PAM authentication: special characters in password


Maarten Coonen

Aug 12, 2015, 6:40:39 AM
to iRODS-Chat
Dear community,

I would like to continue on a post that was made about a year ago regarding the use of a special character in the password: https://groups.google.com/d/msg/irod-chat/BG3HcLwmkm0/bDqOiZEswG8J

We encountered the same issue with linking iRODS to our Active Directory using PAM/LDAP.
It seems that whenever PAM authentication is used, the use of ";" and "=" in passwords is not allowed. The "|" character (as mentioned by Wayne) is not a problem.
When standard iRODS authentication (against iCAT) is used, none of these characters poses a problem.
Furthermore, when I authenticate with PAM against a UNIX account, the same errors occur. This tells me that the issue is specific to the PAM module in iRODS and not LDAP.

Below is a summary of my findings:

Password contains =
in rodsLog
Aug 12 09:09:00 pid:15940 ERROR: [-] iRODS/server/api/src/rsAuthPluginRequest.cpp:85:rsAuthPluginRequest :  status [SYS_INVALID_INPUT_PARAM]  errno [] -- message []
[-] libpam.cpp:395:pam_auth_agent_request :  status [SYS_INVALID_INPUT_PARAM]  errno [] -- message [user or ttl or password key missing]

on command line
[-]     libpam.cpp:243:pam_auth_client_request :  status [SYS_INVALID_INPUT_PARAM]  errno [] -- message [call to rcAuthRequest failed.]
 failed with error -130000 SYS_INVALID_INPUT_PARAM


Password contains ; 
in rodsLog
Aug 12 09:07:25 pid:15519 ERROR: [-] iRODS/server/api/src/rsAuthPluginRequest.cpp:85:rsAuthPluginRequest :  status [PAM_AUTH_PASSWORD_FAILED]  errno [] -- message []
[-] libpam.cpp:410:pam_auth_agent_request :  status [PAM_AUTH_PASSWORD_FAILED]  errno [] -- message [pam auth check failed]

on command line
[-]     libpam.cpp:243:pam_auth_client_request :  status [PAM_AUTH_PASSWORD_FAILED]  errno [] -- message [call to rcAuthRequest failed.]
 failed with error -993000 PAM_AUTH_PASSWORD_FAILED




In my opinion it should be possible to use these special characters in passwords, especially in corporate situations where many users will log in to iRODS with their Active Directory accounts.
Is this something that will be addressed in a future release? 

Best regards,
Maarten Coonen

Ben Keller

Aug 12, 2015, 4:54:22 PM
to irod-chat
Thank you for reporting this. We have made an issue for this here: https://github.com/irods/irods/issues/2835 .

As reflected in the Milestone of the new github issue, the current plan is to include the fix for this in 4.1.5 
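
An added example, not part of the thread and not iRODS code: a minimal model of one way "=" and ";" in a password can produce the two different failures logged above, and how escaping the delimiters avoids both. It assumes the credentials are packed into a `key=value;key=value` string; the keys `user`, `ttl` and `password`, the user `alice`, and the parser's lenient handling of stray fragments are all assumptions.

```cpp
// Added illustration, not iRODS source. Assumed wire format:
// "user=<u>;ttl=<t>;password=<p>" (key names borrowed from the log message).
#include <iostream>
#include <map>
#include <string>
#include <utility>

// Backslash-escape both delimiters and the escape character itself.
std::string escape(const std::string& s) {
    std::string out;
    for (char c : s) {
        if (c == ';' || c == '=' || c == '\\') out += '\\';
        out += c;
    }
    return out;
}

// Split on unescaped ';' and '='. Fails on a second '=' in one pair or a
// missing key; a fragment with no '=' is dropped (assumed lenient behaviour).
bool parse(const std::string& ctx, std::map<std::string, std::string>& kv) {
    std::string key, cur;
    bool have_key = false;
    for (std::size_t i = 0; i <= ctx.size(); ++i) {
        if (i == ctx.size() || ctx[i] == ';') {
            if (have_key) kv[key] = cur;
            key.clear(); cur.clear(); have_key = false;
        } else if (ctx[i] == '=') {
            if (have_key) return false;
            key = cur; cur.clear(); have_key = true;
        } else {
            if (ctx[i] == '\\' && i + 1 < ctx.size()) ++i;  // next char is literal
            cur += ctx[i];
        }
    }
    return kv.count("user") && kv.count("ttl") && kv.count("password");
}

// Returns {accepted, password as the receiving side sees it}.
std::pair<bool, std::string> received_password(const std::string& pw, bool esc) {
    std::map<std::string, std::string> kv;
    bool ok = parse("user=alice;ttl=1;password=" + (esc ? escape(pw) : pw), kv);
    return std::make_pair(ok, ok ? kv["password"] : std::string());
}

int main() {
    for (const char* pw : {"p|ss", "p=ss", "p;ss"}) {
        auto r = received_password(pw, false);
        std::cout << pw << " -> " << (r.first ? r.second : "<rejected>") << "\n";
    }
}
```

In this model the unescaped "=" case is rejected before any password check, while the unescaped ";" case is accepted with a truncated password that would then fail verification; with `esc` set to true both round-trip intact.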



