
#9872 closed defect (worksforme)

PAM authentication failure

Reported by: redsox38
Owned by: dkocher
Priority: normal
Milestone: 5.4.1
Component: irods
Version: 5.4
Severity: major
Keywords: irods pam
Cc:
Architecture: Intel
Platform: macOS 10.12

Description

Cyberduck can no longer connect to iRODS backends that use PAM for authentication. Last known working version was 5.2.2. The issue appears to be that the "pam:" string that was prefixed to the user name in previous versions is now passed through to the backend as part of the user name rather than being stripped off and used to request pam authentication from the backend.

Change History (11)

comment:1 Changed 16 months ago by dkocher

  • Milestone set to 5.3.10
  • Owner set to dkocher
  • Status changed from new to assigned

comment:2 Changed 16 months ago by dkocher

  • Summary changed from irods pam support broken in 5.3.9 to PAM authentication failure

comment:3 Changed 16 months ago by dkocher

Can you make sure you use an uppercase PAM: prefix.

comment:4 Changed 16 months ago by redsox38

Confirmed, even with "PAM:" as the prefix I get "Error code received from iRODS:-319000." in the client and the server logs

Mar  7 14:36:06 pid:53043 NOTICE: Agent process 158616 started for puser=PAM:tmerritt and cuser=PAM:tmerritt from XXX.XXX.XXX.XXX
Mar  7 14:36:07 pid:158616 NOTICE: rsAuthCheck: chlCheckAuth status = -319000
Mar  7 14:36:07 pid:158616 ERROR: [-]	iRODS/server/api/src/rsAuthResponse.cpp:74:rsAuthResponse :  status [USER_INVALID_USERNAME_FORMAT]  errno [] -- message []
	[-]	libnative.cpp:394:native_auth_agent_response :  status [USER_INVALID_USERNAME_FORMAT]  errno [] -- message [rcAuthCheck failed.]

Mar  7 14:36:11 pid:53043 ERROR: readWorkerTask - readStartupPack failed. -4000
Mar  7 14:36:11 pid:53043 ERROR: readWorkerTask - readStartupPack failed. -4000
Mar  7 14:36:11 pid:158616 ERROR: [-]	iRODS/server/core/src/rsApiHandler.cpp:520:readAndProcClientMsg :  status [SYS_HEADER_READ_LEN_ERR]  errno [] -- message []
	[-]	iRODS/lib/core/src/sockComm.cpp:199:readMsgHeader :  status [SYS_HEADER_READ_LEN_ERR]  errno [] -- message [failed to call 'read header']
		[-]	libtcp.cpp:197:tcp_read_msg_header :  status [SYS_HEADER_READ_LEN_ERR]  errno [] -- message [only read [0] of [4]]

Last edited 16 months ago by dkocher

comment:5 Changed 16 months ago by dkocher

  • Milestone changed from 5.3.10 to 5.4

Milestone renamed

comment:6 Changed 16 months ago by dkocher

Duplicate in #9826.

comment:7 Changed 16 months ago by dkocher

  • Resolution set to fixed
  • Status changed from assigned to closed

In r38419.

comment:9 Changed 16 months ago by dkocher

Documentation for the new Authorization property in the connection profile for Cyberduck is in https://trac.cyberduck.io/wiki/help/en/howto/irods#AuthenticationwithPAMscheme

comment:10 Changed 16 months ago by redsox38

  • Resolution fixed deleted
  • Status changed from closed to reopened
  • Version changed from 5.3.9 to 5.4

After upgrading to 5.4.0 it still fails for me. With version 5.3.9, the failed logins looked like

Mar  7 14:36:06 pid:53043 NOTICE: Agent process 158616 started for puser=PAM:tmerritt and cuser=PAM:tmerritt from xxx.xxx.xxx.xxx

after upgrading to 5.4.0 they look like

Mar 13 12:54:44 pid:53043 NOTICE: Agent process 28133 started for puser=PAM:tmerritt and cuser=tmerritt from xxx.xxx.xxx.xxx

but I still get an error authenticating:

Mar 13 13:03:31 pid:28298 ERROR: [-]	iRODS/server/api/src/rsAuthPluginRequest.cpp:85:rsAuthPluginRequest :  status [PAM_AUTH_PASSWORD_FAILED]  errno [] -- message []
	[-]	libpam.cpp:421:pam_auth_agent_request :  status [PAM_AUTH_PASSWORD_FAILED]  errno [] -- message [pam auth check failed]

Mar 13 13:03:31 pid:28298 ERROR: [-]	iRODS/server/core/src/rsApiHandler.cpp:520:readAndProcClientMsg :  status [SYS_HEADER_READ_LEN_ERR]  errno [] -- message []
	[-]	iRODS/lib/core/src/sockComm.cpp:199:readMsgHeader :  status [SYS_HEADER_READ_LEN_ERR]  errno [] -- message [failed to call 'read header']
		[-]	libssl.cpp:577:ssl_read_msg_header :  status [SYS_HEADER_READ_LEN_ERR]  errno [] -- message [read 0 expected 4]

FWIW, I can authenticate using the iRODS cloud browser using pam and those login records look like

Mar 13 12:57:04 pid:53043 NOTICE: Agent process 28208 started for puser=tmerritt and cuser=tmerritt from xxx.xxx.xxx.xxx

Thanks

Last edited 16 months ago by dkocher

comment:11 Changed 15 months ago by dkocher

  • Milestone changed from 5.4 to 5.4.1
  • Resolution set to worksforme
  • Status changed from reopened to closed

Please use the new property Authorization in the profile to select PAM for authentication. Refer to https://trac.cyberduck.io/wiki/help/en/howto/irods#AuthenticationwithPAMscheme
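
Added example, not part of the ticket and not Cyberduck or iRODS code: a Python script that reads iRODS server log lines in the format quoted above and reports, per agent process, which of puser/cuser still carry the "PAM:" prefix and which error status that agent logged. The sample lines are constructed for illustration; the user name, pids and address are made up.

```python
import re
from collections import defaultdict

# Constructed sample lines modelled on the server log excerpts in this ticket
# (user name "alice", the pids and the address are made up).
SAMPLE_LOG = """\
Mar  7 14:36:06 pid:100 NOTICE: Agent process 201 started for puser=PAM:alice and cuser=PAM:alice from 192.0.2.10
Mar  7 14:36:07 pid:201 NOTICE: rsAuthCheck: chlCheckAuth status = -319000
Mar  7 14:36:07 pid:201 ERROR: [-]\tiRODS/server/api/src/rsAuthResponse.cpp:74:rsAuthResponse :  status [USER_INVALID_USERNAME_FORMAT]  errno [] -- message []
Mar 13 12:54:44 pid:100 NOTICE: Agent process 202 started for puser=PAM:alice and cuser=alice from 192.0.2.10
Mar 13 12:54:45 pid:202 ERROR: [-]\tiRODS/server/api/src/rsAuthPluginRequest.cpp:85:rsAuthPluginRequest :  status [PAM_AUTH_PASSWORD_FAILED]  errno [] -- message []
Mar 13 12:57:04 pid:100 NOTICE: Agent process 203 started for puser=alice and cuser=alice from 192.0.2.10
"""

AGENT_RE = re.compile(
    r"Agent process (\d+) started for puser=(\S+) and cuser=(\S+) from (\S+)")
STATUS_RE = re.compile(r"pid:(\d+) ERROR: .*?status \[([A-Z_]+)\]")
PREFIX_RE = re.compile(r"^pam:", re.IGNORECASE)  # "pam:" or "PAM:" left in a name


def analyze(log_text):
    """Return one record per agent process: which name fields still carry the
    scheme prefix, plus the error statuses logged under that agent's pid."""
    agents, errors = {}, defaultdict(list)
    for line in log_text.splitlines():
        m = AGENT_RE.search(line)
        if m:
            pid, puser, cuser, _addr = m.groups()
            fields = (("puser", puser), ("cuser", cuser))
            agents[pid] = {
                "puser": puser,
                "cuser": cuser,
                "prefixed": [f for f, v in fields if PREFIX_RE.match(v)],
            }
            continue
        m = STATUS_RE.search(line)  # indented continuation lines have no pid
        if m and m.group(2) not in errors[m.group(1)]:
            errors[m.group(1)].append(m.group(2))
    return [dict(agent_pid=pid, errors=errors.get(pid, []), **rec)
            for pid, rec in agents.items()]


if __name__ == "__main__":
    for rec in analyze(SAMPLE_LOG):
        print(rec)
```

Agent pids are reused over time, so on a long log the records should be split by time window before correlating.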
