Re: [CentOS] Authentication Problems
No --James. (This email was sent from a mobile device) ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Authentication Problems
On 02/16/11 6:27 AM, James Bensley wrote: > However he always uses the webdev account which lastlog shows as never > logged in, so when accessing the VPS as the webdev user account are we > somehow actually accessing the VPS as webmaster? Is it possible the > VPS providers performed some crazy voodoo magic here? does webdev and webmaster have the same UID in /etc/passwd ? ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Authentication Problems
Ok, everything is fixed now. I spoke with the VPS providers; The jailed shell was removed from the webdev user (and the webmaster user?) and they reset the password. I logged into ssh as the webdev user to change the password and they told me off for trying and said I must do it through WHM/cPanel. I suspect there is some crazy arrangement here I don't know about and there is some link between those two accounts. When I tried (apparently wrongly) to change the webdev users password I still got "passwd: Authentication token manipulation error" but they said to leave it alone?! I'm just glad its over, thanks everyone for your support :D -- James. http://www.jamesbensley.co.cc/ There are 10 kinds of people in the world; Those who understand Vigesimal, and J others...? ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Authentication Problems
On 16 February 2011 14:50, Jeff wrote: > What does /etc/nsswitch.conf look like? Anything other than "files" > for passwd, shadow and group? If that's OK, I would start comparing > files in /etc/pam.d to a known-good system. Thanks for the info, I will look into the pam.d stuff :) cat /etc/nsswitch.conf SNIP. passwd: files shadow: files group: files -- James. http://www.jamesbensley.co.cc/ There are 10 kinds of people in the world; Those who understand Vigesimal, and J others...? ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Authentication Problems
On 16 February 2011 14:34, ... wrote: > yes, that is what doing an "su - " as *root* will do, which > doesn't tell you much. instead of doing this from a root login, do > it from a regular account (you don't routinely log in as root i hope > - actually it sounds like you do). > > if this works, then the issue isn't with the password or shell. No other user is allowed to execute /bin/su :) (This is something the VPS providers have put in place, apart from root, all other users for each virtual site have their shell set to /usr/local/cpanel/bin/jailshell or /usr/local/cpanel/bin/noshell) > by the way, it doesn't sound like the accounts on this machine are > set up very well. you should *never* log in as root (that capability > should be disabled actually). rather you should log in to a regular, > unprivileged, account and su (or sudo) to root only when you need to > do something privileged and only for that moment. your developer's > access sounds rather odd too, with the seeming lack of separation > between the login and the site content. Its not my server so those aren't my decisions to make. I don't normally allow root ssh, I would have probably installed fail2ban, set up SELinux blah blah blah and many other things but this isn't my VPS, I've just been tasked with it so this is the way it is! :s -- James. http://www.jamesbensley.co.cc/ There are 10 kinds of people in the world; Those who understand Vigesimal, and J others...? ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Authentication Problems
On Wed, Feb 16, 2011 at 6:28 AM, James Bensley wrote: > Hi List, > > We have a CentOS VPS running a web site in a DC far away. The chap that > dev's this site told me he couldn't SFTP in yesterday, his password was > being rejected (I went to his desk to confirm and saw it was telling him the > password was incorrect but neither him nor me had changed it and we are the > only two with access to this VPS). So I logged in as root and reset his > password, be he still couldn't log in (same problem, claiming the password > was wrong). > > [root@server ~]# passwd webdevuser > Changing password for user webdevuser. > New UNIX password: > Retype new UNIX password: > passwd: all authentication tokens updates successfully. > > I tried to SSH in as the web dev user and it wouldn't let me in. Returning > back to my root console window; > > [root@server ~]# su - webdevuser > [webdevuser@server ~]# passwd > Changing password for user webdevuser. > Changing password for webdevuser. > (current) UNIX password: > passwd: Authentication token manipulation error > > Firstly; I am stracthing my head as to why his password was no longer > working in the first place? > > Secondly; Why I can't reset it? > > Googling around many people suggest there is a discrepancy between the > /etc/passwd and /etc/shadow files and by deleting /etc/shadow and using > pwconv to recreate shadow and the same for /etc/groups, deleting gshadow > recreating it with grpconv will solve the problem but I still can't login as > the web dev user. > > Any ideas anyone? What does /etc/nsswitch.conf look like? Anything other than "files" for passwd, shadow and group? If that's OK, I would start comparing files in /etc/pam.d to a known-good system. -- Jeff ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Authentication Problems
