[defect]: pam_radius_auth module doesn't work if ipv6 is disabled #4397

Closed
NorthFuture opened this issue Feb 4, 2022 · 13 comments
Labels
defect category: a defect or misbehaviour

Comments

@NorthFuture

What type of defect/bug is this?

Unexpected behaviour (obvious or verified by project member)

How can the issue be reproduced?

version: libpam-radius-auth 2.0.0-1
os version: debian 11.2

in /etc/pam_radius_auth.conf

configure an ipv4 host

have ipv6 disabled on your system

Log output from the FreeRADIUS daemon

if ipv6 is disabled we get this error 

pam_radius_auth: Failed to open RADIUS IPv6 socket: Address family not supported by protocol

Relevant log output from client utilities

No response

Backtrace from LLDB or GDB

No response

@NorthFuture NorthFuture added the defect category: a defect or misbehaviour label Feb 4, 2022
@jpereira
Contributor

jpereira commented Mar 8, 2022

Hi @NorthFuture ,

Could you perform the tests using the latest code from https://github.com/FreeRADIUS/pam_radius ?

e.g:

# git clone https://github.com/FreeRADIUS/pam_radius
# cd pam_radius

For Debian...

# make deb && dpkg -i ../libpam-radius-auth_2.0.1_amd64.deb

Or Redhat/Centos.

# make rpm && rpm -ivh rpmbuild/RPMS/x86_64/pam*.rpm

Because the latest HEAD code is working, as can be seen here https://github.com/FreeRADIUS/pam_radius/runs/4609191777?check_suite_focus=true#step:19:58

e.g:

...
Dec 22 16:38:38 fv-az163-227 sudo[6607]: pam_unix(sudo:session): session closed for user root
Dec 22 16:38:38 fv-az163-227 sshd[6640]: Connection from ::1 port 58392 on ::1 port 22 rdomain ""
Dec 22 16:38:38 fv-az163-227 sshd[6640]: pam_radius_auth: 2.0.1 DEVELOPER BUILD -  (git #4215c490), built on Dec 22 2021 at 16:38:22
...

i.e: Please, everything related to pam_radius should be reported in https://github.com/FreeRADIUS/pam_radius/issues/new

@jpereira
Contributor

jpereira commented Mar 9, 2022

@NorthFuture have you had a chance to validate? Either way, it isn't an issue. Just use the latest 2.0.1 from the HEAD.

@NorthFuture
Author

Hi,
thank you for coming back.

Still having the issue with version 2.

Mar 10 08:16:34 xxx sshd[411850]: pam_radius_auth: 2.0.1 (git #4215c490), built on Nov 2 2021 at 14:37:12
Mar 10 08:16:34 xxx sshd[411850]: pam_radius_auth: Failed to open RADIUS IPv6 socket: Address family not supported by protocol

However, we managed to surpass this problem by holding back on version 1.4 with bullseye. Luckily this package had no other dependencies. Let me know if you would like to investigate.

@jpereira
Contributor

@NorthFuture please, copy and paste the content of your *.conf file.

@NorthFuture
Author

Do you mean pam_radius_auth.conf?

@jpereira
Contributor

@NorthFuture exactly

@NorthFuture
Author

the content is just one line (changed names for privacy reasons)

my_radius_server:31812 mysecret 20

where my_radius_server resolves to a private IPv4 address 10.xx.yy.zz

@jpereira
Contributor

That is the problem. If you take a look at https://github.com/FreeRADIUS/pam_radius/blob/master/pam_radius_auth.conf#L47 you will see that for IPv6 we have some special config set.

In your case, please try:

[my_radius_server]:31812 mysecret 20

Please try that and let me know what you see, even the logs.

@NorthFuture
Author

I did that, and I tried to use my ipv4 ip address as well (between brackets) without luck.

the error is still
Mar 10 16:21:24 xxx sshd[626223]: pam_radius_auth: 2.0.1 (git #4215c490), built on Nov 2 2021 at 14:37:12
Mar 10 16:21:24 xxx sshd[626223]: pam_radius_auth: Failed to open RADIUS IPv6 socket: Address family not supported by protocol

Probably it's due to some weird setup of our servers. I don't want to bother you with this issue that apparently we only encountered. We are fine to stay on 1.4 for now.

@jpereira
Contributor

@NorthFuture No worries, we are trying to figure out if it is a real issue or not. So, the next try is to configure like:

IPv4

127.0.0.1:1812    mysecret 20

IPv6

[1::]:1812    mysecret 20

If possible, first do the test using only the IPv4 then remove/comment and try using IPv6 (not the DNS host entry)

@alandekok
Member

This is telling Failed to open RADIUS IPv6 socket: Address family not supported by protocol

This means that the module is using IPv6 addresses, but the system has IPv6 networking disabled. This most often happens when you use a DNS name for the RADIUS server address, but DNS returns IPv6.

There's no way for the module to know that the OS has IPv6 disabled.

It looks like the module always opens an IPv6 socket, so I'll poke it to catch EAFNOSUPPORT, and ignore IPv6 if it's not supported.
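
One way to implement the behaviour described in the comment above (treat EAFNOSUPPORT as "this host has no IPv6" and carry on with IPv4), as an added example that is not pam_radius code. `open_radius_sockets`, `socket_fn`, the `HAVE_*` flags and the stub are hypothetical names; `want_ipv6` stands in for an administrator opt-out such as the `ipv6=no` option mentioned later in the thread.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

/* All names are hypothetical (added example, not pam_radius source). */
#define HAVE_V4 0x1
#define HAVE_V6 0x2
typedef int (*socket_fn)(int domain, int type, int protocol);

/* Constructed stub: IPv6 fails with stub_v6_errno; the IPv4 "socket" is a dup of stderr. */
static int stub_v6_errno = EAFNOSUPPORT;
static int stub_socket(int domain, int type, int protocol)
{
    (void)type; (void)protocol;
    if (domain == AF_INET6) { errno = stub_v6_errno; return -1; }
    return dup(2);
}

/* 1 = opened, 0 = address family not supported by this host, -1 = real error. */
static int try_family(socket_fn mk, int family, int *fd)
{
    *fd = mk(family, SOCK_DGRAM, 0);
    if (*fd >= 0) return 1;
    return (errno == EAFNOSUPPORT) ? 0 : -1;
}

/* Returns a HAVE_V4/HAVE_V6 bitmask, or -1 when no usable socket set exists. */
static int open_radius_sockets(socket_fn mk, int want_ipv6, int *fd4, int *fd6)
{
    int r4, r6 = 0;
    *fd6 = -1;
    r4 = try_family(mk, AF_INET, fd4);
    if (want_ipv6) r6 = try_family(mk, AF_INET6, fd6); /* skipped on opt-out */
    if (r4 < 0 || r6 < 0 || (!r4 && !r6)) {  /* hard error, or no family at all */
        if (*fd4 >= 0) close(*fd4);
        if (*fd6 >= 0) close(*fd6);
        *fd4 = *fd6 = -1;
        return -1;
    }
    return (r4 ? HAVE_V4 : 0) | (r6 ? HAVE_V6 : 0);
}

int main(void)
{
    int fd4, fd6;
    printf("stub host: %d\n", open_radius_sockets(stub_socket, 1, &fd4, &fd6));
    printf("this host: %d\n", open_radius_sockets(socket, 1, &fd4, &fd6));
    return 0;
}
```

Only EAFNOSUPPORT is tolerated; any other failure on either socket (for example EMFILE) still aborts, so a real resource or permission problem is not silently masked as "no IPv6".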

@zenchaos

zenchaos commented Mar 3, 2023

Does this bug still exist, it doesn't look like it's been addressed?

The CISA secure config states that IPv6 is to be disabled unless it's in use. Using this module, it's impossible to disable IPv6. CIS-CAT keeps throwing an audit fail since it can't be disabled.

This issue isn't filed under libpam_radius. I would be happy to create one.

@alandekok
Member

I've pushed a change in FreeRADIUS/pam_radius@8d37353

You should now be able to do

auth       required     pam_radius_auth.so conf=/etc/pam_radius_auth.conf debug retry=123 client_id=666 ipv6=no
