Re: Sudo no longer working with RADIUS logins after upgrade to 5.4

Wed, 06 Nov 2013 12:56:24 -0800 

On 11/06/13 20:47, Andrew Klettke wrote:

Hey man, hope you're doing well.

The new version of sudo definitely breaks radius support somehow.

Old binary on newly-upgraded server, calling "login_radius" as expected:

32409 sudo     CALL  lstat(0xcfbda248,0xcfbd9fe0)
   32409 sudo     NAMI  "/usr/libexec/auth/login_radius"
   32409 sudo     STRU  struct stat { dev=1030, ino=1559049,
mode=-r-xr-sr-x , nlink=1, uid=0, gid=63, rdev=6221688,
atime=1383766914.276995603, mtime=1375206816,
ctime=1383763312.710865788, size=14768, blocks=32, blksize=16384,
flags=0x0, gen=0x79206db9 }
   32409 sudo     RET   lstat 0
   32409 sudo     CALL socketpair(PF_LOCAL,SOCK_STREAM,0,0xcfbda1cc)
   32409 sudo     RET   socketpair 0
   32409 sudo     CALL  fork()
   32409 sudo     RET   fork 4137/0x1029
   32409 sudo     CALL  close(0x5)
   32409 sudo     RET   close 0
   32409 sudo     CALL  sigprocmask(SIG_BLOCK,~0<>)
   32409 sudo     RET   sigprocmask 0<>
   32409 sudo     CALL mprotect(0x2cff2000,0x2000,0x3<PROT_READ|PROT_WRITE>)
   32409 sudo     RET   mprotect 0
   32409 sudo     CALL mprotect(0x2cff2000,0x2000,0x1<PROT_READ>)
   32409 sudo     RET   mprotect 0
   32409 sudo     CALL  sigprocmask(SIG_SETMASK,0<>)
   32409 sudo     RET   sigprocmask ~0x10100<SIGKILL|SIGSTOP>
   32409 sudo     CALL  write(0x3,0x89efdeac,0x1)
   32409 sudo     GIO   fd 3 wrote 1 bytes
         "\0"
   32409 sudo     RET   write 1
   32409 sudo     CALL  write(0x3,0x819f6a4c,0xa)
   32409 sudo     GIO   fd 3 wrote 10 bytes
         "********\0"
   32409 sudo     RET   write 10/0xa
   32409 sudo     CALL  read(0x3,0x7ec6b034,0x2000)
   32409 sudo     GIO   fd 3 read 10 bytes
         "authorize
         "


New binary on newly-upgraded server, no longer calling "login_radius":

31629 sudo     CALL  lstat(0xcfbfc908,0xcfbfc6a0)
   31629 sudo     NAMI  "/usr/libexec/auth/login_passwd"
   31629 sudo     STRU  struct stat { dev=1030, ino=1559048,
mode=-r-sr-xr-x , nlink=1, uid=0, gid=11, rdev=6233224,
atime=1383766539.484583023, mtime=1375206816,
ctime=1383763312.710865788, size=10256, blocks=24, blksize=16384,
flags=0x0, gen=0xa0c01eca }
   31629 sudo     RET   lstat 0
   31629 sudo     CALL socketpair(PF_LOCAL,SOCK_STREAM,0,0xcfbfc88c)
   31629 sudo     RET   socketpair 0
   31629 sudo     CALL  fork()
   31629 sudo     RET   fork 23258/0x5ada
   31629 sudo     CALL  close(0x5)
   31629 sudo     RET   close 0
   31629 sudo     CALL  sigprocmask(SIG_BLOCK,~0<>)
   31629 sudo     RET   sigprocmask 0<>
   31629 sudo     CALL mprotect(0x2c105000,0x2000,0x3<PROT_READ|PROT_WRITE>)
   31629 sudo     RET   mprotect 0
   31629 sudo     CALL mprotect(0x2c105000,0x2000,0x1<PROT_READ>)
   31629 sudo     RET   mprotect 0
   31629 sudo     CALL  sigprocmask(SIG_SETMASK,0<>)
   31629 sudo     RET   sigprocmask ~0x10100<SIGKILL|SIGSTOP>
   31629 sudo     CALL  write(0x3,0x7e83d5bc,0x1)
   31629 sudo     GIO   fd 3 wrote 1 bytes
         "\0"
   31629 sudo     RET   write 1
   31629 sudo     CALL  write(0x3,0x8a96d20c,0xa)
   31629 sudo     GIO   fd 3 wrote 10 bytes
         "*******\0"
   31629 sudo     RET   write 10/0xa
   31629 sudo     CALL  read(0x3,0x8a2d6034,0x2000)
   31629 sudo     GIO   fd 3 read 7 bytes
         "reject
         "


What happens if you specifically request radius authentication, e.g.

