[Touch-packages] [Bug 1657897] Re: Failure to report rhosts
Yes, that is the correct issue occurring. Effectively, pam never sees the rhost data from sendmail, which can be seen in the auth log.

Jan 25 16:56:12 uvt-yakkety saslauthd[3020]: pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=powersj

I did some more investigating into this issue. From what I can tell, the saslauthd client never sends the rhost to the saslauthd process, and it isn't supported in the client/server protocol. So this is somewhat of a problem because of the design of the protocol and maintaining backwards compatibility with existing clients.

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to cyrus-sasl2 in Ubuntu.
https://bugs.launchpad.net/bugs/1657897

Title:
  Failure to report rhosts

Status in cyrus-sasl2 package in Ubuntu:
  Incomplete

Bug description:
  When using sasl2-bin and saslauthd it will fail to work correctly with pam. The first major problem is that it will fail to report the rhost address in the log, which means auth failures cannot be policed and no useful data (the ip address) is reported to the log file. Example below during a password brute force attempt.

  Jan 19 21:57:16 mail saslauthd[1534]: pam_unix(smtp:auth): check pass; user unknown
  Jan 19 21:57:16 mail saslauthd[1534]: pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=

  The other issue is that it would be great to be able to ip restrict logins based on pam module configuration. Based on previous reading and as far as I can tell, the remote ip address is not supported between the imap/pop/smtp process and sasl2. Is it possible to add support for this?

  Technically this is a long standing security issue because fail2ban cannot be used to process the syslog file and auto block the host during brute force password attempts.
To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/cyrus-sasl2/+bug/1657897/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1657897] Re: Failure to report rhosts
Hi,

Thanks for the reply. First off, I will say that everything to reproduce this is a default configuration for saslauthd. You simply have to install it. The next part would be to install any of the other defaults like imapd (no configuration required) or sendmail (which does need to be configured), or any other client that is capable of using saslauthd.

Maybe this isn't understood well or I have come across badly. The problem here in ubuntu is that the saslauthd version in ubuntu doesn't support passing the rhost (the remote ip address) from its front end service to the pam authentication libs at all. This makes logging and blocking of remote ip addresses which are constantly trying usernames / passwords on mail servers via smtp, pop3, imap impossible to monitor, log and block, as pam.d authfailure will fail to log any actionable information.

Here is more information on the same bug from redhat.
https://bugzilla.redhat.com/show_bug.cgi?id=683797

The 2nd issue isn't so much a feature request as it is actually the same functionality. You cannot have a pam module installed/configured in the system which can look up, say, a dns blacklist or database of blocked ip addresses and block access through the standard pam configuration that saslauthd uses by default.

This makes all pam authentication configuration / logging based on the back of saslauthd that involves an ip address useless / redundant / non functional.

This isn't a new problem with saslauthd, it's just never been fixed. It dates back to 2011. Across multiple systems and use this package.
https://lists.andrew.cmu.edu/pipermail/cyrus-sasl/2011-March/002218.html

** Bug watch added: Red Hat Bugzilla #683797
   https://bugzilla.redhat.com/show_bug.cgi?id=683797
[Touch-packages] [Bug 1657897] [NEW] Failure to report rhosts
Public bug reported:

When using sasl2-bin and saslauthd it will fail to work correctly with pam. The first major problem is that it will fail to report the rhost address in the log, which means auth failures cannot be policed and no useful data (the ip address) is reported to the log file. Example below during a password brute force attempt.

Jan 19 21:57:16 mail saslauthd[1534]: pam_unix(smtp:auth): check pass; user unknown
Jan 19 21:57:16 mail saslauthd[1534]: pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=

The other issue is that it would be great to be able to ip restrict logins based on pam module configuration. Based on previous reading and as far as I can tell, the remote ip address is not supported between the imap/pop/smtp process and sasl2. Is it possible to add support for this?

Technically this is a long standing security issue because fail2ban cannot be used to process the syslog file and auto block the host during brute force password attempts.

** Affects: cyrus-sasl2 (Ubuntu)
     Importance: Undecided
         Status: New

** Tags: auth imap pam pop3 saslauthd sendmail
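The log-processing gap reported above, as an added example that is not part of the original report or of any project named in it: a small parser for pam_unix failure lines that counts failures per rhost and separately counts the ones that carry no rhost and so cannot be attributed to a host. The sshd lines, the address 203.0.113.7 and the threshold are assumptions made for the illustration.

```python
import re
from collections import Counter

# Constructed sample. The saslauthd lines are the failures quoted in this
# thread; the sshd lines are invented to show a service that does fill in
# rhost (203.0.113.7 is a documentation address).
SAMPLE_LOG = """\
Jan 19 21:57:16 mail saslauthd[1534]: pam_unix(smtp:auth): check pass; user unknown
Jan 19 21:57:16 mail saslauthd[1534]: pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Jan 25 16:56:12 uvt-yakkety saslauthd[3020]: pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=powersj
Jan 25 16:57:01 uvt-yakkety sshd[3100]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.7 user=root
Jan 25 16:57:09 uvt-yakkety sshd[3100]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.7 user=root
"""

FAILURE = re.compile(
    r"(?P<daemon>[\w.-]+)\[\d+\]: pam_unix\((?P<service>[^:)]+):auth\): "
    r"authentication failure; (?P<fields>.*)$"
)

def parse_failures(text):
    """Return one dict per pam_unix 'authentication failure' line."""
    events = []
    for line in text.splitlines():
        m = FAILURE.search(line)
        if not m:
            continue
        # Fields are space-separated key=value pairs; a value may be empty.
        fields = dict(kv.split("=", 1) for kv in m["fields"].split() if "=" in kv)
        events.append({"daemon": m["daemon"], "service": m["service"],
                       "rhost": fields.get("rhost", ""),
                       "user": fields.get("user", "")})
    return events

def triage(events, threshold=2):
    """Return (hosts at or over the threshold, unattributable failures per service)."""
    per_host = Counter(e["rhost"] for e in events if e["rhost"])
    blind = Counter(e["service"] for e in events if not e["rhost"])
    return sorted(h for h, n in per_host.items() if n >= threshold), dict(blind)

if __name__ == "__main__":
    bannable, blind = triage(parse_failures(SAMPLE_LOG))
    print("hosts to block:", bannable)
    print("failures with no rhost, by PAM service:", blind)
```

A non-empty second result is the condition to alert on: those services are producing authentication failures that no log-based blocker can act on.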
[Touch-packages] [Bug 1577926] Re: apt-key works fine, yet apt fails with "Could not execute 'apt-key'"
I can confirm that I had the same problem with the kernel. This was due to it being a vm in a xen environment which was booting from the host kernel, which was why it was not upgraded.

After upgrading the kernel and apt to the most recent version all is working normally again.

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apt in Ubuntu.
https://bugs.launchpad.net/bugs/1577926

Title:
  apt-key works fine, yet apt fails with "Could not execute 'apt-key'"

Status in apt package in Ubuntu:
  Confirmed

Bug description:
  Apt can fail to verify a Release file which verifies just fine when calling apt-key directly. Please advise how I can supply further debug information to help fix the underlying bug.

  Expected:
  apt-get should only report that a repository is not signed when no such signature was found. If a signature was in fact successfully acquired but not verified, apt-get should report failure to verify instead.
  apt-get should have a meaningful error message when calling apt-key fails.
  Bonus: Calling apt-key should not fail when the same thing works fine on command line.
  A reference to "Debug::Acquire::gpgv" should be in apt-secure(8) documentation.
  Observed:

  # uname -a
  Linux hostname 4.4.0-21-generic #37-Ubuntu SMP Mon Apr 18 18:34:49 UTC 2016 i686 i686 i686 GNU/Linux

  # chroot reproducable
  $ uname -a
  Linux hostname 4.4.0-21-generic #37-Ubuntu SMP Mon Apr 18 18:34:49 UTC 2016 armv7l armv7l armv7l GNU/Linux

  $ lsb_release -a 2>/dev/null
  Distributor ID: Ubuntu
  Description: Ubuntu 16.04 LTS
  Release: 16.04
  Codename: xenial

  $ apt-get -o "Debug::Acquire::gpgv=true" update
  Get:1 http://ports.ubuntu.com xenial-security InRelease [92.2 kB]
  0% [1 InRelease gpgv 92.2 kB]igners
  Preparing to exec: /usr/bin/apt-key --quiet --readonly verify --status-fd 3 /tmp/apt.sig.jYGUCG /tmp/apt.data.uTkX1c
  gpgv exited with status 111
  Summary:
    Good:
    Bad:
    Worthless:
    SoonWorthless:
    NoPubKey:
  Ign:1 http://ports.ubuntu.com xenial-security InRelease
  Fetched 92.2 kB in 1s (79.5 kB/s)
  Reading package lists... Done
  W: GPG error: http://ports.ubuntu.com xenial-security InRelease: Could not execute 'apt-key' to verify signature (is gnupg installed?)
  W: The repository 'http://ports.ubuntu.com xenial-security InRelease' is not signed.
  N: Data from such a repository can't be authenticated and is therefore potentially dangerous to use.
  N: See apt-secure(8) manpage for repository creation and user configuration details.
  $ /usr/bin/apt-key --quiet --readonly verify --status-fd /dev/stderr /tmp/apt.sig.jYGUCG /tmp/apt.data.uTkX1c
  gpgv: Signature made Tue May 3 19:02:17 2016 UTC using DSA key ID 437D05B5
  [GNUPG:] SIG_ID e53PXRjA/EMb7CuZJtAicvvUm60 2016-05-03 1462302137
  [GNUPG:] GOODSIG 40976EAF437D05B5 Ubuntu Archive Automatic Signing Key
  gpgv: Good signature from "Ubuntu Archive Automatic Signing Key "
  [GNUPG:] VALIDSIG 630239CC130E1A7FD81A27B140976EAF437D05B5 2016-05-03 1462302137 0 4 0 17 10 01 630239CC130E1A7FD81A27B140976EAF437D05B5
  gpgv: Signature made Tue May 3 19:02:17 2016 UTC using RSA key ID C0B21F32
  [GNUPG:] SIG_ID kCsrLo9VUm7YcYhhqQUw2fbWoY4 2016-05-03 1462302137
  [GNUPG:] GOODSIG 3B4FE6ACC0B21F32 Ubuntu Archive Automatic Signing Key (2012)
  gpgv: Good signature from "Ubuntu Archive Automatic Signing Key (2012) "
  [GNUPG:] VALIDSIG 790BC7277767219C42C86F933B4FE6ACC0B21F32 2016-05-03 1462302137 0 4 0 1 10 01 790BC7277767219C42C86F933B4FE6ACC0B21F32

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apt/+bug/1577926/+subscriptions
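The distinction the "Expected" section asks for, as an added example that is not apt's code: a classifier over a captured `--status-fd` stream that keeps "no signature", "verifier could not run" and "signature rejected" apart instead of reporting all of them as unsigned. The function names, the outcome labels and the decision order are assumptions; the status lines are copied from the run quoted above.

```python
# Constructed input: status lines copied from the apt-key run quoted in this
# report. An empty capture stands in for the run under apt-get that exited
# with status 111 before producing any status output.
GOOD_STATUS = """\
[GNUPG:] SIG_ID e53PXRjA/EMb7CuZJtAicvvUm60 2016-05-03 1462302137
[GNUPG:] GOODSIG 40976EAF437D05B5 Ubuntu Archive Automatic Signing Key
[GNUPG:] VALIDSIG 630239CC130E1A7FD81A27B140976EAF437D05B5 2016-05-03 1462302137 0 4 0 17 10 01 630239CC130E1A7FD81A27B140976EAF437D05B5
"""

def parse_status(text):
    """Return (keyword, args) for every '[GNUPG:]' line in a status capture."""
    records = []
    for line in text.splitlines():
        if line.startswith("[GNUPG:] "):
            parts = line.split()[1:]
            if parts:
                records.append((parts[0], parts[1:]))
    return records

def classify(signature_fetched, exit_code, status_text, trusted_fprs):
    """Map one verification attempt to a distinct, reportable outcome."""
    if not signature_fetched:
        return "unsigned"              # the only case that means "not signed"
    records = parse_status(status_text)
    keywords = {kw for kw, _ in records}
    # VALIDSIG carries the full fingerprint as its first argument.
    valid = {args[0] for kw, args in records if kw == "VALIDSIG" and args}
    if "BADSIG" in keywords:
        return "bad-signature"
    if exit_code == 0 and valid & set(trusted_fprs):
        return "verified"
    if "NO_PUBKEY" in keywords:
        return "missing-key"
    if valid:
        return "untrusted-key"
    return "verifier-failed"           # signature present, verifier gave no verdict

if __name__ == "__main__":
    trusted = {"630239CC130E1A7FD81A27B140976EAF437D05B5"}
    print(classify(True, 0, GOOD_STATUS, trusted))
    print(classify(True, 111, "", trusted))
```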
[Touch-packages] [Bug 1577926] Re: apt-key works fine, yet apt fails with "Could not execute 'apt-key'"
What I think might be useful is being able to get a list of open file descriptors of the process at the point the execve is being called.

I suspect that it's failing because it doesn't have access to something, so it gets an EPERM.

The only reference to execve failing in the man page is because of setuid and a file system being mounted nosuid.

Unless somebody wants to read the kernel code and figure out why execve can return EPERM.