java application hangs

[lou.de...@gmail.com]

I have a simple java application like so:

String userid = args[0];

String password = args[1];

UnixUser u = new PAM("sshd").authenticate(userid, password);

info(Result.success, "groups = "+u.getGroups().toString());

Runs fine on Red Hat 7.1 and Ubuntu 14.04 both with jdk 1.7:

[degenaro@myhost admin]$ ./pam_test

User: degenaro

Password:

failure pam_authenticate failed : Authentication failure

This is the expected result and was achieved using jna-4.0.0.jar.

Replacing 4.0.0 with 4.2.2 or 4.3.0 results in the same result (good!) but the jvm hangs (no so good) and in fact not even a ctl-C is effective.  Have to open another terminal and kill -9 the hung process.

What might I be doing wrong?

Thanks.

Lou.

[Matthias Bläsing]

Hey,

Am Mittwoch, 8. Februar 2017 15:47:39 UTC+1 schrieb lou.de...@gmail.com:

I have a simple java application like so:

String userid = args[0];

String password = args[1];

UnixUser u = new PAM("sshd").authenticate(userid, password);

info(Result.success, "groups = "+u.getGroups().toString());

Replacing 4.0.0 with 4.2.2 or 4.3.0 results in the same result (good!) but the jvm hangs (no so good) and in fact not even a ctl-C is effective.  Have to open another terminal and kill -9 the hung process.

What might I be doing wrong?

You did not specify wich pam4j version you are using. The HEAD revision had a GC problem and that might nuke your process.

This is a fixed version:

https://github.com/vinseon/libpam4j

I ran that on ubuntu with openjdk8 and and JNA 4.3.0 and that works .

HTH

Matthias

[lou.de...@gmail.com]

Using libpam4j-1.7.jar, is that bad?

Thanks.

Lou.

[Matthias Bläsing]

Hey,

Am Mittwoch, 8. Februar 2017 20:39:43 UTC+1 schrieb lou.de...@gmail.com:

Using libpam4j-1.7.jar, is that bad?

Yes - that version:

- uses getpwnam, which is not threadsave and
- does not properly protext the PamCallback from premature GC

as far as I know no released version holds the fixes. I suggest to build from the referenced repository and/or apply the patches:

https://github.com/matthiasblaesing/libpam4j/commit/d16d97fc317b5901eb10d0a6084049260a85a37d
https://github.com/matthiasblaesing/libpam4j/commit/afcc12286a2ce0aebb1c5a91293c0fe4ee28a0d3

yourself and build that.

Greetings

Matthias

[lou.de...@gmail.com]

I was very hopeful, but in the end there is no improvement.  I fetched the source code to libpam4j and built the jar file:

[degenaro@myhost admin]$ ls ../lib/libpam4j/
libpam4j-1.9-SNAPSHOT.jar

I tried using:

[degenaro@myhost admin]$ ls ../lib/jna/
jna-4.0.0.jar

Still works as before as expected, no hang:

[degenaro@myhost admin]$ ./pam_test2

User: degenaro
Password:
failure pam_authenticate failed : Authentication failure

I tried using:

[degenaro@myhost admin]$ ls ../lib/jna/
jna-4.3.0.jar

Yields same result but hangs, just like with jna-4.2.2.jar.  ctl-C does not work.  Have to kill -9 the jvm.

Lou.

[lou.de...@gmail.com]

Just to clarify, using jna-4.0.0.jar always works while using either jna-4.2.2.jar or jna-4.3.0.jar always hangs, regardless of which libpam4j.jar is used.

Is there some tracing I can turn on for debug?

Lou.

[Matthias Bläsing]

Hey,

Am Donnerstag, 9. Februar 2017 22:06:11 UTC+1 schrieb lou.de...@gmail.com:

I was very hopeful, but in the end there is no improvement.  I fetched the source code to libpam4j and built the jar file:

which repository did you use for the build?

Can you point me to your full code? I trimmed your sample to the minimum and your code can't be the complete code.

You can try to use strace to see if something sensible can be seen when it hangs.

Greetings

Matthias

[lou.de...@gmail.com]

I went here:  https://github.com/matthiasblaesing/libpam4j

and used svn co according to the green button "clone or download" button: https://github.com/matthiasblaesing/libpam4j.git

The "pamTest" code employing these jars is actually part of Apache UIMA DUCC downloadable from here: http://uima.apache.org/downloads.cgi#Latest%20Official%20Releases

PamTest
package org.apache.uima.ducc.ws.authentication;
public class PamTest {
    public static void main(String[] args) {
        PamAuthenticate instance = new PamAuthenticate();
        instance.launch(args, true);
    }
}

PamAuthenticate
package org.apache.uima.ducc.ws.authentication;
import org.jvnet.libpam.PAM;
import org.jvnet.libpam.UnixUser;
public class PamAuthenticate {
    private enum Result { success, failure };
        private void info(Result result, String text) {
        System.out.println(result.name()+" "+text);
    }
    /*
     * See UserAuthentciate.
     */
    protected void launch(String[] args, boolean verbose) {
        try {
            if(args == null) {
                info(Result.failure, "args==null");
            }
            else if(args.length != 2) {
                info(Result.failure, "args.length!=2");
            }
            else if(args[0] == null) {
                info(Result.failure, "args[0]==null");
            }
            else if(args[1] == null) {
                info(Result.failure, "args[1]==null");
            }
            else {

                String userid = args[0];
                String password = args[1];
                UnixUser u = new PAM("sshd").authenticate(userid, password);
                info(Result.success, "groups = "+u.getGroups().toString());
            }
        }

        catch(Throwable t) {
            info(Result.failure,t.getMessage());
            if(verbose) {
                t.printStackTrace();
            }
        }
    }
    public static void main(String[] args) {
        PamAuthenticate instance = new PamAuthenticate();
        instance.launch(args, false);
    }
}

Lou.

