ocserv pam groups are limited to 32

Bug #1840241 reported by Andrey Markovskiy
Affects: ocserv (Ubuntu) | Status: New | Importance: Undecided | Assigned to: Unassigned | Milestone: none

Bug Description

pam_auth group selection issue with more than 32 groups membership
We have got an issue with group selection when an account has more than 32 Linux groups connected with it. A user with memberships in 33 or more groups successfully authenticates but is passed to a default group with no custom routes. I guess it's a pam module issue, but I have no idea how to fix it.

----config file ----
/etc/ocserv/ocserv.conf
auth = "pam[gid-min=10000]"
tcp-port = 443
udp-port = 443
run-as-user = nobody
run-as-group = daemon
socket-file = /var/run/ocserv-socket
isolate-workers = true
max-clients = 16
max-same-clients = 2
keepalive = 32400
dpd = 90
mobile-dpd = 1800
try-mtu-discovery = true
cert-user-oid = 0.9.2342.19200300.100.1.1
tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-VERS-SSL3.0"
auth-timeout = 40
min-reauth-time = 3
max-ban-score = 50
ban-reset-time = 300
cookie-timeout = 300
cookie-rekey-time = 14400
deny-roaming = false
rekey-time = 172800
rekey-method = ssl
use-utmp = false
use-occtl = true
pid-file = /var/run/ocserv.pid
device = vpns
predictable-ips = true
compression = true

ipv4-network = 10.130.136.0/24

ping-leases = false
#restrict-user-to-routes = true
append-global-routes = false

select-group = SA
select-group = Users
auto-select-group = false
config-per-user = /etc/ocserv/config-per-user
config-per-group = /etc/ocserv/config-per-group

route-add-cmd = "ip route add %{R} dev %{D}"
route-del-cmd = "ip route delete %{R} dev %{D}"

cisco-client-compat = true

---pam module---
/etc/pam.d/ocserv
#%PAM-1.0
auth sufficient pam_ldap.so debug
account sufficient pam_ldap.so debug
password sufficient pam_ldap.so debug

---affected user---
Please enter your username.
Username:******
POST https://************/auth
> POST /auth HTTP/1.1
> Host: ***********
> User-Agent: Open AnyConnect VPN Agent v7.06
> Accept: */*
> Accept-Encoding: identity
> X-Transcend-Version: 1
> X-Aggregate-Auth: 1
> X-AnyConnect-Platform: linux-64
> X-Support-HTTP-Auth: true
> X-Pad: 0000000000000000000000
> Content-Type: application/x-www-form-urlencoded
> Content-Length: 234
>
> <?xml version="1.0" encoding="UTF-8"?>
> <config-auth client="vpn" type="auth-reply"><version who="vpn">v7.06</version><device-id>linux-64</device-id><auth><username>******</username></auth><group-select>SA</group-select></config-auth>
Got HTTP response: HTTP/1.1 200 OK
Set-Cookie: webvpncontext=nxFuXVMj9t6Ij+Q5VFiN8Q==; Max-Age=300; Secure
Content-Type: text/xml
Content-Length: 310
X-Transcend-Version: 1
HTTP body length: (310)
< <?xml version="1.0" encoding="UTF-8"?>
< <config-auth client="vpn" type="auth-request">
< <version who="sg">0.1(1)</version>
< <auth id="main">
< <message>Please enter your password.</message>
< <form method="post" action="/auth">
< <input type="password" name="password" label="Password:" />
< </form></auth>
< </config-auth>
Please enter your password.
Password:
POST https://************/auth
> POST /auth HTTP/1.1
> Host: *********
> User-Agent: Open AnyConnect VPN Agent v7.06
> Cookie: webvpncontext=nxFuXVMj9t6Ij+Q5VFiN8Q==
> Accept: */*
> Accept-Encoding: identity
> X-Transcend-Version: 1
> X-Aggregate-Auth: 1
> X-AnyConnect-Platform: linux-64
> X-Support-HTTP-Auth: true
> X-Pad: 00000000000000000000000000000000000000000000000
> Content-Type: application/x-www-form-urlencoded
> Content-Length: 209
>
> <?xml version="1.0" encoding="UTF-8"?>
> <config-auth client="vpn" type="auth-reply"><version who="vpn">v7.06</version><device-id>linux-64</device-id><auth><password>******</password></auth></config-auth>
Got HTTP response: HTTP/1.1 200 OK
Connection: Keep-Alive
Content-Type: text/xml
Content-Length: 189
X-Transcend-Version: 1
Set-Cookie: webvpncontext=nxFuXVMj9t6Ij+Q5VFiN8Q==; Secure
Set-Cookie: webvpn=<elided>; Secure
Set-Cookie: webvpnc=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; Secure
Set-Cookie: webvpnc=bu:/&p:t&iu:1/&sh:6260E353917A21CE78512A34BBD88075DD2B519D; path=/; Secure
HTTP body length: (189)
< <?xml version="1.0" encoding="UTF-8"?>
< <config-auth client="vpn" type="complete">
< <version who="sg">0.1(1)</version>
< <auth id="success">
< <title>SSL VPN Service</title></auth></config-auth>
> CONNECT /CSCOSSLC/tunnel HTTP/1.1
> Host: ***************
> User-Agent: Open AnyConnect VPN Agent v7.06
> Cookie: webvpn=+oCba/+cb3XchxQ3zYW0nMO37/YB9cGN2JBFzv3FdGFe0Xx1ZNbvPjoejh5VGPlC2EF8VE5fjLcERfN88Vh7L5M7VTNClfPIaHzkCb7jblIgXQ==
> X-CSTP-Version: 1
> X-CSTP-Hostname: box3
> X-CSTP-Accept-Encoding: oc-lz4,lzs
> X-CSTP-MTU: 1406
> X-CSTP-Address-Type: IPv6,IPv4
> X-CSTP-Full-IPv6-Capability: true
> X-DTLS-Master-Secret: B1AB2E0AE81A306466F2F75347A9E1CE8FBDBA4535CCDD6C97D28D990C0207947D0EB83F2145DFCE6C04D701DF947778
> X-DTLS-CipherSuite: OC-DTLS1_2-AES256-GCM:OC-DTLS1_2-AES128-GCM:AES256-SHA:AES128-SHA:DES-CBC3-SHA:DES-CBC-SHA
> X-DTLS-Accept-Encoding: oc-lz4,lzs
>
Got CONNECT response: HTTP/1.1 200 CONNECTED
X-CSTP-Version: 1
X-CSTP-Server-Name: ocserv 0.10.11
X-CSTP-DPD: 90
X-CSTP-Default-Domain: ******************
X-CSTP-Base-MTU: 1355
X-CSTP-Address: 10.130.136.29
X-CSTP-Netmask: 255.255.255.0
X-CSTP-Split-DNS: ********
X-CSTP-Split-DNS: ********
X-CSTP-Split-DNS: ********
X-CSTP-Split-DNS: ********
X-CSTP-Split-DNS: ********
X-CSTP-Tunnel-All-DNS: false
X-CSTP-Keepalive: 32400
X-CSTP-Idle-Timeout: none
X-CSTP-Smartcard-Removal-Disconnect: true
X-CSTP-Rekey-Time: 172813
X-CSTP-Rekey-Method: ssl
X-CSTP-Session-Timeout: none
X-CSTP-Disconnected-Timeout: none
X-CSTP-Keep: true
X-CSTP-TCP-Keepalive: true
X-CSTP-License: accept
X-DTLS-Session-ID: afe8f4769e3a279a7b2ccdb5f8dd97897c4549dbc102f7c43164523a64857f50
X-DTLS-DPD: 90
X-DTLS-Port: 443
X-DTLS-Rekey-Time: 172823
X-DTLS-Rekey-Method: ssl
X-DTLS-Keepalive: 32400
X-DTLS-CipherSuite: OC-DTLS1_2-AES128-GCM
X-DTLS-MTU: 1289
X-CSTP-MTU: 1289
X-DTLS-Content-Encoding: oc-lz4
X-CSTP-Content-Encoding: oc-lz4
CSTP connected. DPD 90, Keepalive 32400
CSTP Ciphersuite: (TLS1.2)-(ECDHE-RSA-SECP256R1)-(AES-128-GCM)
DTLS option X-DTLS-Session-ID : afe8f4769e3a279a7b2ccdb5f8dd97897c4549dbc102f7c43164523a64857f50
DTLS option X-DTLS-DPD : 90
DTLS option X-DTLS-Port : 443
DTLS option X-DTLS-Rekey-Time : 172823
DTLS option X-DTLS-Rekey-Method : ssl
DTLS option X-DTLS-Keepalive : 32400
DTLS option X-DTLS-CipherSuite : OC-DTLS1_2-AES128-GCM
DTLS option X-DTLS-MTU : 1289
DTLS option X-DTLS-Content-Encoding : oc-lz4
DTLS initialised. DPD 90, Keepalive 32400
Connected tun0 as 10.130.136.29, using SSL + lz4
Established DTLS connection (using GnuTLS). Ciphersuite (DTLS1.2)-(RSA)-(AES-128-GCM).

Resolution:
There is a definition in sec-mod.h which limits MAX_GROUPS to 32.
Please recreate the package with #define MAX_GROUPS 65535

Revision history for this message
Nikos Mavrogiannopoulos (nmavrogiannopoulos) wrote :

This is being discussed upstream at [0]. A maximum of 65535 doesn't make sense because (1) how could a user choose from such a high number, and (2) it requires a server change as the memory used will be excessive.

[0]. https://gitlab.com/openconnect/ocserv/-/issues/219
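The failure mode described in the report (a membership list silently cut off at a fixed cap, so a group the user legitimately belongs to is never offered for selection and the session lands in the default group) and the maintainer's objection to a huge static array are both illustrated by the following added example. It is not ocserv's code and does not reproduce sec-mod.h; the MAX_GROUPS value only mirrors the number named in the report, the gid-min filter mirrors the `pam[gid-min=10000]` setting above, and the 40-group membership with a constructed gid 10035 standing in for the "SA" group is sample data invented for the demonstration. The hardened collector sizes its buffer dynamically and refuses (returning an error the caller can log) rather than truncating when a hard ceiling is exceeded, which is the behaviour a defender wants from an authorization lookup.

```c
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical cap mirroring the limit the report names; this is not
 * ocserv's own sec-mod.h definition or code. */
#define MAX_GROUPS 32
#define GID_MIN    10000   /* mirrors auth = "pam[gid-min=10000]" */

/* Constructed sample: 40 supplementary gids, as an LDAP/PAM lookup might
 * return for a user with many memberships. gid 10035 plays the "SA" group. */
#define SAMPLE_NGROUPS 40
#define SAMPLE_SA_GID  10035

static size_t build_sample(unsigned *gids, size_t cap) {
    size_t n = SAMPLE_NGROUPS < cap ? SAMPLE_NGROUPS : cap;
    for (size_t i = 0; i < n; i++) gids[i] = GID_MIN + (unsigned)i;
    return n;
}

/* Failure mode: fixed-size destination. The loop stops at the cap and every
 * membership past it vanishes with no error and no log line. */
static size_t collect_fixed(const unsigned *gids, size_t n, unsigned out[MAX_GROUPS]) {
    size_t k = 0;
    for (size_t i = 0; i < n && k < MAX_GROUPS; i++) {
        if (gids[i] < GID_MIN) continue;   /* honour the gid-min filter */
        out[k++] = gids[i];
    }
    return k;
}

/* Hardened version: allocate exactly what is needed, and if a hard ceiling
 * exists, fail loudly instead of truncating. Returns 0 on success and -1 when
 * the filtered list exceeds hard_limit (or on allocation failure).
 * The caller frees *out. */
static int collect_dynamic(const unsigned *gids, size_t n, size_t hard_limit,
                           unsigned **out, size_t *count) {
    size_t k = 0;
    for (size_t i = 0; i < n; i++)
        if (gids[i] >= GID_MIN) k++;
    *out = NULL;
    *count = 0;
    if (k > hard_limit)
        return -1;   /* surfaced to the caller, never silently dropped */
    unsigned *buf = malloc((k ? k : 1) * sizeof *buf);
    if (!buf) return -1;
    size_t j = 0;
    for (size_t i = 0; i < n; i++)
        if (gids[i] >= GID_MIN) buf[j++] = gids[i];
    *out = buf;
    *count = k;
    return 0;
}

/* select-group check: is the requested group among the gids we kept? */
static int group_selectable(const unsigned *members, size_t count, unsigned wanted) {
    for (size_t i = 0; i < count; i++)
        if (members[i] == wanted) return 1;
    return 0;
}

/* 1 if the truncating path loses the SA group for the sample user. */
static int fixed_path_drops_sa(void) {
    unsigned gids[SAMPLE_NGROUPS], kept[MAX_GROUPS];
    size_t n = build_sample(gids, SAMPLE_NGROUPS);
    size_t k = collect_fixed(gids, n, kept);
    return !group_selectable(kept, k, SAMPLE_SA_GID);
}

/* 1 if the dynamic path keeps SA selectable under the given ceiling;
 * 0 when the lookup was refused (error path) or SA is absent. */
static int dynamic_path_keeps_sa(size_t hard_limit) {
    unsigned gids[SAMPLE_NGROUPS], *kept = NULL;
    size_t n = build_sample(gids, SAMPLE_NGROUPS), k = 0;
    if (collect_dynamic(gids, n, hard_limit, &kept, &k) != 0) return 0;
    int ok = group_selectable(kept, k, SAMPLE_SA_GID);
    free(kept);
    return ok;
}

int main(void) {
    printf("fixed cap %d: SA dropped = %d\n", MAX_GROUPS, fixed_path_drops_sa());
    printf("dynamic, ceiling 256: SA kept = %d\n", dynamic_path_keeps_sa(256));
    printf("dynamic, ceiling 32: SA kept = %d (refused, not truncated)\n",
           dynamic_path_keeps_sa(32));
    return 0;
}
```

The point of the second collector is that a ceiling is fine, provided overflow is an explicit error that shows up in the authentication log rather than a silent fallback to the default group; a 65535-entry static array per session, as the maintainer notes, only moves the cap while paying for memory that almost no user needs.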