On 16/02/11 15:16, James Bensley wrote: >> i'd suggest looking at the log files (/var/log/secure and >> > .../messages), for indications of why you're having trouble logging >> > in as the other user. you can also, in a terminal window from a >> > "mere mortal" (not root) login, try: >> > >> > su - >> > >> > as that may give you some feedback. something like having an invalid >> > shell will cause what you're seeing. > As root, if I 'su - webdevuser' it doesn't prompt me for a password > and drops me in as the user, presumably what is intended? > This is normal behaviour. root can su to which ever user without being asked for any password by default. kind regards, David Sommerseth ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Authentication Problems
On 16 February 2011 14:17, wrote: > What does lastlog | grep -v Never show you? > Hi Mark, This has shown something (potentially) interesting: [root@server ~]# lastlog | grep -v Never Username Port From Latest root pts/2x.x.x.x Wed Feb 16 13:41:40 + 2011 webmasterpts/2y.y.y.y Sun Dec 14 03:46:07 + 2008 So, I am logged in as root right now, however, the 'webmaster' entry is what is interesting me. The y.y.y.y address is the web dev's address (he hasn't logged in since sunday, he notified my yesterday when he tried to get back on that he couldn't). However he always uses the webdev account which lastlog shows as never logged in, so when accessing the VPS as the webdev user account are we somehow actually accessing the VPS as webmaster? Is it possible the VPS providers performed some crazy voodoo magic here? Perhaps I should change the password for the webmaster account (this doesn't have one according to the passwd file), so I could 'su - webmaster', set a password and then try and login as the webdev user? Or is this possibly going to make matters worse? -- James. http://www.jamesbensley.co.cc/ There are 10 kinds of people in the world; Those who understand Vigesimal, and J others...? ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Authentication Problems
Nico Kadel-Garcia wrote: > On Wed, Feb 16, 2011 at 7:43 AM, James Bensley > wrote: >> On 16 Feb 2011 12:34, "Nico Kadel-Garcia" wrote: >>> Do you have other users who >>> can still log in or not? >> >> There is only the root and web dev user on this box. What does lastlog | grep -v Never show you? mark ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Authentication Problems
On 16 February 2011 13:00, ... wrote: > you realize that there are no passwords in /etc/passwd, so if you > delete /etc/shadow and rebuild it using pwconv there will be no > passwords in the new /etc/shadow... depending on the exact state, > you either won't be able to log in, or the machine will be totally > open. Yes sorry I meant that the other way round :) > i'd suggest looking at the log files (/var/log/secure and > .../messages), for indications of why you're having trouble logging > in as the other user. you can also, in a terminal window from a > "mere mortal" (not root) login, try: > > su - > > as that may give you some feedback. something like having an invalid > shell will cause what you're seeing. As root, if I 'su - webdevuser' it doesn't prompt me for a password and drops me in as the user, presumably what is intended? -- James. http://www.jamesbensley.co.cc/ There are 10 kinds of people in the world; Those who understand Vigesimal, and J others...? ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Authentication Problems
Thanks to all for your various replies On 16 February 2011 12:50, Nico Kadel-Garcia wrote: >>> Check the /etc/shadow and /etc/group for consistent numbers of >>> entries, and /etc/group and /etc/gshadow. >> >> Do you mean duplicate entries? If so there are none of those. > > No, I mean the sam enumber of entries. > > wc /etc/shadow /etc/passwd > cut -f1 -d: /etc/shasow /etc/passwd | sort | uniq -c This came back 2 for each user, so no differences. > And actually go line by line down these files, checking for matching > usernames, correct layout of ':' separated entries, correct numbers of > entries, and blank lines. I've seen serous problems where one or ther > other of these files were corrupted by something, especially badly > written installer scripts that only edited /etc/passwd directly and > ignored /etc/shadow, or which mishandled "$" entries in newly created > encrypted passwords. I'm now going through this although its all looking intact. >>> Do you have other users who >>> can still log in or not? >> >> There is only the root and web dev user on this box. >> > Are you *sure*? Can you back this thing up for review and rebuilding? > It might be safest to image it for analysis and simply rebuild it. Yes, but I like to fix things. If I can't fix this I will restore the box but for now I'm going to continue troubleshooting. The root user and web dev user are the only two that have hash value in the passwd file so I would expect this to mean they are the only two users than can actually log in? On 16 February 2011 12:59, David Sommerseth wrote:> > - Could the account have become locked somehow? (passwd -u $user) Or > could the account have become expired? [root@server ~]# passwd -u futuread. Unlocking password for user futuread. paswd: Success. But I still get