#28 second try works for a blocked host

Status: pending-fixed
Owner: danta
Labels: PAM Module (12)
Priority: 5
Updated: 2012-11-12
Created: 2012-09-03
Private: No

Hello,
Each second authentication for a blocked host works, but it shouldn't!

latest version 5.0.0

setup with default config

tail -f /var/log/auth.log
Sep 3 15:54:18 bioinfws14 pam-abl[21452]: Blocking access from xxx to service sshd, user alex
Sep 3 15:54:18 bioinfws14 sshd[21452]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=xxx user=alex
Sep 3 15:54:20 bioinfws14 sshd[21452]: Failed password for alex from 192.168.10.134 port 43508 ssh2
Sep 3 15:54:27 bioinfws14 pam-abl[21452]: Operation not permitted (1) while opening the database environment
Sep 3 15:54:27 bioinfws14 pam-abl[21452]: Operation not permitted (1) while Creating database environment.
Sep 3 15:54:27 bioinfws14 pam-abl[21452]: The database environment could not be opened
Sep 3 15:54:27 bioinfws14 sshd[21452]: pam_unix(sshd:account): account alex has password changed in future
Sep 3 15:54:27 bioinfws14 sshd[21452]: Accepted password for alex from 192.168.10.134 port 43508 ssh2
Sep 3 15:54:27 bioinfws14 sshd[21452]: pam_unix(sshd:session): session opened for user alex by (uid=0)
Sep 3 15:54:29 bioinfws14 sshd[21580]: Received disconnect from 192.168.10.134: 11: disconnected by user
Sep 3 15:54:29 bioinfws14 sshd[21452]: pam_unix(sshd:session): session closed for user alex
Sep 3 15:54:29 bioinfws14 sshd[21452]: PAM 1 more authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=xxx user=alex

#pam_abl
Failed users:
alex (3)
Blocked based on rule [*]
root (1)
Not blocking
toor (2)
Not blocking
Failed hosts:
xxx (6)
Blocked based on rule [*]

what else information can I provide?

Thank you,
Alex
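The symptom in the report is visible in the log itself: a pam-abl "Blocking access" line for a user, followed by an "Accepted password" line from the same sshd process for the same user. The detector below is an added example, not code from pam-abl or from this report. It correlates the two events on the sshd PID and user name, which is the only stable key when the remote host is redacted as "xxx" in the pam-abl line. The sample lines are copied from the report above, plus two constructed lines (PID 21600, user bob) for a session where the block held.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_PENDING 16
#define MAX_USER 64

/* A pam-abl "Blocking access" event seen but not yet matched to an accept. */
struct pending_block {
    int pid;
    char user[MAX_USER];
};

/* Read the PID from "<tag>[1234]" in a syslog line; returns 1 on success. */
static int parse_pid(const char *line, const char *tag, int *pid)
{
    const char *p = strstr(line, tag);
    if (p == NULL)
        return 0;
    return sscanf(p + strlen(tag), "[%d]", pid) == 1;
}

/* Copy a token up to the next space, comma or end of line. */
static void copy_token(const char *src, char *dst, size_t cap)
{
    size_t i = 0;
    while (src[i] != '\0' && src[i] != ' ' && src[i] != ',' &&
           src[i] != '\n' && i + 1 < cap) {
        dst[i] = src[i];
        i++;
    }
    dst[i] = '\0';
}

/* Count sshd sessions in which pam-abl logged a block for a user and the
 * same sshd process later accepted a password for that user. */
int count_block_bypasses(const char *const *lines, size_t count)
{
    struct pending_block pending[MAX_PENDING];
    size_t npending = 0;
    int bypasses = 0;

    for (size_t i = 0; i < count; i++) {
        const char *line = lines[i];
        const char *u;
        int pid;

        if (strstr(line, "Blocking access from") != NULL &&
            (u = strstr(line, ", user ")) != NULL &&
            parse_pid(line, "pam-abl", &pid)) {
            if (npending < MAX_PENDING) {
                pending[npending].pid = pid;
                copy_token(u + strlen(", user "), pending[npending].user, MAX_USER);
                npending++;
            }
            continue;
        }

        if ((u = strstr(line, "Accepted password for ")) != NULL &&
            parse_pid(line, "sshd", &pid)) {
            char user[MAX_USER];
            copy_token(u + strlen("Accepted password for "), user, MAX_USER);
            for (size_t j = 0; j < npending; j++) {
                if (pending[j].pid == pid && strcmp(pending[j].user, user) == 0) {
                    bypasses++;
                    pending[j] = pending[--npending]; /* drop matched entry */
                    break;
                }
            }
        }
    }
    return bypasses;
}

/* Lines from the report above, plus a constructed second session (PID 21600)
 * in which the block held and the password was refused. */
static const char *const SAMPLE_LOG[] = {
    "Sep 3 15:54:18 bioinfws14 pam-abl[21452]: Blocking access from xxx to service sshd, user alex",
    "Sep 3 15:54:18 bioinfws14 sshd[21452]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=xxx user=alex",
    "Sep 3 15:54:20 bioinfws14 sshd[21452]: Failed password for alex from 192.168.10.134 port 43508 ssh2",
    "Sep 3 15:54:27 bioinfws14 pam-abl[21452]: The database environment could not be opened",
    "Sep 3 15:54:27 bioinfws14 sshd[21452]: Accepted password for alex from 192.168.10.134 port 43508 ssh2",
    "Sep 3 15:55:01 bioinfws14 pam-abl[21600]: Blocking access from xxx to service sshd, user bob",
    "Sep 3 15:55:03 bioinfws14 sshd[21600]: Failed password for bob from 192.168.10.134 port 43509 ssh2",
};

int sample_bypasses(void)
{
    return count_block_bypasses(SAMPLE_LOG, sizeof SAMPLE_LOG / sizeof SAMPLE_LOG[0]);
}

int main(void)
{
    printf("blocked-then-accepted sessions: %d\n", sample_bypasses());
    return 0;
}
```

Run over a real auth.log, a non-zero count is the signal that pam_abl's verdict was not enforced on a later attempt within the same connection; the first sample session (PID 21452) is counted, the second is not.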

Discussion

  • Attachments: strace 4 sshd
  • danta
    2012-09-09

    k, didn't have that much time as I expected, so I just played around with the sshd pam config of my fileserver. Not exactly the same filesystem, Berkeley DB, ... as you, but it's the best I could do with so little time.

    I could reproduce something that looks like your problem (the symptoms look the same, but the error message is different, although I also get the "DB_REGISTER limits processes to one open DB_ENV handle per environment" message), so I just need your help to be sure it's exactly the same.
    My sshd pam config is based on what you gave me and the default provided by ubuntu:

    # PAM configuration for the Secure Shell service
    auth required pam_env.so # [1]
    auth required pam_env.so envfile=/etc/default/locale
    auth required /home/danta/pam-abl/cmake_build/pam-abl.so config=/tmp/pam-abl/pam_abl.conf
    auth [success=1 default=ignore] pam_unix.so nullok_secure
    auth requisite pam_deny.so
    auth required pam_permit.so
    account required pam_nologin.so
    # Standard Un*x authentication.
    @include common-auth
    # Disallow non-root logins when /etc/nologin exists.
    account required pam_nologin.so
    # Uncomment and edit /etc/security/access.conf if you need to set complex
    # access limits that are hard to express in sshd_config.
    # account required pam_access.so
    # Standard Un*x authorization.
    @include common-account
    # Standard Un*x session setup and teardown.
    @include common-session
    # Print the message of the day upon successful login.
    session optional pam_motd.so # [1]
    # Print the status of the user's mailbox upon successful login.
    session optional pam_mail.so standard noenv # [1]
    # Set up user limits from /etc/security/limits.conf.
    session required pam_limits.so
    # Set up SELinux capabilities (need modified pam)
    # session required pam_selinux.so multiple
    # Standard Un*x password updating.
    @include common-password

    My pam-abl config is:
    db_home=/tmp/pam-abl
    host_db=/tmp/pam-abl/hosts.db
    host_purge=1d
    host_rule=*:2/1h
    user_db=/tmp/pam-abl/users.db
    user_purge=1d
    user_rule=*:2/1h
    limits=1000-1200

    When I want to start an ssh connection I get 3 attempts to authenticate:
    first attempt: wrong password => login failed
    second attempt: wrong password => login failed
    third attempt: wrong password => login failed

    If I get the list of blocked users I notice that only one failed attempt is logged. If at any time in these attempts I type in the correct password, login succeeds.
    Given the config I should already be blocked (only two failed attempts are allowed), but this is not the case. If I try to reconnect I get another three attempts:
    first attempt: wrong password => login failed
    second attempt: wrong password => login failed
    third attempt: wrong password => login failed

    If I now get the list of blocked users I notice that we now have two failed login attempts for my username. If at any time in these attempts I type in the correct password, login succeeds.

    Only when I now try to reconnect am I always blocked by pam_abl, even if I use the correct password.

    Does this describe your problem?

    If you want to build pam-abl from source and make can't find your libdb, you can always override the location where it looks for it. For example I use the following command to build pam-abl:
    cmake -DDB_INCLUDE_DIR=/db-5.3.15/include/ -DDB_LINK_DIR=/db-5.3.15/lib/ -DDB_LIBRARY=db-5.3 ../

    Btw: thanks for all the time and effort you have put into answering all my questions.
    Best regards,
    Lode

     
  • Petr Písař
    2012-09-12

    I'm giving a try to pam_abl-0.5.0 with db-4.8.30 and I have a similar problem.

    My configuration is:

    #debug
    db_home=/var/lib/abl
    host_db=/var/lib/abl/hosts.db
    host_purge=30d
    host_rule=*:5/1h
    user_db=/var/lib/abl/users.db
    user_purge=30d
    user_rule=!*:5/1h

    My openssh-5.9_p1 server is configured:

    UsePAM yes
    PasswordAuthentication yes
    ChallengeResponseAuthentication no

    and it/PAM allows three consecutive attempts in an SSH session.

    The first failure does not touch the database nor log anything into syslog about pam_abl. The second attempt creates an empty database (if no database files existed before) and logs the messages about the not permitted operation and that the environment could not be opened. The third attempt stores a failure into the database but does not log anything about pam_abl into syslog. The result is the counter increased by one in the database for the user and the host.

    An strace of sshd from the second attempt follows.

    -- Petr

    open("/var/lib/abl/DB_CONFIG", O_RDONLY|O_LARGEFILE) = -1 ENOENT (No such file or directory)
    stat64("/var/tmp", {st_mode=S_IFDIR|S_ISVTX|0777, st_size=4096, ...}) = 0
    open("/var/lib/abl/__db.register", O_RDWR|O_CREAT|O_LARGEFILE, 0660) = 11
    fcntl64(11, F_GETFD) = 0
    fcntl64(11, F_SETFD, FD_CLOEXEC) = 0
    fcntl64(11, F_SETLKW64, {type=F_WRLCK, whence=SEEK_SET, start=1, len=1}, 0xbffb1418) = 0
    fstat64(11, {st_mode=S_IFREG|0640, st_size=50, ...}) = 0
    read(11, " 18572\n", 25) = 25
    write(2, "pam-abl", 7) = 7
    write(2, ": ", 2) = 2
    write(2, "DB_REGISTER limits processes to one open DB_ENV handle per environment", 70) = 70
    write(2, "\n", 1) = 1
    close(11) = 0
    time(NULL) = 1347475204
    socket(PF_FILE, SOCK_DGRAM|SOCK_CLOEXEC, 0) = 11
    connect(11, {sa_family=AF_FILE, sun_path="/dev/log"}, 110) = -1 EPROTOTYPE (Protocol wrong type for socket)
    close(11) = 0
    socket(PF_FILE, SOCK_STREAM|SOCK_CLOEXEC, 0) = 11
    connect(11, {sa_family=AF_FILE, sun_path="/dev/log"}, 110) = 0
    send(11, "<83>Sep 12 20:40:04 pam-abl[18572]: Operation not permitted (1) while opening the database environment\0", 103, MSG_NOSIGNAL) = 103
    close(11) = 0
    time(NULL) = 1347475204
    socket(PF_FILE, SOCK_DGRAM|SOCK_CLOEXEC, 0) = 11
    connect(11, {sa_family=AF_FILE, sun_path="/dev/log"}, 110) = -1 EPROTOTYPE (Protocol wrong type for socket)
    close(11) = 0
    socket(PF_FILE, SOCK_STREAM|SOCK_CLOEXEC, 0) = 11
    connect(11, {sa_family=AF_FILE, sun_path="/dev/log"}, 110) = 0
    send(11, "<83>Sep 12 20:40:04 pam-abl[18572]: Operation not permitted (1) while Creating database environment.\0", 101, MSG_NOSIGNAL) = 101
    close(11) = 0
    time(NULL) = 1347475204
    socket(PF_FILE, SOCK_DGRAM|SOCK_CLOEXEC, 0) = 11
    connect(11, {sa_family=AF_FILE, sun_path="/dev/log"}, 110) = -1 EPROTOTYPE (Protocol wrong type for socket)
    close(11) = 0
    socket(PF_FILE, SOCK_STREAM|SOCK_CLOEXEC, 0) = 11
    connect(11, {sa_family=AF_FILE, sun_path="/dev/log"}, 110) = 0
    send(11, "<84>Sep 12 20:40:04 pam-abl[18572]: The database environment could not be opened\0", 81, MSG_NOSIGNAL) = 81
    close(11) = 0

     
  • Petr Písař
    2012-09-12

    And indeed the DB warning looks like a bug in DB. There <https://forums.oracle.com/forums/thread.jspa?threadID=616763> is a 4-year-old thread with Oracle support, and the DB-11g2 changelog mentions a similar bug (#18535) as resolved.

     
  • Petr Písař
    2012-09-12

    To provide a complete diagnosis, I can confirm my issue #2936696 from 0.4.1 now behaves like described in this initial comment. That means even if the pam_abl tool reports the host is blocked, the first attempt in a session fails properly, but the second and third ones pass and I am able to log in with the correct password.

     
  • Ok,
    I think I have a clear view on the problem now, and have some ideas on how to fix it. Just don't know yet if they are feasible.

    To solve your problem in the meanwhile, I have a workaround:
    If you set "MaxAuthTries" in your sshd_config to 1, you limit the number of attempts per connection to 1. This should solve the problem.

    Following text is a more technical description of the problem:
    When an application (sshd for example) wants to authenticate a user, it opens a pam_handle and calls authenticate. If pam_abl is needed, we are loaded into memory and we are asked to authenticate the user. In that case we open our db environment and check if the user/host is blocked or not. When authentication finishes, we are asked to cleanup, at which point we look at the authentication result and log it into the db if needed.
    Apparently sshd uses the same pam_handle between the attempts, in which case we are asked multiple times to authenticate a user, resulting in us trying to open the same db environment multiple times (that's when you see the "The database environment could not be opened" message). Because cleanup is only called when all the attempts have been tried, we only log one failure instead of three.
    I hope this little text explains what goes wrong.

     
  • danta
    2012-11-12

    Sorry for the long pause. The fix has made it to the git repository, don't know yet when I'm going to release it.

    It took so long because the fix brought up another minor problem that isn't that easily fixed.
    An auth failure is now logged when the pam auth code ends or when a next attempt is evaluated.
    So in the worst case scenario a hacker could open multiple connections, auth once on each one of them and keep the connection open, resulting in no failures logged. Not really practical though, because sshd and other daemons usually limit the number of unauthenticated connections from a host, but it's still something I would like to see fixed.
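The two comments above (the technical description of the problem and the note on the fix) can be reduced to a small model of when a failure gets written. The code below is an added example, not pam-abl's own code: it stands in for the pam_handle with a plain struct, for pam_sm_authenticate with an `authenticate` function, and for the module's cleanup callback with a `cleanup` function, and it only models the failure counting, not the database environment itself. It shows the old behaviour (one failure per connection, whatever the number of attempts), the fixed behaviour (the previous attempt is flushed when the next one is evaluated, the last one at cleanup), and the residual gap described in the last comment (a connection kept open never reaches cleanup).

```c
#include <stdio.h>

/* Added model of failure recording when sshd reuses one pam_handle for
 * several authentication attempts. Not pam-abl code. */

enum auth_result { AUTH_NONE = 0, AUTH_SUCCESS, AUTH_FAILURE };

/* Stand-in for the pam_handle plus the data the module keeps on it. */
struct handle_state {
    int db_failures;          /* failures written to the (simulated) database */
    enum auth_result pending; /* result of the latest attempt, not yet written */
};

static void record_if_failure(struct handle_state *h)
{
    if (h->pending == AUTH_FAILURE)
        h->db_failures++;
    h->pending = AUTH_NONE;
}

/* Before the fix: authenticate only notes the result; the cleanup callback,
 * run once when the handle is ended, writes whatever result is pending.
 * Earlier attempts on the same handle are simply overwritten. */
void old_authenticate(struct handle_state *h, enum auth_result r) { h->pending = r; }
void old_cleanup(struct handle_state *h) { record_if_failure(h); }

/* After the fix as described in the thread: a pending failure is written
 * when the next attempt is evaluated, and the last one at cleanup. */
void fixed_authenticate(struct handle_state *h, enum auth_result r)
{
    record_if_failure(h); /* flush the previous attempt first */
    h->pending = r;
}
void fixed_cleanup(struct handle_state *h) { record_if_failure(h); }

/* Three wrong passwords on one connection, then the connection ends. */
int old_failures_three_wrong(void)
{
    struct handle_state h = {0, AUTH_NONE};
    for (int i = 0; i < 3; i++)
        old_authenticate(&h, AUTH_FAILURE);
    old_cleanup(&h);
    return h.db_failures; /* 1 */
}

int fixed_failures_three_wrong(void)
{
    struct handle_state h = {0, AUTH_NONE};
    for (int i = 0; i < 3; i++)
        fixed_authenticate(&h, AUTH_FAILURE);
    fixed_cleanup(&h);
    return h.db_failures; /* 3 */
}

/* Two wrong passwords, then the right one: the old code sees only the
 * final success at cleanup and records nothing at all. */
int old_failures_two_wrong_then_right(void)
{
    struct handle_state h = {0, AUTH_NONE};
    old_authenticate(&h, AUTH_FAILURE);
    old_authenticate(&h, AUTH_FAILURE);
    old_authenticate(&h, AUTH_SUCCESS);
    old_cleanup(&h);
    return h.db_failures; /* 0 */
}

int fixed_failures_two_wrong_then_right(void)
{
    struct handle_state h = {0, AUTH_NONE};
    fixed_authenticate(&h, AUTH_FAILURE);
    fixed_authenticate(&h, AUTH_FAILURE);
    fixed_authenticate(&h, AUTH_SUCCESS);
    fixed_cleanup(&h);
    return h.db_failures; /* 2 */
}

/* The residual gap from the last comment: one wrong password, then the
 * connection is kept open, so cleanup never runs. */
int fixed_failures_connection_kept_open(void)
{
    struct handle_state h = {0, AUTH_NONE};
    fixed_authenticate(&h, AUTH_FAILURE);
    return h.db_failures; /* 0 until the connection ends */
}

int main(void)
{
    printf("old, 3 wrong:            %d\n", old_failures_three_wrong());
    printf("fixed, 3 wrong:          %d\n", fixed_failures_three_wrong());
    printf("old, 2 wrong + right:    %d\n", old_failures_two_wrong_then_right());
    printf("fixed, 2 wrong + right:  %d\n", fixed_failures_two_wrong_then_right());
    printf("fixed, connection open:  %d\n", fixed_failures_connection_kept_open());
    return 0;
}
```

The last case is why the `MaxAuthTries 1` workaround mentioned earlier in the thread is still useful alongside the fix: with one attempt per connection, every attempt ends the handle, so cleanup runs and the failure is written regardless of how the client behaves.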

     
  • danta
    2012-11-12

    • status: open --> pending-fixed