Linux authentication to AD causing lockout on single failure [closed] - linux

I am trying to set up a Linux box (specifically CentOS 6) to authenticate users via our Windows AD. The authentication works fine. The problem: our password lockout policy is 3 strikes and you're locked. If a user logging into the Linux host enters their password wrong just once, their account gets locked.
Here is my /etc/pam.d/system-auth file:
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_krb5.so use_first_pass
auth sufficient pam_winbind.so use_first_pass
auth required pam_deny.so
account required pam_access.so
account required pam_unix.so broken_shadow
account [default=ignore success=1] pam_succeed_if.so uid < 16777216 quiet
# only allow login if user is in group serveradmins
account [default=bad success=ignore] pam_succeed_if.so user ingroup serveradmins quiet
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_krb5.so
account [default=bad success=ok user_unknown=ignore] pam_winbind.so
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3 type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password sufficient pam_krb5.so use_authtok
password sufficient pam_winbind.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session optional pam_oddjob_mkhomedir.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_krb5.so
Here are the log entries captured in /var/log/secure when a user tried to log in and gave the wrong password on the first try. For the sake of brevity, I've stripped off the datetime and hostname from the start of the log entries:
sshd[1589]: Connection from 22.33.44.55 port 49532
sshd[1589]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=host0001.foo.bar user=gumby
sshd[1589]: pam_krb5[1589]: authentication fails for 'gumby' (gumby@FOO.BAR): Authentication failure (Preauthentication failed)
sshd[1589]: pam_winbind(sshd:auth): getting password (0x00000010)
sshd[1589]: pam_winbind(sshd:auth): pam_get_item returned a password
sshd[1589]: pam_winbind(sshd:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_AUTH_ERR (7), NTSTATUS: NT_STATUS_WRONG_PASSWORD, Error message was: Wrong Password
sshd[1589]: pam_winbind(sshd:auth): user 'gumby' denied access (incorrect password or invalid membership)
sshd[1589]: pam_krb5[1589]: authentication fails for 'gumby' (gumby@FOO.BAR): Authentication failure (Preauthentication failed)
sshd[1589]: pam_winbind(sshd:auth): getting password (0x00000010)
sshd[1589]: pam_winbind(sshd:auth): pam_get_item returned a password
sshd[1589]: pam_winbind(sshd:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_AUTH_ERR (7), NTSTATUS: NT_STATUS_WRONG_PASSWORD, Error message was: Wrong Password
sshd[1589]: pam_winbind(sshd:auth): user 'gumby' denied access (incorrect password or invalid membership)
sshd[1589]: Failed password for gumby from 22.33.44.55 port 49532 ssh2
sshd[1589]: pam_krb5[1589]: authentication fails for 'gumby' (gumby@FOO.BAR): User not known to the underlying authentication module (Clients credentials have been revoked)
sshd[1589]: pam_winbind(sshd:auth): getting password (0x00000010)
sshd[1589]: pam_winbind(sshd:auth): pam_get_item returned a password
sshd[1589]: pam_winbind(sshd:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_MAXTRIES (11), NTSTATUS: NT_STATUS_ACCOUNT_LOCKED_OUT, Error message was: Account locked out
sshd[1589]: pam_winbind(sshd:auth): internal module error (retval = PAM_MAXTRIES(11), user = 'gumby')
sshd[1589]: pam_krb5[1589]: authentication fails for 'gumby' (gumby@FOO.BAR): User not known to the underlying authentication module (Clients credentials have been revoked)
sshd[1589]: pam_winbind(sshd:auth): getting password (0x00000010)
sshd[1589]: pam_winbind(sshd:auth): pam_get_item returned a password
sshd[1589]: pam_winbind(sshd:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_MAXTRIES (11), NTSTATUS: NT_STATUS_ACCOUNT_LOCKED_OUT, Error message was: Account locked out
sshd[1589]: pam_winbind(sshd:auth): internal module error (retval = PAM_MAXTRIES(11), user = 'gumby')
sshd[1589]: Failed password for gumby from 22.33.44.55 port 49532 ssh2
What in this configuration is causing the authentication module to try multiple times and how might we change it to make it not do that?
Thanks.

So this is an old post but might save a few people several days of troubleshooting.
Although the simplest answers are usually the right ones, in the case of migrations you should always check that routes, firewall and DNS entries are the same and that NTP is synchronized.
Short background:
Problems started when it was decided to migrate the old DC to new versions (Windows Server 2008 -> Windows Server 2016).
Our Linux environment consisted of RHEL 5, 6 and 7 systems joined to AD through Samba/Winbind.
By default, Windows Server 2016 has SMBv1 disabled; this means that all RHEL 5 and 6 systems were failing to communicate with the new DCs. For reference: https://access.redhat.com/articles/3164551
This can be resolved by enabling this role on the DC (provided you understand the consequences of enabling a 30-year-old protocol):
SMBv1
In case the pic is no longer available (action on DC): Add roles and features -> Features -> SMB 1.0/CIFS File Sharing Support -> check.
Note: you need to reboot after enabling this.
Everything was running smoothly after that change, or so it seemed.
I also stumbled upon this particular error in the server's (RHEL 5) logs:
Oct 27 09:06:58 dummy sshd[22520]: Failed password for some_user from x.x.x.x port 53207 ssh2
Oct 27 09:07:07 dummy sshd[22520]: pam_winbind(sshd:auth): getting password (0x00000050)
Oct 27 09:07:07 dummy sshd[22520]: pam_winbind(sshd:auth): pam_get_item returned a password
Oct 27 09:07:07 dummy sshd[22520]: pam_winbind(sshd:auth): request failed: Wrong Password, PAM error was Authentication failure (7), NT error was NT_STATUS_WRONG_PASSWORD
Oct 27 09:07:07 dummy sshd[22520]: pam_winbind(sshd:auth): user 'some_user' denied access (incorrect password or invalid membership)
Oct 27 09:07:09 dummy sshd[22520]: Failed password for some_user from x.x.x.x port 53207 ssh2
And I also could not authenticate with my own account, so I migrated to samba3x. Reference (I did not do all the steps): https://access.redhat.com/solutions/42635
For those who might not have an account, these are the steps I took:
Backup original config files (you will need your smb.conf):
tar cf /root/backup_samba_migration.tar /etc/samba /var/cache/samba /var/lib/samba
Stop services:
service smb stop; service winbind stop
Remove samba and install samba3x:
yum remove samba samba-common -y
yum install samba3x* -y
This is where you put your old smb.conf:
vim /etc/samba/smb.conf
You should also copy pam_winbind.conf (we used required_membership parameter for example):
\cp /etc/security/pam_winbind.conf.rpmsave /etc/security/pam_winbind.conf
In my case I needed to rejoin the domain (you might not need to use createcomputer):
net ads join -U youradminaccount createcomputer="Linux system"
Restart services:
service smb restart; service winbind restart
Test (before this, authentication would give a direct failed password):
wbinfo -t
wbinfo -a youradminaccount
Hope it helps, have a good one!

To determine exactly what is going on, you should put the 'debug' flag on there.
It is also not helpful to remove timestamps from the log to understand a performance problem.
I think you do pam_krb5 auth first, then pam_winbind auth, then pam_krb5 account and then you are locked out.
Try to only use krb5 OR winbind for the tasks. Not both.

Related

Denyhosts on Centos7 option DENY_THRESHOLD_INVALID does not work

Using CentOS 7 and denyhosts 2.9 I noticed some strange behavior.
My config is set to:
DENY_THRESHOLD_INVALID = 3
DENY_THRESHOLD_VALID = 10
Which, in my understanding, means: after 3 failed login attempts for NON-EXISTING users from host X, deny that host.
After 10 failed login attempts for EXISTING users from host X, deny that host.
While the latter works just fine, the DENY_THRESHOLD_INVALID = 3 setting does not work.
What I noticed is that in /var/log/secure, which denyhosts parses, logins from non-existing accounts and logins from accounts that exist but use the wrong password are handled differently.
Aug 10 12:32:42 ftp sshd[27176]: Invalid user adminx from xxx.128.30.135 port 42800
Aug 10 12:32:42 ftp sshd[27176]: input_userauth_request: invalid user adminx [preauth]
Aug 10 12:32:42 ftp sshd[27176]: Connection closed by xxx.128.30.135 port 42800 [preauth]
vs.
Aug 10 12:33:46 ftp sshd[27238]: Failed password for exchange from xxx.128.30.135 port 42802 ssh2
Does anyone know if denyhosts has problems parsing the /var/log/secure file on CentOS with non-existing accounts vs. existing accounts that use wrong passwords?
The denyhosts debug log also does not say anything. It seems to ignore the login attempts from non-existent users.
Any help would be appreciated. Thanks.
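An added example (not from the question) of the detection logic the two log shapes above require: failures for accounts that do not exist are logged as "Invalid user ..." (here with no "Failed password" line at all, because the client disconnected at preauth), while wrong passwords for existing accounts are logged as "Failed password for ...", so each needs its own pattern before the poster's two thresholds can be applied per source host. The thresholds are the poster's; the log lines and IP addresses are constructed.

```python
# Added example, not denyhosts code: per-host tally of sshd failures split into
# non-existent-account and wrong-password categories, with the poster's
# thresholds.  SAMPLE_LOG is constructed from the shapes in the question.
import re
from collections import defaultdict

DENY_THRESHOLD_INVALID = 3     # attempts against non-existent accounts
DENY_THRESHOLD_VALID = 10      # wrong passwords for existing accounts

INVALID_RE = re.compile(r"sshd\[\d+\]: Invalid user (\S+) from (\S+)")
# The negative lookahead keeps "Failed password for invalid user X ..." (which
# sshd logs when a password is actually sent for an unknown user) out of the
# valid-account count; that attempt is already counted via INVALID_RE.
FAILED_RE = re.compile(r"sshd\[\d+\]: Failed password for (?!invalid user )(\S+) from (\S+)")

SAMPLE_LOG = """\
Aug 10 12:32:42 ftp sshd[27176]: Invalid user adminx from 203.0.113.5 port 42800
Aug 10 12:32:42 ftp sshd[27176]: input_userauth_request: invalid user adminx [preauth]
Aug 10 12:32:42 ftp sshd[27176]: Connection closed by 203.0.113.5 port 42800 [preauth]
Aug 10 12:33:46 ftp sshd[27238]: Failed password for exchange from 203.0.113.5 port 42802 ssh2
Aug 10 12:34:01 ftp sshd[27250]: Invalid user oracle from 203.0.113.5 port 42810
Aug 10 12:34:02 ftp sshd[27250]: Failed password for invalid user oracle from 203.0.113.5 port 42810 ssh2
Aug 10 12:35:10 ftp sshd[27261]: Invalid user test from 203.0.113.5 port 42815
Aug 10 12:36:00 ftp sshd[27270]: Invalid user guest from 198.51.100.7 port 51000
"""

def tally(lines):
    """Per source host: {"invalid": n, "valid": n} from /var/log/secure lines."""
    counts = defaultdict(lambda: {"invalid": 0, "valid": 0})
    for line in lines:
        m = INVALID_RE.search(line)
        if m:
            counts[m.group(2)]["invalid"] += 1
            continue
        m = FAILED_RE.search(line)
        if m:
            counts[m.group(2)]["valid"] += 1
    return dict(counts)

def hosts_to_deny(lines):
    """Hosts over either threshold, i.e. what the two DENY_THRESHOLD_* settings
    should produce when both log shapes are parsed."""
    return sorted(h for h, c in tally(lines).items()
                  if c["invalid"] >= DENY_THRESHOLD_INVALID
                  or c["valid"] >= DENY_THRESHOLD_VALID)

if __name__ == "__main__":
    print(tally(SAMPLE_LOG.splitlines()), hosts_to_deny(SAMPLE_LOG.splitlines()))
```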

Linux shell command : su authentication failed [closed]

I upgraded the current OS to the latest version. I am unable to su from admin to the root user.
I checked /etc/passwd, /etc/shadow, unix_chkpwd and the su permissions; everything looks OK.
I dug into the /etc/pam.d/ configuration and made some changes to see if I'd have any luck, but none of them worked.
Below is the error log I can see in the system logs; it would be great if anyone could help with this issue.
Note: I am able to telnet to root.
unix_chkpwd[7868]:, check pass; user unknown
unix_chkpwd[7868]:, password check failed for user (root)
su[7279]:, pam_unix(su:auth): authentication failure; logname= uid=2000 euid=2000 tty=/dev/pts/3 ruser=admin rhost= user=root
unix_chkpwd[7874]:, check pass; user unknown
unix_chkpwd[7876]:, check pass; user unknown
unix_chkpwd[7876]:, password check failed for user (root)
su[7279]:, pam_authenticate: Authentication failure
su[7279]:, PAM 1 more authentication failure; logname= uid=2000 euid=2000 tty=/dev/pts/3 ruser=admin rhost= user=root
su[7279]:, FAILED su for root by admin
su[7279]:, su session not logged to /var/log/sulog
su[7279]:, - /dev/pts/3 admin:root
On a new machine root might not have a password.
Try sudo su
or sudo passwd root
For more info you can see this page:
https://askubuntu.com/questions/347818/what-is-the-default-root-password-when-was-never-set-at-installation-time

psycopg2.OperationalError: FATAL: password authentication failed for user "user1"

I'm getting the following error when trying to connect to a postgres database from a VM:
psycopg2.OperationalError: FATAL: password authentication failed for user "user1"
FATAL: password authentication failed for user "user1"
I've created the user
CREATE USER user1 WITH PASSWORD 'pass1';
and added the following to my pg_hba.conf file
local replication all trust
host replication all 127.0.0.1/32 trust
host replication all ::1/128 trust
host all all 0.0.0.0/0 md5
local all postgres md5
but when using psycopg2.connect() and specifying the dbname, user, password, port and host, I'm still getting the same error.
For reference, when trying to connect to the server using psql on the VM I get the following error:
psql --host=localhost --port=5432 --username=user1 --dbname=postgres
Password for user user1:
psql: FATAL: password authentication failed for user "user1"
FATAL: password authentication failed for user "user1"
Please let me know if more info is needed!

CentOS 7 SSH and 2FA (ESET Secure Authentication)

I am stuck getting two-factor authentication in CentOS 7 to work; specifically, authentication via SSH and OTP.
I would very much appreciate it if someone could assist me with this. :)
Here is a log of an attempt to log in via SSH with the account "ws-admin@test.local":
sshd[3652]: pam_radius_auth: Got user name ws-admin#test.local
sshd[3652]: pam_radius_auth: ignore last_pass, force_prompt set
sshd[3652]: pam_radius_auth: Sending RADIUS request code 1
sshd[3652]: pam_radius_auth: DEBUG: getservbyname(radius, udp) returned 0x7fa56490e1c0.
sshd[3652]: pam_radius_auth: Got RADIUS response code 11
sshd[3652]: pam_radius_auth: authentication failed
sshd[3652]: pam_sepermit(sshd:auth): Parsing config file: /etc/security/sepermit.conf
sshd[3652]: pam_sepermit(sshd:auth): Enforcing mode, access will be allowed on match
sshd[3652]: pam_sepermit(sshd:auth): sepermit_match returned: -1
sshd[3652]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.31 user=ws-admin@test.local
sshd[3652]: Failed password for ws-admin@test.local from 10.0.0.31 port 57962 ssh2
sshd[3652]: Connection closed by 10.0.0.31 [preauth]
Below follow the configuration and setup infos.
The test environment is given by my company's infrastructure; we use mainly Windows clients and about an equal share of Windows and Linux servers.
Win-Server: Windows Server 2016 x64
Active Directory: Test.local
ESET Secure Authentication (RADIUS Server)
Shared Secret with Client: test345
Option "Use Access-Challenge feature of RADIUS" is enabled
Linux-Client/Server: CentOS 7 x64
joined Domain Test.local via realm
Local Login with AD-Accounts and OTP-2FA at all times possible
SSH Login with any Account only possible if pam_radius_auth.so not set to required in /etc/pam.d/sshd (which means no 2FA)
Configuration of the Linux-Client/Server:
RADIUS-Server and Shared-Secret are added in /etc/raddb/server
pam_radius_auth.so is in /usr/lib64/security/
auth required pam_radius_auth.so added to /etc/pam.d/sshd and /etc/pam.d/login
/etc/pam.d/login
#%PAM-1.0
auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
auth substack system-auth
auth include postlogin
auth sufficient pam_radius_auth.so
account required pam_nologin.so
account include system-auth
password include system-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so
session optional pam_console.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open
session required pam_namespace.so
session optional pam_keyinit.so force revoke
session include system-auth
session include postlogin
-session optional pam_ck_connector.so
/etc/pam.d/sshd
#%PAM-1.0
auth required pam_radius_auth.so debug
auth required pam_sepermit.so debug
auth substack password-auth debug
auth include postlogin debug
# Used with polkit to reauthorize users in remote sessions
-auth optional pam_reauthorize.so prepare
account required pam_nologin.so
account include password-auth
password include password-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open env_params
session required pam_namespace.so
session optional pam_keyinit.so force revoke
session include password-auth
session include postlogin
# Used with polkit to reauthorize users in remote sessions
-session optional pam_reauthorize.so prepare
/etc/raddb/server
# server[:port] shared_secret timeout (s)
10.0.0.1 test345 5
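An added example (not from the question and not ESET or pam_radius_auth code) that decodes a RADIUS reply the way a PAM client has to before calling the login a failure. The packet is constructed here as an Access-Challenge, code 11 as in the "Got RADIUS response code 11" log line, carrying a Reply-Message and a State attribute; per RFC 2865 a client that wants to continue must prompt the user and send a new Access-Request that echoes the State value unchanged, while a client that accepts only Access-Accept (code 2) reports a failure, which is the outcome the log shows. The identifier, authenticator and attribute values are made-up sample data.

```python
# Added example, not pam_radius_auth code: build and decode a RADIUS reply
# (RFC 2865 layout) and decide what a PAM client should do with it.  The
# packet below is constructed; the authenticator is zeroed for the sample.
import struct

CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject",
         11: "Access-Challenge"}
REPLY_MESSAGE, STATE = 18, 24            # RFC 2865 attribute types

def build_radius(code, ident, authenticator, attrs):
    """Serialise a RADIUS packet; attrs is a list of (type, bytes)."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def parse_radius(packet):
    """Return (code_name, identifier, {attr_type: [bytes, ...]})."""
    if len(packet) < 20:
        raise ValueError("short packet")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length > 4096:
        raise ValueError("length field does not match packet")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs.setdefault(atype, []).append(packet[pos + 2:pos + alen])
        pos += alen
    return CODES.get(code, "code-%d" % code), ident, attrs

def next_step(packet):
    """What a PAM client should do with a reply: accept, reject, or prompt
    the user again and echo the State attribute in the next request."""
    name, _, attrs = parse_radius(packet)
    if name == "Access-Accept":
        return "accept", None
    if name == "Access-Challenge" and STATE in attrs:
        return "challenge", attrs[STATE][0]
    return "reject", None                 # Access-Reject or malformed challenge

# Constructed challenge: what the log's "response code 11" looks like on the wire.
CHALLENGE = build_radius(11, 7, bytes(16), [(REPLY_MESSAGE, b"Enter OTP:"),
                                           (STATE, b"sess-42")])
```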

Gitlab 6.9.2 access denied for deploy key

I am trying to clone a repository via SSH. The public key for my user is set as a deploy key in a project.
I get this error message:
Access denied.
fatal: The remote end hung up unexpectedly
Here is my /var/log/secure for this attempt
Jul 16 11:09:54 gitlab sshd[32217]: Accepted publickey for git from <IP> port 55499 ssh2
Jul 16 11:09:54 gitlab sshd[32217]: pam_unix(sshd:session): session opened for user git by (uid=0)
Jul 16 11:09:54 gitlab sshd[32219]: Received disconnect from <IP>: 11: disconnected by user
Jul 16 11:09:54 gitlab sshd[32217]: pam_unix(sshd:session): session closed for user git
And here is /var/log/gitlab/gitlab-shell/gitlab-shell.log
[2014-07-16T11:09:54.407037 #32220] ERROR -- : API call <GET https://gitlab//api/v3/internal/allowed?action=git-upload-pack&ref=_any&project=group%2Fproject&forced_push=false&key_id=5> failed: 404 => <{"message":"404 Not found"}>.W,
[2014-07-16T11:09:54.407161 #32220] WARN -- : gitlab-shell: Access denied for git command <git-upload-pack 'group/project.git'> by user with key key-5.
Can you please help me figure out what's wrong?
For many other deploy keys everything works just fine.
Today I ran into the same behavior as you describe. I found an open issue in gitlabhq (https://github.com/gitlabhq/gitlabhq/issues/6908).
The problem is that the same public key can be listed twice in /home/git/.ssh/authorized_keys. In my case I deleted the deploy key and recreated it to have a better name. In this case the key was not removed from the authorized_keys file.
After I deleted the deploy key and the corresponding lines in the authorized_keys file and recreated the deploy key in my project, access was working.
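An added example (not from the answer and not gitlab-shell code) that checks for the condition the answer describes: one public key present twice in /home/git/.ssh/authorized_keys under different key ids. sshd uses the first matching line, so the stale id is the one gitlab-shell passes to the internal API, and an id that no longer exists in the database is consistent with the 404 in the log above. The line layout (a `command="... key-N"` option followed by the key) is assumed from gitlab-shell's convention; the sample file, key blobs and the set of live ids are constructed.

```python
# Added example, not gitlab-shell code: find public keys registered under more
# than one key id in an authorized_keys file.  Line layout is assumed from the
# gitlab-shell convention; the sample file and key blobs are constructed.
import re
from collections import defaultdict

KEY_LINE = re.compile(
    r'command="[^"]*\bkey-(\d+)"\S* (ssh-[a-z0-9-]+|ecdsa-\S+) (\S+)')

SAMPLE_AUTHORIZED_KEYS = """\
command="/home/git/gitlab-shell/bin/gitlab-shell key-5",no-port-forwarding,no-pty ssh-rsa AAAAB3Nza_CONSTRUCTED_KEY_A deploy@ci
command="/home/git/gitlab-shell/bin/gitlab-shell key-7",no-port-forwarding,no-pty ssh-rsa AAAAB3Nza_CONSTRUCTED_KEY_B alice@laptop
command="/home/git/gitlab-shell/bin/gitlab-shell key-9",no-port-forwarding,no-pty ssh-rsa AAAAB3Nza_CONSTRUCTED_KEY_A deploy@ci-renamed
"""

def parse_keys(text):
    """Yield (key_id, key_type, blob) for every gitlab-shell managed line."""
    for line in text.splitlines():
        m = KEY_LINE.match(line)
        if m:
            key_id, ktype, blob = m.groups()
            yield int(key_id), ktype, blob

def duplicate_keys(text):
    """Map each (type, blob) that occurs more than once to its key ids, in file order."""
    seen = defaultdict(list)
    for key_id, ktype, blob in parse_keys(text):
        seen[(ktype, blob)].append(key_id)
    return {k: ids for k, ids in seen.items() if len(ids) > 1}

def effective_key_id(text, ktype, blob):
    """The key id sshd will hand to gitlab-shell for this key: first match wins."""
    for key_id, t, b in parse_keys(text):
        if (t, b) == (ktype, blob):
            return key_id
    return None

def stale_entries(text, live_ids):
    """Key ids in the file that are no longer in the application database
    (live_ids), i.e. the lines to remove so the current registration wins."""
    return [key_id for key_id, _, _ in parse_keys(text) if key_id not in live_ids]
```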
