Ubuntu
shadow package

pam_radius_auth: Failed to open RADIUS IPv6 socket: Address family not supported by protocol

Bug #2068729 reported by Real Ursus
8
This bug affects 1 person
Affects Status Importance Assigned to Milestone
libpam-radius-auth (Ubuntu)
Triaged
Undecided
Unassigned
shadow (Ubuntu)
New
Undecided
Unassigned

Bug Description

New and fully updated 24.04 LTS with disabled IPv6 (The CISA secure config states that IPv6 is to be disabled unless it's in use).

lsb_release -rd:
No LSB modules are available.
Description: Ubuntu 24.04 LTS
Release: 24.04

apt-cache policy libpam-radius-auth
libpam-radius-auth:
  Installed: 2.0.1-1
  Candidate: 2.0.1-1
  Version table:
 *** 2.0.1-1 500
        500 http://au.archive.ubuntu.com/ubuntu noble/universe amd64 Packages
        100 /var/lib/dpkg/status

What you expected to happen:
Based on https://github.com/FreeRADIUS/pam_radius/blob/master/src/pam_radius_auth.c, the pam_radius_auth module must support ipv6 and ipv4 options.

/etc/pam.d/sshd:
auth sufficient pam_radius_auth.so conf=/etc/pam_radius_auth.conf retry=3 ipv4=yes ipv6=no debug

What happened instead:
2024-06-07T22:07:57.499460+10:00 ubuntu sshd[584305]: pam_radius_auth: 2.0.1, built on Aug 19 2023 at 14:08:42
2024-06-07T22:07:57.499672+10:00 ubuntu sshd[584305]: pam_radius_auth: unrecognized option 'ipv4=yes'
2024-06-07T22:07:57.499880+10:00 ubuntu sshd[584305]: pam_radius_auth: unrecognized option 'ipv6=no'
2024-06-07T22:07:57.500051+10:00 ubuntu sshd[584305]: pam_radius_auth: DEBUG: conf_file='/etc/pam_radius_auth.conf' use_first_pass=no try_first_pass=no skip_passwd=no retry=3 localifdown=no client_id='' accounting_bug=no ruser=no prompt='Password: ' force_prompt=no prompt_attribute=no max_challenge=0 privilege_level=no
2024-06-07T22:07:57.500279+10:00 ubuntu sshd[584305]: pam_radius_auth: Got user name: 'test'
2024-06-07T22:07:57.502892+10:00 ubuntu sshd[584305]: pam_radius_auth: Failed to open RADIUS IPv6 socket: Address family not supported by protocol

See original description
Revision history for this message
Real Ursus (real-ursus) wrote (last edit ):

Please note that
```git clone https://github.com/FreeRADIUS/pam_radius
cd pam_radius
make deb && dpkg -i ../libpam-radius-auth_2.0.1_amd64.deb
```
is working as expected:
2024-06-07T22:45:13.395293+10:00 ubuntu sshd[1457]: pam_radius_auth: 2.0.1 DEVELOPER BUILD - (git #d802da75), built on Jun 7 2024 at 12:38:28
2024-06-07T22:45:13.395508+10:00 ubuntu sshd[1457]: pam_radius_auth: _pam_parse: argv[0] = 'conf=/etc/pam_radius_auth.conf'
2024-06-07T22:45:13.395585+10:00 ubuntu sshd[1457]: pam_radius_auth: _pam_parse: argv[1] = 'retry=3'
2024-06-07T22:45:13.395642+10:00 ubuntu sshd[1457]: pam_radius_auth: _pam_parse: argv[2] = 'ipv4=yes'
2024-06-07T22:45:13.395709+10:00 ubuntu sshd[1457]: pam_radius_auth: _pam_parse: argv[3] = 'ipv6=no'
2024-06-07T22:45:13.395809+10:00 ubuntu sshd[1457]: pam_radius_auth: _pam_parse: argv[4] = 'debug'
2024-06-07T22:45:13.395968+10:00 ubuntu sshd[1457]: pam_radius_auth: DEBUG: conf='/etc/pam_radius_auth.conf' use_first_pass=no try_first_pass=no skip_passwd=no retry=3 localifdown=no client_id='' ruser=no prompt='Password: ' force_prompt=no prompt_attribute=no max_challenge=0 privilege_level=no

description: updated
Revision history for this message
Lena Voytek (lvoytek) wrote :

Thank you for the bug report. The current version of libpam-radius-auth is missing the ipv4 and ipv6 settings for pam configurations. This was fixed upstream here: https://github.com/FreeRADIUS/pam_radius/commit/8d373539bb9f13b0abfe8bcae0095a930a00fad0

