yubico-pam
yubico-pam copied to clipboard
Yubico
Double free or corruption in 2.15 when coupled with sudo
Hello,
I'm trying to use my yubikey with sudo but I received a segfault or one of these errors about 4 times out of 5. This is the backtrace that I have received as a result last. If you need any further info please ask and I'll be happy to oblige.
[vicksters@elysium ~]$ sudo su -
YubiKey for `vicksters': <KEY PRESSED AT THIS POINT>
*** Error in `sudo': double free or corruption (!prev): 0x00007fb7000008c0 ***
======= Backtrace: =========
/usr/lib/libc.so.6(+0x72ecf)[0x7fb718ae1ecf]
/usr/lib/libc.so.6(+0x7869e)[0x7fb718ae769e]
/usr/lib/libc.so.6(+0x79377)[0x7fb718ae8377]
/usr/lib/libc.so.6(fclose+0x14d)[0x7fb718ad84dd]
/usr/lib/libnss_files.so.2(_nss_files_gethostbyname4_r+0x2fb)[0x7fb71856bd6b]
/usr/lib/libc.so.6(+0xd0385)[0x7fb718b3f385]
/usr/lib/libc.so.6(getaddrinfo+0xfd)[0x7fb718b4181d]
/usr/lib/libcurl.so.4(+0x40494)[0x7fb7178c3494]
/usr/lib/libcurl.so.4(+0x499c4)[0x7fb7178cc9c4]
/usr/lib/libcurl.so.4(+0x4856b)[0x7fb7178cb56b]
/usr/lib/libpthread.so.0(+0x80a2)[0x7fb7169dd0a2]
/usr/lib/libc.so.6(clone+0x6d)[0x7fb718b5443d]
======= Memory map: ========
7fb6f4000000-7fb6f4021000 rw-p 00000000 00:00 0
7fb6f4021000-7fb6f8000000 ---p 00000000 00:00 0
7fb6fc000000-7fb6fc021000 rw-p 00000000 00:00 0
7fb6fc021000-7fb700000000 ---p 00000000 00:00 0
7fb700000000-7fb700021000 rw-p 00000000 00:00 0
7fb700021000-7fb704000000 ---p 00000000 00:00 0
7fb704000000-7fb704021000 rw-p 00000000 00:00 0
7fb704021000-7fb708000000 ---p 00000000 00:00 0
7fb70ac47000-7fb70ac48000 ---p 00000000 00:00 0
7fb70ac48000-7fb70b448000 rw-p 00000000 00:00 0 [stack:18707]
7fb70c000000-7fb70c021000 rw-p 00000000 00:00 0
7fb70c021000-7fb710000000 ---p 00000000 00:00 0
7fb71282b000-7fb712840000 r-xp 00000000 08:03 2519935 /usr/lib/libgcc_s.so.1
7fb712840000-7fb712a40000 ---p 00015000 08:03 2519935 /usr/lib/libgcc_s.so.1
7fb712a40000-7fb712a41000 rw-p 00015000 08:03 2519935 /usr/lib/libgcc_s.so.1
7fb712a41000-7fb712a42000 ---p 00000000 00:00 0
7fb712a42000-7fb713242000 rw-p 00000000 00:00 0
7fb713242000-7fb713247000 r-xp 00000000 08:03 2490693 /usr/lib/libnss_dns-2.18.so
7fb713247000-7fb713446000 ---p 00005000 08:03 2490693 /usr/lib/libnss_dns-2.18.so
7fb713446000-7fb713447000 r--p 00004000 08:03 2490693 /usr/lib/libnss_dns-2.18.so
7fb713447000-7fb713448000 rw-p 00005000 08:03 2490693 /usr/lib/libnss_dns-2.18.so
7fb713448000-7fb713449000 ---p 00000000 00:00 0
7fb713449000-7fb713c49000 rw-p 00000000 00:00 0
7fb713c49000-7fb713c4a000 ---p 00000000 00:00 0
7fb713c4a000-7fb71444a000 rw-p 00000000 00:00 0
7fb71444a000-7fb71444b000 ---p 00000000 00:00 0
7fb71444b000-7fb714c4b000 rw-p 00000000 00:00 0
7fb714c4b000-7fb714c4c000 r-xp 00000000 08:03 2496772 /usr/lib/security/pam_nologin.so
7fb714c4c000-7fb714e4c000 ---p 00001000 08:03 2496772 /usr/lib/security/pam_nologin.so
7fb714e4c000-7fb714e4d000 r--p 00001000 08:03 2496772 /usr/lib/security/pam_nologin.so
7fb714e4d000-7fb714e4e000 rw-p 00002000 08:03 2496772 /usr/lib/security/pam_nologin.so
7fb714e4e000-7fb714e57000 r-xp 00000000 08:03 2496665 /usr/lib/libgssglue.so.1.0.0
7fb714e57000-7fb715056000 ---p 00009000 08:03 2496665 /usr/lib/libgssglue.so.1.0.0
7fb715056000-7fb715057000 r--p 00008000 08:03 2496665 /usr/lib/libgssglue.so.1.0.0
7fb715057000-7fb715058000 rw-p 00009000 08:03 2496665 /usr/lib/libgssglue.so.1.0.0
7fb715058000-7fb71507e000 r-xp 00000000 08:03 2496692 /usr/lib/libtirpc.so.1.0.10
7fb71507e000-7fb71527d000 ---p 00026000 08:03 2496692 /usr/lib/libtirpc.so.1.0.10
7fb71527d000-7fb71527e000 r--p 00025000 08:03 2496692 /usr/lib/libtirpc.so.1.0.10