$ sudo -a radius whoami

?

/Alexander




Thanks,

Andrew Klettke
Systems Admin
Optic Fusion

On 11/06/2013 11:28 AM, Bryan Irvine wrote:

Now, that's interesting.  ktrace that sucker.


On Wed, Nov 6, 2013 at 11:22 AM, Andrew Klettke
<aklet...@opticfusion.net <mailto:aklet...@opticfusion.net>> wrote:

     Should also add that a /usr/bin/sudo binary copied over from a 5.3
     machine works as expected.


     Thanks,

     Andrew Klettke
     Systems Admin
     Optic Fusion

     On 11/06/2013 11:17 AM, Andrew Klettke wrote:

         We're seeing a strange issue where logging into a
         newly-upgraded 5.4 machine with a RADIUS login works fine, but
         when trying to use sudo to execute commands, I get "incorrect
         password attempts" in /var/log/secure. Transcript of this
         (server name censored to "foo", user censored to "user"), log
         messages, and dmesg follow, any help or insight would be very
         much appreciated. Sudo worked perfectly fine with this same
         user before the upgrade:

         $ ssh foo
         user@foo's password:
         Last login: Wed Nov  6 11:04:55 2013 from ********.*******.net
         OpenBSD 5.4 (GENERIC.MP <http://GENERIC.MP>) #44: Tue Jul 30
         12:13:32 MDT 2013

         Welcome to OpenBSD: The proactively secure Unix-like operating
         system.

         Please use the sendbug(1) utility to report bugs in the system.
         Before reporting a bug, please try to reproduce it with the latest
         version of the code.  With bug reports, please try to ensure that
         enough information to reproduce the problem is enclosed, and if a
         known fix for it exists, include that as well.

         [foo:~]$ sudo whoami

         We trust you have received the usual lecture from the local System
         Administrator. It usually boils down to these three things:

             #1) Respect the privacy of others.
             #2) Think before you type.
             #3) With great power comes great responsibility.

         Password:
         Where did you learn to type?
         Password:
         My pet ferret can type better than you!
         Password:
         Do you think like you type?
         sudo: 3 incorrect password attempts
         [foo:~]$



         From /var/log/secure:
         Nov  6 11:11:11 foo sudo: user : 3 incorrect password attempts
         ; TTY=ttyp1 ; PWD=/home/user ; USER=root ; COMMAND=/usr/bin/whoami

         Dmesg:
         OpenBSD 5.4 (GENERIC.MP <http://GENERIC.MP>) #44: Tue Jul 30
         12:13:32 MDT 2013
         dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC.MP
         <http://GENERIC.MP>
         cpu0: Intel(R) Atom(TM) CPU 330 @ 1.60GHz ("GenuineIntel"
         686-class) 1.61 GHz
         cpu0:
         
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,NXE,LONG,SSE3,DTES64,MWAIT,DS-CPL,TM2,SSSE3,CX16,xTPR,PDCM,MOVBE,LAHF,PERF
         real mem  = 2138222592 <tel:2138222592> (2039MB)
         avail mem = 2091827200 (1994MB)
         mainbus0 at root
         bios0 at mainbus0: AT/286+ BIOS, date 07/10/09, BIOS32 rev. 0
         @ 0xf0010, SMBIOS rev. 2.5 @ 0xfd170 (27 entries)
         bios0: vendor American Megatrends Inc. version "1.0a" date
         07/10/2009
         bios0: Supermicro X7SLA
         acpi0 at bios0: rev 2
         acpi0: sleep states S0 S1 S3 S4 S5
         acpi0: tables DSDT FACP APIC MCFG SLIC OEMB
         acpi0: wakeup devices P0P2(S4) P0P1(S4) PS2K(S4) PS2M(S4)
         EUSB(S4) MC97(S4) P0P4(S4) P0P5(S4) P0P6(S4) P0P7(S4) P0P8(S4)
         LAN0(S1) P0P9(S4) LAN1(S1) USB0(S4) USB1(S4) [...]
         acpitimer0 at acpi0: 3579545 Hz, 24 bits
         acpimadt0 at acpi0 addr 0xfee00000: PC-AT compat
         cpu0 at mainbus0: apid 0 (boot processor)
         cpu0: apic clock running at 133MHz
         cpu1 at mainbus0: apid 2 (application processor)
         cpu1: Intel(R) Atom(TM) CPU 330 @ 1.60GHz ("GenuineIntel"
         686-class) 1.61 GHz
         cpu1:
         
