
#4227 Pam_conv login fails

1.620
open
nobody
None
5
2013-06-04
2013-05-01
Oliver
No

On Ubuntu 12.04, if pam_conv is enabled users are unable to log into webmin - it rejects them with "Login failed. Please try again."
Upon looking at the logs it shows that webmin is attempting to first log in to PAM with no password (immediately when user submits username) and then when they submit the password, it attempts to log in with just the password and no username:
perl[31641]: pam_unix(webmin:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=suolirav
webmin[31648]: Non-existent login as unknown from 109.175.243.163
Oli

Discussion

  • Oliver
    2013-05-01

    • milestone: --> 1.620
     
  • Jamie Cameron
    2013-05-01

    Could you post or attach your full PAM log file (/var/log/secure or /var/log/authlog)

     
  • Oliver
    2013-05-05

    Here is the log file showing all the events after webmin restart, when pam_conv was enabled via the webmin config page
    ##############################################################################################
    May 5 16:10:25 olirav perl: pam_unix(webmin:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=root
    May 5 16:10:27 olirav webmin[26329]: Webmin starting
    May 5 16:10:32 olirav webmin[26416]: Logout by WEBMINUSER from 109.175.243.163
    May 5 16:10:37 olirav perl[26422]: pam_unix(webmin:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=WEBMINUSER
    May 5 16:10:40 olirav webmin[26423]: Non-existent login as unknown from 109.175.243.163
    ##############################################################################################

    Weirdly the first time I tried this a different result occurred (I am guessing correct one) and I managed to log in.
    The sequence that triggered this was :
    Enable pam_conv via webmin options
    After restart logout
    Immediately try logging in (Starting from session_login.cgi?logout=1)
    #########################################################################################
    May 5 15:49:20 olirav perl[25925]: pam_unix(webmin:session): session opened for user WEBMINUSER by (uid=0)
    May 5 15:49:20 olirav perl[25925]: pam_ck_connector(webmin:session): cannot determine display-device
    May 5 15:49:20 olirav webmin[25926]: Successful login as WEBMINUSER from 109.175.243.163
    #########################################################################################
    However even by repeating this exact sequence I have not been able to replicate this again.

     
  • Jamie Cameron
    2013-05-06

    Ok .. and I assume by having pam_conv enabled, you mean that in /etc/webmin/miniserv.conf you have the line pam_conv=1 ?

     
  • Oliver
    2013-05-09

    Yep have pam_conv=1 (When testing) and the webmin user is set up to use unix auth as the password. Log extract below shows that webmin is using pam when pam_conv is disabled

    May 9 14:34:18 olirav perl[6490]: pam_unix(webmin:session): session opened for user WEBMIN_USER by (uid=0)
    May 9 14:34:18 olirav webmin[6490]: Successful login as suwebolirav from 127.0.0.1

     
  • Jamie Cameron
    2013-05-09

    I'm having trouble re-producing this problem. Have you made any changes to the default PAM configuration?

     
  • Oliver
    2013-05-10

    I have made alterations in the past so it is possible, however looking at the moment I don't believe I have made any changes that could affect this.
    Basically I have been attempting to activate 2 factor auth on webmin, but I had difficulty, with it rejecting my password - so I tried without the 2 factor enabled and still had the same issues. My webmin PAM file looks like it has always looked:
    #%PAM-1.0
    @include common-auth
    @include common-account
    @include common-password
    @include common-session

    One thing I have thought of that could be an issue in replicating this, is that it is not a clean install of 13.04 (Have updated last weekend - made no difference) and that as such the pam files will mostly have been kept from old versions (Either v10 or v11 I am unsure) so I am planning to get a recent copy of ubuntu to see if these files have been dragged through from the past. I will get back over the weekend once I have set up a VM to test this in.

     
  • Jamie Cameron
    2013-05-11

    Ok, I would be interested to know if a fresh install has this same problem.

     
  • Oliver
    2013-05-13

    Right basically I have installed a copy of ubuntu server 13.04 into a virtual machine, and installed webmin 1.620 via apt repo.

    First I compared the relevant pam files. The only differences were; on my server I didn't have any
    session optional pam_ecryptfs.so unwrap - Think this should be irrelevant as I don't use encrypted user home dirs
    session optional pam_ck_connector.so nox11 - Looked interesting
    #################################################
    Anyway now I had a go at replicating the issue, and managed to - these are the exact steps I used.

    Connect to the webmin server & login using a sudoer
    Create new webmin user with same name as unix user (I was currently logged in as olirav - created with ubuntu install (sudoer))
    password=unix auth
    granting all permissions for webmin modules
    Untick "Users who can run all commands via sudo to login as root"
    Enable "Support full PAM conversations"
    Save - server restarts
    Logout
    Login as unix user & pass = Login successful
    Now logout again, go to the root url and try logging in and you should be unable to
    If webmin is restarted it seems possible to complete one successful login, after that it will reject you at either the username or password stage

    ########################################################
    ## Webmin Config diff results (From clean install dir)

    diff /etc/webmin/config /etc/webminclean/config
    20,22d19
    < webprefix=
    < noremember=
    < realname=
    diff /etc/webmin/miniserv.conf /etc/webminclean/miniserv.conf
    35,45c35
    < sudo=
    < pamany=
    < unixauth=
    < pam_end=
    < pam_conv=1
    < blockuser_time=
    < blocklock=
    < blockuser_failures=
    < no_pam=0
    < logouttime=
    < utmp=
    ---
    > sudo=1
    diff /etc/webmin/miniserv.users /etc/webminclean/miniserv.users
    2d1
    < olirav:x:0::::::::
    diff /etc/webmin/webmin.acl /etc/webminclean/webmin.acl
    2d1
    < olirav: {List of modules}

     
  • Jamie Cameron
    2013-05-13

    What if you just enable "Support full PAM conversations" without creating the additional user?

     
  • Oliver
    2013-06-04

    Sorry have been a little busy for the last month or so.
    Anyway I have tried on the virtual machine and I seem to encounter the same issue without altering any of the user settings -> only changing the pam_conv setting from a fresh install (1.630)
    Oli
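
The log signature reported in this thread (a pam_unix auth failure for a named user, followed seconds later by a Webmin login recorded as "unknown") can be picked out of an auth log mechanically. The script below is an added example, not part of the original ticket or of Webmin; the function name, the 30-second window and the default year are assumptions, and the sample lines are the ones posted above, put in chronological order.

```python
import re
from datetime import datetime

# Syslog lines copied from the report above, in chronological order.
SAMPLE_LOG = """\
May 5 15:49:20 olirav perl[25925]: pam_unix(webmin:session): session opened for user WEBMINUSER by (uid=0)
May 5 15:49:20 olirav webmin[25926]: Successful login as WEBMINUSER from 109.175.243.163
May 5 16:10:25 olirav perl: pam_unix(webmin:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=root
May 5 16:10:27 olirav webmin[26329]: Webmin starting
May 5 16:10:32 olirav webmin[26416]: Logout by WEBMINUSER from 109.175.243.163
May 5 16:10:37 olirav perl[26422]: pam_unix(webmin:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=WEBMINUSER
May 5 16:10:40 olirav webmin[26423]: Non-existent login as unknown from 109.175.243.163
"""

LINE = re.compile(r"^(\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+\S+\s+(.*)$")
PAM_FAIL = re.compile(r"pam_unix\(webmin:auth\): authentication failure;.*\buser=(\S+)")
UNKNOWN = re.compile(r"webmin\[\d+\]: Non-existent login as unknown from (\S+)")


def find_lost_username_logins(log_text, window=30, year=2013):
    """Return (pam_user, remote_ip, gap_seconds) for each PAM auth failure
    followed within `window` seconds by a login recorded as 'unknown'."""
    findings = []
    last_fail = None  # (timestamp, user) of the most recent PAM auth failure
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        # Syslog omits the year, so supply one (assumed) to build a datetime.
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        msg = m.group(2)
        fail = PAM_FAIL.search(msg)
        if fail:
            last_fail = (ts, fail.group(1))
            continue
        unknown = UNKNOWN.search(msg)
        if unknown and last_fail:
            gap = (ts - last_fail[0]).total_seconds()
            if 0 <= gap <= window:
                findings.append((last_fail[1], unknown.group(1), int(gap)))
            last_fail = None  # each PAM failure is paired at most once
    return findings


if __name__ == "__main__":
    for user, ip, gap in find_lost_username_logins(SAMPLE_LOG):
        print(f"PAM failure for {user}, then 'unknown' login from {ip} {gap}s later")
```
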