7fb71527e000-7fb71527f000 rw-p 00026000 08:03 2496692 /usr/lib/libtirpc.so.1.0.10
7fb71527f000-7fb715280000 rw-p 00000000 00:00 0
7fb715280000-7fb715295000 r-xp 00000000 08:03 2490683 /usr/lib/libnsl-2.18.so
7fb715295000-7fb715494000 ---p 00015000 08:03 2490683 /usr/lib/libnsl-2.18.so
7fb715494000-7fb715495000 r--p 00014000 08:03 2490683 /usr/lib/libnsl-2.18.so
7fb715495000-7fb715496000 rw-p 00015000 08:03 2490683 /usr/lib/libnsl-2.18.so
7fb715496000-7fb715498000 rw-p 00000000 00:00 0
7fb715498000-7fb7154a0000 r-xp 00000000 08:03 2490705 /usr/lib/libcrypt-2.18.so
7fb7154a0000-7fb71569f000 ---p 00008000 08:03 2490705 /usr/lib/libcrypt-2.18.so
7fb71569f000-7fb7156a0000 r--p 00007000 08:03 2490705 /usr/lib/libcrypt-2.18.so
7fb7156a0000-7fb7156a1000 rw-p 00008000 08:03 2490705 /usr/lib/libcrypt-2.18.so
7fb7156a1000-7fb7156cf000 rw-p 00000000 00:00 0
7fb7156cf000-7fb7156da000 r-xp 00000000 08:03 2496819 /usr/lib/security/pam_unix.so
7fb7156da000-7fb7158da000 ---p 0000b000 08:03 2496819 /usr/lib/security/pam_unix.so
7fb7158da000-7fb7158db000 r--p 0000b000 08:03 2496819 /usr/lib/security/pam_unix.so
7fb7158db000-7fb7158dc000 rw-p 0000c000 08:03 2496819 /usr/lib/security/pam_unix.so
7fb7158dc000-7fb7158e8000 rw-p 00000000 00:00 0
7fb7158e8000-7fb7158ef000 r-xp 00000000 08:03 2507013 /usr/lib/librt-2.18.so
7fb7158ef000-7fb715aee000 ---p 00007000 08:03 2507013 /usr/lib/librt-2.18.so
7fb715aee000-7fb715aef000 r--p 00006000 08:03 2507013 /usr/lib/librt-2.18.so
7fb715aef000-7fb715af0000 rw-p 00007000 08:03 2507013 /usr/lib/librt-2.18.so
7fb715af0000-7fb715b00000 r-xp 00000000 08:03 2520410 /usr/lib/libudev.so.1.4.0
7fb715b00000-7fb715d00000 ---p 00010000 08:03 2520410 /usr/lib/libudev.so.1.4.0
7fb715d00000-7fb715d01000 r--p 00010000 08:03 2520410 /usr/lib/libudev.so.1.4.0
7fb715d01000-7fb715d02000 rw-p 00011000 08:03 2520410 /usr/lib/libudev.so.1.4.0
7fb715d02000-7fb715d1d000 r-xp 00000000 08:03 2501567 /usr/lib/libsasl2.so.3.0.0
7fb715d1d000-7fb715f1d000 ---p 0001b000 08:03 2501567 /usr/lib/libsasl2.so.3.0.0
7fb715f1d000-7fb715f1e000 r--p 0001b000 08:03 2501567 /usr/lib/libsasl2.so.3.0.0
7fb715f1e000-7fb715f1f000 rw-p 0001c000 08:03 2501567 /usr/lib/libsasl2.so.3.0.0
7fb715f1f000-7fb715f33000 r-xp 00000000 08:03 2497150 /usr/lib/libresolv-2.18.so
7fb715f33000-7fb716132000 ---p 00014000 08:03 2497150 /usr/lib/libresolv-2.18.so
7fb716132000-7fb716133000 r--p 00013000 08:03 2497150 /usr/lib/libresolv-2.18.so
7fb716133000-7fb716134000 rw-p 00014000 08:03 2497150 /usr/lib/libresolv-2.18.so
7fb716134000-7fb716136000 rw-p 00000000 00:00 0
7fb716136000-7fb716316000 r-xp 00000000 08:03 2511857 /usr/lib/libcrypto.so.1.0.0
7fb716316000-7fb716516000 ---p 001e0000 08:03 2511857 /usr/lib/libcrypto.so.1.0.0
7fb716516000-7fb716531000 r--p 001e0000 08:03 2511857 /usr/lib/libcrypto.so.1.0.0
7fb716531000-7fb71653c000 rw-p 001fb000 08:03 2511857 /usr/lib/libcrypto.so.1.0.0
7fb71653c000-7fb716540000 rw-p 00000000 00:00 0
7fb716540000-7fb7165a2000 r-xp 00000000 08:03 2511856 /usr/lib/libssl.so.1.0.0
7fb7165a2000-7fb7167a1000 ---p 00062000 08:03 2511856 /usr/lib/libssl.so.1.0.0
7fb7167a1000-7fb7167a5000 r--p 00061000 08:03 2511856 /usr/lib/libssl.so.1.0.0
7fb7167a5000-7fb7167ac000 rw-p 00065000 08:03 2511856 /usr/lib/libssl.so.1.0.0
7fb7167ac000-7fb7167d3000 r-xp 00000000 08:03 2506316 /usr/lib/libssh2.so.1.0.1
7fb7167d3000-7fb7169d3000 ---p 00027000 08:03 2506316 /usr/lib/libssh2.so.1.0.1
7fb7169d3000-7fb7169d4000 r--p 00027000 08:03 2506316 /usr/lib/libssh2.so.1.0.1
7fb7169d4000-7fb7169d5000 rw-p 00028000 08:03 2506316 /usr/lib/libssh2.so.1.0.1
7fb7169d5000-7fb7169ed000 r-xp 00000000 08:03 2490695 /usr/lib/libpthread-2.18.so
