node-authenticate-pam crash

.gitignore

node_modules
.vagrant
*.swp

README.md

Example of pam-authenticate crash

Vagrant must be installed to use this setup. I'm using Virtualbox as the back-end.

Running vagrant up will provision the two boxes necessary for this test. One running node with an authenticate-pam example, and one running an openldap server. The node box is configured to use PAM to defer to the LDAP server for auth.

Now SSH into the node box using vagrant ssh node, cd /vagrant.

Now run the index.js file sudo node index.js. In the first commit of this project (using an older version of authenticate-pam) you'll see a segmentation fault. Now you no longer see the segfault, but the inner callback from authenticate never gets called (i.e. there's no output when running the command).

---

You shouldn't have to run this command, but if you get an error like "Auth failed -- User not known to the underlying authentication module", this command will resolve it.

sudo authconfig --enableldap --enableldapauth --ldapserver="openldap:389" --ldapbasedn="ou=People,dc=ssp-openldap" --update

add_content.ldif

dn: ou=People,dc=openldap
objectClass: organizationalUnit
ou: People

dn: ou=Groups,dc=openldap
objectClass: organizationalUnit
ou: Groups

dn: cn=managers,ou=Groups,dc=openldap
objectClass: posixGroup
cn: managers
gidNumber: 5002
memberUid: john
memberUid: kim

dn: uid=john,ou=People,dc=openldap
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: john
sn: Doe
givenName: John
cn: John Doe
displayName: John Doe
uidNumber: 10000
gidNumber: 5000
userPassword: johnldap
gecos: John Doe
loginShell: /bin/bash
homeDirectory: /home/john

dn: uid=kim,ou=People,dc=openldap
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: kim
sn: Smith
givenName: Kim
cn: Kim Smith
displayName: Kim Smith
uidNumber: 10001
gidNumber: 5001
userPassword: kimldap
gecos: Kim Smith
loginShell: /bin/bash
homeDirectory: /home/kim

crashexample

auth      sufficient    pam_ldap.so try_first_pass ignore_unknown_user
auth      sufficient    pam_unix.so nullok try_first_pass
auth      requisite     pam_succeed_if.so uid >= 500 quiet
auth      required      pam_unix.so nodelay

account   required      pam_unix.so
account   required      pam_ldap.so ignore_authinfo_unavail ignore_unknown_user
account   required      pam_permit.so

index.js

var pam = require('authenticate-pam');

process.on('uncaughtException', function(err) {
  console.log('Uncaught exception: ' + err);
  console.log(err.stack);
  throw err;
});

// login with the right password 'johnldap' to see success. Login with the wrong
// password and you either get a segfault (on old authenticate-pams) or no
// callback evaluation.
pam.authenticate('john', 'wrong', function(err) {
    if(err) {
      console.log("Auth failed");
      console.log(err);
    }
    else {
      console.log("Authenticated!");
    }
}, {serviceName: 'crashexample'});

install-openldap.sh

#!/bin/bash

apt-get update

# Need to alter /etc/hosts such that slapd will infer the desired hostname.
mv /etc/hosts /etc/hosts.backup
echo "127.0.1.1       openldap.openldap	openldap" > /etc/hosts

# Set the passwords so we aren't prompted interactively
debconf-set-selections <<< 'slapd slapd/password1 password LDAPPass'
debconf-set-selections <<< 'slapd slapd/password2 password LDAPPass'
apt-get install slapd ldap-utils -y

# Restore the hostsfile.
mv /etc/hosts.backup /etc/hosts

# Populate the directory
ldapadd -x -D cn=admin,dc=openldap -f /vagrant/add_content.ldif -w "LDAPPass"

package.json

{
  "name": "pam-crash",
  "version": "1.0.0",
  "description": "",
  "main": "index.js",
  "scripts": {
    "test": "echo \"Error: no test specified\" && exit 1"
  },
  "author": "",
  "license": "ISC",
  "dependencies": {
    "authenticate-pam": "^1.0.1"
  }
}

setup.sh

mv /etc/hosts /etc/hosts.backup
echo "127.0.1.1       pam.ldap.test.com centos7-pam-ldap localhost
10.0.0.13       openldap" > /etc/hosts

# On this minimal install, we need wget
yum install wget -y

sudo systemctl disable firewalld 
sudo systemctl stop firewalld
sudo sed -i 's/enforcing/disabled/g' /etc/selinux/config



# Install and configure NTP
sudo yum -y install ntp
sudo ntpdate 0.rhel.pool.ntp.org
sudo systemctl start  ntpd.service
sudo systemctl enable ntpd.service

# Install and configure pam_ldap and nss
sudo yum -y install pam_ldap nss-pam-ldapd

sudo authconfig --enableforcelegacy --update
sudo authconfig --enableldap --enableldapauth --ldapserver="openldap:389" --ldapbasedn="ou=People,dc=openldap" --update

sudo systemctl restart nscd
sudo systemctl restart nslcd
sudo systemctl enable nscd
sudo systemctl enable nslcd

sudo cp /vagrant/crashexample /etc/pam.d/crashexample

sudo yum -y install epel-release
sudo yum -y install nodejs
sudo yum -y install npm

sudo yum -y install kernel-headers
sudo yum -y install pam-devel

( cd /vagrant && npm install )

Vagrantfile

# -*- mode: ruby -*-
# vi: set ft=ruby :

# Vagrantfile API/syntax version. Don't touch unless you know what you're doing!
VAGRANTFILE_API_VERSION = "2"

Vagrant.configure(VAGRANTFILE_API_VERSION) do |config|

 config.vm.define 'ldap', autostart: true do |instance|
    instance.vm.box = "ubuntu-12.04.3-server-amd64"
    instance.vm.box = "ubuntu/precise64"
    instance.vm.host_name = "openldap"

    instance.vm.provision "shell", path: "install-openldap.sh"

    instance.vm.network "private_network", ip: "10.0.0.13"
  end
  config.vm.define 'node', primary: true do |instance|

    instance.vm.box = "centos7-20"
    instance.vm.box_url = "https://s3-us-west-2.amazonaws.com/rstudio-vagrant-boxes/boxes/centos7.box"

    instance.vm.host_name = "centos7-pam-ldap"
    instance.vm.provision "shell", path: "setup.sh"

    instance.vm.network :private_network, ip: "10.0.0.175"
  end
end