Re: Rejected proxy requests not making it to the client

2013-07-03 Thread Ti Leggett
Ok. I'll be firing up gdb and adding more logging. Before I did that I added a 
post_proxy detail log to see what the proxy server saw in that phase and for 
Access-Rejected packets they never get to the post_proxy section. Not sure if 
that sheds any more light on this.

Anyway, so I know where to focus my debugging, I want to make sure I understand 
how a proxied packet makes its way through the system. Is the path:

authorize - pre_proxy - post_proxy

That's how it looks from the debug logs. Do the authenticate sections ever get 
hit? Any other sections I should look into?


On Jul 2, 2013, at 3:33 PM, Arran Cudbard-Bell a.cudba...@freeradius.org 
wrote:

 
 On 2 Jul 2013, at 19:28, Ti Leggett legg...@mcs.anl.gov wrote:
 
 I'm not seeing a spin lock, but I'm running a 2.2.1 branch version that I 
 believe you pointed me at to fix an rlm_krb5 issue I was seeing earlier this 
 year. Is there an update for that branch or should I be moving to some other 
 version/branch?
 
 On Jul 2, 2013, at 1:03 PM, Arran Cudbard-Bell a.cudba...@freeradius.org 
 wrote:
 
 
 On 2 Jul 2013, at 18:51, Alan DeKok al...@deployingradius.com wrote:
 
 Ti Leggett wrote:
 I'm not sure how the script could be blocking the server after it's 
 already ran and returned the updated packet so the proxying can take 
 place which does happen:
 
 I don't know.  All I know is that the default configuration doesn't
 have child threads blocking when sending Access-Reject.
 
 The problem is due to a local change on your system.
 
 There was a bug in rlm_perl which caused it to go into an infinite loop 
 processing reply attributes. Check if radiusd is using 100% cpu, if it is, 
 upgrade.
 
 Then it's not the same issue.
 
 Break out GDB, set relevant breakpoints, and see where it's hanging, that's 
 all I can suggest.
 
 Arran Cudbard-Bell a.cudba...@freeradius.org
 FreeRADIUS Development Team
 
 -
 List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Rejected proxy requests not making it to the client

2013-07-02 Thread Ti Leggett
I have a setup where we have three distinct OTP services, one by the 
organization and 2 specific to our group. Users can choose which service they 
want to use and this is done by membership in a netgroup (an rlm_perl script 
looks up the user to see what netgroup they belong to). We have proxy servers 
that all the clients talk to and their purpose is to determine which upstream 
OTP service to authenticate a user against and proxy the requests there. I'm 
seeing strange behavior when a user types their password incorrectly in that 
the reject never makes it all the way to the client and on the server I see the 
following on the server:

Tue Jul  2 10:39:04 2013 : Error: WARNING: Unresponsive child for request 0, in 
component core module thread
Tue Jul  2 10:39:05 2013 : Info: WARNING: Child is hung for request 0 in 
component core module thread.
Tue Jul  2 10:39:06 2013 : Info: WARNING: Child is hung for request 0 in 
component core module thread.
Tue Jul  2 10:39:09 2013 : Info: WARNING: Child is hung for request 0 in 
component core module thread.
Tue Jul  2 10:39:12 2013 : Info: WARNING: Child is hung for request 0 in 
component core module thread.
Tue Jul  2 10:39:17 2013 : Info: WARNING: Child is hung for request 0 in 
component core module thread.
Tue Jul  2 10:39:25 2013 : Info: WARNING: Child is hung for request 0 in 
component core module thread.
Tue Jul  2 10:39:36 2013 : Info: WARNING: Child is hung for request 0 in 
component core module thread.
...

The upstream server does get the request, send the reject back to the proxy and 
the proxy receives the reject but doesn't seem to send the reject back to the 
client. When the user types the password successfully everything works fine - 
the client gets an OK and none of the hung request errors show up.

