Hi,

I'm using Gentoo and followed this guide to set up RSBAC user management:
http://gentoo-wiki.com/RSBAC%2C_Who_is_root_anyway%3F#Installation_and_Configuration

After this I can log in as root (0) and as secoff (400), but my "normal
user" maintenance is not allowed to log in either by ssh or directly, but
I don't understand why. And why does sshd try to use /etc/shadow?

Perhaps somebody could help me here.

Some additional information follows.

Thanks a lot,
Michael Decker

----

Setting passwords:
--- SNIP --
# rsbac_passwd -n 0
# rsbac_passwd -n 400
# rsbac_passwd -n 1000
--- SNAP ---

/var/log/auth.log:
--- SNIP --
Jul 20 19:33:28 gentoo-04 login[6414]: FAILED LOGIN 2 FROM /dev/tty1 FOR root, Authentication failure
Jul 20 19:33:59 gentoo-04 sshd[7820]: fatal: Timeout before authentication for 192.168.31.1
Jul 20 19:34:26 gentoo-04 login[7827]: (pam_rsbac) session opened for user root by LOGIN(uid=0)
Jul 20 19:34:30 gentoo-04 login[7827]: (pam_rsbac) session closed for user root
Jul 20 19:35:07 gentoo-04 sshd[7833]: error: Could not get shadow information for maintenance
Jul 20 19:35:08 gentoo-04 sshd[7833]: Failed password for maintenance from 192.168.31.1 port 3683 ssh2
Jul 20 19:35:10 gentoo-04 sshd[7833]: Failed password for maintenance from 192.168.31.1 port 3683 ssh2
Jul 20 19:36:41 gentoo-04 login[7832]: (pam_rsbac) could not authenticate user maintenance
Jul 20 19:36:41 gentoo-04 login[7832]: FAILED LOGIN 1 FROM /dev/tty1 FOR maintenance, Authentication failure
Jul 20 19:37:04 gentoo-04 sshd[7833]: fatal: Timeout before authentication for 192.168.31.1
Jul 20 19:37:21 gentoo-04 login[7832]: (pam_rsbac) could not authenticate user maintenance
Jul 20 19:37:21 gentoo-04 login[7832]: FAILED LOGIN 2 FROM /dev/tty1 FOR maintenance, Authentication failure
Jul 20 19:40:03 gentoo-04 login[7840]: (pam_rsbac) session opened for user secoff by LOGIN(uid=0)
Jul 20 19:40:15 gentoo-04 login[7840]: (pam_rsbac) session closed for user secoff
Jul 20 19:40:58 gentoo-04 sshd[7882]: error: Could not get shadow information for maintenance
Jul 20 19:40:58 gentoo-04 sshd[7882]: Failed password for maintenance from 192.168.31.1 port 3710 ssh2
Jul 20 19:41:03 gentoo-04 sshd[7882]: Failed password for maintenance from 192.168.31.1 port 3710 ssh2
Jul 20 19:42:57 gentoo-04 sshd[7882]: fatal: Timeout before authentication for 192.168.31.1
--- SNAP ---

/etc/pam.d/sshd:
--- SNIP ---
auth include system-auth
auth required pam_shells.so
auth required pam_nologin.so
account include system-auth
password include system-auth
session include system-auth
--- SNAP ---

# cat /proc/rsbac-info/active:
--- SNIP ---
Version: 1.2.5
Mode: SOFTMODE
Softmode: available
Ind-Soft: available
Switching: unavailable
Module: REG on
Module: DAZ on
Module: RC on
Module: AUTH on
Module: PAX on
--- SNAP ---

Current kernel options:
--- SNIP ---
kernel /boot/linux-2.6.14-rsbac-r1-proto-pax-rsbac-auth-rc-dac-pax-try3 root=/dev/hda3 rootflags=data=journal rsbac_softmode console=ttyS0,57600 console=tty0
--- SNAP ---

# emerge --info:
--- SNIP ---
>>> >>> cfg-update-1.8.0-r3 : No new packages have been emerged, checksum index OK...
Portage 2.1.1_pre2-r4 (hardened/x86/2.6, gcc-3.4.6/hardened, glibc-2.3.6-r4, 2.6.14-rsbac-r1-rsbac i686)
=================================================================
System uname: 2.6.14-rsbac-r1-rsbac i686 Intel(R) Pentium(R) D CPU 3.00GHz
Gentoo Base System version 1.6.13
dev-lang/python: 2.4.3-r1
dev-python/pycrypto: 2.0.1-r5
dev-util/ccache: [Not Present]
dev-util/confcache: [Not Present]
sys-apps/sandbox: 1.2.18.1
sys-devel/autoconf: 2.13, 2.60
sys-devel/automake: 1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2
sys-devel/binutils: 2.17
sys-devel/gcc-config: 2.0.0_rc1
sys-devel/libtool: 1.5.22
virtual/os-headers: 2.6.11-r5
ACCEPT_KEYWORDS="x86 ~x86"
AUTOCLEAN="yes"
CBUILD="i386-pc-linux-gnu"
CFLAGS="-O2 -march=pentium4"
CHOST="i386-pc-linux-gnu"
CONFIG_PROTECT="/etc"
CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/eselect/compiler /etc/gconf /etc/java-config/vms/ /etc/revdep-rebuild /etc/terminfo"
CXXFLAGS="-O2 -march=pentium4"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoconfig distlocks metadata-transfer sandbox sfperms strict"
GENTOO_MIRRORS="http://ftp.uni-erlangen.de/pub/mirrors/gentoo http://mirrors.sec.informatik.tu-darmstadt.de/gentoo/ http://ftp-stud.fht-esslingen.de/pub/Mirrors/gentoo/ http://pandemonium.tiscali.de/pub/gentoo/ http://gentoo.intergenia.de http://files.gentoo.org http://ftp.ntua.gr/pub/linux/gentoo/ http://linux.rz.ruhr-uni-bochum.de/download/gentoo-mirror/ "
MAKEOPTS="-j3"
PKGDIR="/usr/portage//packages/x86/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude='/distfiles' --exclude='/local' --exclude='/packages'"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage/"
SYNC="rsync://rsync.europe.gentoo.org/gentoo-portage"
USE="apache2 berkdb bzip2 clamav crypt dlloader doc hardened java ldap mysql nls pam pic readline ssl tcpd threads userlocales x86 xml xorg zlib elibc_glibc input_devices_mouse input_devices_keyboard kernel_linux userland_GNU"
Unset: CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LC_ALL, LDFLAGS, LINGUAS, PORTAGE_RSYNC_EXTRA_OPTS, PORTDIR_OVERLAY
--- SNAP ---

--
Michael Decker  Michael.Decker@×××××.de
TESIS SYSware GmbH  http://www.tesis.de
Baierbrunnerstr. 15 * 81379 Muenchen * Tel. +49 89 747377-0
_______________________________________________
rsbac mailing list
rsbac@×××××.org
http://www.rsbac.org/mailman/listinfo/rsbac

--
gentoo-hardened@g.o mailing list