Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

PAM authentication failure #9872

Closed
cyberduck opened this issue Mar 7, 2017 · 9 comments
Closed

PAM authentication failure #9872

cyberduck opened this issue Mar 7, 2017 · 9 comments
Assignees
@dkocher
Labels
bug irods IRODS Protocol Implementation worksforme
Milestone
5.4.1

Comments

@cyberduck
Copy link
Collaborator

fc48795 created the issue

cyberduck can no longer connect ot iRODS backends that use PAM for authentication. Last known working version was 5.2.2. The issue appears to be that the "pam:" string that was prefixed to the user name in previous versions is now passed through to the backend as part of the user name rather than being stripped off and used to request pam authentication from the backend.
@cyberduck
Copy link
Collaborator Author

@dkocher commented

Can you make sure you use an uppercase PAM: prefix.

@cyberduck
Copy link
Collaborator Author

fc48795 commented

Confirmed, even with "PAM:" as the prefix I get "Error code received from iRODS:-319000." in the client and the server logs

Mar  7 14:36:06 pid:53043 NOTICE: Agent process 158616 started for puser=PAM:tmerritt and cuser=PAM:tmerritt from XXX.XXX.XXX.XXX
Mar  7 14:36:07 pid:158616 NOTICE: rsAuthCheck: chlCheckAuth status = -319000
Mar  7 14:36:07 pid:158616 ERROR: [-]	iRODS/server/api/src/rsAuthResponse.cpp:74:rsAuthResponse :  status [USER_INVALID_USERNAME_FORMAT]  errno [] -- message []
	[-]	libnative.cpp:394:native_auth_agent_response :  status [USER_INVALID_USERNAME_FORMAT]  errno [] -- message [rcAuthCheck failed.]

Mar  7 14:36:11 pid:53043 ERROR: readWorkerTask - readStartupPack failed. -4000
Mar  7 14:36:11 pid:53043 ERROR: readWorkerTask - readStartupPack failed. -4000
Mar  7 14:36:11 pid:158616 ERROR: [-]	iRODS/server/core/src/rsApiHandler.cpp:520:readAndProcClientMsg :  status [SYS_HEADER_READ_LEN_ERR]  errno [] -- message []
	[-]	iRODS/lib/core/src/sockComm.cpp:199:readMsgHeader :  status [SYS_HEADER_READ_LEN_ERR]  errno [] -- message [failed to call 'read header']
		[-]	libtcp.cpp:197:tcp_read_msg_header :  status [SYS_HEADER_READ_LEN_ERR]  errno [] -- message [only read [0] of [4]]

@cyberduck
Copy link
Collaborator Author

@dkocher commented

Milestone renamed

@cyberduck
Copy link
Collaborator Author

@dkocher commented

Duplicate in #9826.

@cyberduck
Copy link
Collaborator Author

@dkocher commented

In 902d920.

@cyberduck
Copy link
Collaborator Author

@dkocher commented

Confirmation of fix in DICE-UNC/jargon#224

@cyberduck
Copy link
Collaborator Author

@dkocher commented

Documentation for the new Authorization property in the connection profile for Cyberduck is in https://trac.cyberduck.io/wiki/help/en/howto/irods#AuthenticationwithPAMscheme

@cyberduck
Copy link
Collaborator Author

fc48795 commented

After upgrading to 5.4.0 it still fails for me. With version 5.3.9, the failed logins looked like

Mar  7 14:36:06 pid:53043 NOTICE: Agent process 158616 started for puser=PAM:tmerritt and cuser=PAM:tmerritt from xxx.xxx.xxx.xxx

after upgrading to 5.4.0 they look like

Mar 13 12:54:44 pid:53043 NOTICE: Agent process 28133 started for puser=PAM:tmerritt and cuser=tmerritt from xxx.xxx.xxx.xxx

but I still get an error authenticating:

Mar 13 13:03:31 pid:28298 ERROR: [-]	iRODS/server/api/src/rsAuthPluginRequest.cpp:85:rsAuthPluginRequest :  status [PAM_AUTH_PASSWORD_FAILED]  errno [] -- message []
	[-]	libpam.cpp:421:pam_auth_agent_request :  status [PAM_AUTH_PASSWORD_FAILED]  errno [] -- message [pam auth check failed]

Mar 13 13:03:31 pid:28298 ERROR: [-]	iRODS/server/core/src/rsApiHandler.cpp:520:readAndProcClientMsg :  status [SYS_HEADER_READ_LEN_ERR]  errno [] -- message []
	[-]	iRODS/lib/core/src/sockComm.cpp:199:readMsgHeader :  status [SYS_HEADER_READ_LEN_ERR]  errno [] -- message [failed to call 'read header']
		[-]	libssl.cpp:577:ssl_read_msg_header :  status [SYS_HEADER_READ_LEN_ERR]  errno [] -- message [read 0 expected 4]

FWIW, I can authenticate using the iRODs cloud browser using pam and those login records look like

Mar 13 12:57:04 pid:53043 NOTICE: Agent process 28208 started for puser=tmerritt and cuser=tmerritt from xxx.xxx.xxx.xxx

Thanks

@cyberduck
Copy link
Collaborator Author

@dkocher commented

Please use the new property Authorization in the profile to select PAM for authentication. Refer to https://trac.cyberduck.io/wiki/help/en/howto/irods#AuthenticationwithPAMscheme

@iterate-ch iterate-ch locked as resolved and limited conversation to collaborators Nov 26, 2021
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees

@dkocher dkocher

Labels
bug irods IRODS Protocol Implementation worksforme
Projects
None yet
Milestone
5.4.1
Development

No branches or pull requests
2 participants
@dkocher @cyberduck