A debug log of one of these failed sessions is at http://pastebin.com/8n7snaBV. 
Any ideas what might be going on?
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Rejected proxy requests not making it to the client

2013-07-02 Thread Ti Leggett
I'm not sure how the script could be blocking the server after it's already ran 
and returned the updated packet so the proxying can take place which does 
happen:

• rlm_perl: Changing User-Name: legg...@yubiauth.mcs.example.com
• rlm_perl: Added pair NAS-Port-Type = Virtual
• rlm_perl: Added pair Service-Type = Authenticate-Only
• rlm_perl: Added pair Auth-Type = System
• rlm_perl: Added pair Calling-Station-Id = client.mcs.example.com
• rlm_perl: Added pair User-Name = legg...@yubiauth.mcs.example.com
• rlm_perl: Added pair User-Password = 654321
• rlm_perl: Added pair NAS-Identifier = sshd
• rlm_perl: Added pair Stripped-User-Name = leggett
• rlm_perl: Added pair NAS-IP-Address = 192.168.6.203
• rlm_perl: Added pair NAS-Port = 32448
• rlm_perl: Added pair Ldap-UserDn = 
uid=leggett,ou=people,dc=mcs,dc=example,dc=com
• Cached username is legg...@yubiauth.mcs.example.com, list username 
is legg...@yubiauth.mcs.example.com
• ++[get_domain] returns updated
• [suffix] Looking up realm yubiauth.mcs.example.com for User-Name = 
legg...@yubiauth.mcs.example.com
• [suffix] Found realm yubiauth.mcs.example.com
• [suffix] Adding Stripped-User-Name = leggett
• [suffix] Adding Realm = yubiauth.mcs.example.com
• [suffix] Proxying request from user leggett to realm 
yubiauth.mcs.example.com
• [suffix] Preparing to proxy authentication request to realm 
yubiauth.mcs.example.com
• Cached username is leggett, list username is 
legg...@yubiauth.mcs.example.com
• ++[suffix] returns updated

The request packet then gets proxied off, comes back and this script is never 
called again. The same script gets called the same way on successful requests 
and this script is only called in the authorize phase. I've also tested that 
when one of the failure cases is reached (return RLM_MODULE_FAIL) that a fail 
packet is sent back to the client and no proxying ever takes place which is 
what I would expect.

The script is at http://pastebin.com/gB91jj8W.

On Jul 2, 2013, at 12:20 PM, Alan DeKok al...@deployingradius.com wrote:

 Ti Leggett wrote:
 Tue Jul  2 10:39:04 2013 : Error: WARNING: Unresponsive child for request 0, 
 in component core module thread
 
  Fix your scripts so that they don't block the server.
 
 The upstream server does get the request, send the reject back to the proxy 
 and the proxy receives the reject but doesn't seem to send the reject back 
 to the client. When the user types the password successfully everything 
 works fine - the client gets an OK and none of the hung request errors show 
 up.
 
  The default configuration doesn't have this issue.  Access-Requests
 can be proxied.  Access-Rejects can be returned through a proxy to a client.
 
 A debug log of one of these failed sessions is at 
 http://pastebin.com/8n7snaBV. Any ideas what might be going on?
 
  The debug log shows nothing interesting.
 
  The most probable issue is that your scripts are blocking the server.
 Fix that.
 
  You can verify this by configuring a test system *without* your
 scripts.  Or a test user, which bypasses the scripts.  It will work.
 
  Alan DeKok.
 -
 List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Rejected proxy requests not making it to the client

2013-07-02 Thread Ti Leggett
Well sure. I figured it was in my local configuration, but is there any other 
debugging I can do to help me pinpoint what may be going on since, as you said, 
from the debug logs everything looks correct? Disabling the script will give me 
a working installation but not a usable one in our environment. The default 
configuration will do the same.

Is there anyway to get more specifics about what exactly is hanging? It might 
not be the script hanging directly (obviously since it's not hanging before the 
proxy or after a successful proxy) but could be another module hanging because 
of how the script modifies the packet.

On Jul 2, 2013, at 12:51 PM, Alan DeKok al...@deployingradius.com wrote:

 Ti Leggett wrote:
 I'm not sure how the script could be blocking the server after it's already 
 ran and returned the updated packet so the proxying can take place which 
 does happen:
 
  I don't know.  All I know is that the default configuration doesn't
 have child threads blocking when sending Access-Reject.
 
