ocserv pam groups are limited to 32
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| ocserv (Ubuntu) | New | Undecided | Unassigned | |
Bug Description
pam_auth group selection issue with more than 32 groups membership
We have got an issue with group selection when an account has more than 32 Linux groups connected with it. Users with membership in 33 or more groups successfully authenticate but are passed to a default group with no custom routes. I guess it's a PAM module issue, but I have no idea how to fix it.
---config file---
/etc/ocserv/
auth = "pam[gid-
tcp-port = 443
udp-port = 443
run-as-user = nobody
run-as-group = daemon
socket-file = /var/run/
isolate-workers = true
max-clients = 16
max-same-clients = 2
keepalive = 32400
dpd = 90
mobile-dpd = 1800
try-mtu-discovery = true
cert-user-oid = 0.9.2342.
tls-priorities = "NORMAL:
auth-timeout = 40
min-reauth-time = 3
max-ban-score = 50
ban-reset-time = 300
cookie-timeout = 300
cookie-rekey-time = 14400
deny-roaming = false
rekey-time = 172800
rekey-method = ssl
use-utmp = false
use-occtl = true
pid-file = /var/run/ocserv.pid
device = vpns
predictable-ips = true
compression = true
ipv4-network = 10.130.136.0/24
ping-leases = false
#restrict-
append-
select-group = SA
select-group = Users
auto-select-group = false
config-per-user = /etc/ocserv/
config-per-group = /etc/ocserv/
route-add-cmd = "ip route add %{R} dev %{D}"
route-del-cmd = "ip route delete %{R} dev %{D}"
cisco-client-compat = true
---pam module---
/etc/pam.d/ocserv
#%PAM-1.0
auth sufficient pam_ldap.so debug
account sufficient pam_ldap.so debug
password sufficient pam_ldap.so debug
---affected user---
Please enter your username.
Username:******
POST https:/
> POST /auth HTTP/1.1
> Host: ***********
> User-Agent: Open AnyConnect VPN Agent v7.06
> Accept: */*
> Accept-Encoding: identity
> X-Transcend-
> X-Aggregate-Auth: 1
> X-AnyConnect-
> X-Support-
> X-Pad: 000000000000000
> Content-Type: application/
> Content-Length: 234
>
> <?xml version="1.0" encoding="UTF-8"?>
> <config-auth client="vpn" type="auth-
Got HTTP response: HTTP/1.1 200 OK
Set-Cookie: webvpncontext=
Content-Type: text/xml
Content-Length: 310
X-Transcend-
HTTP body length: (310)
< <?xml version="1.0" encoding="UTF-8"?>
< <config-auth client="vpn" type="auth-
< <version who="sg"
< <auth id="main">
< <message>Please enter your password.</message>
< <form method="post" action="/auth">
< <input type="password" name="password" label="Password:" />
< </form></auth>
< </config-auth>
Please enter your password.
Password:
POST https:/
> POST /auth HTTP/1.1
> Host: *********
> User-Agent: Open AnyConnect VPN Agent v7.06
> Cookie: webvpncontext=
> Accept: */*
> Accept-Encoding: identity
> X-Transcend-
> X-Aggregate-Auth: 1
> X-AnyConnect-
> X-Support-
> X-Pad: 000000000000000
> Content-Type: application/
> Content-Length: 209
>
> <?xml version="1.0" encoding="UTF-8"?>
> <config-auth client="vpn" type="auth-
Got HTTP response: HTTP/1.1 200 OK
Connection: Keep-Alive
Content-Type: text/xml
Content-Length: 189
X-Transcend-
Set-Cookie: webvpncontext=
Set-Cookie: webvpn=<elided>; Secure
Set-Cookie: webvpnc=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; Secure
Set-Cookie: webvpnc=
HTTP body length: (189)
< <?xml version="1.0" encoding="UTF-8"?>
< <config-auth client="vpn" type="complete">
< <version who="sg"
< <auth id="success">
< <title>SSL VPN Service<
> CONNECT /CSCOSSLC/tunnel HTTP/1.1
> Host: ***************
> User-Agent: Open AnyConnect VPN Agent v7.06
> Cookie: webvpn=
> X-CSTP-Version: 1
> X-CSTP-Hostname: box3
> X-CSTP-
> X-CSTP-MTU: 1406
> X-CSTP-
> X-CSTP-
> X-DTLS-
> X-DTLS-CipherSuite: OC-DTLS1_
> X-DTLS-
>
Got CONNECT response: HTTP/1.1 200 CONNECTED
X-CSTP-Version: 1
X-CSTP-Server-Name: ocserv 0.10.11
X-CSTP-DPD: 90
X-CSTP-
X-CSTP-Base-MTU: 1355
X-CSTP-Address: 10.130.136.29
X-CSTP-Netmask: 255.255.255.0
X-CSTP-Split-DNS: ********
X-CSTP-Split-DNS: ********
X-CSTP-Split-DNS: ********
X-CSTP-Split-DNS: ********
X-CSTP-Split-DNS: ********
X-CSTP-
X-CSTP-Keepalive: 32400
X-CSTP-
X-CSTP-
X-CSTP-Rekey-Time: 172813
X-CSTP-
X-CSTP-
X-CSTP-
X-CSTP-Keep: true
X-CSTP-
X-CSTP-License: accept
X-DTLS-Session-ID: afe8f4769e3a279
X-DTLS-DPD: 90
X-DTLS-Port: 443
X-DTLS-Rekey-Time: 172823
X-DTLS-
X-DTLS-Keepalive: 32400
X-DTLS-CipherSuite: OC-DTLS1_
X-DTLS-MTU: 1289
X-CSTP-MTU: 1289
X-DTLS-
X-CSTP-
CSTP connected. DPD 90, Keepalive 32400
CSTP Ciphersuite: (TLS1.2)
DTLS option X-DTLS-Session-ID : afe8f4769e3a279
DTLS option X-DTLS-DPD : 90
DTLS option X-DTLS-Port : 443
DTLS option X-DTLS-Rekey-Time : 172823
DTLS option X-DTLS-Rekey-Method : ssl
DTLS option X-DTLS-Keepalive : 32400
DTLS option X-DTLS-CipherSuite : OC-DTLS1_
DTLS option X-DTLS-MTU : 1289
DTLS option X-DTLS-
DTLS initialised. DPD 90, Keepalive 32400
Connected tun0 as 10.130.136.29, using SSL + lz4
Established DTLS connection (using GnuTLS). Ciphersuite (DTLS1.
Resolution:
There is a definition in sec-mod.h which limits MAX_GROUPS to 32.
Please rebuild the package with `#define MAX_GROUPS 65535`.
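As an added illustration (not code from ocserv or from this report), the following Python models the behaviour the report describes: the server keeps at most MAX_GROUPS (32) of a user's groups, and a user whose configured select-group is not among the retained entries falls back to the default config with no per-group routes. The `select-group` values come from the config above; the order in which the system returns a user's groups, and the sample accounts, are constructed assumptions. The `audit_user` helper is the check an administrator would want before users reach the cap.

```python
"""Model of the ocserv group-selection failure described in the bug report.

Added example, not ocserv code.  It reproduces the symptom the report
describes (a fixed-size group list capped at MAX_GROUPS = 32, and a user
whose VPN group is truncated away landing on the default config) and
provides an audit that flags accounts at risk.  Group ordering is assumed.
"""

MAX_GROUPS = 32  # value of the sec-mod.h define named in the report

# Configured select-group values from the report's ocserv.conf
SELECT_GROUPS = ["SA", "Users"]


def retained_groups(system_groups, cap=MAX_GROUPS):
    """Groups the server still sees after the fixed-size buffer truncates the list."""
    return list(system_groups)[:cap]


def effective_vpn_group(system_groups, select_groups, cap=MAX_GROUPS):
    """Return the first configured select-group present in the retained list.

    None means the user is left on the default config (no custom routes).
    """
    kept = set(retained_groups(system_groups, cap))
    for group in select_groups:
        if group in kept:
            return group
    return None


def audit_user(name, system_groups, select_groups, cap=MAX_GROUPS):
    """Flag accounts whose VPN group has been truncated away, or that sit over
    the cap so that selection depends purely on the order groups come back."""
    intended = [g for g in select_groups if g in system_groups]
    effective = effective_vpn_group(system_groups, select_groups, cap)
    problem = None
    if intended and effective is None:
        problem = "vpn group truncated: user falls back to default config"
    elif len(system_groups) > cap:
        problem = "over the group cap: selection depends on group order"
    return {
        "user": name,
        "groups": len(system_groups),
        "intended": intended,
        "effective": effective,
        "problem": problem,
    }


def sample_accounts():
    """Constructed accounts (hypothetical names and project groups)."""
    projects = [f"proj{i}" for i in range(40)]
    return {
        "alice": ["staff", "SA"],                                # 2 groups, fine
        "bob": projects[:35] + ["SA"] + projects[35:],           # SA is entry 36
        "carol": ["SA"] + projects,                              # SA is entry 1
    }


def run_audit(accounts=None, select_groups=SELECT_GROUPS, cap=MAX_GROUPS):
    """Audit every account and return the findings as a list of dicts."""
    accounts = sample_accounts() if accounts is None else accounts
    return [audit_user(n, g, select_groups, cap) for n, g in accounts.items()]


if __name__ == "__main__":
    for finding in run_audit():
        print(finding)
```

On real hosts the per-user group list would come from `id -G -n <user>` rather than the constructed table; the point of the audit is that the truncation is silent (authentication succeeds), so only a membership count check or a test connection reveals it.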
This is being discussed on the upstream at [0]. A maximum of 65535 doesn't make sense because (1) how could a user choose from such a high number, and (2) it requires a server change as the memory used will be excessive.
[0] https://gitlab.com/openconnect/ocserv/-/issues/219