iinit --ttl parameter overflow

[kuntzagk]

Accidentally I found that iinit --ttl parameter should not be higher then 336:

[user@irods_client ~]$ iinit --ttl 336
Enter your current PAM password:
[user@irods_client ~]$ ils
/myZone:
  C- /myZone/Directory
  C- /myZone/home
  C- /myZone/test
  C- /myZone/trash
[user@irods_client ~]$ iinit --ttl 337
Enter your current PAM password:
Enter your current iRODS password:
[user@irods_client ~]$ ils
[-]     /tmp/tmpkfeEjV/plugins/auth/native/libnative.cpp:342:irods::error native_auth_client_response(irods::plugin_context &, rcComm_t *) :  status [CAT_INVALID_AUTHENTICATION]  errno [] -- message [Call to rcAuthResponseFailed.]

failed with error -826000 CAT_INVALID_AUTHENTICATION

$ rpm -q irods-icommands
irods-icommands-4.2.4-1.x86_64

[alanking]

pam_password_max_time has a maximum value of 1209600 (seconds) by default. The value passed to --ttl is in hours. 336 hours * 3600 seconds/hour = 1209600 seconds. Anything above that will exceed the maximum default value.

If you can, are you able to see in the logs where authentication may have failed (e.g. "invalid ttl", "failed updating iRODS pam password")? If you change pam_password_max_time in the server_config, does the maximum value of --ttl also increase?

If so, this is working as expected. Regardless, perhaps we should have a better error message for the user to indicate that authentication failed in this case?

[trel]

Just for context:

$ iinit -h --ttl
When using regular iRODS passwords you can use --ttl (Time To Live)
to request a credential (a temporary password) that will be valid
for only the number of hours you specify (up to a limit set by the
administrator).  This is more secure, as this temporary password
(not your permanent one) will be stored in the obfuscated
credential file (.irodsA) for use by the other iCommands.

When using PAM, iinit always generates a temporary iRODS password
for use by the other iCommands, using a time-limit set by the
administrator (usually a few days).  With the --ttl option, you can
specify how long this derived password will be valid, within the
limits set by the administrator.

[alanking]

I think that this may be fixed in 4.3.1. See #7274

[korydraughn]

Please confirm, update, and close if resolved.

[alanking]

Found a test for this:

irods/scripts/irods/test/test_pam_password_authentication.py

Lines 206 to 238 in 690ffe5

	# Try a few different values here that are in the range of overall acceptable values:
	# - 2 hours allows us to go up OR down by 1 hour (boundary case).
	# - 336 hours is 1209600 seconds (or 2 weeks) which is the default maximum allowed TTL value.
	for base_ttl_in_hours in [2, 336]:
	with self.subTest(f'test with TTL of [{base_ttl_in_hours}] hours'):
	base_ttl_in_seconds = base_ttl_in_hours * 3600
	option_value = str(base_ttl_in_seconds + 10)
	self.admin.assert_icommand(
	['iadmin', 'set_grid_configuration', self.configuration_namespace, min_time_option_name, option_value])
	# Set password_max_time to a value less than the password_min_time.
	option_value = str(base_ttl_in_seconds - 10)
	self.admin.assert_icommand(
	['iadmin', 'set_grid_configuration', self.configuration_namespace, max_time_option_name, option_value])
	# Note: The min/max check does not occur when no TTL parameter is passed, for some reason.
	# We must pass TTL explicitly for each test.
	# This is lower than the minimum and higher than the maximum. The TTL is invalid.
	self.auth_session.assert_icommand(
	['iinit', '--ttl', str(base_ttl_in_hours)],
	'STDERR', 'PAM_AUTH_PASSWORD_INVALID_TTL', input=f'{self.auth_session.password}\n')
	# This is lower than the maximum but also lower than the minimum. The TTL is invalid.
	self.auth_session.assert_icommand(
	['iinit', '--ttl', str(base_ttl_in_hours - 1)],
	'STDERR', 'PAM_AUTH_PASSWORD_INVALID_TTL', input=f'{self.auth_session.password}\n')
	# This is higher than the minimum but also higher than the maximum. The TTL is invalid.
	self.auth_session.assert_icommand(
	['iinit', '--ttl', str(base_ttl_in_hours + 1)],
	'STDERR', 'PAM_AUTH_PASSWORD_INVALID_TTL', input=f'{self.auth_session.password}\n')

The test sets the password_max_time and tries to use a --ttl value that is greater than that value. An error message now comes back instead of showing the password prompt for native authentication. A similar test was implemented for native authentication.