  The problem is due to a local change on your system.
 
  Alan DeKok.
 -
 List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Rejected proxy requests not making it to the client

2013-07-02 Thread Ti Leggett
I'm not seeing a spin lock, but I'm running a 2.2.1 branch version that I 
believe you pointed me at to fix an rlm_krb5 issue I was seeing earlier this 
year. Is there an update for that branch or should I be moving to some other 
version/branch?

On Jul 2, 2013, at 1:03 PM, Arran Cudbard-Bell a.cudba...@freeradius.org 
wrote:

 
 On 2 Jul 2013, at 18:51, Alan DeKok al...@deployingradius.com wrote:
 
 Ti Leggett wrote:
 I'm not sure how the script could be blocking the server after it's already 
 ran and returned the updated packet so the proxying can take place which 
 does happen:
 
 I don't know.  All I know is that the default configuration doesn't
 have child threads blocking when sending Access-Reject.
 
 The problem is due to a local change on your system.
 
 There was a bug in rlm_perl which caused it to go into an infinite loop 
 processing reply attributes. Check if radiusd is using 100% cpu, if it is, 
 upgrade.
 
 Arran Cudbard-Bell a.cudba...@freeradius.org
 FreeRADIUS Development Team
 
 -
 List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


rlm_perl changing User-Name and proxy requests

2013-01-11 Thread Ti Leggett
I have an issue with rlm_perl changing the request User-Name attribute but the 
proxy request not honoring it. First I'll describe what I'm trying to 
accomplish and why and then what I'm doing. I'm running a branch of 2.2.1 that 
has some krb5 realm fixes in it.

I have multiple realms that users can authenticate against: our division has 
replayable password (handled by kerberos) and one time passwords (handled by 
both YubiKeys and Crypto Card), our lab has replayable passwords (handled by 
AD) and a separate one time password system (handled by Crypto Card). For 
services that we want to allow replayable passwords (like IMAP access for 
instance), we want to allow the user to choose which service to use (division 
or lab). For services requiring OTP we want the user to choose which OTP token 
they want to use (some people have multiple because of external requirements). 
We want users to be able to change these auth preferences on their own and not 
have this require changing the RADIUS configuration (a.k.a., the users file) to 
do this. Our account information is kept in LDAP.

This is all well and good except that usernames between the division and the 
lab aren't guaranteed to match - User A might have lastname as their division 
name, but lastnamefirst as their lab username. For the kerberos and AD request 
the RADIUS server can handle the request directly using rlm_krb5, but for all 
the OTP requests the server must proxy to the correct OTP server to handle the 
request.

Here's my plan for accomplishing this.

During authorization, rlm_ldap is used to make sure if the user is in LDAP. If 
not the request is rejected outright (this should help with brute force 
attempts bogging down all the servers for bogus attempts). Next an rlm_perl 
module is called to get the user's preferred realm and what username to use in 
that realm from LDAP. An example would be leggett@ yubi.division.example.com 
(signifying that I want to use YubiKey from my division). The rlm_perl module 
updates the request User-Name to be this preference and Auth-Type to be System 
(see http://pastie.org/5670077). Lastly rlm_realm checks the request to 
determine if it should be proxied or not. The problem is this: Everything works 
if the username doesn't change. For instance, if I'm 
legg...@yubi.division.example.com and legg...@crypto.example.com, things work. 
The User-Name change being done by rlm_perl is being recognized by rlm_realm 
and rlm_realm is routing to the proper realm; however, rlm_realm seems to want 
to clobbe!
 r User-Name in its own way, so that by the time proxying happens User-Name is 
set to whatever the initial username was - if I started the process as leggett 
and wanted my username to eventually be ti.legg...@crypto.example.com, by the 
time it reaches the proxy phase my User-Name attribute has been reset back to 
leggett even if I rerun the rlm_perl module after rlm_realm (see 
http://pastie.org/5670076)

I notice that rlm_suffix doesn't overwrite the Stripped-User-Name rlm_perl 
adds, but appends another entry. This is fine for my purposes since the 
rlm_perl one is added first subsequent calls use that value. I'm afraid the 
same is happening with User-Name in that rlm_perl is appending another entry 
instead of overwriting the ones there.