7fb7169ed000-7fb716bed000 ---p 00018000 08:03 2490695 /usr/lib/libpthread-2.18.so
7fb716bed000-7fb716bee000 r--p 00018000 08:03 2490695 /usr/lib/libpthread-2.18.so
7fb716bee000-7fb716bef000 rw-p 00019000 08:03 2490695 /usr/lib/libpthread-2.18.so
7fb716bef000-7fb716bf3000 rw-p 00000000 00:00 0
7fb716bf3000-7fb716bf5000 r-xp 00000000 08:03 2530321 /usr/lib/libyubikey.so.0.1.4
7fb716bf5000-7fb716df4000 ---p 00002000 08:03 2530321 /usr/lib/libyubikey.so.0.1.4
7fb716df4000-7fb716df5000 r--p 00001000 08:03 2530321 /usr/lib/libyubikey.so.0.1.4
7fb716df5000-7fb716df6000 rw-p 00002000 08:03 2530321 /usr/lib/libyubikey.so.0.1.4
7fb716df6000-7fb716e00000 r-xp 00000000 08:03 2527488 /usr/lib/libjson-c.so.2.0.1
7fb716e00000-7fb716fff000 ---p 0000a000 08:03 2527488 /usr/lib/libjson-c.so.2.0.1
7fb716fff000-7fb717000000 r--p 00009000 08:03 2527488 /usr/lib/libjson-c.so.2.0.1
7fb717000000-7fb717001000 rw-p 0000a000 08:03 2527488 /usr/lib/libjson-c.so.2.0.1
7fb717001000-7fb717017000 r-xp 00000000 08:03 2519013 /usr/lib/libusb-1.0.so.0.1.0
7fb717017000-7fb717216000 ---p 00016000 08:03 2519013 /usr/lib/libusb-1.0.so.0.1.0
7fb717216000-7fb717217000 r--p 00015000 08:03 2519013 /usr/lib/libusb-1.0.so.0.1.0
7fb717217000-7fb717218000 rw-p 00016000 08:03 2519013 /usr/lib/libusb-1.0.so.0.1.0
7fb717218000-7fb717228000 r-xp 00000000 08:03 2530344 /usr/lib/libykpers-1.so.1.14.1
7fb717228000-7fb717427000 ---p 00010000 08:03 2530344 /usr/lib/libykpers-1.so.1.14.1
7fb717427000-7fb717428000 r--p 0000f000 08:03 2530344 /usr/lib/libykpers-1.so.1.14.1
7fb717428000-7fb717429000 rw-p 00010000 08:03 2530344 /usr/lib/libykpers-1.so.1.14.1
7fb717429000-7fb717437000 r-xp 00000000 08:03 2492888 /usr/lib/liblber-2.4.so.2.9.2
7fb717437000-7fb717636000 ---p 0000e000 08:03 2492888 /usr/lib/liblber-2.4.so.2.9.2
7fb717636000-7fb717637000 r--p 0000d000 08:03 2492888 /usr/lib/liblber-2.4.so.2.9.2
7fb717637000-7fb717638000 rw-p 0000e000 08:03 2492888 /usr/lib/liblber-2.4.so.2.9.2
7fb717638000-7fb717680000 r-xp 00000000 08:03 2520519 /usr/lib/libldap-2.4.so.2.9.2
7fb717680000-7fb717880000 ---p 00048000 08:03 2520519 /usr/lib/libldap-2.4.so.2.9.2
7fb717880000-7fb717881000 r--p 00048000 08:03 2520519 /usr/lib/libldap-2.4.so.2.9.2
7fb717881000-7fb717883000 rw-p 00049000 08:03 2520519 /usr/lib/libldap-2.4.so.2.9.2
7fb717883000-7fb7178e4000 r-xp 00000000 08:03 2501471 /usr/lib/libcurl.so.4.3.0
7fb7178e4000-7fb717ae4000 ---p 00061000 08:03 2501471 /usr/lib/libcurl.so.4.3.0
7fb717ae4000-7fb717ae6000 r--p 00061000 08:03 2501471 /usr/lib/libcurl.so.4.3.0
7fb717ae6000-7fb717ae7000 rw-p 00063000 08:03 2501471 /usr/lib/libcurl.so.4.3.0
7fb717ae7000-7fb717aef000 r-xp 00000000 08:03 2530331 /usr/lib/libykclient.so.3.5.2
7fb717aef000-7fb717cee000 ---p 00008000 08:03 2530331 /usr/lib/libykclient.so.3.5.2
7fb717cee000-7fb717cef000 r--p 00007000 08:03 2530331 /usr/lib/libykclient.so.3.5.2
7fb717cef000-7fb717cf0000 rw-p 00008000 08:03 2530331 /usr/lib/libykclient.so.3.5.2
7fb717cf0000-7fb717cf8000 r-xp 00000000 08:03 2530361 /usr/lib/security/pam_yubico.so
7fb717cf8000-7fb717ef7000 ---p 00008000 08:03 2530361 /usr/lib/security/pam_yubico.so
7fb717ef7000-7fb717ef8000 r--p 00007000 08:03 2530361 /usr/lib/security/pam_yubico.so
7fb717ef8000-7fb717ef9000 rw-p 00008000 08:03 2530361 /usr/lib/security/pam_yubico.so
7fb717ef9000-7fb717f0e000 r-xp 00000000 08:03 2496572 /usr/lib/libz.so.1.2.8
7fb717f0e000-7fb71810d000 ---p 00015000 08:03 2496572 /usr/lib/libz.so.1.2.8
7fb71810d000-7fb71810e000 r--p 00014000 08:03 2496572 /usr/lib/libz.so.1.2.8
7fb71810e000-7fb71810f000 rw-p 00015000 08:03 2496572 /usr/lib/libz.so.1.2.8
7fb71810f000-7fb71811c000 r-xp 00000000 08:03 2496762 /usr/lib/libpam.so.0.83.1