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,NXE,LONG,SSE3,DTES64,MWAIT,DS-CPL,TM2,SSSE3,CX16,xTPR,PDCM,MOVBE,LAHF,PERF
         cpu2 at mainbus0: apid 1 (application processor)
         cpu2: Intel(R) Atom(TM) CPU 330 @ 1.60GHz ("GenuineIntel"
         686-class) 1.61 GHz
         cpu2:
         
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,NXE,LONG,SSE3,DTES64,MWAIT,DS-CPL,TM2,SSSE3,CX16,xTPR,PDCM,MOVBE,LAHF,PERF
         cpu3 at mainbus0: apid 3 (application processor)
         cpu3: Intel(R) Atom(TM) CPU 330 @ 1.60GHz ("GenuineIntel"
         686-class) 1.61 GHz
         cpu3:
         
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,NXE,LONG,SSE3,DTES64,MWAIT,DS-CPL,TM2,SSSE3,CX16,xTPR,PDCM,MOVBE,LAHF,PERF
         ioapic0 at mainbus0: apid 4 pa 0xfec00000, version 20, 24 pins
         ioapic0: misconfigured as apic 1, remapped to apid 4
         acpimcfg0 at acpi0 addr 0xf0000000, bus 0-63
         acpiprt0 at acpi0: bus 0 (PCI0)
         acpiprt1 at acpi0: bus -1 (P0P2)
         acpiprt2 at acpi0: bus 4 (P0P1)
         acpiprt3 at acpi0: bus 1 (P0P4)
         acpiprt4 at acpi0: bus -1 (P0P5)
         acpiprt5 at acpi0: bus -1 (P0P6)
         acpiprt6 at acpi0: bus -1 (P0P7)
         acpiprt7 at acpi0: bus 2 (P0P8)
         acpiprt8 at acpi0: bus 3 (P0P9)
         acpicpu0 at acpi0
         acpicpu1 at acpi0
         acpicpu2 at acpi0
         acpicpu3 at acpi0
         acpibtn0 at acpi0: SLPB
         acpibtn1 at acpi0: PWRB
         bios0: ROM list: 0xc0000/0xaa00!
         pci0 at mainbus0 bus 0: configuration mode 1 (bios)
         pchb0 at pci0 dev 0 function 0 "Intel 82945G Host" rev 0x02
         vga1 at pci0 dev 2 function 0 "Intel 82945G Video" rev 0x02
         intagp0 at vga1
         agp0 at intagp0: aperture at 0xe0000000, size 0x10000000
         inteldrm0 at vga1
         drm0 at inteldrm0
         error: [drm:pid0:drm_edid_block_valid] *ERROR* EDID checksum
         is invalid, remainder is 130
         Raw EDID:

