Bug ID 536831

Bug Tracker
ID 536831

Bug ID 536831: APM PAM module does not handle local-only users list correctly

Last Modified: Sep 13, 2023

Affected Product(s):
BIG-IP APM(all modules)

Known Affected Versions:
11.5.4, 11.5.5, 11.5.6, 11.5.7, 11.5.8, 11.5.9, 11.5.10, 11.6.0, 11.6.1, 11.6.2, 11.6.3, 11.6.3.1, 11.6.3.2, 11.6.3.3, 11.6.3.4, 11.6.4, 11.6.5, 11.6.5.1, 11.6.5.2, 11.6.5.3, 12.0.0, 12.0.0 HF1, 12.1.0 HF1, 12.0.0 HF2, 12.1.0 HF2, 12.0.0 HF3, 12.0.0 HF4, 12.1.1 HF1, 12.1.1 HF2, 12.1.2 HF1, 12.1.2 HF2, 12.1.0, 12.1.1, 12.1.2, 12.1.3, 12.1.3.1, 12.1.3.2, 12.1.3.3, 12.1.3.4, 12.1.3.5, 12.1.3.6, 12.1.3.7, 12.1.4, 12.1.4.1, 12.1.5, 12.1.5.1, 12.1.5.2, 12.1.5.3, 12.1.6, 13.0.0, 13.0.0 HF1, 13.0.0 HF2, 13.0.0 HF3, 13.0.1, 13.1.0, 13.1.0.1, 13.1.0.2, 13.1.0.3

Fixed In:
14.0.0, 13.1.0.4

Opened: Jul 30, 2015

Severity: 3-Major

Symptoms

The following log messages are shown in /var/log/secure, when remote-auth (APM based) is configured and when trying to authenticate local users: -- notice httpd[8281]: pam_apm: module returning Failure, ClientHandler auth failed!(admin) -- notice httpd[8281]: 01070417:5: AUDIT - user admin - RAW: httpd(mod_auth_pam): user=admin(admin) partition=[All] level=Administrator tty=/sbin/nologin host=X.X.X.X attempts=1 start="Wed Jan 17 14:49:21 2018" This failure log shows that the system first attempts to authenticate local users (like admin, root, etc.) remotely.

Impact

Local users credentials are sent to remote authentication servers which will return auth failure. However, in the second attempt, the system attempts to authenticate a user locally, and it will succeed, as expected. Check below logs: -- notice httpd[8281]: pam_apm: module returning Failure, ClientHandler auth failed!(admin) -- notice httpd[8281]: 01070417:5: AUDIT - user admin - RAW: httpd(mod_auth_pam): user=admin(admin) partition=[All] level=Administrator tty=/sbin/nologin host=X.X.X.X attempts=1 start="Wed Jan 17 14:49:21 2018"

Conditions

This occurs when following conditions are met: - APM is provisioned on a BIG-IP system. - APM-based remote-auth is configured. - Local users (like admin, root, etc.) attempt to log into the management interface of that BIG-IP system.

Workaround

None.

Fix Information

Local users are authenticated locally. The system no longer sends request to remote servers for local users.

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips