Yesterday I installed pam_shield and followed the testing suggested and thought all was well. Today I find that I cannot get to my email account; I can login via ssh okay (uses keys) but su and sudo give segmentation faults. I am guessing it is due to the pam module causing a problem. As I cannot do remote login as root, and sudo and su use pam, I appear to have locked myself out. Any words of wisdom from those a little more knowledgeable? Why do I keep trying new things? I like to improve my system and harden it against constant script kiddies (many different triers per day), but despite reading all the instructions I fall into a hole I cannot climb out of. Hopefully someone has an idea. BTW - the console also fails to allow login. TIA, Rob
On Tue, August 24, 2010 17:29, Rob Kampen wrote:
You'll need to boot into Single User Mode and undo or just check your pam configuration:
From: http://www.centos.org/docs/5/html/Installation_Guide-en-US/s1-rescuemode-boo...
At the GRUB splash screen at boot time, press any key to enter the GRUB interactive menu.
Select Red Hat Enterprise Linux with the version of the kernel that you wish to boot and type a to append the line.
Go to the end of the line and type single as a separate word (press the Spacebar and then type single). Press Enter to exit edit mode.
Same here. Is it a 64-bit system?
# cat /var/log/messages | grep -i segfault
Aug 24 06:41:18 angara kernel: login[1678]: segfault at 0000000000000000 rip 0000003816a79f34 rsp 00007fff0663cce8 error 4
Aug 24 06:41:21 angara kernel: login[1708]: segfault at 0000000000000000 rip 0000003816a79f34 rsp 00007fff66c609b8 error 4
Aug 24 06:46:45 angara kernel: login[5933]: segfault at 0000000000000000 rip 0000003816a79f34 rsp 00007fffc003eb38 error 4
Would the maintainer care to give a hand? Thanks, Sasha
On Tue, 2010-08-24 at 14:56 -0400, Rob Kampen wrote:
No, my server is 32 bit and I think there were no seg faults in actuality - the pam_shield module was causing a ?? response to su and sudo auth requests and they reported a segmentation error - nothing in the logs. I assume that it had somehow locked my account and thus all auth requests to pam were being dumped. It also appeared to do the same to the login prompt on the console - any user entered just went back to the login prompt, no request for the password. I have thus commented out the auth line I added yesterday until I work out what went wrong. I am wondering if I entered the auth line in the wrong place?? Anyone know where it should go? The instructions from the INSTALL file in the tar.gz that I used were not centos / rh specific. HTH Rob
A pam_shield-related login failure happened to me once and fixing system-auth cured it.
It happened too long ago to remember the details, but I think the failure was on centos 4. The thing that sticks in my mind was the inability of any user to login from a console.
Here are the examples you requested.
Centos 4 example (64-bit):
# cat /etc/pam.d/system-auth
...
auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
# auth optional /lib64/security/pam_shield.so #
auth required /lib/security/$ISA/pam_deny.so
...
Centos 5 example:
# cat /etc/pam.d/system-auth
...
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
# auth optional pam_shield.so #
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so
...
rhel6-beta2 example:
...
# cat /etc/pam.d/system-auth
...
auth required pam_env.so
auth sufficient pam_fprintd.so
auth sufficient pam_unix.so nullok try_first_pass
# auth optional pam_shield.so #
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so
...
Steve
On Tue, 24 Aug 2010, Rob Kampen wrote:
I have not encountered this issue. And I have been using it on 32bit and 64bit machines with RHEL4 and RHEL5. I guess it must be related to a configuration issue somewhere. Not good though.
Was this with the 0.9.2 release, or the 0.9.3 release ?
Please provide this information to the author, he might help you find the cause and fix it in pam_shield.
Thanks for reporting,
Dag Wieers wrote:
Update - running 0.9.2 release on both a .386 and a .x86_64 system. I think the location of the auth optional pam_shield.so line within the /etc/pam.d/ config files is important?? I had an error on the 64 bit machine thus it was not running - I have now fixed and after looking at the response from S.Tindall I have moved the line to the location as shown in /etc/pam.d/system-auth-ac:
<snip>
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_krb5.so use_first_pass
auth optional pam_shield.so
auth required pam_deny.so
<snip>
Let's see if this works.
I've tried that too and it was a good suggestion as su now crashes only if you enter a wrong password. I've also tried to rebuild rpmforge srpm with no luck. Could you really make this thing work? I mean did it actually block anything after a series of failed logins?
Sasha
On Fri, 27 Aug 2010, A. Kirillov wrote:
As I said, we use it for various services on all Internet-bound systems. And yes it works fine. Example: /etc/pam.d/sshd
------
#%PAM-1.0
auth optional pam_shield.so
auth include system-auth
account required pam_nologin.so
account include system-auth
password include system-auth
session optional pam_keyinit.so force revoke
session include system-auth
session required pam_loginuid.so
------
You don't want to add this to /etc/pam.d/system-auth simply because it makes no sense to enable pam_shield for things like su, screen, reboot, etc... If you understand what pam_shield does (eg. read the documentation), you'd never want to enable it for all PAM services that use system-auth. EVER.
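The placement point made in this reply (pam_shield in a per-service file such as /etc/pam.d/sshd, never in the shared system-auth stack that su, login and screen all include) can be checked mechanically. The following audit script is an added example written for this thread, not pam_shield's own code or the list's; it walks each service's auth stack through include/substack directives and reports where pam_shield.so enters it, and build_demo constructs a throwaway pam.d tree modelled on the sshd and system-auth snippets quoted above.

```python
import os
import tempfile
# Added audit helper (hypothetical, not pam_shield's own code); see lead-in.
SHARED_STACKS = ("system-auth", "system-auth-ac", "common-auth")

def _auth_lines(pamd_dir, service, seen=None):
    """Yield (source_file, control, module) for one service's auth stack."""
    seen = set() if seen is None else seen
    path = os.path.join(pamd_dir, service)
    if service in seen or not os.path.isfile(path):  # include loop or missing file
        return
    seen.add(service)
    with open(path) as fh:
        for raw in fh:
            fields = raw.split("#", 1)[0].split()  # strip comments such as "#%PAM-1.0"
            if len(fields) < 3 or fields[0] != "auth":
                continue
            control, module = fields[1], fields[2]
            if control in ("include", "substack"):
                yield from _auth_lines(pamd_dir, module, seen)
            else:
                yield service, control, module

def services_using_pam_shield(pamd_dir):
    """Map service -> file that pulls pam_shield.so into its auth stack."""
    hits = {}
    for service in sorted(os.listdir(pamd_dir)):
        for src, _control, module in _auth_lines(pamd_dir, service):
            if os.path.basename(module) == "pam_shield.so":
                hits[service] = src
                break
    return hits

def shared_stack_warnings(pamd_dir):
    """Shared stacks that carry pam_shield directly; every includer (su, login, ...) inherits it."""
    hits = services_using_pam_shield(pamd_dir)
    return sorted({src for src in hits.values() if src in SHARED_STACKS})

def build_demo(shield_in_system_auth):
    """Constructed pam.d tree modelled on the thread's sshd and system-auth snippets."""
    d = tempfile.mkdtemp()
    sys_auth = ["auth required pam_env.so", "auth sufficient pam_unix.so nullok try_first_pass",
                "auth required pam_deny.so"]
    if shield_in_system_auth:
        sys_auth.insert(2, "auth optional pam_shield.so")
    files = {"system-auth": sys_auth, "su": ["auth sufficient pam_rootok.so", "auth include system-auth"],
             "sshd": ["#%PAM-1.0", "auth optional pam_shield.so", "auth include system-auth"]}
    for name, lines in files.items():
        with open(os.path.join(d, name), "w") as fh: fh.write("\n".join(lines) + "\n")
    return d
```

Run it against a real tree with services_using_pam_shield("/etc/pam.d"); any entry whose source is a shared stack means the module is reaching far more services than intended. Bracketed control fields ([success=1 default=ignore]) are not parsed by this simplified reader.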
I'm in no way a pam expert, yes. So I have to rely on the documentation which comes with the package.
# cat /usr/share/doc/pam_shield-0.9.3/INSTALL
...
If you want to use pam_shield for all services, edit /etc/pam.d/common-auth. Add the line

auth optional pam_shield.so

and that's that.
...
And that's about the only hint on how and where to enable pam_shield. I've tried to add this line to /etc/pam.d/sshd too. Fortunately it didn't crash anything but it didn't work either.
# diff -bB /etc/security/shield.conf.original /etc/security/shield.conf
56c56
< max_conns 10
---
> max_conns 3
67c67
< interval 5m
---
> interval 60
72c72
< retention 1w
---
> retention 60
The system is 64-bit centos 5.5, fully updated. Switching off selinux didn't help.
So the question remains. Could anybody besides the maintainer make this very version of pam_shield (0.9.3-1.el5.rf.x86_64) work?
Thanks
Here's the story for those interested. With the default of
allow_missing_dns no
allow_missing_reverse no
pam_shield DOESN'T BLOCK hosts with no or incomplete dns entries, which is a surprise. Should I say a big one? The reason it didn't work for me was that bind wasn't adding reverse maps for my local hosts because of screwed up zone file permissions.
On a side note, when testing pam_shield with a recommended retention period of 60 secs you have to run /etc/cron.daily/pam-shield manually to release expired locks.
HTH
On Sat, 28 Aug 2010, A. Kirillov wrote:
Welcome to the wonderful world of Open Source !
If you want to make a difference here, please talk to the upstream developers, rather than to this list.
Now, since I use pam_shield myself I have reported both problems (segfault of su and login when configuring in /etc/pam.d/system-auth, and the above). I haven't tested both, so any feedback or testcase to replicate the problem are welcomed by the upstream developers (does not include me).
We also discussed some other improvements:
- using AUTHPRIV instead of AUTH for logging
- including shield-trigger-iptables
- Fixes to Makefile
- Including manual pages
- Fixes to INSTALL
- Both registered bugs
Kind regards,