7fb71811c000-7fb71831b000 ---p 0000d000 08:03 2496762 /usr/lib/libpam.so.0.83.1
7fb71831b000-7fb71831c000 r--p 0000c000 08:03 2496762 /usr/lib/libpam.so.0.83.1
7fb71831c000-7fb71831d000 rw-p 0000d000 08:03 2496762 /usr/lib/libpam.so.0.83.1
7fb71831d000-7fb718361000 r-xp 00000000 08:03 2508553 /usr/lib/sudo/sudoers.so
7fb718361000-7fb718560000 ---p 00044000 08:03 2508553 /usr/lib/sudo/sudoers.so
7fb718560000-7fb718561000 r--p 00043000 08:03 2508553 /usr/lib/sudo/sudoers.so
7fb718561000-7fb718564000 rw-p 00044000 08:03 2508553 /usr/lib/sudo/sudoers.so
7fb718564000-7fb718567000 rw-p 00000000 00:00 0
7fb718567000-7fb718572000 r-xp 00000000 08:03 2490687 /usr/lib/libnss_files-2.18.so
7fb718572000-7fb718772000 ---p 0000b000 08:03 2490687 /usr/lib/libnss_files-2.18.so
7fb718772000-7fb718773000 r--p 0000b000 08:03 2490687 /usr/lib/libnss_files-2.18.so
7fb718773000-7fb718774000 rw-p 0000c000 08:03 2490687 /usr/lib/libnss_files-2.18.so
7fb718774000-7fb718a6f000 r--p 00000000 08:03 2527735 /usr/lib/locale/locale-archive
7fb718a6f000-7fb718c11000 r-xp 00000000 08:03 2496691 /usr/lib/libc-2.18.so
7fb718c11000-7fb718e10000 ---p 001a2000 08:03 2496691 /usr/lib/libc-2.18.so
7fb718e10000-7fb718e14000 r--p 001a1000 08:03 2496691 /usr/lib/libc-2.18.so
7fb718e14000-7fb718e16000 rw-p 001a5000 08:03 2496691 /usr/lib/libc-2.18.so
7fb718e16000-7fb718e1a000 rw-p 00000000 00:00 0
7fb718e1a000-7fb718e1d000 r-xp 00000000 08:03 2507014 /usr/lib/libdl-2.18.so
7fb718e1d000-7fb71901c000 ---p 00003000 08:03 2507014 /usr/lib/libdl-2.18.so
7fb71901c000-7fb71901d000 r--p 00002000 08:03 2507014 /usr/lib/libdl-2.18.so
7fb71901d000-7fb71901e000 rw-p 00003000 08:03 2507014 /usr/lib/libdl-2.18.so
7fb71901e000-7fb719020000 r-xp 00000000 08:03 2496790 /usr/lib/libutil-2.18.so
7fb719020000-7fb71921f000 ---p 00002000 08:03 2496790 /usr/lib/libutil-2.18.so
7fb71921f000-7fb719220000 r--p 00001000 08:03 2496790 /usr/lib/libutil-2.18.so
7fb719220000-7fb719221000 rw-p 00002000 08:03 2496790 /usr/lib/libutil-2.18.so
7fb719221000-7fb719241000 r-xp 00000000 08:03 2490725 /usr/lib/ld-2.18.so
7fb719426000-7fb71942a000 rw-p 00000000 00:00 0
7fb71943e000-7fb719440000 rw-p 00000000 00:00 0
7fb719440000-7fb719441000 r--p 0001f000 08:03 2490725 /usr/lib/ld-2.18.so
7fb719441000-7fb719442000 rw-p 00020000 08:03 2490725 /usr/lib/ld-2.18.so
7fb719442000-7fb719443000 rw-p 00000000 00:00 0
7fb719443000-7fb719462000 r-xp 00000000 08:03 2508550 /usr/bin/sudo
7fb719661000-7fb719662000 r--p 0001e000 08:03 2508550 /usr/bin/sudo
7fb719662000-7fb719664000 rw-p 0001f000 08:03 2508550 /usr/bin/sudo
7fb719664000-7fb719665000 rw-p 00000000 00:00 0
7fb7199d7000-7fb719a60000 rw-p 00000000 00:00 0 [heap]
7ffffa0cc000-7ffffa0ed000 rw-p 00000000 00:00 0 [stack]
7ffffa142000-7ffffa144000 r-xp 00000000 00:00 0 [vdso]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0 [vsyscall]
Aborted
Hi,
[vicks@mordor ~]$ uname -a Linux mordor 3.11.5-1-ARCH #1 SMP PREEMPT Mon Oct 14 08:31:43 CEST 2013 x86_64 GNU/Linux
I installed from the git sources using the arch package located at: https://aur.archlinux.org/packages/yubico-pam-git
Thanks,
Vicks
what version of yubico-c-client is running on your system? also latest from git?
/klas
Hello,
I just tried to reproduce this with yubico-pam@279e07bb5e9c2df202e5dfbb1290a45620bde1f1 and yubico-c-client@539af7574f24da154ec9f3463459c8c98cda70ff and don't get any failures at all.
can you share more details about your configuration? what is the line you're using in your pam-conf (with id and key masked out)
running with debug enabled and the whole debug output would be helpful as well. if you touch /var/run/pam-debug.log it will put all pam debugging there.
