CentOS 7 SSH and 2FA (ESET Secure Authentication) - linux

I am stuck getting two-factor authentication in CentOS 7 to work, specifically authentication via SSH and OTP.
I would very much appreciate it if someone could assist me with this. :)
Here is a log of an attempt to log in via SSH with the account "ws-admin@test.local":
sshd[3652]: pam_radius_auth: Got user name ws-admin#test.local
sshd[3652]: pam_radius_auth: ignore last_pass, force_prompt set
sshd[3652]: pam_radius_auth: Sending RADIUS request code 1
sshd[3652]: pam_radius_auth: DEBUG: getservbyname(radius, udp) returned 0x7fa56490e1c0.
sshd[3652]: pam_radius_auth: Got RADIUS response code 11
sshd[3652]: pam_radius_auth: authentication failed
sshd[3652]: pam_sepermit(sshd:auth): Parsing config file: /etc/security/sepermit.conf
sshd[3652]: pam_sepermit(sshd:auth): Enforcing mode, access will be allowed on match
sshd[3652]: pam_sepermit(sshd:auth): sepermit_match returned: -1
sshd[3652]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.31 user=ws-admin@test.local
sshd[3652]: Failed password for ws-admin@test.local from 10.0.0.31 port 57962 ssh2
sshd[3652]: Connection closed by 10.0.0.31 [preauth]
Below follows the configuration and setup information.
The test environment is my company's infrastructure; we mainly use Windows clients and roughly an equal share of Windows and Linux servers.
Win-Server: Windows Server 2016 x64
Active Directory: Test.local
ESET Secure Authentication (RADIUS Server)
Shared Secret with Client: test345
Option "Use Access-Challenge feature of RADIUS" is enabled
Linux-Client/Server: CentOS 7 x64
joined Domain Test.local via realm
Local login with AD accounts and OTP 2FA is always possible
SSH login with any account is only possible if pam_radius_auth.so is not set to required in /etc/pam.d/sshd (which means no 2FA)
Configuration of the Linux-Client/Server:
RADIUS server and shared secret are added in /etc/raddb/server
pam_radius_auth.so is in /usr/lib64/security/
auth required pam_radius_auth.so added to /etc/pam.d/sshd and /etc/pam.d/login
/etc/pam.d/login
#%PAM-1.0
auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
auth substack system-auth
auth include postlogin
auth sufficient pam_radius_auth.so
account required pam_nologin.so
account include system-auth
password include system-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so
session optional pam_console.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open
session required pam_namespace.so
session optional pam_keyinit.so force revoke
session include system-auth
session include postlogin
-session optional pam_ck_connector.so
/etc/pam.d/sshd
#%PAM-1.0
auth required pam_radius_auth.so debug
auth required pam_sepermit.so debug
auth substack password-auth debug
auth include postlogin debug
# Used with polkit to reauthorize users in remote sessions
-auth optional pam_reauthorize.so prepare
account required pam_nologin.so
account include password-auth
password include password-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open env_params
session required pam_namespace.so
session optional pam_keyinit.so force revoke
session include password-auth
session include postlogin
# Used with polkit to reauthorize users in remote sessions
-session optional pam_reauthorize.so prepare
/etc/raddb/server
# server[:port] shared_secret timeout (s)
10.0.0.1 test345 5
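For readers following the log above: response code 11 is an Access-Challenge, which RFC 2865 expects the client to answer with a second Access-Request carrying the server's State attribute rather than treat as a final result. This added example is constructed, not code from the question or from ESET: a minimal RADIUS client plus a toy server walking that two-round exchange; the shared secret is the one posted, while the password, OTP and State values are made up.

```python
import hashlib, os, struct

# Constructed example, not from the question: minimal RFC 2865 client plus a toy server
# showing the two-round Access-Challenge exchange. Secret as posted; the rest is made up.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, USER_PASSWORD, REPLY_MESSAGE, STATE = 1, 2, 18, 24
SECRET, FAKE_STATE = b"test345", b"made-up-state"

def hide_password(plaintext, authenticator):
    """RFC 2865 5.2: pad to 16 bytes, XOR each block with MD5(secret + previous block)."""
    data = plaintext + b"\x00" * (-len(plaintext) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        key = hashlib.md5(SECRET + prev).digest()
        prev = bytes(a ^ b for a, b in zip(data[i:i + 16], key))  # next block chains on this
        out += prev
    return out
def packet(code, ident, authenticator, pairs):
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in pairs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body
def unpack(raw):
    """Return (code, id, authenticator, {attr_type: value})."""
    code, ident, length = struct.unpack("!BBH", raw[:4])
    body, attrs, i = raw[20:length], {}, 0
    while i < len(body):
        t, l = body[i], body[i + 1]
        if l < 2: raise ValueError("malformed attribute length")
        attrs[t], i = body[i + 2:i + l], i + l
    return code, ident, raw[4:20], attrs
def access_request(ident, user, typed, state=None):
    """Client: returns (packet, Request Authenticator); keep the latter to check the reply."""
    auth = os.urandom(16)
    pairs = [(USER_NAME, user), (USER_PASSWORD, hide_password(typed, auth))]
    if state is not None:
        pairs.append((STATE, state))  # round two must echo the server's State
    return packet(ACCESS_REQUEST, ident, auth, pairs), auth
def reply(code, ident, request_auth, pairs):
    """Server: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    p = packet(code, ident, request_auth, pairs)
    return p[:4] + hashlib.md5(p + SECRET).digest() + p[20:]
def verify_response(raw, request_auth):
    """Client: reject replies whose authenticator was not computed with our secret."""
    code, ident, resp_auth, attrs = unpack(raw)
    if resp_auth != hashlib.md5(raw[:4] + request_auth + raw[20:] + SECRET).digest():
        raise ValueError("Response Authenticator mismatch (shared secret differs?)")
    return code, attrs
def challenge_server(raw, good_pw=b"Passw0rd!", good_otp=b"123456"):
    """Toy server: round one checks the password, round two (State present) the OTP."""
    code, ident, req_auth, attrs = unpack(raw)
    second = attrs.get(STATE) == FAKE_STATE
    if attrs[USER_PASSWORD] != hide_password(good_otp if second else good_pw, req_auth):
        return reply(ACCESS_REJECT, ident, req_auth, [])
    if second:
        return reply(ACCESS_ACCEPT, ident, req_auth, [])
    return reply(ACCESS_CHALLENGE, ident, req_auth,
                 [(REPLY_MESSAGE, b"Enter OTP:"), (STATE, FAKE_STATE)])
def login(user, password, otp):
    """What a PAM client must do on code 11: prompt for the OTP and echo the State."""
    pkt, auth = access_request(1, user, password)
    code, attrs = verify_response(challenge_server(pkt), auth)
    if code == ACCESS_CHALLENGE:
        pkt, auth = access_request(2, user, otp, state=attrs[STATE])
        code, attrs = verify_response(challenge_server(pkt), auth)
    return code
```

A client that has no way to prompt for the second factor (for example a PAM conversation that cannot ask an extra question) never sends round two, so the server's challenge ends up reported as a failure.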

Related

Denyhosts on Centos7 option DENY_THRESHOLD_INVALID does not work

Using CentOS 7 and DenyHosts 2.9, I noticed some strange behavior.
My config is set to:
DENY_THRESHOLD_INVALID = 3
DENY_THRESHOLD_VALID = 10
Which, in my understanding, means: after 3 failed login attempts for NON-EXISTING users from host X, deny that host.
After 10 failed login attempts from EXISTING users from host X, deny that host.
While the latter works just fine, the DENY_THRESHOLD_INVALID = 3 setting does not work.
What I noticed is that in /var/log/secure, which DenyHosts parses, logins from non-existing accounts and logins from accounts that exist but use the wrong password are handled differently.
Aug 10 12:32:42 ftp sshd[27176]: Invalid user adminx from xxx.128.30.135 port 42800
Aug 10 12:32:42 ftp sshd[27176]: input_userauth_request: invalid user adminx [preauth]
Aug 10 12:32:42 ftp sshd[27176]: Connection closed by xxx.128.30.135 port 42800 [preauth]
vs.
Aug 10 12:33:46 ftp sshd[27238]: Failed password for exchange from xxx.128.30.135 port 42802 ssh2
Does anyone know if DenyHosts has problems parsing the /var/log/secure file on CentOS with non-existing accounts vs. existing accounts that use wrong passwords?
The DenyHosts debug log also does not say anything. It seems to ignore the login attempts from non-existent users.
Any help would be appreciated. Thanks.
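Added example, not from the question: a classifier for the two sshd line shapes quoted above that keeps separate per-host counters for non-existent and existing accounts, so the two thresholds can be applied the way the config intends. The log lines below are constructed (RFC 5737 addresses).

```python
import re
from collections import defaultdict

# Added example, not from the question: count the two sshd failure shapes per source
# host against separate thresholds. Sample log lines are constructed.
DENY_THRESHOLD_INVALID = 3
DENY_THRESHOLD_VALID = 10

INVALID_USER = re.compile(r"sshd\[\d+\]: Invalid user (\S+) from (\S+)")
FAILED_PASSWORD = re.compile(r"sshd\[\d+\]: Failed password for (\S+) from (\S+)")

def classify(line):
    """Map one /var/log/secure line to ('invalid'|'valid', user, host), or None."""
    m = INVALID_USER.search(line)
    if m:                                   # non-existent account, logged before any password
        return "invalid", m.group(1), m.group(2)
    if "Failed password for invalid user " in line:
        return None                         # same attempt as the "Invalid user" line before it
    m = FAILED_PASSWORD.search(line)
    if m:                                   # existing account, wrong password
        return "valid", m.group(1), m.group(2)
    return None                             # input_userauth_request, Connection closed, ...

def hosts_to_deny(lines):
    """Return (hosts that crossed a threshold, per-host counts)."""
    counts = defaultdict(lambda: {"invalid": 0, "valid": 0})
    limits = {"invalid": DENY_THRESHOLD_INVALID, "valid": DENY_THRESHOLD_VALID}
    denied = []
    for line in lines:
        hit = classify(line)
        if hit is None:
            continue
        kind, _user, host = hit
        counts[host][kind] += 1
        if counts[host][kind] == limits[kind] and host not in denied:
            denied.append(host)
    return denied, counts

SAMPLE_LOG = """\
Aug 10 12:32:42 ftp sshd[27176]: Invalid user adminx from 203.0.113.5 port 42800
Aug 10 12:32:42 ftp sshd[27176]: input_userauth_request: invalid user adminx [preauth]
Aug 10 12:32:42 ftp sshd[27176]: Connection closed by 203.0.113.5 port 42800 [preauth]
Aug 10 12:32:50 ftp sshd[27180]: Invalid user oracle from 203.0.113.5 port 42801
Aug 10 12:32:55 ftp sshd[27190]: Invalid user test from 203.0.113.5 port 42803
Aug 10 12:33:46 ftp sshd[27238]: Failed password for exchange from 203.0.113.5 port 42802 ssh2
Aug 10 12:33:50 ftp sshd[27240]: Failed password for exchange from 198.51.100.7 port 40000 ssh2
Aug 10 12:34:01 ftp sshd[27250]: Failed password for invalid user guest from 198.51.100.7 port 40001 ssh2
"""

if __name__ == "__main__":
    denied, counts = hosts_to_deny(SAMPLE_LOG.splitlines())
    print("deny:", denied)
    for host, c in counts.items():
        print(host, c)
```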

psycopg2.OperationalError: FATAL: password authentication failed for user "user1"

I'm getting the following error when trying to connect to a postgres database from a VM:
psycopg2.OperationalError: FATAL: password authentication failed for user "user1"
FATAL: password authentication failed for user "user1"
I've created the user
CREATE USER user1 WITH PASSWORD 'pass1';
and added the following to my pg_hba.conf file
local replication all trust
host replication all 127.0.0.1/32 trust
host replication all ::1/128 trust
host all all 0.0.0.0/0 md5
local all postgres md5
but when using psycopg2.connect() and specifying the dbname, user, password, port and host, I'm still getting the same error.
For reference, when trying to connect to the server using psql on the VM I get the following error:
psql --host=localhost --port=5432 --username=user1 --dbname=postgres
Password for user user1:
psql: FATAL: password authentication failed for user "user1"
FATAL: password authentication failed for user "user1"
Please let me know if more info is needed!
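Added example, not from the question: how PostgreSQL picks the pg_hba.conf line for a connection (top to bottom, first match wins; no match is a rejection before any password is tried), applied to the five lines posted. The connections tried are constructed, and only local and host entries are modeled.

```python
import ipaddress

# Added example, not from the question: first-match evaluation of the posted pg_hba.conf.
# Only "local" and "host" entries are modeled (no hostssl/hostnossl, groups or sameuser).
PG_HBA = """\
local   replication   all                 trust
host    replication   all   127.0.0.1/32  trust
host    replication   all   ::1/128       trust
host    all           all   0.0.0.0/0     md5
local   all           postgres            md5
"""

def parse_hba(text):
    """Return [(type, database, user, address-or-None, method)], comments skipped."""
    rules = []
    for line in text.splitlines():
        f = line.split()
        if not f or f[0].startswith("#"):
            continue
        if f[0] == "local":                 # Unix-socket entries carry no address column
            rules.append((f[0], f[1], f[2], None, f[3]))
        else:                               # host entries carry a CIDR address
            rules.append((f[0], f[1], f[2], f[3], f[4]))
    return rules

def _in_list(field, value):
    return field == "all" or value in field.split(",")

def auth_method(rules, conn_type, database, user, client_ip=None, replication=False):
    """Method of the first matching rule, or None when pg_hba.conf has no entry at all."""
    for rtype, db, usr, addr, method in rules:
        if rtype != conn_type:
            continue
        if db == "replication":             # keyword: replication connections only
            if not replication:
                continue
        elif not _in_list(db, database):
            continue
        if not _in_list(usr, user):
            continue
        if addr is not None:
            net = ipaddress.ip_network(addr, strict=False)
            if ipaddress.ip_address(client_ip) not in net:
                continue                    # an IPv6 client never matches 0.0.0.0/0
        return method
    return None

if __name__ == "__main__":
    rules = parse_hba(PG_HBA)
    for args in (("host", "postgres", "user1", "127.0.0.1"), ("host", "postgres", "user1", "::1"),
                 ("local", "postgres", "user1"), ("local", "postgres", "postgres")):
        print(args, "->", auth_method(rules, *args))
```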

Influxdb not asking for authentication

I have installed InfluxDB on a Linux distro running on a Raspberry Pi...
pi@raspberrypi:~ $ influx -version
InfluxDB shell version: 1.1.1
Then I create a DB, followed by an admin user with
CREATE USER admin WITH PASSWORD 'password' WITH ALL PRIVILEGES
After this I edit the influxdb.conf file located at:
/etc/influxdb/influxdb.conf
As I want InfluxDB to ask for user auth when it is accessed (HTTP, external or internal, and the console? Is that possible for the console?), I browse and look for the [[http]] block in the file. This is what I have:
###
### [http]
###
### Controls how the HTTP endpoints are configured. These are the primary
### mechanism for getting data into and out of InfluxDB.
###
# [http]
# Determines whether HTTP endpoint is enabled.
enabled = true
# The bind address used by the HTTP service.
# bind-address = ":8086"
# Determines whether HTTP authentication is enabled.
auth-enabled = true
# The default realm sent back when issuing a basic auth challenge.
# realm = "InfluxDB"
# Determines whether HTTP request logging is enabled.
# log-enabled = true
# Determines whether detailed write logging is enabled.
# write-tracing = false
# Determines whether the pprof endpoint is enabled. This endpoint is used for
# troubleshooting and monitoring.
pprof-enabled = true
# Determines whether HTTPS is enabled.
https-enabled = false
# The SSL certificate to use when HTTPS is enabled.
https-certificate = "/etc/ssl/influxdb.pem"
# Use a separate private key location.
https-private-key = ""
# The JWT auth shared secret to validate requests using JSON web tokens.
shared-secret = ""
# The default chunk size for result sets that should be chunked.
# max-row-limit = 10000
# The maximum number of HTTP connections that may be open at once. New connections that
# would exceed this limit are dropped. Setting this value to 0 disables the limit.
# max-connection-limit = 0
# Enable http service over unix domain socket
# unix-socket-enabled = false
# The path of the unix domain socket.
# bind-socket = "/var/run/influxdb.sock"
Changing the 1st and 3rd sub-group entries.
Finally I restart the influxdb service with:
sudo service influxdb restart
Problems
1 - Creating a database from another computer on the network (without login tokens) is successful (and it shouldn't be):
http://192.168.7.125:8086/query?q=CREATE DATABASE test
returns:
{
"results": [
{}
]
}
Calling influx on the Raspberry Pi command line does not ask for auth:
pi@raspberrypi:~ $ influx
Visit https://enterprise.influxdata.com to register for updates, InfluxDB server management, and monitoring.
Connected to http://localhost:8086 version 1.1.1
InfluxDB shell version: 1.1.1
>
Does anyone know what I am doing wrong?
EDIT
Furthermore, checking /var/log/syslog I can see that:
1- It is loading the file from the correct directory
[run] 2017/01/17 11:27:36 InfluxDB starting, version 1.1.1, branch master, commit e47cf1f2e83a02443d7115c54f838be8ee959644
Jan 17 11:27:36 raspberrypi influxd[901]: [run] 2017/01/17 11:27:36 Go version go1.7.4, GOMAXPROCS set to 4
Jan 17 11:27:36 raspberrypi influxd[901]: [run] 2017/01/17 11:27:36 Using configuration at: /etc/influxdb/influxdb.conf
Jan 17 11:27:36 raspberrypi influxd[901]: [store] 2017/01/17 11:27:36 Using data dir: /var/lib/influxdb/data
2- It fails in starting with authentication (auth is deactivated)
Jan 17 11:27:37 raspberrypi influxd[901]: [httpd] 2017/01/17 11:27:37 Starting HTTP service
Jan 17 11:27:37 raspberrypi influxd[901]: [httpd] 2017/01/17 11:27:37 Authentication enabled: false
Jan 17 11:27:37 raspberrypi influxd[901]: [httpd] 2017/01/17 11:27:37 Listening on HTTP: [::]:8086
The culprit is in the [http] block here:
###
### [http]
###
### Controls how the HTTP endpoints are configured. These are the primary
### mechanism for getting data into and out of InfluxDB.
###
[http]
# Determines whether HTTP endpoint is enabled.
enabled = true
# The bind address used by the HTTP service.
# bind-address = ":8086"
# Determines whether HTTP authentication is enabled.
auth-enabled = true
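Added example, not from the question: a small reader for the influxdb.conf subset used above (tables, comments, bool/int/string values) that reports which table a key actually lands in when the [http] header line is still commented out. The two snippets are constructed; [coordinator] stands in for whatever table precedes [http] in the real file.

```python
import re

# Added example, not from the question: minimal TOML-subset reader for influxdb.conf that
# shows where "auth-enabled = true" ends up when "[http]" is still a comment.
TABLE = re.compile(r"^\[([\w.-]+)\]$")
KEYVAL = re.compile(r"^([\w-]+)\s*=\s*(.+)$")

def value_of(text):
    if text in ("true", "false"):
        return text == "true"
    if len(text) >= 2 and text[0] == text[-1] == '"':
        return text[1:-1]
    return int(text) if text.lstrip("-").isdigit() else text

def parse_conf(text):
    """Return {table: {key: value}}; keys seen before any [table] go under ''."""
    tables, current = {"": {}}, ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # "# [http]" is just a comment, not a header
        if not line:
            continue
        if m := TABLE.match(line):
            current = m.group(1)
            tables.setdefault(current, {})
        elif m := KEYVAL.match(line):
            tables[current][m.group(1)] = value_of(m.group(2).strip())
    return tables

def tables_holding(tables, key):
    """Every table in which `key` was set; a key in the wrong table is silently ignored."""
    return [name for name, kv in tables.items() if key in kv]

def http_auth_enabled(tables):
    """What the httpd service reads: auth-enabled only counts inside [http]."""
    return bool(tables.get("http", {}).get("auth-enabled", False))

BROKEN = """
[coordinator]
  write-timeout = "10s"

###
### [http]
###
# [http]
  enabled = true
  auth-enabled = true
  pprof-enabled = true
"""
FIXED = BROKEN.replace("\n# [http]", "\n[http]")

if __name__ == "__main__":
    for name, text in (("broken", BROKEN), ("fixed", FIXED)):
        t = parse_conf(text)
        print(name, "auth-enabled lives in", tables_holding(t, "auth-enabled"),
              "-> Authentication enabled:", http_auth_enabled(t))
```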

Bro 2.4.1 generating E-mail notice for SSH Bruteforce Attack

I'm having trouble generating an email notice when someone is trying to do an SSH bruteforce attack on my server with Bro (v2.4.1). I have a Bro script like this which redefines the max login attempts to 5 per 24 hours:
@load protocols/ssh/detect-bruteforcing
redef SSH::password_guesses_limit=5;
redef SSH::guessing_timeout=1440 mins;
hook Notice::policy(n: Notice::Info)
{
if ( n$note == SSH::Password_Guessing && /192\.168\.178\.16/ in n$sub )
add n$actions[Notice::ACTION_EMAIL];
}
where 192.168.178.16 is the local ip of my server and I've made sure the script gets loaded by including it in $PREFIX/site/local.bro. The output of broctl scripts shows that the script is loaded just fine on startup. However, I never receive any email notice of ssh bruteforcing attacks.
Connection summaries, dropped packets and invalid ssl certificate notices are emailed just fine, so it's not an email configuration issue. When I check the ssh log output like so:
sudo cat /opt/bro/logs/current/ssh.log | bro-cut -d ts uid id.orig_h id.orig_p id.resp_h id.resp_p version auth_success direction client server cipher_alg
The 6 failed login attempts (that I generated for testing this) are logged just fine in /opt/bro/logs/current/ssh.log:
2016-11-11T14:45:08+0100 CRoENl2L4n5RIkMd0l 84.241.*.* 43415 192.168.178.16 22 2 - INBOUND SSH-2.0-JuiceSSH SSH-2.0-OpenSSH_6.7p1 Raspbian-5+deb8u3 aes128-ctr
2016-11-11T14:45:13+0100 CMflWI2ESA7KVZ3Cmk 84.241.*.* 43416 192.168.178.16 22 2 - INBOUND SSH-2.0-JuiceSSH SSH-2.0-OpenSSH_6.7p1 Raspbian-5+deb8u3 aes128-ctr
2016-11-11T14:45:17+0100 CZuyQO2NxvmpsmsWwg 84.241.*.* 43417 192.168.178.16 22 2 - INBOUND SSH-2.0-JuiceSSH SSH-2.0-OpenSSH_6.7p1 Raspbian-5+deb8u3 aes128-ctr
2016-11-11T14:45:20+0100 CC86Fi3IGZIFCoot2l 84.241.*.* 43418 192.168.178.16 22 2 - INBOUND SSH-2.0-JuiceSSH SSH-2.0-OpenSSH_6.7p1 Raspbian-5+deb8u3 aes128-ctr
2016-11-11T14:45:25+0100 CHqcJ93qRhONQC1bm4 84.241.*.* 43419 192.168.178.16 22 2 - INBOUND SSH-2.0-JuiceSSH SSH-2.0-OpenSSH_6.7p1 Raspbian-5+deb8u3 aes128-ctr
2016-11-11T14:45:28+0100 CdV0xh1rI4heYaFDH2 84.241.*.* 43420 192.168.178.16 22 2 - INBOUND SSH-2.0-JuiceSSH SSH-2.0-OpenSSH_6.7p1 Raspbian-5+deb8u3 aes128-ctr
However, I never get any email notice of this happening. The only reason I can think of is that I have password login over SSH disabled, so maybe the login attempts without a private key are not firing the ssh_failed_login events in Bro? The auth_success column in the above table shows a "-" for the failed login attempts whereas a successful login shows a "T", so maybe that should be an "F" in order for the event to fire?
Any help or suggestions is greatly appreciated!
Due to SSH being encrypted, we've had to resort to heuristics for detection of successful and unsuccessful authentications. Those heuristics have improved through time but are still far from perfect. If the "auth_success" column is unset like it is in the examples you provided, it means that Bro was unable to make the guess whether the login was successful or not.
The reason that the bruteforce detection script isn't working is because it's never detecting an unsuccessful login. Your suspicion at the end of your question is correct.

Linux authentication to AD causing lockout on single failure [closed]

I am trying to set up a Linux box (specifically CentOS 6) to authenticate users via our Windows AD. The authentication works fine. The problem: our password lockout policy is 3 strikes and you're locked. If a user logging into the Linux host enters their password wrong just once, their account gets locked.
Here is my /etc/pam.d/system-auth file:
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_krb5.so use_first_pass
auth sufficient pam_winbind.so use_first_pass
auth required pam_deny.so
account required pam_access.so
account required pam_unix.so broken_shadow
account [default=ignore success=1] pam_succeed_if.so uid < 16777216 quiet
# only allow login if user is in group serveradmins
account [default=bad success=ignore] pam_succeed_if.so user ingroup serveradmins quiet
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_krb5.so
account [default=bad success=ok user_unknown=ignore] pam_winbind.so
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3 type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password sufficient pam_krb5.so use_authtok
password sufficient pam_winbind.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session optional pam_oddjob_mkhomedir.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_krb5.so
Here are the log entries captured in /var/log/secure when a user tried to log in and gave the wrong password on the first try. For the sake of brevity, I've stripped off the datetime and hostname from the start of the log entries:
sshd[1589]: Connection from 22.33.44.55 port 49532
sshd[1589]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=host0001.foo.bar user=gumby
sshd[1589]: pam_krb5[1589]: authentication fails for 'gumby' (gumby@FOO.BAR): Authentication failure (Preauthentication failed)
sshd[1589]: pam_winbind(sshd:auth): getting password (0x00000010)
sshd[1589]: pam_winbind(sshd:auth): pam_get_item returned a password
sshd[1589]: pam_winbind(sshd:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_AUTH_ERR (7), NTSTATUS: NT_STATUS_WRONG_PASSWORD, Error message was: Wrong Password
sshd[1589]: pam_winbind(sshd:auth): user 'gumby' denied access (incorrect password or invalid membership)
sshd[1589]: pam_krb5[1589]: authentication fails for 'gumby' (gumby@FOO.BAR): Authentication failure (Preauthentication failed)
sshd[1589]: pam_winbind(sshd:auth): getting password (0x00000010)
sshd[1589]: pam_winbind(sshd:auth): pam_get_item returned a password
sshd[1589]: pam_winbind(sshd:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_AUTH_ERR (7), NTSTATUS: NT_STATUS_WRONG_PASSWORD, Error message was: Wrong Password
sshd[1589]: pam_winbind(sshd:auth): user 'gumby' denied access (incorrect password or invalid membership)
sshd[1589]: Failed password for gumby from 22.33.44.55 port 49532 ssh2
sshd[1589]: pam_krb5[1589]: authentication fails for 'gumby' (gumby@FOO.BAR): User not known to the underlying authentication module (Clients credentials have been revoked)
sshd[1589]: pam_winbind(sshd:auth): getting password (0x00000010)
sshd[1589]: pam_winbind(sshd:auth): pam_get_item returned a password
sshd[1589]: pam_winbind(sshd:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_MAXTRIES (11), NTSTATUS: NT_STATUS_ACCOUNT_LOCKED_OUT, Error message was: Account locked out
sshd[1589]: pam_winbind(sshd:auth): internal module error (retval = PAM_MAXTRIES(11), user = 'gumby')
sshd[1589]: pam_krb5[1589]: authentication fails for 'gumby' (gumby@FOO.BAR): User not known to the underlying authentication module (Clients credentials have been revoked)
sshd[1589]: pam_winbind(sshd:auth): getting password (0x00000010)
sshd[1589]: pam_winbind(sshd:auth): pam_get_item returned a password
sshd[1589]: pam_winbind(sshd:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_MAXTRIES (11), NTSTATUS: NT_STATUS_ACCOUNT_LOCKED_OUT, Error message was: Account locked out
sshd[1589]: pam_winbind(sshd:auth): internal module error (retval = PAM_MAXTRIES(11), user = 'gumby')
sshd[1589]: Failed password for gumby from 22.33.44.55 port 49532 ssh2
What in this configuration is causing the authentication module to try multiple times and how might we change it to make it not do that?
Thanks.
So this is an old post but might save a few people several days of troubleshooting.
Although the simplest answers are usually the right ones, in the case of migrations you should always check that routes, firewall and DNS entries are the same and that NTP is synchronized.
Short background:
Problems started when it was decided to migrate the old DC to new versions (Windows Server 2008 -> Windows Server 2016).
Our Linux environment consisted of RHEL 5, 6 and 7 systems joined to AD through Samba/Winbind.
By default, Windows Server 2016 has SMBv1 disabled; this means that all RHEL 5 and 6 systems were failing to communicate with the new DCs. For reference: https://access.redhat.com/articles/3164551
This can be resolved by enabling this role on the DC (and you understand the consequences of enabling a 30 year old protocol):
SMBv1
In case the pic is no longer available (action on DC): Add roles and features -> Features -> SMB 1.0/CIFS File Sharing Support -> check.
Note: you need to reboot after enabling this.
Everything was running smoothly after that change, or so it seemed.
I also stumbled upon this particular error in the logs of the servers (RHEL 5):
Oct 27 09:06:58 dummy sshd[22520]: Failed password for some_user from x.x.x.x port 53207 ssh2
Oct 27 09:07:07 dummy sshd[22520]: pam_winbind(sshd:auth): getting password (0x00000050)
Oct 27 09:07:07 dummy sshd[22520]: pam_winbind(sshd:auth): pam_get_item returned a password
Oct 27 09:07:07 dummy sshd[22520]: pam_winbind(sshd:auth): request failed: Wrong Password, PAM error was Authentication failure (7), NT error was NT_STATUS_WRONG_PASSWORD
Oct 27 09:07:07 dummy sshd[22520]: pam_winbind(sshd:auth): user 'some_user' denied access (incorrect password or invalid membership)
Oct 27 09:07:09 dummy sshd[22520]: Failed password for some_user from x.x.x.x port 53207 ssh2
And I also could not authenticate with my own account, so I migrated to samba3x. Reference (I did not do all the steps): https://access.redhat.com/solutions/42635
For those who might not have an account, these are the steps I took:
Backup original config files (you will need your smb.conf):
tar cf /root/backup_samba_migration.tar /etc/samba /var/cache/samba /var/lib/samba
Stop services:
service smb stop; service winbind stop
Remove samba and install samba3x:
yum remove samba samba-common -y
yum install samba3x* -y
This is where you put your old smb.conf:
vim /etc/samba/smb.conf
You should also copy pam_winbind.conf (we used required_membership parameter for example):
\cp /etc/security/pam_winbind.conf.rpmsave /etc/security/pam_winbind.conf
In my case I needed to rejoin the domain (you might not need to use createcomputer):
net ads join -U youradminaccount createcomputer="Linux system"
Restart services:
service smb restart; service winbind restart
Test (before this authentication would give direct failed password):
wbinfo -t
wbinfo -a youradminaccount
Hope it helps, have a good one!
To determine exactly what is going on, you should put the 'debug' flag on there.
It is also not helpful to remove timestamps from the log to understand a performance problem.
I think you do pam_krb5 auth first, then pam_winbind auth, then pam_krb5 account and then you are locked out.
Try to only use krb5 OR winbind for the tasks. Not both.
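Added example, not from the question or either answer: Linux-PAM's control-flag rules applied to the auth section posted in the question, counting how often a single wrong password reaches an AD-backed module, and the same count with only one of pam_krb5/pam_winbind as the last answer suggests. Module outcomes are simulated by outcome_for(); nothing contacts a KDC or domain controller.

```python
# Added example, not from the question or answers: walk the posted system-auth "auth"
# stack with Linux-PAM's required/requisite/sufficient/optional rules. Module results
# are simulated; the AD-backed modules are only counted, never called.
STACK = [  # (control, module) from the question's /etc/pam.d/system-auth auth lines
    ("required", "pam_env.so"),
    ("sufficient", "pam_unix.so"),
    ("requisite", "pam_succeed_if.so"),   # uid >= 500
    ("sufficient", "pam_krb5.so"),
    ("sufficient", "pam_winbind.so"),
    ("required", "pam_deny.so"),
]
AD_BACKED = {"pam_krb5.so", "pam_winbind.so"}

def walk(stack, outcome):
    """Evaluate an auth stack; returns (success, modules that actually ran)."""
    required_failed, ran = False, []
    for control, module in stack:
        ok = outcome(module)
        ran.append(module)
        if control == "requisite" and not ok:
            return False, ran                     # stop immediately
        if control == "required" and not ok:
            required_failed = True                # remember the failure, keep going
        if control == "sufficient" and ok and not required_failed:
            return True, ran                      # short-circuit success
        # "optional" never decides the result on its own
    return not required_failed, ran

def outcome_for(user, password_ok, uid=1000, local_users=("root",)):
    """Simulated module results for one attempt; use_first_pass reuses the same password."""
    def outcome(module):
        if module == "pam_env.so":
            return True
        if module == "pam_unix.so":
            return user in local_users and password_ok   # unknown locally for AD users
        if module == "pam_succeed_if.so":
            return uid >= 500
        if module in AD_BACKED:
            return user not in local_users and password_ok   # each one asks AD again
        return False                                          # pam_deny.so
    return outcome

def ad_attempts(ran):
    """How many AD-backed modules saw the password during this attempt."""
    return sum(1 for m in ran if m in AD_BACKED)

if __name__ == "__main__":
    for pw_ok in (False, True):
        ok, ran = walk(STACK, outcome_for("gumby", pw_ok))
        print(f"password_ok={pw_ok}: result={ok}, AD attempts={ad_attempts(ran)}, ran={ran}")
    single = [m for m in STACK if m[1] != "pam_winbind.so"]   # the last answer's suggestion
    print("krb5 only, wrong password:", ad_attempts(walk(single, outcome_for("gumby", False))[1]))
```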
