Comment 1 Peter Åstrand 2013-04-15 15:51:53 CEST

Fixed in:
r27076
r27077
r27078

Time reporting on bug 4132. The tester should check:

* Authentication with normal passwords, as well as extra prompts ie OTP
* Cleanup of stale "pamtester" processes and FIFOs in /tmp
* Bonus: Authentication with passwordless username
* Security aspects
* Error handling

Comment 2 Henrik Andersson 2013-05-02 15:48:57 CEST

(In reply to comment #1)
> * Authentication with normal passwords, as well as extra prompts ie OTP

Work as expected, tested using pam_prompt.so.

> * Bonus: Authentication with passwordless username

Works in a strange way, empty password from login form is passed as
response to OTP prompt, however the thinlinc client works this way too.

Comment 3 Henrik Andersson 2013-05-03 10:48:19 CEST

> * Error handling

I configured pam_radius module for sshd which pointed out a non existing radius server, pamtester auth failures log auth failures into the html page but no trace in /var/log/tlwebaccess.log

Comment 4 Henrik Andersson 2013-05-03 10:59:14 CEST

While using pam_prompt and at login form when prompt for second input I stopped pamtester 'kill -STOP <pid>'. Then i continued with the login form filling in a prompt and continue, the form hangs forever (>60 secs).

Maybe we should have a timeout for IPC tlwebaccess <-> pamtester

Comment 5 Henrik Andersson 2013-05-03 11:15:06 CEST

> * Cleanup of stale "pamtester" processes and FIFOs in /tmp

After the stop of pamtester process in comment #4 it took some time for cleanup but /tmp was cleaned up from .err/.in/.out fifos, however the tlwebaccess process which wants to communicate with pamtester seems to never die.

Comment 6 Peter Åstrand 2013-05-03 11:33:46 CEST

(In reply to comment #3)
> > * Error handling
> 
> I configured pam_radius module for sshd which pointed out a non existing radius
> server, pamtester auth failures log auth failures into the html page but no
> trace in /var/log/tlwebaccess.log

Moved to bug https://www.cendio.com/bugzilla/show_bug.cgi?id=4632.

Comment 7 Peter Åstrand 2013-05-03 12:03:14 CEST

(In reply to comment #5)
> > * Cleanup of stale "pamtester" processes and FIFOs in /tmp
> 
> After the stop of pamtester process in comment #4 it took some time for cleanup
> but /tmp was cleaned up from .err/.in/.out fifos, however the tlwebaccess
> process which wants to communicate with pamtester seems to never die.

This and comment #4 should be fixed in 27303.

Comment 8 Henrik Andersson 2013-05-06 09:21:33 CEST

(In reply to comment #7)
> (In reply to comment #5)
> > > * Cleanup of stale "pamtester" processes and FIFOs in /tmp
> > 
> > After the stop of pamtester process in comment #4 it took some time for cleanup
> > but /tmp was cleaned up from .err/.in/.out fifos, however the tlwebaccess
> > process which wants to communicate with pamtester seems to never die.
> 
> This and comment #4 should be fixed in 27303.

Using build 3937, Verified that there is a 120 seconds timeout for IPC communications tlwebaccess <-> pamtester.

Upon timeout, the rendered html page shows an error message.

Comment 9 Henrik Andersson 2013-05-06 10:37:16 CEST

Also tested to login steps until the OTP prompt, were i went back to main login form (a few times), leaving a few tlwebaccess+pamtester alive but not used. 

Those left overs where successfully removed after a timeout.

After these tests and fixes it seems to work fine. Closing this bug as fixed.