         00 ff ff ff ff ff ff 00  ff ff ff ff ff ff ff ff
         ff ff ff ff ff ff ff ff  ff ff ff ff ff ff ff ff
         ff ff ff ff ff ff ff ff  ff ff ff ff ff ff ff ff
         ff ff ff ff ff ff ff ff  ff ff ff ff ff ff ff ff
         ff ff ff ff ff ff ff ff  ff ff ff ff ff ff ff ff
         ff ff ff ff ff ff ff ff  ff ff ff ff ff ff ff ff
         ff ff ff ff ff ff ff ff  ff ff ff ff ff ff ff ff
         ff ff ff ff ff ff ff ff  ff ff ff ff ff ff ff ff
         inteldrm0: 1024x768
         wsdisplay0 at vga1 mux 1: console (std, vt100 emulation)
         wsdisplay0: screen 1-5 added (std, vt100 emulation)
         ppb0 at pci0 dev 28 function 0 "Intel 82801GB PCIE" rev 0x01:
         apic 4 int 16
         pci1 at ppb0 bus 1
         ppb1 at pci0 dev 28 function 4 "Intel 82801G PCIE" rev 0x01:
         apic 4 int 16
         pci2 at ppb1 bus 2
         re0 at pci2 dev 0 function 0 "Realtek 8168" rev 0x02:
         RTL8168C/8111C (0x3c00), apic 4 int 16, address 00:30:48:9f:31:60
         rgephy0 at re0 phy 7: RTL8169S/8110S PHY, rev. 2
         ppb2 at pci0 dev 28 function 5 "Intel 82801G PCIE" rev 0x01:
         apic 4 int 17
         pci3 at ppb2 bus 3
         re1 at pci3 dev 0 function 0 "Realtek 8168" rev 0x02:
         RTL8168C/8111C (0x3c00), apic 4 int 17, address 00:30:48:9f:31:61
         rgephy1 at re1 phy 7: RTL8169S/8110S PHY, rev. 2
         uhci0 at pci0 dev 29 function 0 "Intel 82801GB USB" rev 0x01:
         apic 4 int 23
         uhci1 at pci0 dev 29 function 1 "Intel 82801GB USB" rev 0x01:
         apic 4 int 19
         uhci2 at pci0 dev 29 function 2 "Intel 82801GB USB" rev 0x01:
         apic 4 int 18
         uhci3 at pci0 dev 29 function 3 "Intel 82801GB USB" rev 0x01:
         apic 4 int 16
         ehci0 at pci0 dev 29 function 7 "Intel 82801GB USB" rev 0x01:
         apic 4 int 23
         usb0 at ehci0: USB revision 2.0
         uhub0 at usb0 "Intel EHCI root hub" rev 2.00/1.00 addr 1
         ppb3 at pci0 dev 30 function 0 "Intel 82801BA Hub-to-PCI" rev 0xe1
         pci4 at ppb3 bus 4
         ichpcib0 at pci0 dev 31 function 0 "Intel 82801GB LPC" rev
         0x01: PM disabled
         pciide0 at pci0 dev 31 function 1 "Intel 82801GB IDE" rev
         0x01: DMA, channel 0 configured to compatibility, channel 1
         configured to compatibility
         pciide0: channel 0 disabled (no drives)
         pciide0: channel 1 disabled (no drives)
         ahci0 at pci0 dev 31 function 2 "Intel 82801GR AHCI" rev 0x01:
         msi, AHCI 1.1
         scsibus0 at ahci0: 32 targets
         sd0 at scsibus0 targ 0 lun 0: <ATA, ST980210AS, 3.AL
         <http://3.AL>> SCSI3 0/direct fixed t10.ATA_ST980210AS_5QY0TPVG
         sd0: 76319MB, 512 bytes/sector, 156301488 sectors
         sd1 at scsibus0 targ 1 lun 0: <ATA, ST980210AS, 3.AL
         <http://3.AL>> SCSI3 0/direct fixed t10.ATA_ST980210AS_5QY0T9BK
         sd1: 76319MB, 512 bytes/sector, 156301488 sectors
         ichiic0 at pci0 dev 31 function 3 "Intel 82801GB SMBus" rev
         0x01: apic 4 int 19
         iic0 at ichiic0
         lm1 at iic0 addr 0x2d: W83627DHG
         spdmem0 at iic0 addr 0x50: 1GB DDR2 SDRAM non-parity PC2-6400CL5
         spdmem1 at iic0 addr 0x52: 1GB DDR2 SDRAM non-parity PC2-6400CL5
         usb1 at uhci0: USB revision 1.0
         uhub1 at usb1 "Intel UHCI root hub" rev 1.00/1.00 addr 1
         usb2 at uhci1: USB revision 1.0
         uhub2 at usb2 "Intel UHCI root hub" rev 1.00/1.00 addr 1
         usb3 at uhci2: USB revision 1.0
         uhub3 at usb3 "Intel UHCI root hub" rev 1.00/1.00 addr 1
         usb4 at uhci3: USB revision 1.0
         uhub4 at usb4 "Intel UHCI root hub" rev 1.00/1.00 addr 1
