pam.d authentication fails

[yahess]

• Gitea version (or commit ref): 1.15.0+dev-206-gae6d7860b
• Git version: 2.25.1
• Operating system: Ubuntu 20.04
• Database (use [x]):
  • PostgreSQL
  • MySQL
  • MSSQL
  • SQLite
• Can you reproduce the bug at https://try.gitea.io:
  • Yes (provide example URL)
  • No
• Log gist:

Description

Authentication via pam.d krb5 module fails with error

...dels/login_source.go:831:UserSignIn() [W] Failed to login 'USERID' via 'systemusers': e-mail invalid [email: USERID]

[lunny]

I think maybe we can enable pam tags for docker build since it's Linux.

[zeripath]

@yahess are you sure that pam is compiled into your version of Gitea? as @lunny says pam isn't included in the docker builds or builds by default.

[yahess]

Hi,

I have the following version. I build it using the install from source guide.

root@gitea:~/gitea# ./gitea --version
Gitea version 1.15.0+dev-206-gae6d7860b built with GNU Make 4.2.1, go1.16.3 : bindata, pam

[zeripath]

What were your TAGS for the build?

[yahess]

TAGS="bindata pam" make build

[zeripath]

OK, so let's jump back a bit. This error report is coming from:

gitea/models/login_source.go

Line 831 in 1e6fa57

log.Warn("Failed to login '%s' via '%s': %v", username, source.Name, err)

Which implies that the user in question is not in the db at present. (see L777 of that function)

The error (a models.ErrEmailInvalid) with the string content e-mail invalid [email: USERID] can only be returned by:

gitea/models/user_mail.go

Lines 30 to 43 in 1e6fa57

	// ValidateEmail check if email is a allowed address
	func ValidateEmail(email string) error {
	if len(email) == 0 {
	return nil
	}
	if _, err := mail.ParseAddress(email); err != nil {
	return ErrEmailInvalid{email}
	}
	// TODO: add an email allow/block list
	return nil
	}

and so will be coming from L888 within:

gitea/models/user.go

Lines 854 to 855 in 1e6fa57

	// CreateUser creates record of a new user.
	func CreateUser(u *User) (err error) {

(This was added by #13475 and amended slightly by #13627)

The problem is that neither of these PRs considered what happens with PAM:

gitea/models/login_source.go

Lines 682 to 715 in 1e6fa57

	// LoginViaPAM queries if login/password is valid against the PAM,
	// and create a local user if success when enabled.
	func LoginViaPAM(user *User, login, password string, sourceID int64, cfg *PAMConfig) (*User, error) {
	pamLogin, err := pam.Auth(cfg.ServiceName, login, password)
	if err != nil {
	if strings.Contains(err.Error(), "Authentication failure") {
	return nil, ErrUserNotExist{0, login, 0}
	}
	return nil, err
	}
	if user != nil {
	return user, nil
	}
	// Allow PAM sources with `@` in their name, like from Active Directory
	username := pamLogin
	idx := strings.Index(pamLogin, "@")
	if idx > -1 {
	username = pamLogin[:idx]
	}
	user = &User{
	LowerName: strings.ToLower(username),
	Name: username,
	Email: pamLogin,
	Passwd: password,
	LoginType: LoginPAM,
	LoginSource: sourceID,
	LoginName: login, // This is what the user typed in
	IsActive: true,
	}
	return user, CreateUser(user)
	}

in particular:

gitea/models/login_source.go

Line 707 in 1e6fa57

Email: pamLogin,

This makes no attempt to check that the pamLogin would be a valid email under those constraints.

---

So... The question is what to do?

I think we can leave the email blank or we could try adding the noreply suffix. An alternative is to change the pam module you're linking in to return the email address instead of the username.