/klas
I am seeing a similar issue on Ubuntu 13.10 using the latest versions of libpam-yubico and libyubikey currently available: ii libpam-yubico 2.13-1 amd64 two-factor password and YubiKey OTP PAM module ii libyubikey0 1.8-1 amd64 Yubikey OTP handling library runtime
I also took the trouble of building yubico-pam and its dependencies (namely yubico-c-client and yubikey-personalization) from git clones as of 2014-02-18 and am still able to reproduce it. In my case, there are two symptoms:
- 'su - $username' crashes with a segfault
- You can't log in as that username on the console of the system (/var/log/auth.log reports a double free in /bin/login)
By adding my own debugging printf's I was able to trace the issue down into something in the area of curl's mutli-threaded request processing for multiple URLs. By either commenting out all but one of the five apiX.yubico.com urls in the inital part of ykclient.c, or by specifying a single url=http://api.yubico.com/
Per klali's last comment I ran with the debug trace and here it is (suitably redacted): [pam_yubico.c:parse_cfg(736)] called. [pam_yubico.c:parse_cfg(737)] flags 0 argc 5 [pam_yubico.c:parse_cfg(739)] argv[0]=mode=client [pam_yubico.c:parse_cfg(739)] argv[1]=id=11897 [pam_yubico.c:parse_cfg(739)] argv[2]=key=[redacted] [pam_yubico.c:parse_cfg(739)] argv[3]=authfile=/etc/yubikey [pam_yubico.c:parse_cfg(739)] argv[4]=debug [pam_yubico.c:parse_cfg(740)] id=[redacted] [pam_yubico.c:parse_cfg(741)] key=[redacted] [pam_yubico.c:parse_cfg(742)] debug=1 [pam_yubico.c:parse_cfg(743)] alwaysok=0 [pam_yubico.c:parse_cfg(744)] verbose_otp=0 [pam_yubico.c:parse_cfg(745)] try_first_pass=0 [pam_yubico.c:parse_cfg(746)] use_first_pass=0 [pam_yubico.c:parse_cfg(747)] authfile=/etc/yubikey [pam_yubico.c:parse_cfg(748)] ldapserver=(null) [pam_yubico.c:parse_cfg(749)] ldap_uri=(null) [pam_yubico.c:parse_cfg(750)] ldapdn=(null) [pam_yubico.c:parse_cfg(751)] user_attr=(null) [pam_yubico.c:parse_cfg(752)] yubi_attr=(null) [pam_yubico.c:parse_cfg(753)] yubi_attr_prefix=(null) [pam_yubico.c:parse_cfg(754)] url=(null) [pam_yubico.c:parse_cfg(755)] capath=(null) [pam_yubico.c:parse_cfg(756)] token_id_length=12 [pam_yubico.c:parse_cfg(757)] mode=client [pam_yubico.c:parse_cfg(758)] chalresp_path=(null) [pam_yubico.c:pam_sm_authenticate(797)] get user returned: ahemsath [pam_yubico.c:pam_sm_authenticate(904)] conv returned 44 bytes [pam_yubico.c:pam_sm_authenticate(922)] Skipping first 0 bytes. Length is 44, token_id set to 12 and token OTP always 32. [pam_yubico.c:pam_sm_authenticate(929)] OTP: [redacted] ID: [redacted]
Running the su - $username via gdb shows the crash as being somewhere in libcurl:
#0 0x00007faa600a9f77 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
#1 0x00007faa600ad5e8 in __GI_abort () at abort.c:90
#2 0x00007faa600e74fb in __libc_message (do_abort=do_abort@entry=2, fmt=fmt@entry=0x7faa601fb240 "*** Error in `%s': %s: 0x%s ***\n") at ../sysdeps/unix/sysv/linux/libc_fatal.c:199
#3 0x00007faa600f3996 in malloc_printerr (ptr=0x7faa50000b10, str=0x7faa601fb370 "double free or corruption (out)", action=3) at malloc.c:4923
#4 _int_free (av=
Please let me know if there's any other debugging info I can provide. I apologize if this issue report should have gone under the yubico-c-client project since it seems that is where the crash is happening, but this issue was already open and it seems related.
Hello,
I'm still failing at reproducing this (but very much want to) in a virtual environment (both 32bit and 64bit). Can you reproduce it in a clean environment with a minimal amount of packages and configuration? Do you have anything non-standard in your nsswitch.conf? Do you have any more pam modules enabled?
/klas
Ubuntu 14.04 64bit + libpam-yubico 2.16.1 from ppa:yubico/stable still segfaults. adding url=http://api.yubico.com/ solves the problem for me.
Thanks beb4ch for testing! We were never able to reproduce it, but if you are saying the PPA breaks with 14.04 we can try again. Can you cut'n'paste the PAM configuration you use?
same here (also ubuntu 14.04). First login to ssh is working good, but the second one I get a segfault (about 4 times) This is in my /pam.d/sudo (same as in common-auth) auth sufficient pam_yubico.so id=xxxx key=xxxxx authfile=/etc/yubikey_mappings/authorized_yubikeys
I thought that I had commented on this yesterday but I guess I never hit submit. Anyway, I can confirm what beb4ch and burton have reported. The crash continues in Ubuntu 14.04 with either the YubiKey packages that come from Ubuntu package repositories, or the ones from ppa:yubico/stable.
I tried to get set up to build from the latest git clones, but I ran into a problem where the Yubiclient depended on libcurl; libcurl3 is the version of curl that Ubuntu installs by default, but there is no 14.04 libcurl3-dev package available. There are only libcurl4-dev packages (in three different flavors, depending on which ssl/tls implementation you want to use). Please advise on how you are configuring your build environment on Ubuntu 14.04.
I apologize for not following up on this earlier, but my organization is no longer using Yubikeys for 2FA so I had to find time to do this testing outside of work.
Sorry guys for commenting so late. My pam configuration line is just like what burton1982 said above, I just have my mappings file in a different location (/etc/yubikey_mappings). Sometimes things work if I add the url=http://api.yubico.com/ option but now it seems that even that doesn't solve the problem always.
still there (sudo su): segfault at 1d ip 00007fd9b5951c4c sp 00007fd9ad0d9458 error 4 in libc-2.19.so[7fd9b58ce000+1bc000]
No news, but we're aware that it's broken and will spend time on this when we have time to spend on this project..