access denied. > - Are the permissions strict on the users ~/.ssh? (0700 on the directory, > and 0600 on any files inside that directory - like authorized_keys ...) If I remove execute permissions form the web dev home folder a website will stop working, its within that users home folder. I.e. virtual site1 is inside the home folder of user 'virtual1' and virtual site2 is within the home folder of the user 'virtual2'. The web dev chap logins in as say virtual1 and edits all sites with that account. There is no .ssh subfolder in the home folder? Could this be the problem? If he saw it in there and deleted it perhaps (although I imagine it would just be recreated if needed?). > - Is SELinux in Enforced mode and are the SELinux file context correct on > /home? (restorecon -rv /home) [root@server ~]# getenforce Disabled > Also double check /var/log/messages, /var/log/secure and > /var/log/audit/audit.log carefully when trying to log in as that user. /var/log/audit is empty. Is this normal, this VPS comes initially configured from the provider? /var/log/messages and /var/log/secure both just show a generic invalid login attemp: /var/log/messages: Feb 16 13:53:58 server1882 sshd(pam_unix)[16225]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=1.2.3.4 user=webdevuser /var/log/secure: Feb 16 13:53:50 server1882 sshd[16225]: Failed password for futuread from :::1.2.3.4 port 1536 ssh2 On 16 February 2011 13:08, Kwan Lowe wrote: > A lot of things can cause this, including a full /var filesystem :/ Nope, only %75 full (60GB filesystem), there's some room left in her yet ;) Thanks everyone for your help so far its really appreciated. -- James. http://www.jamesbensley.co.cc/ There are 10 kinds of people in the world; Those who understand Vigesimal, and J others...? ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Authentication Problems
On Wed, Feb 16, 2011 at 7:28 AM, James Bensley wrote: > [root@server ~]# su - webdevuser > [webdevuser@server ~]# passwd > Changing password for user webdevuser. > Changing password for webdevuser. > (current) UNIX password: > passwd: Authentication token manipulation error A lot of things can cause this, including a full /var filesystem :/ ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Authentication Problems
On 16/02/11 13:28, James Bensley wrote: > Hi List, > > We have a CentOS VPS running a web site in a DC far away. The chap that > dev's this site told me he couldn't SFTP in yesterday, his password was > being rejected (I went to his desk to confirm and saw it was telling him > the password was incorrect but neither him nor me had changed it and we are > the only two with access to this VPS). So I logged in as root and reset his > password, be he still couldn't log in (same problem, claiming the password > was wrong). > > [root@server ~]# passwd webdevuser > Changing password for user webdevuser. > New UNIX password: > Retype new UNIX password: > passwd: all authentication tokens updates successfully. > > I tried to SSH in as the web dev user and it wouldn't let me in. Returning > back to my root console window; > > [root@server ~]# su - webdevuser > [webdevuser@server ~]# passwd > Changing password for user webdevuser. > Changing password for webdevuser. > (current) UNIX password: > passwd: Authentication token manipulation error > > Firstly; I am stracthing my head as to why his password was no longer > working in the first place? > > Secondly; Why I can't reset it? > > Googling around many people suggest there is a discrepancy between the > /etc/passwd and /etc/shadow files and by deleting /etc/shadow and using > pwconv to recreate shadow and the same for /etc/groups, deleting gshadow > recreating it with grpconv will solve the problem but I still can't login > as the web dev user. > > Any ideas anyone? - Could the account have become locked somehow? (passwd -u $user) Or could the account have become expired? - Are the permissions strict on the users ~/.ssh? (0700 on the directory, and 0600 on any files inside that directory - like authorized_keys ...) - Is SELinux in Enforced mode and are the SELinux file context correct on /home? (restorecon -rv /home) Also double check /var/log/messages, /var/log/secure and /var/log/audit/audit.log carefully when trying to log in as that user. kind regards, David Sommerseth ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Authentication Problems
On Wed, Feb 16, 2011 at 7:43 AM, James Bensley wrote: > On 16 Feb 2011 12:34, "Nico Kadel-Garcia" wrote: >> >> Uh-oh. Has your developer, or you, been editing the /etc/passwd, >> /etc/shadow, /etc/group, or /etc/gshadow files manually? > > Nope. > >> And do you >> use NIS or LDAP for authentication? > > Nope. > >> And this is a publicly exposed >> webserver, right? How fast can you rebuild it if it's been rootkitted? > > How long is a peice of string? As quick as I can reupload the data, but > thats another issue for another day. > >> Check the /etc/shadow and /etc/group for consistent numbers of >> entries, and /etc/group and /etc/gshadow. > > Do you mean duplicate entries? If so there are none of those. No, I mean the sam enumber of entries. wc /etc/shadow /etc/passwd cut -f1 -d: /etc/shasow /etc/passwd | sort | uniq -c And actually go line by line down these files, checking for matching usernames, correct layout of ':' separated entries, correct numbers of entries, and blank lines. I've seen serous problems where one or ther other of these files were corrupted by something, especially badly written installer scripts that only edited /etc/passwd directly and ignored /etc/shadow, or which mishandled "$" entries in newly created encrypted passwords. >> Do you have other users who >> can still log in or not? > > There is only the root and web dev user on this box. > > Thanks for your input Nico :) > > --James. (This email was sent from a mobile device) Are you *sure*? Can you back this thing up for review and rebuilding? It might be safest to image it for analysis and simply rebuild it. ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Authentication Problems
