Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

2nd request to RADIUS on missing user specific policies #4938

Closed
kbl opened this issue Jul 17, 2018 · 2 comments
Closed

2nd request to RADIUS on missing user specific policies #4938

kbl opened this issue Jul 17, 2018 · 2 comments

Comments

@kbl
Copy link

kbl commented Jul 17, 2018
edited
Loading

When GCP is used as storage backend and RADIUS is used as auth method request to authenticate against RADIUS is being sent twice for users without explicitly configured policies.

To Reproduce
Steps to reproduce the behavior:

  1. Intialize Vault with GCP storage backend,
  2. Enable RADIUS auth method under auth/radius path,
  3. Run vault login -method=userpass -path=radius username=xxx (xxx shouldn't have any policies assigned, should only use those configured with unregistered_user_policies

In such case, after successfull authentication context is cancelled due to:

"error":"failed to read value for \"auth/<hash>/user/mpietraszek\": Get https://storage.googleapis.com/magic-bucket/auth/<hash>/user/mpietraszek: context canceled"

After that cancellation another request to RADIUS is being made. The latter fails as OTP was already used.

Below is a tcpdump showing requests being made during authentication process:

# tcpdump -n dst host radiu or src host radiu
09:59:42.042366 IP vault.54122 > radiu.1812: RADIUS, Access-Request (1), id: 0x43 length: 105
09:59:43.307065 IP radiu.1812 > vault.54122: RADIUS, Access-Accept (2), id: 0x43 length: 44
09:59:44.656698 IP vault.43448 > radiu.1812: RADIUS, Access-Request (1), id: 0xb2 length: 105
09:59:46.443127 IP radiu.1812 > vault.43448: RADIUS, Access-Reject (3), id: 0xb2 length: 50

Expected behavior
GCP storage backend should allow login by unregistered users.

Environment:
I've reproduced the bug with following servers/clients:

  • Vault v0.10.3 ('c69ae68faf2bf7fc1d78e3ec62655696a07454c7')
  • Vault v0.10.2 ('3ee0802ed08cb7f4046c2151ec4671a076b76166')
  • Server Operating System/Architecture:
Linux vault 3.16.0-4-amd64 #1 SMP Debian 3.16.51-3 (2017-12-13) x86_64 GNU/Linux
  • Vault server configuration file(s):
{
  "api_addr": "https://vault:8200",
  "storage": {
    "gcs": {
      "bucket": "magic-bucket",
      "ha_enabled": "true"
    }
  },
  "listener": {
    "tcp": {
      "address": "0.0.0.0:8200",
      "cluster_address": "0.0.0.0:8201",
      "tls_cert_file": "/etc/vault/vault.crt",
      "tls_key_file": "/etc/vault/vault.key"
    }
  },
  "disable_mlock": false
}
jefferai added a commit that referenced this issue Jul 17, 2018
@jefferai
Fix context shadowing during radius login
31a725a 
Fixes #4938
@jefferai jefferai mentioned this issue Jul 17, 2018
Merged
briankassouf pushed a commit that referenced this issue Jul 17, 2018
@jefferai @briankassouf
Fix context shadowing during radius login (#4941)
22658a7 
Fixes #4938
@kbl
Copy link
Author

kbl commented Jul 17, 2018

Wow, that was quick! I've planned to dive into the code to fix that and certainly expected something more than 4-lines diff ;). Thanks!

@jefferai
Copy link
Member

@kbl Validating the fix in your environment is always a nice way to help :-)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@jefferai @kbl