
Re: pam authentication with one-time use passwords

Bryan Stansell bryan@conserver.com
Thu, 5 Dec 2013 17:02:38 GMT


I think you've stumbled into new territory (one-time passwords and conserver).  The problem is that there are multiple conserver processes - one "master" and multiple "console" instances.  When the client logs into a console, it first talks to the master, asks what process is managing that console, then goes to that other process and asks for access.  There are things you can do with the master process (like telling it to reload the config) so the client has to authenticate there to protect the information and functionality.  And, of course, it needs to log in to the console.  And if you have a multi-master setup, one master redirects you to another master which then redirects you to...you get the idea.

Without a "global" authentication scheme, I'm not sure how to make it happen (which is yet another layer of "trust" that would require setup, maintenance, etc).  But if there's a good API (maybe even platform-specific?) that already exists to mitigate that, I'd love to hear about it.

As it stands, the conserver code has nothing available but making authentication checks when each process gets a connection.

Bryan

On Dec 5, 2013, at 5:17 AM, Matthew Gyurgyik <gyurgyikms@ornl.gov> wrote:

> Hello.
> 
> When attempting to use pam with conserver, I noticed that conserver was sending multiple authentications to PAM. As our security policy mandates one-time authentication tokens (rsa), multiple authentications using the same password fail.
> 
> Poking around in the code I identified 4 places where CheckPasswd() is called.
> 
> master.c:464 (CheckPasswd(pCLServing, pCLServing->accmd->string, FLAGFALSE) != AUTH_SUCCESS)
> master.c:568 (CheckPasswd(pCLServing, "", FLAGTRUE) == AUTH_SUCCESS)
> group.c:3389 (CheckPasswd(pCLServing, pCLServing->accmd->string, FLAGFALSE) != AUTH_SUCCESS)
> group.c:3495 (CheckPasswd(pCLServing, "", FLAGTRUE) == AUTH_SUCCESS)
> 
> When connecting from a remote client, it seems the authentication code in master.c is called and then the authentication code in group.c is called.
> 
> Would it be possible to call CheckPasswd() once, store the result in a global variable, and then pass that global variable to each of the conditional statements?
> 
> Additionally, it would appear that the if statement (CheckPasswd(pCLServing, "", FLAGTRUE) == AUTH_SUCCESS) at master.c:568 and group.c:3495 will never evaluate true. As I understand the code, the second variable passed into CheckPasswd should be the user password and in this case, this is blank. The CheckPasswd function doesn't do anything special with a blank password.
> 
> My c knowledge is nearly non-existent and therefore my grasp of the authentication code is poor. I don't know the difference between master.c and group.c and why authentication is happening in both master.c and group.c.
> 
> Thank you,
> Matthew Gyurgyik
> 
> -- 
> Matthew Gyurgyik
> HPC System Administrator
> National Center for Computational Sciences
> Oak Ridge National Laboratory
> 865-576-7099
> 
> _______________________________________________
> users mailing list
> users@conserver.com
> https://www.conserver.com/mailman/listinfo/users
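The exchange above describes two things: why a one-time token fails when the master process and the console (group) process each call CheckPasswd() with the same string, and the kind of "global" authentication scheme Bryan says would be needed to avoid that. The following is an added illustration written for this page, not conserver code and not a description of conserver's actual PAM handling. It models the OTP backend, the naive double check, and one hypothetical scheme in which the master authenticates the token once and issues a short-lived, single-use, HMAC-signed ticket bound to user and console that the other process verifies instead of re-running PAM. All class and function names (OtpBackend, TicketAuthority, naive_login, ticketed_login), the shared key, and the sample tokens are constructed for the example.

```python
import hashlib
import hmac
import json
import secrets

# Constructed sample: per-user one-time tokens standing in for RSA-style OTPs.
DEMO_TOKENS = {"alice": {"493812", "771024"}}


class OtpBackend:
    """Stand-in for a PAM stack backed by one-time tokens: each token is
    accepted at most once per user. That property is what breaks when two
    processes both present the same string."""

    def __init__(self, tokens):
        self._valid = {user: set(toks) for user, toks in tokens.items()}
        self._used = set()

    def authenticate(self, user, token):
        if token not in self._valid.get(user, ()) or (user, token) in self._used:
            return False
        self._used.add((user, token))
        return True


def naive_login(backend, user, otp):
    """Flow as described in the thread: the master checks the password, then
    the console process checks the very same string again.
    Returns (master_ok, console_ok)."""
    master_ok = backend.authenticate(user, otp)
    console_ok = backend.authenticate(user, otp) if master_ok else False
    return master_ok, console_ok


class TicketAuthority:
    """Hypothetical shared-secret scheme: the master verifies the OTP once and
    issues a ticket; other processes verify the ticket's MAC, expiry, console
    binding and single use, and never call PAM themselves."""

    def __init__(self, shared_key, ttl_seconds=30):
        self._key = shared_key
        self._ttl = ttl_seconds
        self._seen_nonces = set()  # replay protection, kept per verifying process

    def _mac(self, payload):
        return hmac.new(self._key, payload, hashlib.sha256).hexdigest().encode()

    def issue(self, user, console, now):
        body = {"user": user, "console": console,
                "exp": now + self._ttl, "nonce": secrets.token_hex(8)}
        payload = json.dumps(body, sort_keys=True).encode()
        return payload + b"." + self._mac(payload)

    def verify(self, ticket, console, now):
        """Return the authenticated user name, or None if the ticket is
        forged, tampered, expired, for another console, or already used."""
        payload, _, mac = ticket.rpartition(b".")  # hex MAC never contains '.'
        if not hmac.compare_digest(self._mac(payload), mac):
            return None
        body = json.loads(payload)
        if body["console"] != console or now > body["exp"]:
            return None
        if body["nonce"] in self._seen_nonces:
            return None
        self._seen_nonces.add(body["nonce"])
        return body["user"]


def ticketed_login(backend, master_ta, console_ta, user, console, otp, now):
    """Master consumes the OTP exactly once, then hands back a ticket that the
    console process accepts without touching PAM.
    Returns (master_ok, user_seen_by_console)."""
    if not backend.authenticate(user, otp):
        return False, None
    ticket = master_ta.issue(user, console, now)
    return True, console_ta.verify(ticket, console, now)


def demo(now=1000.0):
    backend = OtpBackend(DEMO_TOKENS)
    naive = naive_login(backend, "alice", "493812")           # second check fails
    key = secrets.token_bytes(32)                             # constructed shared key
    master_ta, console_ta = TicketAuthority(key), TicketAuthority(key)
    ticketed = ticketed_login(backend, master_ta, console_ta,
                              "alice", "ttyS0", "771024", now)
    return naive, ticketed


def ticket_checks(now=1000.0):
    """Exercise the failure modes a verifying process must reject."""
    key = secrets.token_bytes(32)
    issuer, verifier = TicketAuthority(key), TicketAuthority(key)
    ticket = issuer.issue("alice", "ttyS0", now)
    return {
        "valid": verifier.verify(ticket, "ttyS0", now),
        "replay": verifier.verify(ticket, "ttyS0", now),
        "wrong_console": TicketAuthority(key).verify(ticket, "ttyS1", now),
        "expired": TicketAuthority(key).verify(ticket, "ttyS0", now + 31),
        "tampered": TicketAuthority(key).verify(
            ticket.replace(b'"alice"', b'"bob"'), "ttyS0", now),
        "other_key": TicketAuthority(secrets.token_bytes(32)).verify(ticket, "ttyS0", now),
    }


if __name__ == "__main__":
    print(demo(), ticket_checks())
```

The naive flow returns (True, False): the master's check consumes the token and the console's identical check is refused, which is the symptom reported. The ticketed flow returns (True, "alice") with the OTP presented once. A real deployment of such a scheme would need secure key distribution to every master and console process, which is the extra layer of trust and maintenance Bryan points to.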