         isa0 at ichpcib0
         isadma0 at isa0
         com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
         com1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
         pckbc0 at isa0 port 0x60/5
         pckbd0 at pckbc0 (kbd slot)
         pckbc0: using irq 1 for kbd slot
         wskbd0 at pckbd0: console keyboard, using wsdisplay0
         pms0 at pckbc0 (aux slot)
         pckbc0: using irq 12 for aux slot
         wsmouse0 at pms0 mux 0
         pcppi0 at isa0 port 0x61
         spkr0 at pcppi0
         wbsio0 at isa0 port 0x2e/2: W83627DHG-P rev 0x73
         lm2 at wbsio0 port 0x290/8: W83627DHG
         npx0 at isa0 port 0xf0/16: reported by CPUID; using exception 16
         mtrr: Pentium Pro MTRR support
         lm1: disabling sensors due to alias with lm2
         uhub5 at uhub0 port 1 "Standard Microsystems product 0x2507"
         rev 2.00/0.00 addr 2
         uftdi0 at uhub5 port 1 configuration 1 interface 0 "FTDI USB
         FAST SERIAL ADAPTER" rev 2.00/5.00 addr 3
         ucom0 at uftdi0 portno 1
         uftdi1 at uhub5 port 1 configuration 1 interface 1 "FTDI USB
         FAST SERIAL ADAPTER" rev 2.00/5.00 addr 3
         ucom1 at uftdi1 portno 2
         uftdi2 at uhub5 port 2 configuration 1 interface 0 "FTDI USB
         FAST SERIAL ADAPTER" rev 2.00/5.00 addr 4
         ucom2 at uftdi2 portno 1
         uftdi3 at uhub5 port 2 configuration 1 interface 1 "FTDI USB
         FAST SERIAL ADAPTER" rev 2.00/5.00 addr 4
         ucom3 at uftdi3 portno 2
         uftdi4 at uhub5 port 3 configuration 1 interface 0 "FTDI USB
         FAST SERIAL ADAPTER" rev 2.00/5.00 addr 5
         ucom4 at uftdi4 portno 1
         uftdi5 at uhub5 port 3 configuration 1 interface 1 "FTDI USB
         FAST SERIAL ADAPTER" rev 2.00/5.00 addr 5
         ucom5 at uftdi5 portno 2
         uftdi6 at uhub5 port 4 configuration 1 interface 0 "FTDI USB
         FAST SERIAL ADAPTER" rev 2.00/5.00 addr 6
         ucom6 at uftdi6 portno 1
         uftdi7 at uhub5 port 4 configuration 1 interface 1 "FTDI USB
         FAST SERIAL ADAPTER" rev 2.00/5.00 addr 6
         ucom7 at uftdi7 portno 2
         uftdi8 at uhub5 port 5 configuration 1 interface 0 "FTDI USB
         FAST SERIAL ADAPTER" rev 2.00/5.00 addr 7
         ucom8 at uftdi8 portno 1
         uftdi9 at uhub5 port 5 configuration 1 interface 1 "FTDI USB
         FAST SERIAL ADAPTER" rev 2.00/5.00 addr 7
         ucom9 at uftdi9 portno 2
         uftdi10 at uhub5 port 6 configuration 1 interface 0 "FTDI USB
         FAST SERIAL ADAPTER" rev 2.00/5.00 addr 8
         ucom10 at uftdi10 portno 1
         uftdi11 at uhub5 port 6 configuration 1 interface 1 "FTDI USB
         FAST SERIAL ADAPTER" rev 2.00/5.00 addr 8
         ucom11 at uftdi11 portno 2
         uhub6 at uhub5 port 7 "Genesys Logic GL650 Hub" rev 1.10/3.05
         addr 9
         uftdi12 at uhub6 port 1 configuration 1 interface 0 "FTDI USB
         FAST SERIAL ADAPTER" rev 2.00/5.00 addr 10
         ucom12 at uftdi12 portno 1
         uftdi13 at uhub6 port 1 configuration 1 interface 1 "FTDI USB
         FAST SERIAL ADAPTER" rev 2.00/5.00 addr 10
         ucom13 at uftdi13 portno 2
         uftdi14 at uhub6 port 2 configuration 1 interface 0 "FTDI USB
         FAST SERIAL ADAPTER" rev 2.00/5.00 addr 11
         ucom14 at uftdi14 portno 1
         uftdi15 at uhub6 port 2 configuration 1 interface 1 "FTDI USB
         FAST SERIAL ADAPTER" rev 2.00/5.00 addr 11
         ucom15 at uftdi15 portno 2
         vscsi0 at root
         scsibus1 at vscsi0: 256 targets
         softraid0 at root
         scsibus2 at softraid0: 256 targets
         root on sd0a swap on sd0b dump on sd0b

Reply via email to