Using SmartCard and CryptoTokenKit extension to authenticate for sudo command

Hi.

Working on macOS Monterey.

I have created a CTK extension that works without any issues for all the needed use cases (pairing the card with a user, logging in to macOS, authenticating to a web portal, etc.) except one.

When the SmartCard is paired with a user, the user is asked for a PIN when trying to run a sudo command from a terminal. If the right PIN is entered, the command is executed normally. The issue is that if the user enters the wrong PIN and, when asked for the PIN again, enters the correct PIN, then the sudo command is executed but with a segmentation fault. There are no traces of memory issues in the console output of the CTK extension itself.

Anyone had similar issues, or at least the idea what could be the issue in this case?

In addition, is it possible to show the user the number of remaining PIN attempts when calling a sudo command? I've done it for other use cases by filling in the error string of the finnishWithError function and sending the TKErrorCodeAuthenticationFailed error code. Then, on a wrong PIN entry, macOS writes the error string in the PIN entry window. But when running a sudo command nothing is shown in the terminal on a wrong PIN entry; the user is just asked for the PIN again.

Thanks in advance.

then sudo command is executed but with segmentation fault.

That should generate a crash report. Please post that here. See Posting a Crash Report for hints and tips on how to do that.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Hi.

Thank you for the response. Here is the crash report that I got from console, I hope this will suffice.

If you need any more info please let me know.

Hmmm, look at this backtrace:

Thread 0 Crashed::   Dispatch queue: com.apple.main-thread
0   libobjc.A.dylib … objc_release + 30 …
1   libpam.2.dylib  … pam_end + 58 …
2   sudo            … sudo_pam_end_session + 340
3   sudo            … sudo_auth_end_session + 90
4   sudo            … sudoers_policy_close + 74
5   sudo            … policy_close + 168 …
6   sudo            … run_command + 136 …
7   sudo            … main + 10240 …
8   dyld            … start + 462 …

So, just to confirm, you only have a CTK appex right? You don’t have a PAM module as well?

Presuming that’s correct, this is definitely a bug in the OS itself. This crash is likely caused by a memory management issue within PAM, or one of the PAM modules, running within sudo. Your CTK appex isn’t running in this process, so it can’t be the immediate cause of the crash.

You should definitely file a bug about this. Please post your bug number, just for the record.

It’s possible that your CTK appex is an indirect cause of this. It may be responding to a request in a weird way, or perhaps failing a request, and that causes PAM to take a wrong turn.

I don’t have any concrete suggestions as to what that might be. Frame 1 of the backtrace is line 65 of openpam/lib/pam_end.c:

(dp->cleanup)(pamh, dp->data, status);

Note: This is from the Darwin source corresponding to macOS 11.0.1, but I checked internally and the code hasn’t changed in macOS 12.

This suggests that the fault lies in the cleanup code within a specific PAM module. Unfortunately there’s no easy way to identify which module because nothing shows up in the backtrace; I suspect that one or more frames were eliminated by a tail call optimisation.

What you could do here is write a tiny test project that calls PAM in the same way that sudo calls PAM. It’s likely that this will crash as well, in which case you can debug things from there. For example, you could apply the standard memory debugging tools, and specifically zombies, which is great at finding the root cause for issues like this.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
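The "tiny test project that calls PAM in the same way that sudo calls PAM" suggested above, written out as an added example (this is not code from the thread, from sudo, or from Apple). It replays the exact scenario from the original post: a scripted conversation function answers the first PIN prompt with a wrong PIN and the second with the right one, and the driver walks the same sequence sudo uses (pam_start, pam_authenticate once per attempt on the same handle, pam_acct_mgmt, pam_open_session, pam_close_session, pam_end). libpam is loaded with dlopen so the file builds with no PAM headers or link flags; the struct layouts and constants are copied from the public OpenPAM/Linux-PAM API, and the library names, the "sudo" service name and the PINs "0000"/"1234" are assumptions for illustration. Run it under the zombies instrument or an address sanitizer to see which module's cleanup callback pam_end trips over.

```c
/* pamdrive.c: drive libpam the way sudo does, with a scripted conversation,
 * so "wrong PIN, then right PIN" is reproducible outside of sudo.
 * Build: cc -o pamdrive pamdrive.c   (no PAM headers or -lpam needed) */
#define _GNU_SOURCE
#include <dlfcn.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Public PAM API values; identical in OpenPAM (macOS) and Linux-PAM. */
#define PAM_SUCCESS         0
#define PAM_PROMPT_ECHO_OFF 1
#define PAM_PROMPT_ECHO_ON  2
#define PAM_ERROR_MSG       3
#define PAM_TEXT_INFO       4
#define PAM_CONV_ERR        19

struct pam_message  { int msg_style; const char *msg; };
struct pam_response { char *resp; int resp_retcode; };
struct pam_conv {
    int (*conv)(int, const struct pam_message **, struct pam_response **, void *);
    void *appdata_ptr;
};
typedef struct pam_handle pam_handle_t;
typedef int (*pam_start_fn)(const char *, const char *, const struct pam_conv *, pam_handle_t **);
typedef int (*pam_handle_fn)(pam_handle_t *, int);

/* Scripted answers: every password-style prompt consumes the next entry. */
struct script { const char **answers; int count; int next; };

static void free_responses(struct pam_response *r, int n) {
    for (int i = 0; i < n; i++) free(r[i].resp);
    free(r);
}

/* Conversation callback, i.e. what sudo provides when it calls pam_start:
 * answers prompts from the script, acknowledges module text (a module's
 * PAM_ERROR_MSG such as a retry notice arrives here; sudo's own callback
 * prints it), and fails the conversation once the script is exhausted. */
int scripted_conv(int num_msg, const struct pam_message **msg,
                  struct pam_response **resp, void *appdata)
{
    struct script *s = appdata;
    if (num_msg <= 0) return PAM_CONV_ERR;
    struct pam_response *r = calloc((size_t)num_msg, sizeof *r);
    if (!r) return PAM_CONV_ERR;
    for (int i = 0; i < num_msg; i++) {
        switch (msg[i]->msg_style) {
        case PAM_PROMPT_ECHO_OFF:
        case PAM_PROMPT_ECHO_ON:
            if (s->next >= s->count) { free_responses(r, i); return PAM_CONV_ERR; }
            r[i].resp = strdup(s->answers[s->next++]);
            break;
        case PAM_ERROR_MSG:
        case PAM_TEXT_INFO:
            fprintf(stderr, "[pam] %s\n", msg[i]->msg);
            r[i].resp = NULL;
            break;
        default:
            free_responses(r, i);
            return PAM_CONV_ERR;
        }
    }
    *resp = r;
    return PAM_SUCCESS;
}

/* Mirrors sudo's PAM sequence. Returns the final PAM status, or -1 if
 * libpam could not be loaded (library names are assumptions). */
int run_sudo_like_session(const char *service, const char *user,
                          struct script *s, int max_tries)
{
    const char *libs[] = { "libpam.2.dylib", "libpam.so.0", "libpam.so" };
    void *h = NULL;
    for (size_t i = 0; i < sizeof libs / sizeof *libs && !h; i++)
        h = dlopen(libs[i], RTLD_NOW);
    if (!h) { fprintf(stderr, "libpam not found: %s\n", dlerror()); return -1; }

    pam_start_fn  p_start = (pam_start_fn)dlsym(h, "pam_start");
    pam_handle_fn p_auth  = (pam_handle_fn)dlsym(h, "pam_authenticate");
    pam_handle_fn p_acct  = (pam_handle_fn)dlsym(h, "pam_acct_mgmt");
    pam_handle_fn p_open  = (pam_handle_fn)dlsym(h, "pam_open_session");
    pam_handle_fn p_close = (pam_handle_fn)dlsym(h, "pam_close_session");
    pam_handle_fn p_end   = (pam_handle_fn)dlsym(h, "pam_end");
    if (!p_start || !p_auth || !p_acct || !p_open || !p_close || !p_end) { dlclose(h); return -1; }

    struct pam_conv conv = { scripted_conv, s };
    pam_handle_t *pamh = NULL;
    int rc = p_start(service, user, &conv, &pamh);
    if (rc != PAM_SUCCESS) { dlclose(h); return rc; }

    /* sudo calls pam_authenticate once per attempt on the same handle, so a
     * wrong PIN followed by the right one is two calls, not one. */
    for (int t = 0; t < max_tries; t++) {
        rc = p_auth(pamh, 0);
        fprintf(stderr, "pam_authenticate attempt %d -> %d\n", t + 1, rc);
        if (rc == PAM_SUCCESS) break;
    }
    if (rc == PAM_SUCCESS) rc = p_acct(pamh, 0);
    if (rc == PAM_SUCCESS) rc = p_open(pamh, 0);
    if (rc == PAM_SUCCESS) rc = p_close(pamh, 0);
    /* Frame 1 of the thread's backtrace: pam_end runs each module's
     * data-cleanup callback. A stale data pointer shows up right here. */
    int end_rc = p_end(pamh, rc);
    dlclose(h);
    return rc != PAM_SUCCESS ? rc : end_rc;
}

int main(int argc, char **argv) {
    /* Constructed script: wrong PIN first, then the right one. */
    const char *answers[] = { "0000", "1234" };
    struct script s = { answers, 2, 0 };
    const char *user = argc > 1 ? argv[1] : getenv("USER");
    int rc = run_sudo_like_session("sudo", user ? user : "nobody", &s, 3);
    printf("final PAM status %d\n", rc);
    return rc == PAM_SUCCESS ? 0 : 1;
}
```

The conversation function is where the second question in the original post surfaces as well: text a PAM module sends with PAM_ERROR_MSG or PAM_TEXT_INFO is delivered through this callback, and sudo's own callback prints such messages to the terminal, so the driver logs them to stderr to make visible whatever the smart card stack does or does not send on a failed attempt.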

Hi.

I use only the CTK appex; nothing else is installed, at least not by me. I don't know if something else is running by default on macOS.

I reported this as a bug a long time ago (when I opened the thread here), but there has been no feedback of any kind or change of status yet. The Feedback Assistant bug report ID is: FB9844987

The Feedback Assistant bug report ID is: FB9844987

Thanks for reporting this and posting your bug number. Sadly, I’ve no updates on this front )-:

I use only CTK appex

Is this a CTK appex that you developed?

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Is this a CTK appex that you developed?

Yes.

Yes.

Cool!

I’ve recently taken over CTK support for DTS and I’d love an excuse to dig into this issue. Given that this is a CTK appex that you’ve developed, you can reasonably open a DTS tech support incident asking if there’s a way for you to workaround FB9844987.

When you submit your TSI, please reference this DevForums thread, just for the context.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

I had cause to look at this in detail today. To summarise:

  • This is definitely a bug in our system. You can reproduce it with a YubiKey, which is directly supported by macOS, so no third-party software.

  • I understand how the bug comes about and there’s no way to work around it from the context of your CTK appex.

  • I’ve updated tkrzanic_at’s bug (FB9844987) with my findings and I’m hoping that translates to us shipping a fix.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
