From: Peter Eriksson
Subject: pam_radius fails after the latest libradius security patch...
Date: Fri, 28 May 2021 14:26:02 +0200
To: freebsd-current

After upgrading FreeBSD 12.2 in order to get the fix from 'FreeBSD Security Advisory FreeBSD-SA-21:12.libradius', sudo with pam_radius has started to fail for us.
It correctly seems to communicate with the RADIUS server (used to trigger MFA authentication, so I get an authentication popup in the Microsoft Authenticator App) after entering the unix password first, but then something fails:

    % sudo su
    Password:
    sudo: PAM authentication error: Error in service module
    sudo: a password is required

pam.d/sudo config file:

    # auth
    auth requisite pam_unix.so no_warn try_first_pass
    auth requisite pam_radius.so use_first_pass

    # account
    account include system

    # session
    session required pam_permit.so

    # password
    password include system

Dunno if the problem is in sudo, libpam, libradius or pam_radius but the only thing changed is libradius. And if I replace libradius.so.4 with the previous version things work again...

(Considering the spaghetti code that sudo is I wouldn’t be surprised if the bug is there but still…)

Am I the only one seeing this?

- Peter