Non-interactive sessions broken when groups config option is used and motd printed #206

Closed
mldailey opened this issue Oct 14, 2021 · 1 comment · Fixed by #210

@mldailey
Contributor

Summary

The patch in pull #205 fixed the motd display for interactive sessions, but breaks non-interactive sessions like sftp.

Steps to reproduce

  1. Set up login_duo.conf with both the "groups" config and "motd = yes"
  2. Log in via sftp as a user who is not in the specified group(s) - sftp fails with "Received message too long"

Specs

  • OS version (ie CENTOS 7 or Ubuntu 14): Ubuntu 18.04
  • OS arch (ie 32 or 64): 64
  • Using pam_duo or login_duo: login_duo

Cause

This is caused because the motd prints regardless of whether the session is interactive or non-interactive. The test for this and setting of the "headless" variable is later in duo_auth(). It seems the best fix is to do the detection and setting of this variable earlier.

I have done minimal testing of the patch below and it appears to fix the issue for me. It would be great, though, to have someone that knows the code better make sure this won't break something else.

Patch

--- login_duo.c.orig	2021-10-14 13:34:13.015691416 -0400
+++ login_duo.c	2021-10-14 13:51:10.788484756 -0400
@@ -195,6 +195,13 @@
 #endif

     prompts = cfg.prompts;
+
+    /* Detect non-interactive sessions */
+    if ((p = getenv("SSH_ORIGINAL_COMMAND")) != NULL ||
+        !isatty(STDIN_FILENO)) {
+        headless = 1;
+    }
+
     /* Check group membership. */
     matched = duo_check_groups(pw, cfg.groups, cfg.groups_cnt);
     if (matched == -1) {
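
Review bot: In the added `if`, the `p = getenv("SSH_ORIGINAL_COMMAND")` assignment is carried over from the old location, but nothing in this block reads `p`. Testing `getenv("SSH_ORIGINAL_COMMAND") != NULL` directly would avoid leaving a value in `p` that later code might pick up by accident. The new comment could also state why the detection sits ahead of "Check group membership": `headless` has to be set before the group path runs, which is the case in the reproduction steps (a user outside the configured groups with `motd = yes`).
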
@@ -253,13 +260,11 @@
     }

     /* Special handling for non-interactive sessions */
-    if ((p = getenv("SSH_ORIGINAL_COMMAND")) != NULL ||
-        !isatty(STDIN_FILENO)) {
+    if (headless) {
         /* Try to support automatic one-shot login */
         duo_set_conv_funcs(duo, NULL, NULL, NULL);
         flags = (DUO_FLAG_SYNC|DUO_FLAG_AUTO);
         prompts = 1;
-        headless = 1;
     } else if (cfg.autopush) { /* Special handling for autopush */
         duo_set_conv_funcs(duo, NULL, __autopush_status_fn, NULL);
         flags = (DUO_FLAG_SYNC|DUO_FLAG_AUTO);
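
Review bot: `if (headless)` now depends on a flag that is only set in the detection block added earlier, so this branch is correct only if `headless` starts at 0 and nothing between the two sites changes it. Please confirm the declaration initialises it, and add a short comment here pointing back to the detection block, since the condition is no longer visible at the point of use. A regression test for a non-interactive session with both `groups` and `motd = yes` configured would keep this from recurring.
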
@vbscott
Contributor

vbscott commented Oct 27, 2021

Hi, thanks for the issue, would you be able to make this a pull request?

mbish added a commit that referenced this issue Nov 16, 2021
Fix non-interactive sessions when using groups option (Issue #206)