian Bug report #890508,
regarding pam_ldap/nslcd: Buffer to hold rhost too small when checking
authentication credentials of the user (leading to authentication failure)
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
890508: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=890508
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: nss-pam-ldapd
Version: 0.9.7-2
Severity: normal
Tags: upstream
Hi
The issue was found under the following precondition:
On Debian Stretch server, with pam configured to use pam_ldap from
nss-pam-ldapd:
[...]
auth [success=2 default=ignore] pam_unix.so nullok_secure
auth [success=1 default=ignore] pam_ldap.so minimum_uid=100 use_first_pass
[...]
The sshd_config contains UseDNS=yes (changed from default).
A user now logging in from remote via SSH with a host resolving to a FQDN with
length longer than 64 bytes using password authentication triggers the
following:
Feb 12 16:41:30 XXXXXXXX sshd[5563]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=XXX.XXX.XXX.XXX.XXXXXXX.XXXXX.XXXXXXXXXXXXXX.XXX.XXXX.XXXXXXXX.XX user=XXXXX
Feb 12 16:41:30 XXXXXXXX nslcd[2282]: [54e2c3] client supplied argument 1 bytes too large
Feb 12 16:41:30 XXXXXXXX sshd[5563]: pam_ldap(sshd:auth): error reading from nslcd: Connection reset by peer
Feb 12 16:41:31 XXXXXXXX sshd[5563]: Failed password for XXXXX from XXX.XXX.XXX.XXX port 4324 ssh2
Feb 12 16:41:31 XXXXXXXX sshd[5563]: Connection closed by authenticating user XXXXX XXX.XXX.XXX.XXX port 4324 [preauth]
Looking closer at what happens, the issue seems to be raised in nslcd/pam.c:
263 /* check authentication credentials of the user */
264 int nslcd_pam_authc(TFILE *fp, MYLDAP_SESSION *session, uid_t calleruid)
265 {
266 int32_t tmpint32;
267 int rc;
268 char username[BUFLEN_NAME], service[BUFLEN_NAME], ruser[BUFLEN_NAME], rhost[BUFLEN_HOSTNAME], tty[64];
269 char password[BUFLEN_PASSWORD];
270 const char *userdn;
271 MYLDAP_ENTRY *entry;
272 int authzrc = NSLCD_PAM_SUCCESS;
273 char authzmsg[BUFLEN_MESSAGE];
274 authzmsg[0] = '\0';
275 /* read request parameters */
276 READ_STRING(fp, username);
277 READ_STRING(fp, service);
278 READ_STRING(fp, ruser);
279 READ_STRING(fp, rhost);
280 READ_STRING(fp, tty);
281 READ_STRING(fp, password);
on line 279, where the rhost is read from fp into the rhost buffer. On a Debian
system, that BUFLEN_HOSTNAME will be only 64 (nslcd/common.h):
28 #include <limits.h>
[...]
153 /* fallback definition of HOST_NAME_MAX */
154 #ifndef HOST_NAME_MAX
155 #ifdef _POSIX_HOST_NAME_MAX
156 #define HOST_NAME_MAX _POSIX_HOST_NAME_MAX
157 #else
158 #define HOST_NAME_MAX 255
159 #endif /* _POSIX_HOST_NAME_MAX */
160 #endif /* not HOST_NAME_MAX */
161
162 /* common buffer lengths */
163 #define BUFLEN_NAME 256 /* user, group names and such */
164 #define BUFLEN_SAFENAME 300 /* escaped name */
165 #define BUFLEN_PASSWORD 128 /* passwords */
166 #define BUFLEN_PASSWORDHASH 256 /* passwords hashes */
167 #define BUFLEN_DN 512 /* distinguished names */
168 #define BUFLEN_SAFEDN 600 /* escapedd dn */
169 #define BUFLEN_FILTER 4096 /* search filters */
170 #define BUFLEN_HOSTNAME (HOST_NAME_MAX + 1) /* host names (+ escaped) */
171 #define BUFLEN_MESSAGE 1024 /* message strings */
In pam/pam.c itself
293 /* perform an authentication call over nslcd */
294 static int nslcd_request_authc(pam_handle_t *pamh, struct pld_cfg *cfg,
295 const char *username, const char *service,
296 const char *ruser, const char *rhost,
297 const char *tty, const char *passwd,
298 struct nslcd_resp *authc_resp,
299 struct nslcd_resp *authz_resp)
300 {
301 PAM_REQUEST(
302 NSLCD_ACTION_PAM_AUTHC,
303 /* log debug message */
304 pam_syslog(pamh, LOG_DEBUG, "nslcd authentication; user=%s", username),
305 /* write the request parameters */
306 WRITE_STRING(fp, username);
307 WRITE_STRING(fp, service);
308 WRITE_STRING(fp, ruser);
309 WRITE_STRING(fp, rhost);
310 WRITE_STRING(fp, tty);
311 WRITE_STRING(fp, passwd),
312 /* read the result entry */
313 READ_PAM_CODE(fp, authc_resp->res);
314 READ_STRING(fp, authc_resp->msg); /* user name */
315 /* if we want the authorisation response, save it, otherwise skip it */
316 if (authz_resp != NULL)
317 {
318 READ_PAM_CODE(fp, authz_resp->res);
319 READ_STRING(fp, authz_resp->msg);
320 }
321 else
322 {
323 SKIP(fp, sizeof(int32_t));
324 SKIP_STRING(fp);
325 }
326 )
327 }
And in our case we had a FQDN hostname one byte larger than
nslcd_pam_authc could handle for rhost.
According at least to https://tools.ietf.org/html/rfc1035#section-2.3.1
and the further clarification in
https://tools.ietf.org/html/rfc2181#section-11, rhost (considering full
domain names) should probably be limited to 255.
I'm not sure how to correctly fix it.
Regards,
Salvatore
--- End Message ---
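The following C program is an added illustration of the size mismatch described in the report; it is not code from nslcd, from the Debian package, or from the reporter. It models the length-prefixed string read on the nslcd socket (an int32 length followed by the bytes, and a "length >= sizeof(buffer)" rejection, both assumed from what nslcd's READ_STRING does) and shows why a 65-byte rhost buffer (HOST_NAME_MAX 64 + 1, as on glibc) rejects a 65-character FQDN as exactly "1 bytes too large", while a buffer sized from the DNS limit of 255 octets accepts every valid name. The function names try_rhost, excess_for and check_fqdn_length, the constants BUFLEN_HOSTNAME_STRETCH, DNS_NAME_MAX and BUFLEN_HOSTNAME_DNS, and the sample host name are this example's own.

```c
/* Added example; not code from nslcd or from the report above.  It models the
 * length-prefixed string read on the nslcd socket (int32 length then bytes, and
 * the "sz >= sizeof(buffer)" rejection; both assumed from nslcd's READ_STRING) to
 * show why a 65-byte rhost buffer rejects a 65-character FQDN as "1 bytes too
 * large", while a buffer sized from the DNS limit (RFC 2181 s.11) accepts it. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUFLEN_HOSTNAME_STRETCH 65   /* HOST_NAME_MAX (64 on glibc) + 1, as on Debian stretch */
#define DNS_NAME_MAX            255  /* longest full domain name, RFC 2181 s.11 */
#define BUFLEN_HOSTNAME_DNS     (DNS_NAME_MAX + 1)

/* In-memory stand-in for the TFILE stream the daemon reads requests from. */
struct wire { const unsigned char *data; size_t len; size_t pos; };

/* Client side (assumed WRITE_STRING layout): int32 length, then raw bytes.
 * Returns bytes written, or 0 if the value does not fit in buf. */
static size_t encode_string(unsigned char *buf, size_t buflen, const char *s)
{
    int32_t n = (int32_t)strlen(s);
    if (buflen < sizeof(n) + (size_t)n)
        return 0;
    memcpy(buf, &n, sizeof(n));
    memcpy(buf + sizeof(n), s, (size_t)n);
    return sizeof(n) + (size_t)n;
}

/* Daemon side: read one length-prefixed string into out[outlen].  Returns 0 on
 * success, -1 on a truncated stream, -2 when n bytes plus the NUL do not fit;
 * *excess then holds the count nslcd logs as "argument N bytes too large". */
static int read_string(struct wire *w, char *out, size_t outlen, size_t *excess)
{
    int32_t n;
    if (w->pos + sizeof(n) > w->len)
        return -1;
    memcpy(&n, w->data + w->pos, sizeof(n));
    w->pos += sizeof(n);
    if (n < 0 || w->pos + (size_t)n > w->len)
        return -1;
    if ((size_t)n >= outlen) {
        if (excess)
            *excess = (size_t)n - (outlen - 1);
        return -2;
    }
    memcpy(out, w->data + w->pos, (size_t)n);
    out[n] = '\0';
    w->pos += (size_t)n;
    return 0;
}

/* Round trip: encode rhost as the PAM client would, then read it into a
 * buflen-byte buffer as nslcd_pam_authc would.  Returns read_string's result. */
int try_rhost(const char *rhost, size_t buflen, size_t *excess)
{
    unsigned char wire_buf[sizeof(int32_t) + 1024];
    char out[1024];
    struct wire w = { wire_buf, 0, 0 };
    w.len = encode_string(wire_buf, sizeof(wire_buf), rhost);
    if (w.len == 0 || buflen > sizeof(out))
        return -1;
    return read_string(&w, out, buflen, excess);
}

/* How many bytes too long rhost is for a buflen-byte buffer (0 if it fits). */
size_t excess_for(const char *rhost, size_t buflen)
{
    size_t excess = 0;
    return try_rhost(rhost, buflen, &excess) == -2 ? excess : 0;
}

/* Build a constructed namelen-character FQDN from labels of at most 63 octets
 * (the RFC 1035 label limit) and report try_rhost's result for buflen. */
int check_fqdn_length(size_t namelen, size_t buflen)
{
    char name[1024];
    size_t i, label = 0;
    if (namelen >= sizeof(name))
        return -1;
    for (i = 0; i < namelen; i++) {
        if (label == 63) { name[i] = '.'; label = 0; }
        else { name[i] = (char)('a' + (i % 26)); label++; }
    }
    name[namelen] = '\0';
    return try_rhost(name, buflen, NULL);
}

/* Constructed 65-character name, one byte longer than the stretch buffer holds. */
const char *const LONG_FQDN =
    "host01.department.branch.region.subsidiary.corp.example.org.local";

int main(void)
{
    printf("65-char rhost: 65-byte buffer rc=%d (%zu too large), 256-byte buffer rc=%d\n",
           try_rhost(LONG_FQDN, BUFLEN_HOSTNAME_STRETCH, NULL),
           excess_for(LONG_FQDN, BUFLEN_HOSTNAME_STRETCH),
           try_rhost(LONG_FQDN, BUFLEN_HOSTNAME_DNS, NULL));
    return 0;
}
```

The point of the round trip is that the failing check lives on the daemon side: the PAM client writes whatever rhost sshd hands it, so the only sensible fix is to size the daemon's buffer for the longest value the protocol can legitimately carry (a 255-octet domain name plus the terminating NUL), which is what the 0.9.9 changelog entry "allow for longer host names" does.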
--- Begin Message ---
Source: nss-pam-ldapd
Source-Version: 0.9.9-1
We believe that the bug you reported is fixed in the latest version of
nss-pam-ldapd, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 890...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Arthur de Jong <adej...@debian.org> (supplier of updated nss-pam-ldapd package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Mon, 19 Feb 2018 21:00:00 +0100
Source: nss-pam-ldapd
Binary: nslcd pynslcd libnss-ldapd libpam-ldapd nslcd-utils
Architecture: source amd64 all
Version: 0.9.9-1
Distribution: unstable
Urgency: medium
Maintainer: Arthur de Jong <adej...@debian.org>
Changed-By: Arthur de Jong <adej...@debian.org>
Description:
libnss-ldapd - NSS module for using LDAP as a naming service
libpam-ldapd - PAM module for using LDAP as an authentication service
nslcd - daemon for NSS and PAM lookups using LDAP
nslcd-utils - utilities for querying LDAP via nslcd
pynslcd - daemon for NSS and PAM lookups via LDAP - Python version
Closes: 890508
Changes:
nss-pam-ldapd (0.9.9-1) unstable; urgency=medium
.
* new upstream release:
- support spaces in attribute mapping expressions
- allow parsing longer lines in the configuration file
- allow for longer host names (closes: #890508)
* upgrade to debhelper compatibility level 7
* upgrade to standards-version 4.1.3 (change package priority to optional)
* do not run test suite if DEB_BUILD_OPTIONS contains nocheck
Checksums-Sha1:
8d4681ed7959ab0df1c1c4dd245764819dc983f0 2392 nss-pam-ldapd_0.9.9-1.dsc
9d1bc839cf1b9a2ee9c6c927b8855031a6251d1e 772059 nss-pam-ldapd_0.9.9.orig.tar.gz
2418d44b672bf8f985f73c3b1966ed63da55d049 132048 nss-pam-ldapd_0.9.9-1.debian.tar.xz
0513962b5f8e37512f834b729f658f101356e067 45364 libnss-ldapd-dbgsym_0.9.9-1_amd64.deb
fa61ac5252d1eb27f5dcb402f430bb9aa4d84e20 69172 libnss-ldapd_0.9.9-1_amd64.deb
61867f6aebc21b458f1c05947bc2413a15f593d8 26040 libpam-ldapd-dbgsym_0.9.9-1_amd64.deb
4f19a522cbb6545f8f8a588d23886fd61424670e 57512 libpam-ldapd_0.9.9-1_amd64.deb
ccefb048f115f452a22da72bcaec229abd41878b 187784 nslcd-dbgsym_0.9.9-1_amd64.deb
4286d1fbe6ab8ca1f52d69a634516773bec8aed3 54512 nslcd-utils_0.9.9-1_all.deb
9d381a0cd3e0252575ceb0d340f53e1c886c7939 206516 nslcd_0.9.9-1_amd64.deb
660ba52fdb483ae53d1ffc4328a338413ea98c82 10226 nss-pam-ldapd_0.9.9-1_amd64.buildinfo
ba2a298d95ffd8917ac87391bcb57c2e45fb3f05 165752 pynslcd_0.9.9-1_all.deb
Checksums-Sha256:
e1450154e88d23722036514a58382bc3061e1508fb66a97b4d670766fa2b3359 2392 nss-pam-ldapd_0.9.9-1.dsc
20ca6a43509cb8b20c370bb1501f279ee633bc0db9f4c21a877a8d47e5c447d2 772059 nss-pam-ldapd_0.9.9.orig.tar.gz
c6872f49d22111c6dc870310a3b48b30603f47dd27239000ee1da0c987d306b0 132048 nss-pam-ldapd_0.9.9-1.debian.tar.xz
f3a3f2b24bbc494c03e6cfcd5201b3bb8e4bda51ea8b77ac942d7c6bef4fa00d 45364 libnss-ldapd-dbgsym_0.9.9-1_amd64.deb
260f53673aaa241043b16c1596524e5d07bb018ec806db5d8bd94d1810c9ec35 69172 libnss-ldapd_0.9.9-1_amd64.deb
265f17e1fcf87a6c10b1a2d9111dee08089f64d7dcabeb5cf9aa2967a0e7d31d 26040 libpam-ldapd-dbgsym_0.9.9-1_amd64.deb
d4848f952841745631561e1d3acb2e9b55c523c847e617456f13d4bec62f5eb9 57512 libpam-ldapd_0.9.9-1_amd64.deb
409283e5c02b9cffa40bd6ea55b6363762f71fd25a9a9b8fb49d676b11c2fdab 187784 nslcd-dbgsym_0.9.9-1_amd64.deb
1188720d4978ae48e852029a58f7637c04b9ae6d2aa1adf1339a70b0551a5dd5 54512 nslcd-utils_0.9.9-1_all.deb
f84b4885cccafee5e058bc5f96c6add2d7d1a397741097196ff316f02b1d6d5f 206516 nslcd_0.9.9-1_amd64.deb
f674c2ff8a2895affce0097e2894ab3ba3295c8c25a8094d62ee8ccbafb57047 10226 nss-pam-ldapd_0.9.9-1_amd64.buildinfo
9b3b4ad1631f4a87cf523f7d1f177e33a7e0b391f5af4689c60b17cbc1f42f74 165752 pynslcd_0.9.9-1_all.deb
Files:
ed32477b55bf1dbd7713ef5d01f22330 2392 admin optional nss-pam-ldapd_0.9.9-1.dsc
fc01f2ff2aa3ae2ea3f3e347b7c57745 772059 admin optional nss-pam-ldapd_0.9.9.orig.tar.gz
6159d32319ce3cfa784571648a5b5b32 132048 admin optional nss-pam-ldapd_0.9.9-1.debian.tar.xz
89c85091da876059ff7d671efe109af3 45364 debug optional libnss-ldapd-dbgsym_0.9.9-1_amd64.deb
247633319d698a50aaea21edab1a45cc 69172 admin optional libnss-ldapd_0.9.9-1_amd64.deb
57f176fe4d52795bb1cf4079527ab674 26040 debug optional libpam-ldapd-dbgsym_0.9.9-1_amd64.deb
35056b869956c2e08921aa499a159a6a 57512 admin optional libpam-ldapd_0.9.9-1_amd64.deb
96a293fe44232f0cdec69f0ed3664073 187784 debug optional nslcd-dbgsym_0.9.9-1_amd64.deb
28f2f2e0b27e7cf267bc7d7e093f22fc 54512 admin optional nslcd-utils_0.9.9-1_all.deb
ea5696048b27361e0367cb9eb21ccc90 206516 admin optional nslcd_0.9.9-1_amd64.deb
b20a09c21319c350dbb8c58cccdb13f7 10226 admin optional nss-pam-ldapd_0.9.9-1_amd64.buildinfo
aa0d19c85738b35f6af6f5e8e53930fc 165752 admin optional pynslcd_0.9.9-1_all.deb
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---