On 16 Feb 2011 12:34, "Nico Kadel-Garcia" wrote: > > Uh-oh. Has your developer, or you, been editing the /etc/passwd, > /etc/shadow, /etc/group, or /etc/gshadow files manually? Nope. > And do you > use NIS or LDAP for authentication? Nope. > And this is a publicly exposed > webserver, right? How fast can you rebuild it if it's been rootkitted? How long is a peice of string? As quick as I can reupload the data, but thats another issue for another day. > Check the /etc/shadow and /etc/group for consistent numbers of > entries, and /etc/group and /etc/gshadow. Do you mean duplicate entries? If so there are none of those. > Do you have other users who > can still log in or not? There is only the root and web dev user on this box. Thanks for your input Nico :) --James. (This email was sent from a mobile device) ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Authentication Problems
On Wed, Feb 16, 2011 at 7:28 AM, James Bensley wrote: > Hi List, > > We have a CentOS VPS running a web site in a DC far away. The chap that > dev's this site told me he couldn't SFTP in yesterday, his password was > being rejected (I went to his desk to confirm and saw it was telling him the > password was incorrect but neither him nor me had changed it and we are the > only two with access to this VPS). So I logged in as root and reset his > password, be he still couldn't log in (same problem, claiming the password > was wrong). > > [root@server ~]# passwd webdevuser > Changing password for user webdevuser. > New UNIX password: > Retype new UNIX password: > passwd: all authentication tokens updates successfully. > > I tried to SSH in as the web dev user and it wouldn't let me in. Returning > back to my root console window; > > [root@server ~]# su - webdevuser > [webdevuser@server ~]# passwd > Changing password for user webdevuser. > Changing password for webdevuser. > (current) UNIX password: > passwd: Authentication token manipulation error > > Firstly; I am stracthing my head as to why his password was no longer > working in the first place? > > Secondly; Why I can't reset it? > > Googling around many people suggest there is a discrepancy between the > /etc/passwd and /etc/shadow files and by deleting /etc/shadow and using > pwconv to recreate shadow and the same for /etc/groups, deleting gshadow > recreating it with grpconv will solve the problem but I still can't login as > the web dev user. > > Any ideas anyone? Uh-oh. Has your developer, or you, been editing the /etc/passwd, /etc/shadow, /etc/group, or /etc/gshadow files manually? And do you use NIS or LDAP for authentication? And this is a publicly exposed webserver, right? How fast can you rebuild it if it's been rootkitted? Check the /etc/shadow and /etc/group for consistent numbers of entries, and /etc/group and /etc/gshadow. Do you have other users who can still log in or not? ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
[CentOS] Authentication Problems
Hi List, We have a CentOS VPS running a web site in a DC far away. The chap that dev's this site told me he couldn't SFTP in yesterday, his password was being rejected (I went to his desk to confirm and saw it was telling him the password was incorrect but neither him nor me had changed it and we are the only two with access to this VPS). So I logged in as root and reset his password, be he still couldn't log in (same problem, claiming the password was wrong). [root@server ~]# passwd webdevuser Changing password for user webdevuser. New UNIX password: Retype new UNIX password: passwd: all authentication tokens updates successfully. I tried to SSH in as the web dev user and it wouldn't let me in. Returning back to my root console window; [root@server ~]# su - webdevuser [webdevuser@server ~]# passwd Changing password for user webdevuser. Changing password for webdevuser. (current) UNIX password: passwd: Authentication token manipulation error Firstly; I am stracthing my head as to why his password was no longer working in the first place? Secondly; Why I can't reset it? Googling around many people suggest there is a discrepancy between the /etc/passwd and /etc/shadow files and by deleting /etc/shadow and using pwconv to recreate shadow and the same for /etc/groups, deleting gshadow recreating it with grpconv will solve the problem but I still can't login as the web dev user. Any ideas anyone? -- James. http://www.jamesbensley.co.cc/ There are 10 kinds of people in the world; Those who understand Vigesimal, and J others...? ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos