Public bug reported:
pam_auth group selection issue with more than 32 groups membership
We have an issue with group selection when an account has more than 32
Linux groups connected to it. Users with memberships in 33 or more groups
successfully authenticate but are passed to a default group with no custom routes. I
guess it's a PAM module issue, but I have no idea how to fix it.
----config file ----
/etc/ocserv/ocserv.conf
auth = "pam[gid-min=10000]"
tcp-port = 443
udp-port = 443
run-as-user = nobody
run-as-group = daemon
socket-file = /var/run/ocserv-socket
isolate-workers = true
max-clients = 16
max-same-clients = 2
keepalive = 32400
dpd = 90
mobile-dpd = 1800
try-mtu-discovery = true
cert-user-oid = 0.9.2342.19200300.100.1.1
tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-VERS-SSL3.0"
auth-timeout = 40
min-reauth-time = 3
max-ban-score = 50
ban-reset-time = 300
cookie-timeout = 300
cookie-rekey-time = 14400
deny-roaming = false
rekey-time = 172800
rekey-method = ssl
use-utmp = false
use-occtl = true
pid-file = /var/run/ocserv.pid
device = vpns
predictable-ips = true
compression = true
ipv4-network = 10.130.136.0/24
ping-leases = false
#restrict-user-to-routes = true
append-global-routes = false
select-group = SA
select-group = Users
auto-select-group = false
config-per-user = /etc/ocserv/config-per-user
config-per-group = /etc/ocserv/config-per-group
route-add-cmd = "ip route add %{R} dev %{D}"
route-del-cmd = "ip route delete %{R} dev %{D}"
cisco-client-compat = true
---pam module---
/etc/pam.d/ocserv
#%PAM-1.0
auth sufficient pam_ldap.so debug
account sufficient pam_ldap.so debug
password sufficient pam_ldap.so debug
---affected user---
Please enter your username.
Username:******
POST https://************/auth
> POST /auth HTTP/1.1
> Host: ***********
> User-Agent: Open AnyConnect VPN Agent v7.06
> Accept: */*
> Accept-Encoding: identity
> X-Transcend-Version: 1
> X-Aggregate-Auth: 1
> X-AnyConnect-Platform: linux-64
> X-Support-HTTP-Auth: true
> X-Pad: 0000000000000000000000
> Content-Type: application/x-www-form-urlencoded
> Content-Length: 234
>
> <?xml version="1.0" encoding="UTF-8"?>
> <config-auth client="vpn" type="auth-reply"><version who="vpn">v7.06</version><device-id>linux-64</device-id><auth><username>******</username></auth><group-select>SA</group-select></config-auth>
Got HTTP response: HTTP/1.1 200 OK
Set-Cookie: webvpncontext=nxFuXVMj9t6Ij+Q5VFiN8Q==; Max-Age=300; Secure
Content-Type: text/xml
Content-Length: 310
X-Transcend-Version: 1
HTTP body length: (310)
< <?xml version="1.0" encoding="UTF-8"?>
< <config-auth client="vpn" type="auth-request">
< <version who="sg">0.1(1)</version>
< <auth id="main">
< <message>Please enter your password.</message>
< <form method="post" action="/auth">
< <input type="password" name="password" label="Password:" />
< </form></auth>
< </config-auth>
Please enter your password.
Password:
POST https://************/auth
> POST /auth HTTP/1.1
> Host: *********
> User-Agent: Open AnyConnect VPN Agent v7.06
> Cookie: webvpncontext=nxFuXVMj9t6Ij+Q5VFiN8Q==
> Accept: */*
> Accept-Encoding: identity
> X-Transcend-Version: 1
> X-Aggregate-Auth: 1
> X-AnyConnect-Platform: linux-64
> X-Support-HTTP-Auth: true
> X-Pad: 00000000000000000000000000000000000000000000000
> Content-Type: application/x-www-form-urlencoded
> Content-Length: 209
>
> <?xml version="1.0" encoding="UTF-8"?>
> <config-auth client="vpn" type="auth-reply"><version who="vpn">v7.06</version><device-id>linux-64</device-id><auth><password>******</password></auth></config-auth>
Got HTTP response: HTTP/1.1 200 OK
Connection: Keep-Alive
Content-Type: text/xml
Content-Length: 189
X-Transcend-Version: 1
Set-Cookie: webvpncontext=nxFuXVMj9t6Ij+Q5VFiN8Q==; Secure
Set-Cookie: webvpn=<elided>; Secure
Set-Cookie: webvpnc=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; Secure
Set-Cookie: webvpnc=bu:/&p:t&iu:1/&sh:6260E353917A21CE78512A34BBD88075DD2B519D; path=/; Secure
HTTP body length: (189)
< <?xml version="1.0" encoding="UTF-8"?>
< <config-auth client="vpn" type="complete">
< <version who="sg">0.1(1)</version>
< <auth id="success">
< <title>SSL VPN Service</title></auth></config-auth>
> CONNECT /CSCOSSLC/tunnel HTTP/1.1
> Host: ***************
> User-Agent: Open AnyConnect VPN Agent v7.06
> Cookie: webvpn=+oCba/+cb3XchxQ3zYW0nMO37/YB9cGN2JBFzv3FdGFe0Xx1ZNbvPjoejh5VGPlC2EF8VE5fjLcERfN88Vh7L5M7VTNClfPIaHzkCb7jblIgXQ==
> X-CSTP-Version: 1
> X-CSTP-Hostname: box3
> X-CSTP-Accept-Encoding: oc-lz4,lzs
> X-CSTP-MTU: 1406
> X-CSTP-Address-Type: IPv6,IPv4
> X-CSTP-Full-IPv6-Capability: true
> X-DTLS-Master-Secret: B1AB2E0AE81A306466F2F75347A9E1CE8FBDBA4535CCDD6C97D28D990C0207947D0EB83F2145DFCE6C04D701DF947778
> X-DTLS-CipherSuite: OC-DTLS1_2-AES256-GCM:OC-DTLS1_2-AES128-GCM:AES256-SHA:AES128-SHA:DES-CBC3-SHA:DES-CBC-SHA
> X-DTLS-Accept-Encoding: oc-lz4,lzs
>
Got CONNECT response: HTTP/1.1 200 CONNECTED
X-CSTP-Version: 1
X-CSTP-Server-Name: ocserv 0.10.11
X-CSTP-DPD: 90
X-CSTP-Default-Domain: ******************
X-CSTP-Base-MTU: 1355
X-CSTP-Address: 10.130.136.29
X-CSTP-Netmask: 255.255.255.0
X-CSTP-Split-DNS: ********
X-CSTP-Split-DNS: ********
X-CSTP-Split-DNS: ********
X-CSTP-Split-DNS: ********
X-CSTP-Split-DNS: ********
X-CSTP-Tunnel-All-DNS: false
X-CSTP-Keepalive: 32400
X-CSTP-Idle-Timeout: none
X-CSTP-Smartcard-Removal-Disconnect: true
X-CSTP-Rekey-Time: 172813
X-CSTP-Rekey-Method: ssl
X-CSTP-Session-Timeout: none
X-CSTP-Disconnected-Timeout: none
X-CSTP-Keep: true
X-CSTP-TCP-Keepalive: true
X-CSTP-License: accept
X-DTLS-Session-ID: afe8f4769e3a279a7b2ccdb5f8dd97897c4549dbc102f7c43164523a64857f50
X-DTLS-DPD: 90
X-DTLS-Port: 443
X-DTLS-Rekey-Time: 172823
X-DTLS-Rekey-Method: ssl
X-DTLS-Keepalive: 32400
X-DTLS-CipherSuite: OC-DTLS1_2-AES128-GCM
X-DTLS-MTU: 1289
X-CSTP-MTU: 1289
X-DTLS-Content-Encoding: oc-lz4
X-CSTP-Content-Encoding: oc-lz4
CSTP connected. DPD 90, Keepalive 32400
CSTP Ciphersuite: (TLS1.2)-(ECDHE-RSA-SECP256R1)-(AES-128-GCM)
DTLS option X-DTLS-Session-ID : afe8f4769e3a279a7b2ccdb5f8dd97897c4549dbc102f7c43164523a64857f50
DTLS option X-DTLS-DPD : 90
DTLS option X-DTLS-Port : 443
DTLS option X-DTLS-Rekey-Time : 172823
DTLS option X-DTLS-Rekey-Method : ssl
DTLS option X-DTLS-Keepalive : 32400
DTLS option X-DTLS-CipherSuite : OC-DTLS1_2-AES128-GCM
DTLS option X-DTLS-MTU : 1289
DTLS option X-DTLS-Content-Encoding : oc-lz4
DTLS initialised. DPD 90, Keepalive 32400
Connected tun0 as 10.130.136.29, using SSL + lz4
Established DTLS connection (using GnuTLS). Ciphersuite (DTLS1.2)-(RSA)-(AES-128-GCM).
Resolution:
There is a definition in sec-mod.h which limits MAX_GROUPS to 32.
Please recreate the package with #define MAX_GROUPS 65535
** Affects: ocserv (Ubuntu)
Importance: Undecided
Status: New
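As an added illustration of the limit the reporter points to (this is example code, not ocserv's own), the following C contrasts a fixed MAX_GROUPS buffer with a dynamically sized getgrouplist() lookup; it assumes a Linux/glibc host with a root account for the sample calls, and the MAX_GROUPS name is reused from the report.

```c
#define _GNU_SOURCE          /* expose getgrouplist() in <grp.h> */
#include <grp.h>
#include <stdlib.h>

#define MAX_GROUPS 32        /* the cap the report attributes to sec-mod.h */

/* Capped lookup, reproducing the failure mode: getgrouplist() returns -1
 * once the user has more than MAX_GROUPS groups, so a caller that ignores
 * that result has no membership list and the requested select-group is
 * never matched. Returns the count, or -1 when the list was truncated. */
int groups_capped(const char *user, gid_t base, gid_t out[MAX_GROUPS])
{
    int n = MAX_GROUPS;
    return getgrouplist(user, base, out, &n) == -1 ? -1 : n;
}

/* Dynamically sized lookup with no fixed cap. On overflow glibc stores the
 * required size in n; the doubling fallback covers libcs that leave n
 * unchanged. Caller frees *out. Returns the count, or -1 on failure. */
int groups_dynamic(const char *user, gid_t base, gid_t **out)
{
    int cap = 16;
    gid_t *list = NULL;
    for (;;) {
        gid_t *tmp = realloc(list, (size_t)cap * sizeof *tmp);
        if (tmp == NULL) {
            free(list);
            return -1;
        }
        list = tmp;
        int n = cap;
        if (getgrouplist(user, base, list, &n) != -1) {
            *out = list;
            return n;
        }
        cap = (n > cap) ? n : cap * 2;
    }
}

/* Membership check a select-group decision needs: 1 if user is in wanted,
 * 0 if not, -1 on error. Works for the 33rd group as well as the first. */
int user_in_gid(const char *user, gid_t base, gid_t wanted)
{
    gid_t *list = NULL;
    int n = groups_dynamic(user, base, &list), found = 0;
    if (n < 0)
        return -1;
    for (int i = 0; i < n; i++)
        if (list[i] == wanted)
            found = 1;
    free(list);
    return found;
}
```

getgrouplist() always includes the base gid in its result, so the primary group check below succeeds for any account the host can resolve.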
https://bugs.launchpad.net/bugs/1840241
Title:
ocserv pam groups are limited to 32