| 1 |
Hi, |
| 2 |
|
| 3 |
I'm using Gentoo and followed this guide to set RSBAC user management: |
| 4 |
http://gentoo-wiki.com/RSBAC%2C_Who_is_root_anyway%3F#Installation_and_Configuration |
| 5 |
|
| 6 |
After this I can login as root (0) and as secoff (400) but my "normal |
| 7 |
user" maintenance is not allowed to login either by ssh nor direct, but |
| 8 |
I don't understand why. And why tries sshd to use /etc/shadow ? |
| 9 |
|
| 10 |
Perhaps somebody could help me here. |
| 11 |
|
| 12 |
Some additional information following. |
| 13 |
|
| 14 |
Thanks a lot, |
| 15 |
Michael Decker |
| 16 |
|
| 17 |
---- |
| 18 |
|
| 19 |
Setting passwords: |
| 20 |
--- SNIP -- |
| 21 |
# rsbac_passwd -n 0 |
| 22 |
# rsbac_passwd -n 400 |
| 23 |
# rsbac_passwd -n 1000 |
| 24 |
--- SNAP --- |
| 25 |
|
| 26 |
/var/log/auth.log: |
| 27 |
--- SNIP -- |
| 28 |
Jul 20 19:33:28 gentoo-04 login[6414]: FAILED LOGIN 2 FROM /dev/tty1 FOR |
| 29 |
root, Authentication failure |
| 30 |
Jul 20 19:33:59 gentoo-04 sshd[7820]: fatal: Timeout before |
| 31 |
authentication for 192.168.31.1 |
| 32 |
Jul 20 19:34:26 gentoo-04 login[7827]: (pam_rsbac) session opened for |
| 33 |
user root by LOGIN(uid=0) |
| 34 |
Jul 20 19:34:30 gentoo-04 login[7827]: (pam_rsbac) session closed for |
| 35 |
user root |
| 36 |
Jul 20 19:35:07 gentoo-04 sshd[7833]: error: Could not get shadow |
| 37 |
information for maintenance |
| 38 |
Jul 20 19:35:08 gentoo-04 sshd[7833]: Failed password for maintenance |
| 39 |
from 192.168.31.1 port 3683 ssh2 |
| 40 |
Jul 20 19:35:10 gentoo-04 sshd[7833]: Failed password for maintenance |
| 41 |
from 192.168.31.1 port 3683 ssh2 |
| 42 |
Jul 20 19:36:41 gentoo-04 login[7832]: (pam_rsbac) could not |
| 43 |
authenticate user maintenance |
| 44 |
Jul 20 19:36:41 gentoo-04 login[7832]: FAILED LOGIN 1 FROM /dev/tty1 FOR |
| 45 |
maintenance, Authentication failure |
| 46 |
Jul 20 19:37:04 gentoo-04 sshd[7833]: fatal: Timeout before |
| 47 |
authentication for 192.168.31.1 |
| 48 |
Jul 20 19:37:21 gentoo-04 login[7832]: (pam_rsbac) could not |
| 49 |
authenticate user maintenance |
| 50 |
Jul 20 19:37:21 gentoo-04 login[7832]: FAILED LOGIN 2 FROM /dev/tty1 FOR |
| 51 |
maintenance, Authentication failure |
| 52 |
Jul 20 19:40:03 gentoo-04 login[7840]: (pam_rsbac) session opened for |
| 53 |
user secoff by LOGIN(uid=0) |
| 54 |
Jul 20 19:40:15 gentoo-04 login[7840]: (pam_rsbac) session closed for |
| 55 |
user secoff |
| 56 |
Jul 20 19:40:58 gentoo-04 sshd[7882]: error: Could not get shadow |
| 57 |
information for maintenance |
| 58 |
Jul 20 19:40:58 gentoo-04 sshd[7882]: Failed password for maintenance |
| 59 |
from 192.168.31.1 port 3710 ssh2 |
| 60 |
Jul 20 19:41:03 gentoo-04 sshd[7882]: Failed password for maintenance |
| 61 |
from 192.168.31.1 port 3710 ssh2 |
| 62 |
Jul 20 19:42:57 gentoo-04 sshd[7882]: fatal: Timeout before |
| 63 |
authentication for 192.168.31.1 |
| 64 |
--- SNAP --- |
| 65 |
|
| 66 |
/etc/pam.d/sshd: |
| 67 |
--- SNIP --- |
| 68 |
auth include system-auth |
| 69 |
auth required pam_shells.so |
| 70 |
auth required pam_nologin.so |
| 71 |
account include system-auth |
| 72 |
password include system-auth |
| 73 |
session include system-auth |
| 74 |
--- SNAP --- |
| 75 |
|
| 76 |
# cat /proc/rsbac-info/active: |
| 77 |
--- SNIP --- |
| 78 |
Version: 1.2.5 |
| 79 |
Mode: SOFTMODE |
| 80 |
Softmode: available |
| 81 |
Ind-Soft: available |
| 82 |
Switching: unavailable |
| 83 |
Module: REG on |
| 84 |
Module: DAZ on |
| 85 |
Module: RC on |
| 86 |
Module: AUTH on |