I'm not sure if this is the same bug but I'm seeing something similar on Debian Jessie Beta 2 (x86_64). Both console (/bin/login) and X (Gnome Display Manager) logins crash with a segfault whenever I submit an OTP password at the 'Yubikey for
$ grep -v ^# /etc/pam.d/common-auth
auth sufficient pam_yubico.so debug id=12345 urllist=https://api1.example.com/wsapi/2.0/verify;https://api2.example.com/wsapi/2.0/verify
auth [success=1 default=ignore] pam_unix.so nullok_secure
auth requisite pam_deny.so
auth required pam_permit.so
The problem seems to appear regardless of whether debug or urllist arguments are present in the arguments to pam_yubico.so. Changing id to something made up doesn't seem to make a difference either.
$ sudo gdb -q /bin/login
Reading symbols from /bin/login...(no debugging symbols found)...done.
(gdb) set auto-load safe-path /
(gdb) r
Starting program: /bin/login
Warning: couldn't activate thread debugging using libthread_db: Cannot find new threads: generic error
Warning: couldn't activate thread debugging using libthread_db: Cannot find new threads: generic error
warning: Unable to find libthread_db matching inferior's thread library, thread debugging will not be available.
debian login: XXXX
[../pam_yubico.c:parse_cfg(764)] called.
[../pam_yubico.c:parse_cfg(765)] flags 0 argc 3
[../pam_yubico.c:parse_cfg(767)] argv[0]=debug
[../pam_yubico.c:parse_cfg(767)] argv[1]=id=12345
[../pam_yubico.c:parse_cfg(767)] argv[2]=urllist=https://api1.example.com/wsapi/2.0/verify;https://api2.example.com/wsapi/2.0/verify
[../pam_yubico.c:parse_cfg(768)] id=12345
[../pam_yubico.c:parse_cfg(769)] key=(null)
[../pam_yubico.c:parse_cfg(770)] debug=1
[../pam_yubico.c:parse_cfg(771)] alwaysok=0
[../pam_yubico.c:parse_cfg(772)] verbose_otp=0
[../pam_yubico.c:parse_cfg(773)] try_first_pass=0
[../pam_yubico.c:parse_cfg(774)] use_first_pass=0
[../pam_yubico.c:parse_cfg(775)] authfile=(null)
[../pam_yubico.c:parse_cfg(776)] ldapserver=(null)
[../pam_yubico.c:parse_cfg(777)] ldap_uri=(null)
[../pam_yubico.c:parse_cfg(778)] ldapdn=(null)
[../pam_yubico.c:parse_cfg(779)] user_attr=(null)
[../pam_yubico.c:parse_cfg(780)] yubi_attr=(null)
[../pam_yubico.c:parse_cfg(781)] yubi_attr_prefix=(null)
[../pam_yubico.c:parse_cfg(782)] url=(null)
[../pam_yubico.c:parse_cfg(783)] urllist=https://api1.example.com/wsapi/2.0/verify;https://api2.example.com/wsapi/2.0/verify
[../pam_yubico.c:parse_cfg(784)] capath=(null)
[../pam_yubico.c:parse_cfg(785)] token_id_length=12
[../pam_yubico.c:parse_cfg(786)] mode=client
[../pam_yubico.c:parse_cfg(787)] chalresp_path=(null)
[../pam_yubico.c:pam_sm_authenticate(830)] get user returned: XXXX
YubiKey for `XXXX':
[../pam_yubico.c:pam_sm_authenticate(972)] conv returned 44 bytes
[../pam_yubico.c:pam_sm_authenticate(990)] Skipping first 0 bytes. Length is 44, token_id set to 12 and token OTP always 32.
[../pam_yubico.c:pam_sm_authenticate(997)] OTP: abcdef0123456vkvirbthfvtrttjvkebehirgglhlrjli ID: abcdef0123456
[New LWP 5063]
[New LWP 5064]
Program received signal SIGSEGV, Segmentation fault.
[Switching to LWP 5064]
__GI_fgets_unlocked (buf=0x7fffee6cf730 "127.0.0.1", n=n@entry=1032, fp=0x7fffee6cf730) at iofgets_u.c:53
53 iofgets_u.c: No such file or directory.