I created a PPA to test that adding this commit fixes the issue here: https://launchpad.net/~lvoytek/+archive/ubuntu/libpam-radius-auth-ipv4-6-yes-no
If you would like to test it you can run the following commands:

sudo add-apt-repository ppa:lvoytek/libpam-radius-auth-ipv4-6-yes-no
sudo apt update
sudo apt upgrade

Also of note, this bug seems to match up with (LP: #2065737)

Changed in libpam-radius-auth (Ubuntu):
status: New → Triaged
Revision history for this message
Real Ursus (real-ursus) wrote :

Hi Lena,
Thank you for looking into the problem.
>I I created a PPA to test that adding this commit fixes the issue here: https://launchpad.net/~lvoytek/+archive/ubuntu/libpam-radius-auth-ipv4-6-yes-no

I am afraid that I was misunderstood...
As I wrote, github version is working as expected but the upstream is not.
I've suggested syncing upstream with github (which already respected ipvX arguments)

Here is my previous post:
 Please note that
```git clone https://github.com/FreeRADIUS/pam_radius
cd pam_radius
make deb && dpkg -i ../libpam-radius-auth_2.0.1_amd64.deb
```
is working as expected:
2024-06-07T22:45:13.395293+10:00 ubuntu sshd[1457]: pam_radius_auth: 2.0.1 DEVELOPER BUILD - (git #d802da75), built on Jun 7 2024 at 12:38:28
2024-06-07T22:45:13.395508+10:00 ubuntu sshd[1457]: pam_radius_auth: _pam_parse: argv[0] = 'conf=/etc/pam_radius_auth.conf'
2024-06-07T22:45:13.395585+10:00 ubuntu sshd[1457]: pam_radius_auth: _pam_parse: argv[1] = 'retry=3'
2024-06-07T22:45:13.395642+10:00 ubuntu sshd[1457]: pam_radius_auth: _pam_parse: argv[2] = 'ipv4=yes'
2024-06-07T22:45:13.395709+10:00 ubuntu sshd[1457]: pam_radius_auth: _pam_parse: argv[3] = 'ipv6=no'
2024-06-07T22:45:13.395809+10:00 ubuntu sshd[1457]: pam_radius_auth: _pam_parse: argv[4] = 'debug'
2024-06-07T22:45:13.395968+10:00 ubuntu sshd[1457]: pam_radius_auth: DEBUG: conf='/etc/pam_radius_auth.conf' use_first_pass=no try_first_pass=no skip_passwd=no retry=3 localifdown=no client_id='' ruser=no prompt='Password: ' force_prompt=no prompt_attribute=no max_challenge=0 privilege_level=no

Revision history for this message
Paride Legovini (paride) wrote :

Hello, Lena understanding of the issue is correct, maybe there is some confusion around terminology. In particular: the github version is what we call "upstream".

Lena picked the upstream commit adding support for ipv4= and ipv6= and applied it to the Noble packaged version of pam_radius. That's in the PPA to test. See also [1] for how upgrades of stable Ubuntu releases work.

[1] https://wiki.ubuntu.com/StableReleaseUpdates

Revision history for this message
Real Ursus (real-ursus) wrote :

If we set aside the specific terminology for a moment, it appears that the version of the software available on GitHub is functioning as expected, while the version available through the “apt” package manager is not.
My recommendation would be to consider updating the “apt” package directly, without the need to involve any personal or third-party “PPA”.
I hope this suggestion proves helpful.

Revision history for this message
Seth Arnold (seth-arnold) wrote :

Real, Lena is trying to fix the bug you reported. It would be helpful if you could test the fix.

I suggest reading the https://wiki.ubuntu.com/StableReleaseUpdates page to better understand our process.

Thanks

Revision history for this message
Real Ursus (real-ursus) wrote :

While github version is working as expected.

libpam-radius-auth_2.0.1-1ubuntu0.22.04.1~ppa1_amd64.deb version is giving me:

user@ubuntu:~$ sudo vi /etc/passwd
free(): double free detected in tcache 2
Aborted (core dumped)

Could we please clone all github version not only add-ipv4-and-ipv6-yes-no-options.patch ?

Revision history for this message
Lucas Kanashiro (lucaskanashiro) wrote :

Real, not sure if you read the documentation page linked twice here (by Paride and Seth), but in Ubuntu stable releases we do not import any new version from github as you are suggesting. Stable releases are supposed to be stable, therefore, we ship target fixes for the bugs present there (importing a full new release would not include just bug fixes, but it may introduce new functionalities and also new bugs!).

But thanks for testing the package provided by Lena. We need to double-check if something is missing or if it requires any modification. Lena, would you like to check that out?

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.