[rsbac] "normal user" can't login

Michael Decker MDecker at tesis.de
Thu Jul 20 17:58:38 CEST 2006


	Hi,

I'm using Gentoo and followed this guide to set up RSBAC user management:
http://gentoo-wiki.com/RSBAC%2C_Who_is_root_anyway%3F#Installation_and_Configuration

After this I can log in as root (0) and as secoff (400), but my "normal
user" maintenance is not allowed to log in either by ssh or directly, but
I don't understand why. And why does sshd try to use /etc/shadow?

Perhaps somebody could help me here.

Some additional information following.

Thanks a lot,
	Michael Decker

----

Setting passwords:
	--- SNIP --
# rsbac_passwd -n 0
# rsbac_passwd -n 400
# rsbac_passwd -n 1000
	--- SNAP ---

/var/log/auth.log:
	--- SNIP --
Jul 20 19:33:28 gentoo-04 login[6414]: FAILED LOGIN 2 FROM /dev/tty1 FOR
root, Authentication failure
Jul 20 19:33:59 gentoo-04 sshd[7820]: fatal: Timeout before
authentication for 192.168.31.1
Jul 20 19:34:26 gentoo-04 login[7827]: (pam_rsbac) session opened for
user root by LOGIN(uid=0)
Jul 20 19:34:30 gentoo-04 login[7827]: (pam_rsbac) session closed for
user root
Jul 20 19:35:07 gentoo-04 sshd[7833]: error: Could not get shadow
information for maintenance
Jul 20 19:35:08 gentoo-04 sshd[7833]: Failed password for maintenance
from 192.168.31.1 port 3683 ssh2
Jul 20 19:35:10 gentoo-04 sshd[7833]: Failed password for maintenance
from 192.168.31.1 port 3683 ssh2
Jul 20 19:36:41 gentoo-04 login[7832]: (pam_rsbac) could not
authenticate user maintenance
Jul 20 19:36:41 gentoo-04 login[7832]: FAILED LOGIN 1 FROM /dev/tty1 FOR
maintenance, Authentication failure
Jul 20 19:37:04 gentoo-04 sshd[7833]: fatal: Timeout before
authentication for 192.168.31.1
Jul 20 19:37:21 gentoo-04 login[7832]: (pam_rsbac) could not
authenticate user maintenance
Jul 20 19:37:21 gentoo-04 login[7832]: FAILED LOGIN 2 FROM /dev/tty1 FOR
maintenance, Authentication failure
Jul 20 19:40:03 gentoo-04 login[7840]: (pam_rsbac) session opened for
user secoff by LOGIN(uid=0)
Jul 20 19:40:15 gentoo-04 login[7840]: (pam_rsbac) session closed for
user secoff
Jul 20 19:40:58 gentoo-04 sshd[7882]: error: Could not get shadow
information for maintenance
Jul 20 19:40:58 gentoo-04 sshd[7882]: Failed password for maintenance
from 192.168.31.1 port 3710 ssh2
Jul 20 19:41:03 gentoo-04 sshd[7882]: Failed password for maintenance
from 192.168.31.1 port 3710 ssh2
Jul 20 19:42:57 gentoo-04 sshd[7882]: fatal: Timeout before
authentication for 192.168.31.1
	--- SNAP ---

/etc/pam.d/sshd:
	--- SNIP ---
auth       include      system-auth
auth       required     pam_shells.so
auth       required     pam_nologin.so
account    include      system-auth
password   include      system-auth
session    include      system-auth
	--- SNAP ---

# cat /proc/rsbac-info/active:
	--- SNIP ---
Version: 1.2.5
Mode: SOFTMODE
Softmode: available
Ind-Soft: available
Switching: unavailable
Module: REG  on
Module: DAZ  on
Module: RC   on
Module: AUTH on
Module: PAX  on
	--- SNAP ---

Current kernel options:
	--- SNIP ---
kernel /boot/linux-2.6.14-rsbac-r1-proto-pax-rsbac-auth-rc-dac-pax-try3
root=/dev/hda3 rootflags=data=journal rsbac_softmode console=ttyS0,57600
console=tty0
	--- SNAP ---

# emerge --info:
	--- SNIP ---
>>> cfg-update-1.8.0-r3 : No new packages have been emerged, checksum
index OK...
Portage 2.1.1_pre2-r4 (hardened/x86/2.6, gcc-3.4.6/hardened,
glibc-2.3.6-r4, 2.6.14-rsbac-r1-rsbac i686)
=================================================================
System uname: 2.6.14-rsbac-r1-rsbac i686 Intel(R) Pentium(R) D CPU 3.00GHz
Gentoo Base System version 1.6.13
dev-lang/python:     2.4.3-r1
dev-python/pycrypto: 2.0.1-r5
dev-util/ccache:     [Not Present]
dev-util/confcache:  [Not Present]
sys-apps/sandbox:    1.2.18.1
sys-devel/autoconf:  2.13, 2.60
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2
sys-devel/binutils:  2.17
sys-devel/gcc-config: 2.0.0_rc1
sys-devel/libtool:   1.5.22
virtual/os-headers:  2.6.11-r5
ACCEPT_KEYWORDS="x86 ~x86"
AUTOCLEAN="yes"
CBUILD="i386-pc-linux-gnu"
CFLAGS="-O2 -march=pentium4"
CHOST="i386-pc-linux-gnu"
CONFIG_PROTECT="/etc"
CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/eselect/compiler
/etc/gconf /etc/java-config/vms/ /etc/revdep-rebuild /etc/terminfo"
CXXFLAGS="-O2 -march=pentium4"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoconfig distlocks metadata-transfer sandbox sfperms strict"
GENTOO_MIRRORS="http://ftp.uni-erlangen.de/pub/mirrors/gentoo
http://mirrors.sec.informatik.tu-darmstadt.de/gentoo/
http://ftp-stud.fht-esslingen.de/pub/Mirrors/gentoo/
http://pandemonium.tiscali.de/pub/gentoo/ http://gentoo.intergenia.de
http://files.gentoo.org http://ftp.ntua.gr/pub/linux/gentoo/
http://linux.rz.ruhr-uni-bochum.de/download/gentoo-mirror/ "
MAKEOPTS="-j3"
PKGDIR="/usr/portage//packages/x86/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times
--compress --force --whole-file --delete --delete-after --stats
--timeout=180 --exclude='/distfiles' --exclude='/local'
--exclude='/packages'"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage/"
SYNC="rsync://rsync.europe.gentoo.org/gentoo-portage"
USE="apache2 berkdb bzip2 clamav crypt dlloader doc hardened java ldap
mysql nls pam pic readline ssl tcpd threads userlocales x86 xml xorg
zlib elibc_glibc input_devices_mouse input_devices_keyboard kernel_linux
userland_GNU"
Unset:  CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LC_ALL,
LDFLAGS, LINGUAS, PORTAGE_RSYNC_EXTRA_OPTS, PORTDIR_OVERLAY
	--- SNAP ---

-- 
Michael Decker                      Michael.Decker at tesis.de
TESIS SYSware GmbH                      http://www.tesis.de
Baierbrunnerstr. 15 * 81379 Muenchen * Tel. +49 89 747377-0
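
A triage sketch for the auth.log excerpt in the message above, added here as an example and not part of the original post: it rejoins the mail-wrapped syslog records and counts, per service and user, which authentication events were logged. The event labels and function names are this example's own; the sample records are copied from the excerpt.

```python
import re
from collections import defaultdict
# Constructed sample: records copied from the post's auth.log excerpt, still
# hard-wrapped the way the mail client left them.
SAMPLE = """\
Jul 20 19:34:26 gentoo-04 login[7827]: (pam_rsbac) session opened for
user root by LOGIN(uid=0)
Jul 20 19:35:07 gentoo-04 sshd[7833]: error: Could not get shadow
information for maintenance
Jul 20 19:35:08 gentoo-04 sshd[7833]: Failed password for maintenance
from 192.168.31.1 port 3683 ssh2
Jul 20 19:36:41 gentoo-04 login[7832]: (pam_rsbac) could not
authenticate user maintenance
Jul 20 19:36:41 gentoo-04 login[7832]: FAILED LOGIN 1 FROM /dev/tty1 FOR
maintenance, Authentication failure
"""

HEAD = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d \S+ (\w+)\[(\d+)\]: (.*)$")
EVENTS = [  # (label chosen for this example, pattern capturing the user name)
    ("rsbac_session_opened", re.compile(r"\(pam_rsbac\) session opened for user (\S+)")),
    ("rsbac_auth_failed", re.compile(r"\(pam_rsbac\) could not authenticate user (\S+)")),
    ("shadow_lookup_failed", re.compile(r"Could not get shadow information for (\S+)")),
    ("password_failed", re.compile(r"Failed password for (?:invalid user )?(\S+) from")),
    ("login_failed", re.compile(r"FAILED LOGIN \d+ FROM \S+ FOR (\w+),")),
]

def unwrap(text):
    """Rejoin hard-wrapped syslog records; a new record starts with a timestamp."""
    records = []
    for line in filter(None, map(str.strip, text.splitlines())):
        if HEAD.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line  # continuation of the previous record
    return records

def summarize(text):
    """Return {(service, user): {event_label: count}} for the given log text."""
    table = defaultdict(lambda: defaultdict(int))
    for m in filter(None, map(HEAD.match, unwrap(text))):
        service, msg = m.group(1, 3)
        for label, pat in EVENTS:
            hit = pat.search(msg)
            if hit:
                table[(service, hit.group(1))][label] += 1
    return {key: dict(counts) for key, counts in table.items()}

if __name__ == "__main__":
    for key, counts in sorted(summarize(SAMPLE).items()): print(key, counts)
```

On these records the sshd entries for maintenance show only the shadow lookup and password failures, while the pam_rsbac messages appear only under login.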