[Matthias Bläsing]

 Hey,

sorry I still can't reproduce. I pushed now a complete sample to github:

https://github.com/matthiasblaesing/pam4jtest.git

You can build a standalone jar by checking the code above out and running "mvn package".

A prebuild jar can be found here:

http://doppel-helix.eu/pamtest-jar-with-dependencies.jar

Usage:

java -jar pamtest-jar-with-dependencies.jar <enable_memory_protection>

Without memory protection enabled: java -jar pamtest-jar-with-dependencies.jar
With memory protection enabled: java -jar pamtest-jar-with-dependencies.jar true

Observations:

Without memory protection the test runs correctly, if auth succeeds and if not. With protectection enabled I get an Invalid memory access Error.

Sample run (successful authentication):

matthias@athena:~/src/pamtest/target$ java -jar pamtest-jar-with-dependencies.jar                                              
Protection enabled: false
UserId: matthias
Password:
Shell:  /bin/bash
Groups: [plugdev, matthias, dip, adm, cdrom, vboxusers, lpadmin, wireshark, libvirtd, bluetooth, dialout, sudo, sambashare]
matthias@athena:~/src/pamtest/target$

Sampel run (unsuccressful authentication):

matthias@athena:~/src/pamtest/target$ java -jar pamtest-jar-with-dependencies.jar
Protection enabled: false
UserId: matthias
Password:
Exception in thread "main" org.jvnet.libpam.PAMException: pam_authenticate failed : Legitimierungsfehler
        at org.jvnet.libpam.PAM.check(PAM.java:107)
        at org.jvnet.libpam.PAM.authenticate(PAM.java:125)
        at eu.doppel_helix.dev.pamtest.Pam4JTest.main(Pam4JTest.java:17)
matthias@athena:~/src/pamtest/target$

And the final broken run:

matthias@athena:~/src/pamtest/target$ java -jar pamtest-jar-with-dependencies.jar true
Protection enabled: true
UserId: k
Password:
Exception in thread "main" java.lang.Error: Invalid memory access
matthias@athena:~/src/pamtest/target$

I don't consider the last run as problematic. The memory protection is last-resort code, that is not enabled by default (on anything non-windows). I basicly messes with the signal handlers and considering that the JDK and PAM both have valid reasons to handle them themselfes I'm not to surprised (although it is strange, that I don't see the error with the Zulu OpenJDK 7 build).

So please check the repository and see if that helps.

If not please give the output of the test runs and also the output of "java -cp pamtest-jar-with-dependencies.jar com.sun.jna.Native ".

Greetings

Matthias

[lou.de...@gmail.com]

[degenaro@myhost ~]$ java -jar pamtest-jar-with-dependencies.jar
Protection enabled: false
UserId: degenaro
Password:
Exception in thread "main" org.jvnet.libpam.PAMException: pam_authenticate failed : Authentication failure

    at org.jvnet.libpam.PAM.check(PAM.java:107)
    at org.jvnet.libpam.PAM.authenticate(PAM.java:125)
    at eu.doppel_helix.dev.pamtest.Pam4JTest.main(Pam4JTest.java:17)

Gave invalid PW.  Hangs after printing above exception.  Cannot ctl-C to get out.

Lou.

[lou.de...@gmail.com]

Also hangs if good PW is specified:

[degenaro@myhost ~]$ java -jar pamtest-jar-with-dependencies.jar
Protection enabled: false
UserId: degenaro
Password:

Shell:  /bin/bash
Groups: group1, users, group2]

Authentication works, but terminal is hung.  Same result (hang) if protection true is specified with either good or bad PW.

Lou.

[Matthias Bläsing]

Hey,

Am Mittwoch, 15. Februar 2017 22:48:02 UTC+1 schrieb lou.de...@gmail.com:

Also hangs if good PW is specified:

Authentication works, but terminal is hung.  Same result (hang) if protection true is specified with either good or bad PW.

Three things come to mind:

- run with the java debugger agent actived and see if you can reproduce the problem and if so if you can connect with the debugger
- test with a clean distribution (debian base system for example) to pin-point problems in distribution libraries
- test with a reduced PAM runtime (either with a clean new system or by modifying your PAM config)

HTH

Matthias

[Matthias Bläsing]

Another suggestion: Maybe your PAM modules mess with signal handlers and if they do, they will interfere with the ones used be the JRE.

https://docs.oracle.com/javase/8/docs/technotes/guides/troubleshoot/signals003.html

I checked on ubuntu and they distribute a bundled libjsig.so with the JDK.

Greetings

Matthias