| 87 |
Module: PAX on |
| 88 |
--- SNAP --- |
| 89 |
|
| 90 |
Current kernel options: |
| 91 |
--- SNIP --- |
| 92 |
kernel /boot/linux-2.6.14-rsbac-r1-proto-pax-rsbac-auth-rc-dac-pax-try3 |
| 93 |
root=/dev/hda3 rootflags=data=journal rsbac_softmode console=ttyS0,57600 |
| 94 |
console=tty0 |
| 95 |
--- SNAP --- |
| 96 |
|
| 97 |
# emerge --info: |
| 98 |
--- SNIP --- |
| 99 |
>>> >>> cfg-update-1.8.0-r3 : No new packages have been emerged, checksum |
| 100 |
index OK... |
| 101 |
Portage 2.1.1_pre2-r4 (hardened/x86/2.6, gcc-3.4.6/hardened, |
| 102 |
glibc-2.3.6-r4, 2.6.14-rsbac-r1-rsbac i686) |
| 103 |
================================================================= |
| 104 |
System uname: 2.6.14-rsbac-r1-rsbac i686 Intel(R) Pentium(R) D CPU 3.00GHz |
| 105 |
Gentoo Base System version 1.6.13 |
| 106 |
dev-lang/python: 2.4.3-r1 |
| 107 |
dev-python/pycrypto: 2.0.1-r5 |
| 108 |
dev-util/ccache: [Not Present] |
| 109 |
dev-util/confcache: [Not Present] |
| 110 |
sys-apps/sandbox: 1.2.18.1 |
| 111 |
sys-devel/autoconf: 2.13, 2.60 |
| 112 |
sys-devel/automake: 1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2 |
| 113 |
sys-devel/binutils: 2.17 |
| 114 |
sys-devel/gcc-config: 2.0.0_rc1 |
| 115 |
sys-devel/libtool: 1.5.22 |
| 116 |
virtual/os-headers: 2.6.11-r5 |
| 117 |
ACCEPT_KEYWORDS="x86 ~x86" |
| 118 |
AUTOCLEAN="yes" |
| 119 |
CBUILD="i386-pc-linux-gnu" |
| 120 |
CFLAGS="-O2 -march=pentium4" |
| 121 |
CHOST="i386-pc-linux-gnu" |
| 122 |
CONFIG_PROTECT="/etc" |
| 123 |
CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/eselect/compiler |
| 124 |
/etc/gconf /etc/java-config/vms/ /etc/revdep-rebuild /etc/terminfo" |
| 125 |
CXXFLAGS="-O2 -march=pentium4" |
| 126 |
DISTDIR="/usr/portage/distfiles" |
| 127 |
FEATURES="autoconfig distlocks metadata-transfer sandbox sfperms strict" |
| 128 |
GENTOO_MIRRORS="http://ftp.uni-erlangen.de/pub/mirrors/gentoo |
| 129 |
http://mirrors.sec.informatik.tu-darmstadt.de/gentoo/ |
| 130 |
http://ftp-stud.fht-esslingen.de/pub/Mirrors/gentoo/ |
| 131 |
http://pandemonium.tiscali.de/pub/gentoo/ http://gentoo.intergenia.de |
| 132 |
http://files.gentoo.org http://ftp.ntua.gr/pub/linux/gentoo/ |
| 133 |
http://linux.rz.ruhr-uni-bochum.de/download/gentoo-mirror/ " |
| 134 |
MAKEOPTS="-j3" |
| 135 |
PKGDIR="/usr/portage//packages/x86/" |
| 136 |
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times |
| 137 |
--compress --force --whole-file --delete --delete-after --stats |
| 138 |
--timeout=180 --exclude='/distfiles' --exclude='/local' |
| 139 |
--exclude='/packages'" |
| 140 |
PORTAGE_TMPDIR="/var/tmp" |
| 141 |
PORTDIR="/usr/portage/" |
| 142 |
SYNC="rsync://rsync.europe.gentoo.org/gentoo-portage" |
| 143 |
USE="apache2 berkdb bzip2 clamav crypt dlloader doc hardened java ldap |
| 144 |
mysql nls pam pic readline ssl tcpd threads userlocales x86 xml xorg |
| 145 |
zlib elibc_glibc input_devices_mouse input_devices_keyboard kernel_linux |
| 146 |
userland_GNU" |
| 147 |
Unset: CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LC_ALL, |
| 148 |
LDFLAGS, LINGUAS, PORTAGE_RSYNC_EXTRA_OPTS, PORTDIR_OVERLAY |
| 149 |
--- SNAP --- |
| 150 |
|
| 151 |
-- Michael Decker Michael.Decker@×××××.de TESIS SYSware GmbH |
| 152 |
http://www.tesis.de Baierbrunnerstr. 15 * 81379 Muenchen * Tel. +49 89 |
| 153 |
747377-0 _______________________________________________ rsbac mailing |
| 154 |
list rsbac@×××××.org http://www.rsbac.org/mailman/listinfo/rsbac |
| 155 |
|
| 156 |
-- |
| 157 |
gentoo-hardened@g.o mailing list |
Archives