(gdb) thread
[Current thread is 3 (LWP 5064)]
(gdb) bt
#0 __GI_fgets_unlocked (buf=0x7fffee6cf730 "127.0.0.1", n=n@entry=1032, fp=0x7fffee6cf730) at iofgets_u.c:53
#1 0x00007fffeeed54ca in get_contents (stream=<optimized out>, len=1032, linebuf=0x7fffee6cf730 "127.0.0.1") at nss_files/files-XXX.c:201
#2 internal_getent (result=result@entry=0x7fffee6cf690, buffer=buffer@entry=0x7fffee6cf710 "\177", buflen=buflen@entry=1064,
errnop=errnop@entry=0x7fffee6cfc70, herrnop=herrnop@entry=0x7fffee6cfc90, af=af@entry=0, flags=flags@entry=0) at nss_files/files-XXX.c:246
#3 0x00007fffeeed6558 in _nss_files_gethostbyname4_r (name=name@entry=0x55555577e750 "api2.example.com", pat=pat@entry=0x7fffee6cfc80,
buffer=buffer@entry=0x7fffee6cf710 "\177", buflen=buflen@entry=1064, errnop=errnop@entry=0x7fffee6cfc70, herrnop=herrnop@entry=0x7fffee6cfc90,
ttlp=ttlp@entry=0x0) at nss_files/files-hosts.c:402
#4 0x00007ffff74cae81 in gaih_inet (name=<optimized out>, name@entry=0x55555577e750 "api2.example.com", service=<optimized out>,
req=req@entry=0x5555557cc7a0, pai=pai@entry=0x7fffee6cfd68, naddrs=naddrs@entry=0x7fffee6cfd64) at ../sysdeps/posix/getaddrinfo.c:850
#5 0x00007ffff74cd03d in __GI_getaddrinfo (name=0x55555577e750 "api2.example.com", service=service@entry=0x7fffee6cff00 "443",
hints=hints@entry=0x5555557cc7a0, pai=pai@entry=0x7fffee6cfeb0) at ../sysdeps/posix/getaddrinfo.c:2406
#6 0x00007ffff4fc4df7 in Curl_getaddrinfo_ex (nodename=<optimized out>, servname=servname@entry=0x7fffee6cff00 "443",
hints=hints@entry=0x5555557cc7a0, result=result@entry=0x5555557cc798) at curl_addrinfo.c:128
#7 0x00007ffff4fd202a in getaddrinfo_thread (arg=arg@entry=0x5555557cc778) at asyn-thread.c:279
#8 0x00007ffff4fcf7eb in curl_thread_create_thunk (arg=<optimized out>) at curl_threads.c:59
#9 0x00007ffff60860a4 in start_thread (arg=0x7fffee6d0700) at pthread_create.c:309
#10 0x00007ffff74dfccd in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:111
(gdb) thread 2
[Switching to thread 2 (LWP 5063)]
#0 memcmp (s1=<optimized out>, s2=<optimized out>, len=<optimized out>) at ../string/memcmp.c:358
358 ../string/memcmp.c: No such file or directory.
(gdb) bt
#0 memcmp (s1=<optimized out>, s2=<optimized out>, len=<optimized out>) at ../string/memcmp.c:358
#1 0x00007ffff7df0d4d in _dl_load_cache_lookup (name=name@entry=0x7fffeeed0630 "libnss_myhostname.so.2") at dl-cache.c:205
#2 0x00007ffff7de4331 in _dl_map_object (loader=loader@entry=0x7ffff7fdd4e8, name=name@entry=0x7fffeeed0630 "libnss_myhostname.so.2",
type=type@entry=2, trace_mode=trace_mode@entry=0, mode=mode@entry=-1879048191, nsid=<optimized out>) at dl-load.c:2468
#3 0x00007ffff7deea25 in dl_open_worker (a=a@entry=0x7fffeeed03d8) at dl-open.c:235
#4 0x00007ffff7dea8b4 in _dl_catch_error (objname=objname@entry=0x7fffeeed03c8, errstring=errstring@entry=0x7fffeeed03d0,
mallocedp=mallocedp@entry=0x7fffeeed03c7, operate=operate@entry=0x7ffff7dee970 <dl_open_worker>, args=args@entry=0x7fffeeed03d8)
at dl-error.c:187
#5 0x00007ffff7dee43b in _dl_open (file=0x7fffeeed0630 "libnss_myhostname.so.2", mode=-2147483647, caller_dlopen=<optimized out>, nsid=-2, argc=1,
argv=0x7fffffffe6d8, env=0x555555762030) at dl-open.c:661
#6 0x00007ffff7515402 in do_dlopen (ptr=ptr@entry=0x7fffeeed0600) at dl-libc.c:87
#7 0x00007ffff7dea8b4 in _dl_catch_error (objname=0x7fffeeed05e0, errstring=0x7fffeeed05e8, mallocedp=0x7fffeeed05df,
operate=0x7ffff75153c0 <do_dlopen>, args=0x7fffeeed0600) at dl-error.c:187
#8 0x00007ffff751549f in dlerror_run (operate=operate@entry=0x7ffff75153c0 <do_dlopen>, args=args@entry=0x7fffeeed0600) at dl-libc.c:46
#9 0x00007ffff7515511 in __GI___libc_dlopen_mode (name=name@entry=0x7fffeeed0630 "libnss_myhostname.so.2", mode=mode@entry=-2147483647)
at dl-libc.c:163
#10 0x00007ffff74ff144 in nss_load_library (ni=0x5555557a0310) at nsswitch.c:358
#11 0x00007ffff74ff8b8 in __GI___nss_lookup_function (ni=ni@entry=0x5555557a0310, fct_name=fct_name@entry=0x7ffff755c887 "gethostbyname4_r")
at nsswitch.c:466
#12 0x00007ffff74cadd3 in gaih_inet (name=<optimized out>, name@entry=0x55555577db00 "api1.example.com", service=<optimized out>,
req=req@entry=0x5555557cb730, pai=pai@entry=0x7fffeeed0d68, naddrs=naddrs@entry=0x7fffeeed0d64) at ../sysdeps/posix/getaddrinfo.c:841
#13 0x00007ffff74cd03d in __GI_getaddrinfo (name=0x55555577db00 "api1.example.com", service=service@entry=0x7fffeeed0f00 "443",
hints=hints@entry=0x5555557cb730, pai=pai@entry=0x7fffeeed0eb0) at ../sysdeps/posix/getaddrinfo.c:2406
#14 0x00007ffff4fc4df7 in Curl_getaddrinfo_ex (nodename=<optimized out>, servname=servname@entry=0x7fffeeed0f00 "443",
hints=hints@entry=0x5555557cb730, result=result@entry=0x5555557cb728) at curl_addrinfo.c:128
#15 0x00007ffff4fd202a in getaddrinfo_thread (arg=arg@entry=0x5555557cb708) at asyn-thread.c:279
#16 0x00007ffff4fcf7eb in curl_thread_create_thunk (arg=<optimized out>) at curl_threads.c:59
#17 0x00007ffff60860a4 in start_thread (arg=0x7fffeeed1700) at pthread_create.c:309
#18 0x00007ffff74dfccd in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:111
(gdb) thread 1
[Switching to thread 1 (LWP 5059)]
#0 0x00007ffff74d8f33 in select () at ../sysdeps/unix/syscall-template.S:81
81 ../sysdeps/unix/syscall-template.S: No such file or directory.