So is there any way around this or am I completely insane with this approach?
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: rlm_perl changing User-Name and proxy requests

2013-01-11 Thread Ti Leggett

On Jan 11, 2013, at 2:32 PM, Arran Cudbard-Bell a.cudba...@freeradius.org 
wrote:

 [snip]
 
 Yeah it'll just bog down your LDAP server instead. You should use rlm_cache 
 to cache the result of the LDAP lookup (once you have all this working)*.
 
 Have you added nostrip for all the realms? The only way I can see it 
 clobbering username is if stripping is enabled.

So that was my first thought too. However, I have limited visibility into the 
remote lab crypto server and when I sent a request to with a realm included, it 
flat out dropped the request. Didn't reply at all. So I need the realm to so 
the proxy portion can hit the right destination, but I need the User-Name 
stripped so the remote server can understand it.

 -Arran
 
 PS: You know you want to test the threaded version of the updated rlm_krb5 
 module :)

I do! Once I get this configuration working I'll be happy to try it. One of my 
todos for this whole config revamp is to stress test the environment against a 
brute force attack (we get them frequently). Then I'll have some before numbers 
to compare with the after.

 
 * Only use the rlm_cache module from 2.2.1
 -
 List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: rlm_perl changing User-Name and proxy requests

2013-01-11 Thread Ti Leggett

On Jan 11, 2013, at 2:35 PM, a.l.m.bu...@lboro.ac.uk wrote:

 hi,
 
 dont play with User-Name, update/modify Stripped-User-Name instead and use 
 that in the
 authn/authz stages

How do I get the remote servers I'm proxying for to understand 
Stripped-User-Name. As far as I can tell Stripped-User-Name isn't even in the 
Access-Request to the proxyied server.

 alan
 -
 List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: rlm_perl changing User-Name and proxy requests

2013-01-11 Thread Ti Leggett

On Jan 11, 2013, at 3:21 PM, Arran Cudbard-Bell a.cudba...@freeradius.org 
wrote:

 @leggett
 
 If you don't mind rebuilding the server, could you change:
 
 https://github.com/FreeRADIUS/freeradius-server/blob/v2.x.x/src/main/modcall.c#L686
 
 And add:
 
 RDEBUG(Cached username is \%s\, list username is \%s\, 
 request-username-vp_strvalue, pairfind(request-packet-vps, 
 PW_USER_NAME)-vp_strvalue);
 
 Just after modcall_single()
 
 Run it in debug mode and you'll see exactly where the username isn't being 
 updated. List username and cached username should always be in sync up until 
 the call to suffix, at which point the cached username should be stripped of 
 the realm.

Ok. I'm flumoxed:

+- entering group pre-proxy {...}
[pre_proxy_log] expand: 
/var/log/radius/radacct/%{Client-IP-Address}/pre-proxy-detail-%Y%m%d - 
/var/log/radius/radacct/192.168.1.1/pre-proxy-detail-20130111
[pre_proxy_log] 
/var/log/radius/radacct/%{Client-IP-Address}/pre-proxy-detail-%Y%m%d expands to 
/var/log/radius/radacct/192.168.1.1/pre-proxy-detail-20130111
[pre_proxy_log] expand: %t - Fri Jan 11 15:38:05 2013
Cached username is ti.leggett, list username is 
ti.legg...@crypto.example.com
++[pre_proxy_log] returns ok
Sending Access-Request of id 217 to 192.168.1.2 port 1812
NAS-Port-Type = Virtual
Service-Type = Authenticate-Only
Calling-Station-Id = host.division.example.com
User-Name = leggett
User-Password = password
NAS-Identifier = sshd
NAS-IP-Address = 192.168.1.1
NAS-Port = 9975
Proxy-State = 0x3831

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html