Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Possible PAM Authentication failure on iRODS 4.2.11 #649

Open
iychoi opened this issue Oct 23, 2024 · 5 comments
Open

Possible PAM Authentication failure on iRODS 4.2.11 #649

iychoi opened this issue Oct 23, 2024 · 5 comments
Labels
bug consortium-member
Milestone
3.0.0

Comments

@iychoi
Copy link
Contributor

iychoi commented Oct 23, 2024

I introduced special characters escaping in PAM passwords to go-irodsclient and gocommands after I found the code in python-irodsclient (676b1f8).

PAM authentication worked very well with iRODS >= 4.3, however, it did not work with iRODS 4.2.11.
Especially when there is a special character @ in PAM password, it failed. It worked when I disabled the escaping.

I believe python-irodsclient may have the same issue although I did not test.

The problematic line is at 497 of connection.py.

https://github.com/irods/python-irodsclient/blob/main/irods/connection.py#L497

The pamPassword parameter should be self.account.password to avoid the issue.
@d-w-moore
Copy link
Collaborator

d-w-moore commented Oct 24, 2024
edited
Loading

@iychoi Should I be reading in this, that @ shouldn't be escaped in 4.2.11, but should be (or perhaps is indifferent to being) escaped in 4.3+ ?
Guess I need to run my testing again and possibly re-design to be more thorough.

@iychoi
Copy link
Contributor Author

iychoi commented Oct 24, 2024

Because of the line below, iRODS 4.3.0 will not fall into the _login_pam().
https://github.com/irods/python-irodsclient/blob/main/irods/connection.py#L69

For iRODS servers < 4.3, I believe special characters ("@", "=", "&", ";") should not be escaped when using PamAuthRequest.

@d-w-moore
Copy link
Collaborator

d-w-moore commented Oct 25, 2024
edited
Loading

Because of the line below, iRODS 4.3.0 will not fall into the _login_pam(). https://github.com/irods/python-irodsclient/blob/main/irods/connection.py#L69

For versions of iRODS >= 4.3.0 we should still get into _login_pam() via this line

For iRODS servers < 4.3, I believe special characters ("@", "=", "&", ";") should not be escaped when using PamAuthRequest.

Will look into that... thanks!

@iychoi
Copy link
Contributor Author

iychoi commented Oct 25, 2024

Because of the line below, iRODS 4.3.0 will not fall into the _login_pam(). https://github.com/irods/python-irodsclient/blob/main/irods/connection.py#L69

For versions of iRODS >= 4.3.0 we should still get into _login_pam() via this line

I didn't know that. Then, I believe special characters should not be escaped with using PamAuthRequest regardless of iRODS server versions.
I only tested and confirmed that "@" should not be escaped. "&" and ";" may need to be escaped as they are parsed by XML parser.

@iychoi
Copy link
Contributor Author

iychoi commented Oct 25, 2024

I confirm that all of these characters "@=&;" should not be escaped for iRODS < 4.3. I tested with an account that has all these 4 special characters in the password and it worked when they are not escaped.

@alanking alanking added this to the 3.0.0 milestone Oct 28, 2024
@trel trel mentioned this issue Oct 30, 2024
Open
@alanking alanking added the bug label Oct 30, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug consortium-member
Milestone
3.0.0
Development

No branches or pull requests
3 participants
@iychoi @alanking @d-w-moore