RHEL-22300

[RHEL9] Using "pam_access", ssh login fails with this entry in /etc/security/access.conf "+:username:localhost server1.example.com"

    • pam-1.5.1-18.el9
    • Important
    • Customer Escalated
    • rhel-sst-idm-sssd
    • ssg_idm

      Description of problem:

      Using "pam_access", ssh login fails with the entry below in /etc/security/access.conf:
      -------
      +:username:localhost server1.example.com
      -------

      Version-Release number of selected component (if applicable):

      How reproducible:

      Steps to Reproduce:

      1. On RHEL8.8 machine, enable "with-pamaccess" feature using authselect:
         ~~~~~
         authselect enable-feature with-pamaccess
         ~~~~~

      2. Then configure /etc/security/access.conf as below:
         -------
         +:username:localhost server1.example.com
         -------

      3. Try to log in with the user:
         ~~~~
         ssh username@localhost
         ssh username@server1.example.com
         ~~~~

      4. It only works when /etc/security/access.conf is configured as below:
      -------
      +:username:127.0.0.1 ::1 x.x.x.x
      -------

      *Actual IP-address is replaced with x.x.x.x

      Actual results:

      Login failed, as access denied in the account section.

      Expected results:

      Successful login using "pam_access". ssh login should work with below entry in /etc/security/access.conf:
      -------
      +:username:localhost server1.example.com
      -------

      Additional info:

      Reproduced as below on test-box:

      [root@rhds12 ~]# cat /etc/redhat-release
      Red Hat Enterprise Linux release 8.8 (Ootpa)

      [root@rhds12 ~]# id test21
      uid=1007(test21) gid=1007(test21) groups=1007(test21)

      [root@rhds12 ~]# cat /etc/security/access.conf | grep -v -e "^#"
      +:root:ALL
      + : test19 : ALL
      +:test21:localhost
      -:ALL:ALL

      [root@rhds12 ~]# hostname
      rhds12.example.com

      [root@rhds12 ~]# authselect current
      Profile ID: sssd
      Enabled features:

      • with-mkhomedir
      • with-pwhistory
      • with-faillock
      • with-pamaccess

      [root@rhds12 ~]# cat /etc/hosts
      127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
      ::1 localhost localhost.localdomain localhost6 localhost6.localdomain6

      x.x.x.x rhds12.example.com

      =====================
      [root@rhds12 ~]# ssh test21@localhost
      test21@localhost's password:
      Connection closed by ::1 port 22

      --------
      [root@rhds12 ~]# tail -n 6 /var/log/secure
      Aug 3 12:12:52 rhds12 sshd[2076290]: pam_access(sshd:account): access denied for user `test21' from `::1'
      Aug 3 12:12:52 rhds12 sshd[2076290]: Failed password for test21 from ::1 port 50230 ssh2
      Aug 3 12:12:52 rhds12 sshd[2076290]: fatal: Access denied for user test21 by PAM account configuration [preauth]
      Aug 3 12:13:45 rhds12 sshd[2076360]: pam_access(sshd:account): access denied for user `test21' from `::1'
      Aug 3 12:13:45 rhds12 sshd[2076360]: Failed password for test21 from ::1 port 56414 ssh2
      Aug 3 12:13:45 rhds12 sshd[2076360]: fatal: Access denied for user test21 by PAM account configuration [preauth]
      -------

      • Now, replaced localhost with 127.0.0.1
        ----------
        [root@rhds12 ~]# cat /etc/security/access.conf | grep -v -e "^#" | grep test21
        +:test21:127.0.0.1
        ----------
      • But still failed to login with localhost:
        -----------------
        [root@rhds12 ~]# ssh test21@localhost
        test21@localhost's password:
        Connection closed by ::1 port 22
        -----------------

      -------
      [root@rhds12 ~]# tail -n 3 /var/log/secure
      Aug 3 12:17:15 rhds12 sshd[2076613]: pam_access(sshd:account): access denied for user `test21' from `::1'
      Aug 3 12:17:15 rhds12 sshd[2076613]: Failed password for test21 from ::1 port 36390 ssh2
      Aug 3 12:17:15 rhds12 sshd[2076613]: fatal: Access denied for user test21 by PAM account configuration [preauth]
      -------

      • Now added ::1 (i.e. IPv6 loopback) in /etc/security/access.conf:
        ------
        [root@rhds12 ~]# cat /etc/security/access.conf | grep -v -e "^#" | grep test21
        +:test21:127.0.0.1 ::1
        ------
      • Tried to login and it worked fine:
        ------------
        [root@rhds12 ~]# ssh test21@localhost
        test21@localhost's password:

        There were 3 failed login attempts since the last successful login.
        [test21@rhds12 ~]$
        -------------
      =======================

      • Now added hostname of the machine, so that it can be accessed with hostname:
        --------
        [root@rhds12 ~]# cat /etc/security/access.conf | grep -v -e "^#" | grep test21
        +:test21:127.0.0.1 ::1 rhds12.example.com
        --------
      • But login failed:
        -------
        [root@rhds12 ~]# ssh test21@rhds12.example.com
        test21@rhds12.example.com's password:
        Connection closed by x.x.x.x port 22
        -------

      ------
      Aug 3 12:24:39 rhds12 sshd[2077143]: pam_access(sshd:account): access denied for user `test21' from `x.x.x.x'
      ------

      • Now added IP-address instead of hostname:
        ---------
        [root@rhds12 ~]# cat /etc/security/access.conf | grep -v -e "^#" | grep test21
        +:test21:127.0.0.1 ::1 x.x.x.x
        ---------
      • Tried to login and it worked fine when logged in with hostname:
        --------
        [root@rhds12 ~]# ssh test21@rhds12.example.com
        test21@rhds12.example.com's password:

        There were 2 failed login attempts since the last successful login.
        Last login: Thu Aug 3 12:20:06 2023 from ::1
        [test21@rhds12 ~]$
        ---------
      =============================

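      Added example covering the "Steps to Reproduce" and the test-box transcript above. This is editor-supplied code, not part of the bug report and not from the pam project. The transcript shows sshd logging the denied origin as `::1` and `x.x.x.x` rather than as "localhost" or "rhds12.example.com", and the login only succeeding once the rule listed the literal addresses (`+:test21:127.0.0.1 ::1 x.x.x.x`). The helper below turns a hostname-based origin list into that literal-address form by resolving each name against a hosts table, so an admin can see up front that "localhost" needs both the IPv4 and the IPv6 loopback. Everything not taken from the report is an assumption of this example: the hosts table is a constructed copy of the report's /etc/hosts, `192.0.2.10` stands in for the redacted `x.x.x.x`, and the function names (`is_ipaddr`, `resolve_name`, `expand_origins`, `access_rule`) are mine.

```shell
#!/bin/sh
# Added example, not part of the bug report or of pam_access itself:
# rewrite a pam_access origin list into the literal-address form that the
# report shows working when sshd hands PAM an address (`::1`, `x.x.x.x`)
# rather than a hostname.
#
# Assumptions (mine, not from the report): the hosts table is passed in as a
# string so the script runs offline, and 192.0.2.10 stands in for the
# redacted x.x.x.x.

# Constructed sample hosts table mirroring the report's /etc/hosts.
SAMPLE_HOSTS='127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6

192.0.2.10 rhds12.example.com'

# is_ipaddr WORD -> success if WORD already looks like an address literal.
# Good enough for access.conf tokens: any colon means IPv6, a digit-led
# dotted quad means IPv4 (CIDR/netmask forms pass the same test).
is_ipaddr() {
    case "$1" in
        *:*) return 0 ;;
        [0-9]*.[0-9]*.[0-9]*.[0-9]*) return 0 ;;
        *) return 1 ;;
    esac
}

# resolve_name HOSTS NAME -> every address whose line lists NAME, one per line.
# Reads only the supplied table (unlike getent), so the result is deterministic.
resolve_name() {
    printf '%s\n' "$1" | while read -r addr names; do
        case "$addr" in ''|\#*) continue ;; esac   # blank or comment line
        for n in $names; do
            if [ "$n" = "$2" ]; then
                printf '%s\n' "$addr"
                break
            fi
        done
    done
}

# expand_origins HOSTS "ORIGIN ORIGIN ..." -> space-separated address list.
# Hostnames become all of their addresses (localhost -> 127.0.0.1 ::1);
# address literals and the keywords ALL/LOCAL/EXCEPT pass through unchanged;
# a name the table cannot resolve is kept but flagged on stderr.
expand_origins() {
    out=
    for tok in $2; do
        if is_ipaddr "$tok"; then
            out="$out $tok"
            continue
        fi
        case "$tok" in
            ALL|LOCAL|EXCEPT) out="$out $tok"; continue ;;
        esac
        addrs=$(resolve_name "$1" "$tok")
        if [ -z "$addrs" ]; then
            echo "warning: $tok not found in hosts table; kept as-is" >&2
            out="$out $tok"
        else
            for a in $addrs; do out="$out $a"; done
        fi
    done
    printf '%s\n' "${out# }"
}

# access_rule USER HOSTS "ORIGINS" -> the +: line in address form.
access_rule() {
    printf '+:%s:%s\n' "$1" "$(expand_origins "$2" "$3")"
}

# Usage: the rule that failed in the report, rewritten to the form that worked.
access_rule test21 "$SAMPLE_HOSTS" "localhost rhds12.example.com"
# +:test21:127.0.0.1 ::1 192.0.2.10
```

      The script models only what goes into access.conf; it does not reproduce pam_access's own matching logic. On a real host the equivalent lookup for a single name is `getent ahosts localhost`, which likewise returns both loopback addresses from the hosts table shown in the report.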
              ipedrosa@redhat.com Iker Pedrosa
              rhn-support-alsharma Alok Sharma
              Iker Pedrosa Iker Pedrosa
              Anuj Borah Anuj Borah