MAVIS and PAP Authentication


Aleksey Mochalin

Nov 17, 2020, 3:52:58 AM
to Event-Driven Servers
Dear Marc,
I have an issue with MAVIS and PAP authentication.

Here is a working config for a local tacacs user with authentication via LDAP:

  user = palo_test {
    login = mavis # LDAP
    member = group3
    pap = login # Clone login
  } 

But when I try to create the config via MAVIS I get an error.
Here are the MAVIS request and response:

0 TACPLUS
3 1447996134
4 je5
8 <password>
14 10.0.0.1
21 imzkdEsk+OUZwT4FZD0mDg=
25 10.0.0.1
27 default
49 AUTH


0 TACPLUS
3 1447996134
4 je5
6 ACK
8 <password>
14 10.0.0.1
21 imzkdEsk+OUZwT4FZD0mDg=
25 10.0.0.1
27 default
47 "tacacs-pa-su"
48 { login = mavis  pap = login }
49 AUTH

Here is the log:
Nov 16 16:31:46 tacgui systemd[1]: Started LSB: Starts and stops the tac_plus server process..
Nov 16 16:31:46 tacgui tac_plus[30793]: epoll event notification mechanism is being used
Nov 16 16:31:46 tacgui tac_plus[30793]: bind to [::]:49 succeeded
Nov 16 16:31:46 tacgui tac_plus[30795]: - Version 202011081300 initialized
Nov 16 16:31:46 tacgui tac_plus[30795]: epoll event notification mechanism is being used
Nov 16 16:31:46 tacgui tac_plus[30794]: - Version 202011081300 initialized
Nov 16 16:31:46 tacgui tac_plus[30794]: epoll event notification mechanism is being used
Nov 16 16:32:12 tacgui tac_plus[30794]: 0/564eaae6: 10.0.0.1 authen: hdr->seq_no: 1
Nov 16 16:32:12 tacgui tac_plus[30794]: 0/564eaae6: 10.0.0.1 looking for user je5 realm default
Nov 16 16:32:12 tacgui tac_plus[30794]: 0/564eaae6: 10.0.0.1 user lookup failed
Nov 16 16:32:12 tacgui tac_plus[30794]: 0/564eaae6: 10.0.0.1 Error profile for user je5 conflicts with MAVIS authentication
Nov 16 16:32:12 tacgui tac_plus[30794]: 10.0.0.1 Error profile for user je5 conflicts with MAVIS authentication
Nov 16 16:32:12 tacgui tac_plus[30794]: 0/564eaae6: 10.0.0.1 Error ('pap backend = mavis' at realm or global level or 'password pap = mavis' in the user profile may be required)
Nov 16 16:32:12 tacgui tac_plus[30794]: 10.0.0.1 Error ('pap backend = mavis' at realm or global level or 'password pap = mavis' in the user profile may be required)
Nov 16 16:32:12 tacgui tac_plus[30794]: 0/564eaae6: 10.0.0.1 looking for user je5 realm default
Nov 16 16:32:12 tacgui tac_plus[30794]: 0/564eaae6: 10.0.0.1 cfg_get: checking user/group je5, tag (NULL)
Nov 16 16:32:12 tacgui tac_plus[30794]: 0/564eaae6: 10.0.0.1 cfg_get: checking user/group tacacs-pa-su, tag (NULL)
Nov 16 16:32:12 tacgui tac_plus[30794]: 0/564eaae6: 10.0.0.1 user lookup succeded
Nov 16 16:32:12 tacgui tac_plus[30794]: 0/564eaae6: 10.0.0.1 pap login for 'je5' from 10.0.0.1 failed (denied)
Nov 16 16:32:12 tacgui tac_plus[30794]: 10.0.0.1 pap login for 'je5' from 10.0.0.1 failed (denied)

Where did I make a mistake?

Regards, Alexey

Marc Huber

Nov 17, 2020, 12:40:14 PM
to event-driv...@googlegroups.com
Hi Aleksey,

On 17.11.20 09:52, Aleksey Mochalin wrote:
> I have an issue with MAVIS and PAP authentication.

nice find, I apparently messed up the recursive lookup there. Does

diff -u -r1.385 authen.c
--- authen.c    2020/11/11 18:07:53    1.385
+++ authen.c    2020/11/17 17:33:40
@@ -621,7 +621,7 @@
     if (session->user) {
     *pwdat = session->passwdp->passwd[*pw_ix];
     if ((*pwdat)->type == S_login) {
-        *pw_ix = PW_LOGIN;
+        *pw_ix = session->passwdp->passwd[PW_LOGIN]->type;
         *pwdat = session->passwdp->passwd[*pw_ix];
     }
     if ((*pwdat)->type == S_mavis) {
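Review bot: the new line stores a password type in *pw_ix, but *pw_ix is an index into session->passwdp->passwd[] (the very next line uses it that way: "*pwdat = session->passwdp->passwd[*pw_ix];"), so the lookup now indexes the array with an enum value from a different range and will fetch a wrong or unset slot before dereferencing ->type. If the aim is to resolve "pap = login" to the login entry's type, keep "*pw_ix = PW_LOGIN;" and resolve the type on the entry that is fetched instead. A NULL check on passwd[PW_LOGIN] before ->type would also help, since the surrounding code only guards session->user.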

work any better? (I didn't even test this, but it should at least compile.)

Optionally, "pap = mavis" should give the right result, too.

Thanks,

Marc


Aleksey Mochalin

Nov 17, 2020, 3:17:37 PM
to Event-Driven Servers
Dear Marc,

Thank you. Unfortunately this change broke your code. :)

Nov 17 23:13:20 tacgui tac_plus[27241]: - Version 202011081300 initialized
Nov 17 23:13:20 tacgui tac_plus[27241]: epoll event notification mechanism is being used
Nov 17 23:13:20 tacgui tac_plus[27241]: 0/553d82c6: 10.8.0.220 authen: hdr->seq_no: 1
Nov 17 23:13:20 tacgui tac_plus[27241]: 0/553d82c6: 10.8.0.220 looking for user palo1 realm default
Nov 17 23:13:20 tacgui tac_plus[27241]: 0/553d82c6: 10.8.0.220 cfg_get: checking user/group palo1, tag (NULL)
Nov 17 23:13:20 tacgui tac_plus[27241]: 0/553d82c6: 10.8.0.220 user lookup succeded
Nov 17 23:13:20 tacgui tac_plus[27241]: Catched SIGSEGV
Nov 17 23:13:20 tacgui tac_plus[27241]: Apologies ... this shouldn't have happened. Please verify that
Nov 17 23:13:20 tacgui tac_plus[27241]: you are running the most current version, downloadable from
Nov 17 23:13:20 tacgui tac_plus[27241]:     http://www.pro-bono-publico.de/projects/
Nov 17 23:13:20 tacgui tac_plus[27241]: If the version on that site doesn't equal
Nov 17 23:13:20 tacgui tac_plus[27241]:     202011081300
Nov 17 23:13:20 tacgui tac_plus[27241]: please download, compile, install and check if you're
Nov 17 23:13:20 tacgui tac_plus[27241]: still seeing the crash. After all, this bug may be already fixed.
Nov 17 23:13:20 tacgui tac_plus[27241]: If the issue persists even with the most recent version:
Nov 17 23:13:20 tacgui tac_plus[27241]: Reconfigure with --debug, recompile and reinstall. Then send
Nov 17 23:13:20 tacgui tac_plus[27241]: a bug report to the mailing-list at
Nov 17 23:13:20 tacgui tac_plus[27241]:     event-driv...@googlegroups.com
Nov 17 23:13:20 tacgui tac_plus[27241]: and include the backtraces.
Nov 17 23:13:20 tacgui tac_plus[27241]: Please do NOT mail bug reports it to the private mail address of
Nov 17 23:13:20 tacgui tac_plus[27241]: the author, unless you have a pretty good reason for doing so.
Nov 17 23:13:20 tacgui tac_plus[27241]: Thank you.
Nov 17 23:13:20 tacgui tac_plus[27241]: EXECINFO: backtrace start
Nov 17 23:13:20 tacgui tac_plus[27241]: EXECINFO: 10 [0x55b5b36dd72a]
Nov 17 23:13:20 tacgui tac_plus[27241]: EXECINFO: 9 /lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xe7) [0x7f7c38bcdb97]
Nov 17 23:13:20 tacgui tac_plus[27241]: EXECINFO: 8 [0x55b5b36f9e34]
Nov 17 23:13:20 tacgui tac_plus[27241]: EXECINFO: 7 /usr/local/sbin/../lib/libmavis.so(io_main+0x3c) [0x7f7c3945b1e8]
Nov 17 23:13:20 tacgui tac_plus[27241]: EXECINFO: 6 /usr/local/sbin/../lib/libmavis.so(io_poll+0x1e8) [0x7f7c39457b3d]
Nov 17 23:13:20 tacgui tac_plus[27241]: EXECINFO: 5 [0x55b5b36fe4c4]
Nov 17 23:13:20 tacgui tac_plus[27241]: EXECINFO: 4 [0x55b5b36e3c65]
Nov 17 23:13:20 tacgui tac_plus[27241]: EXECINFO: 3 [0x55b5b36e24d8]
Nov 17 23:13:20 tacgui tac_plus[27241]: EXECINFO: 2 [0x55b5b36dfbfa]
Nov 17 23:13:20 tacgui tac_plus[27241]: EXECINFO: 1 /lib/x86_64-linux-gnu/libc.so.6(+0x3ef20) [0x7f7c38beaf20]
Nov 17 23:13:20 tacgui tac_plus[27241]: EXECINFO: 0 /usr/local/sbin/../lib/libmavis.so(catchsegv+0x18c) [0x7f7c3946a7d0]
Nov 17 23:13:20 tacgui tac_plus[27241]: EXECINFO: backtrace end
Nov 17 23:13:20 tacgui tac_plus[27241]: GDB: running: "(printf 'bt#012q#012';sleep 3)|gdb -n -q -p $CRASHPID 2>/dev/null"
Nov 17 23:13:20 tacgui tac_plus[27241]: GDB: backtrace start
Nov 17 23:13:23 tacgui tac_plus[27241]: GDB: backtrace end

Changed this line back and everything works as it was. :)

Regards, Alexey

Marc Huber

Nov 18, 2020, 12:29:07 PM
to event-driv...@googlegroups.com
Hi Aleksey,

On 17.11.20 21:17, Aleksey Mochalin wrote:
> Thank you. Unfortunately this change broke your code. :)

yepp. Plus, I think I misunderstood the original issue. Please try

--- mavis.c    2017/08/02 17:11:12    1.134
+++ mavis.c    2020/11/18 17:25:06
@@ -262,6 +262,8 @@
         if (strcmp(session->mavis_data->mavistype, AV_V_TACTYPE_INFO) && pp[session->mavis_data->pw_ix])
             switch (session->mavis_data->pw_ix) {
             case PW_PAP:
+            if (pp[session->mavis_data->pw_ix]->type == S_login)
+                pp[session->mavis_data->pw_ix]->type = pp[PW_LOGIN]->type;
             case PW_LOGIN:
             if (pp[session->mavis_data->pw_ix]->type != S_mavis) {
                 /* Authenticated via backend, but the profile tells otherwise */
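Review bot: the two added lines under case PW_PAP fall through into case PW_LOGIN on purpose, so mark that with a /* fall through */ comment so readers and -Wimplicit-fallthrough do not flag it. Two further points: pp[PW_LOGIN] is dereferenced without a NULL check, while the enclosing if only guarantees that pp[session->mavis_data->pw_ix] (here the PAP slot) is non-NULL; and the assignment rewrites the profile's PAP entry type in place rather than resolving it locally, so the "pap = login" alias is lost for later lookups once this path has run. Consider a local variable holding the effective type plus a check that pp[PW_LOGIN] exists.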

instead. This one should give the expected result.

Thanks,

Marc
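As an added example (not tac_plus code, and not part of the thread), here is a small C model of the lookup the two patches wrestle with: the PW_PAP slot carries type S_login ("pap = login") and must be resolved to the type of the PW_LOGIN slot before deciding whether a MAVIS backend result agrees with the profile. The struct, the helper names and the -1 failure value are constructed for this illustration; it also handles a missing or self-referential login entry, which the patch does not check.

```c
/* Constructed model of the profile lookup discussed in the thread:
 * PW_* are slot indices into the per-user password array, S_* are the
 * password types stored in each slot. Keeping the two apart is exactly
 * what the first patch got wrong. */
#include <stddef.h>
#include <stdio.h>

enum { PW_LOGIN = 0, PW_PAP = 1, PW_MAX = 2 };  /* slot indices */
enum pw_type { S_clear, S_login, S_mavis };     /* password types */

struct pwdat { enum pw_type type; };

/* Effective type of slot pw_ix: follow an S_login alias to PW_LOGIN once.
 * Returns -1 if the slot is missing or the alias cannot be resolved
 * (PW_LOGIN absent, or PW_LOGIN itself marked S_login, i.e. a loop). */
int effective_pw_type(struct pwdat *pp[PW_MAX], int pw_ix)
{
    if (pw_ix < 0 || pw_ix >= PW_MAX || !pp[pw_ix])
        return -1;
    if (pp[pw_ix]->type != S_login)
        return pp[pw_ix]->type;
    if (pw_ix == PW_LOGIN || !pp[PW_LOGIN] || pp[PW_LOGIN]->type == S_login)
        return -1;
    return pp[PW_LOGIN]->type;
}

/* MAVIS answered AUTH for slot pw_ix: accept only if the profile routes
 * that slot to the MAVIS backend, mirroring the "profile conflicts with
 * MAVIS authentication" check seen in the log. */
int mavis_result_consistent(struct pwdat *pp[PW_MAX], int pw_ix)
{
    return effective_pw_type(pp, pw_ix) == S_mavis;
}

int main(void)
{
    struct pwdat login_mavis = { S_mavis }, pap_login = { S_login }, login_clear = { S_clear };
    /* { login = mavis  pap = login } as returned by the MAVIS backend */
    struct pwdat *good[PW_MAX] = { &login_mavis, &pap_login };
    /* { login = clear ...  pap = login }: PAP would not be a MAVIS login */
    struct pwdat *bad[PW_MAX] = { &login_clear, &pap_login };
    printf("pap via login=mavis: %s\n", mavis_result_consistent(good, PW_PAP) ? "accepted" : "conflict");
    printf("pap via login=clear: %s\n", mavis_result_consistent(bad, PW_PAP) ? "accepted" : "conflict");
    return 0;
}
```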

Aleksey Mochalin

Nov 18, 2020, 2:10:50 PM
to Event-Driven Servers
Hello Marc,

Perfect, as expected. Thank you!
Have a good day!

Regards, Aleksey