(gdb) bt
#0 0x00007ffff74d8f33 in select () at ../sysdeps/unix/syscall-template.S:81
#1 0x00007ffff5a6ac1f in ?? () from /usr/lib/x86_64-linux-gnu/libykclient.so.3
#2 0x00007ffff5a6bb30 in ykclient_request_process () from /usr/lib/x86_64-linux-gnu/libykclient.so.3
#3 0x00007ffff5a6bbf9 in ykclient_request () from /usr/lib/x86_64-linux-gnu/libykclient.so.3
#4 0x00007ffff5c74d3f in pam_sm_authenticate () from /lib/security/pam_yubico.so
#5 0x00007ffff7bcff8f in ?? () from /lib/x86_64-linux-gnu/libpam.so.0
#6 0x00007ffff7bcf85d in pam_authenticate () from /lib/x86_64-linux-gnu/libpam.so.0
#7 0x0000555555557821 in ?? ()
#8 0x00007ffff741bb45 in __libc_start_main (main=0x555555557190, argc=1, argv=0x7fffffffe6d8, init=<optimized out>, fini=<optimized out>,
rtld_fini=<optimized out>, stack_end=0x7fffffffe6c8) at libc-start.c:287
#9 0x0000555555558b6f in ?? ()
(gdb)
$ lsb_release -a
No LSB modules are available.
Distributor ID: Debian
Description: Debian GNU/Linux 8.0 (jessie)
Release: 8.0
Codename: jessie
$ dpkg -l |egrep 'libpam|yubi'
ii libpam-gnome-keyring 3.14.0-1+b1 amd64 PAM module to unlock the GNOME keyring upon login
ii libpam-modules:amd64 1.1.8-3.1 amd64 Pluggable Authentication Modules for PAM
ii libpam-modules-bin 1.1.8-3.1 amd64 Pluggable Authentication Modules for PAM - helper binaries
ii libpam-runtime 1.1.8-3.1 all Runtime support for the PAM library
ii libpam-systemd:amd64 215-8 amd64 system and service manager - PAM module
ii libpam-yubico 2.17-2 amd64 two-factor password and YubiKey OTP PAM module
ii libpam0g:amd64 1.1.8-3.1 amd64 Pluggable Authentication Modules library
ii libyubikey-dev 1.12-2 amd64 Yubikey OTP library development files
ii libyubikey0 1.12-2 amd64 Yubikey OTP handling library runtime
ii yubikey-personalization 1.16.0-1 amd64 Personalization tool for Yubikey OTP tokens
ii yubikey-personalization-gui 3.1.16-1 amd64 Graphical personalization tool for YubiKey tokens
Same on Ubuntu 14.04 and latest PPA.
Some Google juice
☁ ~ sudo apt-get update
YubiKey for `filippo':
[1] 32360 segmentation fault sudo apt-get update
and the workaround:
add urllist=https://api.yubico.com/wsapi/2.0/verify to the PAM file
I can confirm the parallel DNS resolution of the default API endpoints is what causes the crash. The default templates from https://github.com/Yubico/yubico-c-client/blob/master/ykclient.c#L91
const char *default_url_templates[] = {
"https://api.yubico.com/wsapi/2.0/verify",
"https://api2.yubico.com/wsapi/2.0/verify",
"https://api3.yubico.com/wsapi/2.0/verify",
"https://api4.yubico.com/wsapi/2.0/verify",
"https://api5.yubico.com/wsapi/2.0/verify",
};
Reducing the URL template list (urllist) to a single hostname, as suggested in the previous comment, makes the problem go away.
I've been able to reproduce this, which makes me hopeful.. I can only reproduce this using a very slow resolver, otherwise it seems curl only uses one thread for resolving the hosts.
in https://sourceware.org/bugzilla/show_bug.cgi?id=10652 there is a description of crashes that to me seem very similar to this (comment 12).
What seems to happen here is that something not linked with pthread (login, sudo...) calls the pam module, calling yubico-c-client, which in turn uses curl. curl is using a threaded resolver nowadays on some platforms, which sometimes calls getaddrinfo from several threads, causing this issue to show.
The nscd workaround works for me, but I'm a little nervous about it since hiccup or failure in that service could render sudo inoperable. People who are using urllist=etc. where precisely are you setting that? I'm assuming you modify and re-compile ykclient.c with a single entry in urllist=
@joeshockman In the relevant PAM configuration file under /etc/pam.d/, appended as a parameter to the pam_yubico.so line. If you were to modify the example configuration at https://developers.yubico.com/yubico-pam/, it would look something like this:
auth sufficient pam_yubico.so id=[Your API Client ID] debug urllist=https://api.yubico.com/wsapi/2.0/verify
Also see the docs at https://github.com/Yubico/yubico-pam/blob/master/pam_yubico.8.txt#L41
On 14.04.2 installing nscd resolved my sudo issue.. but it was a pain because my server wasn't easy to manage withouth sudo - had to go to the server and boot a live cd to fix the pam.d.
Adding urllist= did not resolve my issue, but adding url= did but in the end I went for the more safe nscd solution.
On Archlinux, I can confirm that adding urllist=https://api.yubico.com/wsapi/2.0/verify to the pam config line fixed the segfault issues I was getting.
Works successfully 100% of the time (so far!) vs 9/10 segfaulting previously.
Ubuntu 14.04: urllist=https://api.yubico.com/wsapi/2.0/verify solves the segfault problem!
