Re: [CentOS] PAM_shield locking me out?
>>> Yesterday I installed pam_shield and followed the testing suggested and thought all was well. Today I find that I cannot get to my email account, I can login via ssh okay (uses keys) but su and sudo give segmentation faults. I am guessing due to the pam module causing a problem. As I cannot do remote login as root and sudo and su use pam I appear to have locked myself out.
>>
>> I have not encountered this issue. And I have been using it on 32bit and 64bit machines with RHEL4 and RHEL5. I guess it must be related to a configuration issue somewhere. Not good though.
>>
>> Was this with the 0.9.2 release, or the 0.9.3 release? Please provide this information to the author, he might help you find the cause and fix it in pam_shield.
>>
>> Thanks for reporting,
>
> Update - running 0.9.2 release on both a .386 and a .x86_64 system
>
> I think the location of the auth optional pam_shield.so line within the /etc/pam.d/ config files is important?? I had an error on the 64 bit machine thus it was not running - I have now fixed and after looking at the response from S.Tindall I have moved the line to the location as shown in /etc/pam.d/system-auth-ac:
>
> snip
> auth        required      pam_env.so
> auth        sufficient    pam_unix.so nullok try_first_pass
> auth        requisite     pam_succeed_if.so uid = 500 quiet
> auth        sufficient    pam_krb5.so use_first_pass
> auth        optional      pam_shield.so
> auth        required      pam_deny.so
> snip
>
> Let's see if this works.

I've tried that too and it was a good suggestion as su now crashes only if you enter a wrong password. I've also tried to rebuild rpmforge srpm with no luck.

Could you really make this thing work? I mean did it actually block anything after a series of failed logins?

Sasha
___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] PAM_shield locking me out?
On Fri, 27 Aug 2010, A. Kirillov wrote:

>>>> Yesterday I installed pam_shield and followed the testing suggested and thought all was well. Today I find that I cannot get to my email account, I can login via ssh okay (uses keys) but su and sudo give segmentation faults. I am guessing due to the pam module causing a problem. As I cannot do remote login as root and sudo and su use pam I appear to have locked myself out.
>>>
>>> I have not encountered this issue. And I have been using it on 32bit and 64bit machines with RHEL4 and RHEL5. I guess it must be related to a configuration issue somewhere. Not good though.
>>>
>>> Was this with the 0.9.2 release, or the 0.9.3 release? Please provide this information to the author, he might help you find the cause and fix it in pam_shield.
>>>
>>> Thanks for reporting,
>>
>> Update - running 0.9.2 release on both a .386 and a .x86_64 system
>>
>> I think the location of the auth optional pam_shield.so line within the /etc/pam.d/ config files is important?? I had an error on the 64 bit machine thus it was not running - I have now fixed and after looking at the response from S.Tindall I have moved the line to the location as shown in /etc/pam.d/system-auth-ac:
>>
>> snip
>> auth        required      pam_env.so
>> auth        sufficient    pam_unix.so nullok try_first_pass
>> auth        requisite     pam_succeed_if.so uid = 500 quiet
>> auth        sufficient    pam_krb5.so use_first_pass
>> auth        optional      pam_shield.so
>> auth        required      pam_deny.so
>> snip
>>
>> Let's see if this works.
>
> I've tried that too and it was a good suggestion as su now crashes only if you enter a wrong password. I've also tried to rebuild rpmforge srpm with no luck.
>
> Could you really make this thing work? I mean did it actually block anything after a series of failed logins?

As I said, we use it for various services on all Internet-bound systems. And yes it works fine.

Example: /etc/pam.d/sshd
--
    #%PAM-1.0
    auth       optional     pam_shield.so
    auth       include      system-auth
    account    required     pam_nologin.so
    account    include      system-auth
    password   include      system-auth
    session    optional     pam_keyinit.so force revoke
    session    include      system-auth
    session    required     pam_loginuid.so
--

You don't want to add this to /etc/pam.d/system-auth simply because it makes no sense to enable pam_shield for things like su, screen, reboot, etc...

If you understand what pam_shield does (eg. read the documentation), you'd never want to enable it for all PAM services that use system-auth. EVER.

--
-- dag wieers, d...@wieers.com, http://dag.wieers.com/
-- [Any errors in spelling, tact or fact are transmission errors]
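An added example, not part of the thread and not pam_shield's own code: a shell check that lists which PAM services would run pam_shield, either from their own file or through an include of a shared stack such as system-auth, which is the distinction drawn in the message above. The function names and the two constructed sample trees are assumptions made for illustration.

```shell
#!/bin/sh
# List PAM services that would run pam_shield, directly or via an included stack.

# True if FILE has an active (not commented-out) pam_shield.so line.
has_shield() {
    grep -Eq '^[[:space:]]*[^#[:space:]][^#]*pam_shield\.so' "$1"
}

# Names of the stacks FILE pulls in with "include" or "substack".
included() {
    awk '$1 !~ /^#/ && ($2 == "include" || $2 == "substack") { print $3 }' "$1"
}

# reaches_shield DIR NAME DEPTH: print the file that loads pam_shield for NAME.
reaches_shield() {
    [ "$3" -le 8 ] || return 1              # stop on include loops
    [ -f "$1/$2" ] || return 1
    if has_shield "$1/$2"; then echo "$2"; return 0; fi
    for inc in $(included "$1/$2"); do
        reaches_shield "$1" "$inc" $(( $3 + 1 )) && return 0
    done
    return 1
}

# audit_pam_shield [DIR]: print one line per service that reaches pam_shield.
audit_pam_shield() {
    dir=${1:-/etc/pam.d}
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        svc=${f##*/}
        src=$(reaches_shield "$dir" "$svc" 0) || continue
        if [ "$src" = "$svc" ]; then echo "$svc: direct"
        else echo "$svc: via $src"; fi
    done
}

# Constructed sample trees (not real system files): "shared" carries the line
# in system-auth, "scoped" carries it only in sshd.
make_sample() {
    mkdir -p "$1/shared" "$1/scoped"
    for d in shared scoped; do
        printf 'auth include system-auth\n' > "$1/$d/su"
        printf 'auth include system-auth\n' > "$1/$d/sshd"
        printf 'auth sufficient pam_unix.so\nauth required pam_deny.so\n' \
            > "$1/$d/system-auth"
    done
    printf 'auth optional pam_shield.so\n' >> "$1/shared/system-auth"
    printf '#%%PAM-1.0\nauth optional pam_shield.so\nauth include system-auth\n' \
        > "$1/scoped/sshd"
}

tmp=$(mktemp -d) && make_sample "$tmp"
audit_pam_shield "$tmp/shared"; audit_pam_shield "$tmp/scoped"
rm -rf "$tmp"
```

Run with no argument it reads /etc/pam.d; any service reported as "via system-auth" (su, login and so on) is one that the shared-stack placement would affect.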
Re: [CentOS] PAM_shield locking me out?
>>>>> Yesterday I installed pam_shield and followed the testing suggested and thought all was well. Today I find that I cannot get to my email account, I can login via ssh okay (uses keys) but su and sudo give segmentation faults. I am guessing due to the pam module causing a problem. As I cannot do remote login as root and sudo and su use pam I appear to have locked myself out.
>>>>
>>>> I have not encountered this issue. And I have been using it on 32bit and 64bit machines with RHEL4 and RHEL5. I guess it must be related to a configuration issue somewhere. Not good though.
>>>>
>>>> Was this with the 0.9.2 release, or the 0.9.3 release? Please provide this information to the author, he might help you find the cause and fix it in pam_shield.
>>>>
>>>> Thanks for reporting,
>>>
>>> Update - running 0.9.2 release on both a .386 and a .x86_64 system
>>>
>>> I think the location of the auth optional pam_shield.so line within the /etc/pam.d/ config files is important?? I had an error on the 64 bit machine thus it was not running - I have now fixed and after looking at the response from S.Tindall I have moved the line to the location as shown in /etc/pam.d/system-auth-ac:
>>>
>>> snip
>>> auth        required      pam_env.so
>>> auth        sufficient    pam_unix.so nullok try_first_pass
>>> auth        requisite     pam_succeed_if.so uid = 500 quiet
>>> auth        sufficient    pam_krb5.so use_first_pass
>>> auth        optional      pam_shield.so
>>> auth        required      pam_deny.so
>>> snip
>>>
>>> Let's see if this works.
>>
>> I've tried that too and it was a good suggestion as su now crashes only if you enter a wrong password. I've also tried to rebuild rpmforge srpm with no luck.
>>
>> Could you really make this thing work? I mean did it actually block anything after a series of failed logins?
>
> As I said, we use it for various services on all Internet-bound systems. And yes it works fine.
>
> Example: /etc/pam.d/sshd
> --
> #%PAM-1.0
> auth       optional     pam_shield.so
> auth       include      system-auth
> account    required     pam_nologin.so
> account    include      system-auth
> password   include      system-auth
> session    optional     pam_keyinit.so force revoke
> session    include      system-auth
> session    required     pam_loginuid.so
> --
>
> You don't want to add this to /etc/pam.d/system-auth simply because it makes no sense to enable pam_shield for things like su, screen, reboot, etc...
>
> If you understand what pam_shield does (eg. read the documentation), you'd never want to enable it for all PAM services that use system-auth. EVER.

I'm in no way a pam expert, yes. So I have to rely on the documentation which comes with the package.

    # cat /usr/share/doc/pam_shield-0.9.3/INSTALL
    ...
    If you want to use pam_shield for all services, edit
    /etc/pam.d/common-auth. Add the line
    auth optional pam_shield.so
    and that's that.
    ...

And that's about the only hint on how and where to enable pam_shield. I've tried to add this line to /etc/pam.d/sshd too. Fortunately it didn't crash anything but it didn't work either.

# diff -bB /etc/security/shield.conf.original /etc/security/shield.conf 56c56 max_conns 10 --- max_conns 3 67c67 interval 5m --- interval 60 72c72 retention 1w --- retention 60

The system is 64-bit centos 5.5, fully updated. Switching off selinux didn't help.

So the question remains. Could anybody besides the maintainer make this very version of pam_shield (0.9.3-1.el5.rf.x86_64) work?

Thanks
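Review bot: at 67c67 and 72c72 the new values "interval 60" and "retention 60" drop the unit suffix that the original values carried ("5m", "1w"), so the diff alone does not show what unit 60 is read in; write the unit explicitly on both lines. The two settings also end up equal, so it is worth stating whether a retention period no longer than the counting interval is what this test intends.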
Re: [CentOS] PAM_shield locking me out?
Dag Wieers wrote:
> On Tue, 24 Aug 2010, Rob Kampen wrote:
>
>> Yesterday I installed pam_shield and followed the testing suggested and thought all was well. Today I find that I cannot get to my email account, I can login via ssh okay (uses keys) but su and sudo give segmentation faults. I am guessing due to the pam module causing a problem. As I cannot do remote login as root and sudo and su use pam I appear to have locked myself out.
>
> I have not encountered this issue. And I have been using it on 32bit and 64bit machines with RHEL4 and RHEL5. I guess it must be related to a configuration issue somewhere. Not good though.
>
> Was this with the 0.9.2 release, or the 0.9.3 release? Please provide this information to the author, he might help you find the cause and fix it in pam_shield.
>
> Thanks for reporting,

Update - running 0.9.2 release on both a .386 and a .x86_64 system

I think the location of the auth optional pam_shield.so line within the /etc/pam.d/ config files is important?? I had an error on the 64 bit machine thus it was not running - I have now fixed and after looking at the response from S.Tindall I have moved the line to the location as shown in /etc/pam.d/system-auth-ac:

snip
    auth        required      pam_env.so
    auth        sufficient    pam_unix.so nullok try_first_pass
    auth        requisite     pam_succeed_if.so uid = 500 quiet
    auth        sufficient    pam_krb5.so use_first_pass
    auth        optional      pam_shield.so
    auth        required      pam_deny.so
snip

Let's see if this works.
Re: [CentOS] PAM_shield locking me out?
On Tue, 24 Aug 2010, Rob Kampen wrote:

> Yesterday I installed pam_shield and followed the testing suggested and thought all was well. Today I find that I cannot get to my email account, I can login via ssh okay (uses keys) but su and sudo give segmentation faults. I am guessing due to the pam module causing a problem. As I cannot do remote login as root and sudo and su use pam I appear to have locked myself out.

I have not encountered this issue. And I have been using it on 32bit and 64bit machines with RHEL4 and RHEL5. I guess it must be related to a configuration issue somewhere. Not good though.

Was this with the 0.9.2 release, or the 0.9.3 release? Please provide this information to the author, he might help you find the cause and fix it in pam_shield.

Thanks for reporting,

--
-- dag wieers, d...@wieers.com, http://dag.wieers.com/
-- [Any errors in spelling, tact or fact are transmission errors]
[CentOS] PAM_shield locking me out?
Yesterday I installed pam_shield and followed the testing suggested and thought all was well. Today I find that I cannot get to my email account, I can login via ssh okay (uses keys) but su and sudo give segmentation faults. I am guessing due to the pam module causing a problem. As I cannot do remote login as root and sudo and su use pam I appear to have locked myself out.

Any words of wisdom from those a little more knowledgeable?

Why do I keep trying new things - I like to improve my system and harden it against constant script kiddies (many different triers per day), but despite reading all the instructions I fall into a hole I cannot climb out of.

Hopefully someone has an idea

BTW - the console also fails to allow login

TIA
Rob
Re: [CentOS] PAM_shield locking me out?
On Tue, August 24, 2010 17:29, Rob Kampen wrote:
> Yesterday I installed pam_shield and followed the testing suggested and thought all was well. Today I find that I cannot get to my email account, I can login via ssh okay (uses keys) but su and sudo give segmentation faults. I am guessing due to the pam module causing a problem.
> ...
> BTW - the console also fails to allow login
> TIA
> Rob

You'll need to boot into Single User Mode and undo or just check your pam configuration:

From: http://www.centos.org/docs/5/html/Installation_Guide-en-US/s1-rescuemode-booting-single.html

At the GRUB splash screen at boot time, press any key to enter the GRUB interactive menu. Select Red Hat Enterprise Linux with the version of the kernel that you wish to boot and type a to append the line.

Go to the end of the line and type single as a separate word (press the Spacebar and then type single). Press Enter to exit edit mode.
Re: [CentOS] PAM_shield locking me out?
Giles Coochey wrote:
> On Tue, August 24, 2010 17:29, Rob Kampen wrote:
>> Yesterday I installed pam_shield and followed the testing suggested and thought all was well. Today I find that I cannot get to my email account, I can login via ssh okay (uses keys) but su and sudo give segmentation faults. I am guessing due to the pam module causing a problem.
>> ...
>> BTW - the console also fails to allow login
>> TIA
>> Rob
>
> You'll need to boot into Single User Mode and undo or just check your pam configuration:
>
> From: http://www.centos.org/docs/5/html/Installation_Guide-en-US/s1-rescuemode-booting-single.html
>
> At the GRUB splash screen at boot time, press any key to enter the GRUB interactive menu. Select Red Hat Enterprise Linux with the version of the kernel that you wish to boot and type a to append the line.
>
> Go to the end of the line and type single as a separate word (press the Spacebar and then type single). Press Enter to exit edit mode.

Worked just fine - thanks. Now I just need to work out what went wrong.
Re: [CentOS] PAM_shield locking me out?
> Yesterday I installed pam_shield and followed the testing suggested and thought all was well. Today I find that I cannot get to my email account, I can login via ssh okay (uses keys) but su and sudo give segmentation faults. I am guessing due to the pam module causing a problem. As I cannot do remote login as root and sudo and su use pam I appear to have locked myself out.

Same here. Is it a 64-bit system?

    # cat /var/log/messages | grep -i segfault
    Aug 24 06:41:18 angara kernel: login[1678]: segfault at rip 003816a79f34 rsp 7fff0663cce8 error 4
    Aug 24 06:41:21 angara kernel: login[1708]: segfault at rip 003816a79f34 rsp 7fff66c609b8 error 4
    Aug 24 06:46:45 angara kernel: login[5933]: segfault at rip 003816a79f34 rsp 7fffc003eb38 error 4

Would the maintainer care to give a hand?

Thanks,
Sasha
Re: [CentOS] PAM_shield locking me out?
A. Kirillov wrote:
>> Yesterday I installed pam_shield and followed the testing suggested and thought all was well. Today I find that I cannot get to my email account, I can login via ssh okay (uses keys) but su and sudo give segmentation faults. I am guessing due to the pam module causing a problem. As I cannot do remote login as root and sudo and su use pam I appear to have locked myself out.
>
> Same here. Is it a 64-bit system?

No my server is 32 bit and I think there were no seg faults in actuality - the pam_shield module was causing a ?? response to su and sudo auth requests and they reported segmentation error - nothing in the logs - I assume that it had somehow locked my account and thus all auth requests to pam were being dumped. It also appeared to do the same to the login prompt on the console - any user entered just went back to the login prompt no request for the password, I have thus commented out the auth line I added yesterday until I work out what went wrong.

I am wondering if I entered the auth line in the wrong place?? Anyone know where it should go? The instructions from the INSTALL file in the tar.gz that I used was not centos / rh specific.

HTH
Rob

> # cat /var/log/messages | grep -i segfault
> Aug 24 06:41:18 angara kernel: login[1678]: segfault at rip 003816a79f34 rsp 7fff0663cce8 error 4
> Aug 24 06:41:21 angara kernel: login[1708]: segfault at rip 003816a79f34 rsp 7fff66c609b8 error 4
> Aug 24 06:46:45 angara kernel: login[5933]: segfault at rip 003816a79f34 rsp 7fffc003eb38 error 4
>
> Would the maintainer care to give a hand?
>
> Thanks,
> Sasha
Re: [CentOS] PAM_shield locking me out?
On Tue, 2010-08-24 at 14:56 -0400, Rob Kampen wrote:
> No my server is 32 bit and I think there were no seg faults in actuality - the pam_shield module was causing a ?? response to su and sudo auth requests and they reported segmentation error - nothing in the logs - I assume that it had somehow locked my account and thus all auth requests to pam were being dumped. It also appeared to do the same to the login prompt on the console - any user entered just went back to the login prompt no request for the password, I have thus commented out the auth line I added yesterday until I work out what went wrong.
>
> I am wondering if I entered the auth line in the wrong place?? Anyone know where it should go? The instructions from the INSTALL file in the tar.gz that I used was not centos / rh specific.
>
> HTH
> Rob

A pam_shield-related login failure happened to me once and fixing system-auth cured it. It happened too long ago to remember the details, but I think the failure was on centos 4. The thing that sticks in my mind was the inability of any user to login from a console.

Here are the examples you requested.

Centos 4 example (64-bit):

    # cat /etc/pam.d/system-auth
    ...
    auth        required      /lib/security/$ISA/pam_env.so
    auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
    #
    auth        optional      /lib64/security/pam_shield.so
    #
    auth        required      /lib/security/$ISA/pam_deny.so
    ...

Centos 5 example:

    # cat /etc/pam.d/system-auth
    ...
    auth        required      pam_env.so
    auth        sufficient    pam_unix.so nullok try_first_pass
    #
    auth        optional      pam_shield.so
    #
    auth        requisite     pam_succeed_if.so uid = 500 quiet
    auth        required      pam_deny.so
    ...

rhel6-beta2 example:

    ...
    # cat /etc/pam.d/system-auth
    ...
    auth        required      pam_env.so
    auth        sufficient    pam_fprintd.so
    auth        sufficient    pam_unix.so nullok try_first_pass
    #
    auth        optional      pam_shield.so
    #
    auth        requisite     pam_succeed_if.so uid = 500 quiet
    auth        required      pam_deny.so
    ...

Steve