***stack smashing detected***: /usr/sbin/openvpn: If libpam_yubico is used for authentication for 2FA.

Bug #1659592 reported by Norbert R.
This bug affects 1 person
Affects: openvpn (Ubuntu)
Status: New
Importance: Undecided
Assigned to: Unassigned
Milestone:

Bug Description

I have installed OpenVPN with your pam_yubico module as suggested at https://developers.yubico.com/yubico-pam/ on a freshly installed Ubuntu Server 16.04 LTS, and now OpenVPN crashes every time a user wants to connect since I added the account line to the PAM configuration file for OpenVPN.

Before that (without the "account required" line in /etc/pam.d/openvpn) the setup worked fine with my own account, which is present on the local machine. Now I wanted to test with a new testing user and discovered that the "account required" line is needed.
So I added it and now it's crashing OpenVPN... any suggestions why this happens?

in /etc/openvpn/server.conf:
[...]
plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so openvpn

in /etc/pam.d/openvpn:
auth required pam_yubico.so id=<ID> \
        yubi_attr=<ATTRName> \
        capath=/etc/ssl/certs \
        ldap_uri=ldap://ad.intern.dc.de/ \
        ldapdn=ou=worker,dc=intern,dc=dc,dc=de \
        <email address hidden> ldap_bind_password=<passwd> \
        ldap_filter=(&(sAMAccountName=%u)(memberOf=CN=group,OU=worker,DC=intern,DC=dc,DC=de)) \
        try_first_pass
account required pam_yubico.so

/var/log/openvpn.log says:
[../pam_yubico.c:authorize_user_token_ldap(286)] try bind with: <email address hidden>:[<passwd>]
[../pam_yubico.c:authorize_user_token_ldap(319)] LDAP : look up object base='ou=worker,dc=intern,dc=dc,dc=de' filter='(&(sAMAccountName=vpnuser)(memberOf=CN=group,OU=worker,DC=intern,DC=dc,DC=de))', ask for attribute '<ATTRName>'
[../pam_yubico.c:authorize_user_token_ldap(355)] LDAP : Found 1 values - checking if any of them match '<yubiKey>::<yubiKey>'
[../pam_yubico.c:authorize_user_token_ldap(362)] Token Found :: <yubiKey>
[../pam_yubico.c:pam_sm_authenticate(1095)] done. [Success]
[../pam_yubico.c:pam_sm_acct_mgmt(1128)] pam_sm_acct_mgmt returing PAM_SUCCESS
*** stack smashing detected ***: /usr/sbin/openvpn terminated

Don't know for sure if the problem is an openvpn or a pam_yubico related bug. But it is permanent and doesn't go away, no matter how often I try.

Greetings n-ronny

ProblemType: Bug
DistroRelease: Ubuntu 16.04
Package: openvpn 2.3.10-1ubuntu2
ProcVersionSignature: Ubuntu 4.4.0-59.80-generic 4.4.35
Uname: Linux 4.4.0-59-generic x86_64
ApportVersion: 2.20.1-0ubuntu2.5
Architecture: amd64
Date: Thu Jan 26 16:42:41 2017
ExecutablePath: /usr/sbin/openvpn
InstallationDate: Installed on 2017-01-18 (7 days ago)
InstallationMedia: Ubuntu-Server 16.04.1 LTS "Xenial Xerus" - Release amd64 (20160719)
ProcEnviron:
 TERM=linux
 PATH=(custom, no user)
 XDG_RUNTIME_DIR=<set>
 LANG=de_DE.UTF-8
 SHELL=/bin/bash
SourcePackage: openvpn
UpgradeStatus: No upgrade log present (probably fresh install)
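
A small triage helper for logs like the openvpn.log excerpt in the bug description (an added example, not part of the original report and not code from OpenVPN or pam_yubico): it finds each glibc stack-protector abort line and reports which pam_yubico debug records preceded it. The function name `triage`, the regular expressions and the sample log are constructed here from the line format shown in the excerpt.

```python
import re

# Constructed sample, modelled on the excerpt in the report (placeholders kept).
SAMPLE_LOG = """\
[../pam_yubico.c:authorize_user_token_ldap(362)] Token Found :: <yubiKey>
[../pam_yubico.c:pam_sm_authenticate(1095)] done. [Success]
[../pam_yubico.c:pam_sm_acct_mgmt(1128)] pam_sm_acct_mgmt returing PAM_SUCCESS
*** stack smashing detected ***: /usr/sbin/openvpn terminated
"""

# pam_yubico debug record: [<source file>:<function>(<line>)] <message>
DEBUG_RE = re.compile(
    r"\[(?P<file>[^:\]\s]+):(?P<func>\w+)\((?P<line>\d+)\)\]\s*(?P<msg>.*)$")
# glibc stack-protector abort: *** stack smashing detected ***: <binary> ...
ABORT_RE = re.compile(r"\*\*\* ?stack smashing detected ?\*\*\*: (?P<binary>\S+)")


def triage(log_text, context=3):
    """Return one finding per stack-protector abort found in log_text."""
    findings, trail = [], []
    for lineno, raw in enumerate(log_text.splitlines(), 1):
        abort = ABORT_RE.search(raw)
        if abort:
            hooks = [t["func"] for t in trail if t["func"].startswith("pam_sm_")]
            findings.append({
                "abort_line": lineno,
                "binary": abort.group("binary"),
                # PAM entry points that logged since the previous abort, in order
                "hooks_seen": list(dict.fromkeys(hooks)),
                "last_debug": trail[-context:],
            })
            trail = []  # a restarted process starts a fresh trail
            continue
        dbg = DEBUG_RE.search(raw)
        if dbg:
            rec = dbg.groupdict()
            rec["line"] = int(rec["line"])
            trail.append(rec)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        last = f["last_debug"][-1] if f["last_debug"] else None
        where = f"{last['func']}({last['line']})" if last else "no module debug output"
        print(f"{f['binary']} aborted at log line {f['abort_line']}; "
              f"last module trace: {where}; hooks logged: {f['hooks_seen']}")
```

A trail ending in a returning `pam_sm_acct_mgmt` only shows the module's last log message before the abort; it does not by itself say which component overwrote the stack.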

Christian Ehrhardt (paelzer) wrote :

Hi N-Ronny,
I have never debugged openvpn/pam in that regard myself.
But I happened to find https://github.com/Yubico/yubico-pam/issues/26 which made me wonder.
The version is clearly older.

Now both (the yubico.so and openvpn) are built with -fstack-protector and -fstack-protector-strong.
https://launchpadlibrarian.net/294924689/buildlog_ubuntu-xenial-amd64.yubico-pam_2.24-1~ppa1~xenial1_BUILDING.txt.gz
https://launchpadlibrarian.net/236028083/buildlog_ubuntu-xenial-amd64.openvpn_2.3.10-1ubuntu2_BUILDING.txt.gz

One other thing you could do is enable some other (non-yubico) PAM-based auth for openvpn, to at least sort out the question of whether it is yubico or openvpn that you need to look at.
