-
Bug
-
Resolution: Done-Errata
-
Major
-
rhel-9.0.0
-
pam-1.5.1-18.el9
-
None
-
Important
-
Customer Escalated
-
rhel-sst-idm-sssd
-
ssg_idm
-
23
-
24
-
0
-
False
-
-
No
-
None
-
Pass
-
Automated
-
If docs needed, set a value
-
-
Unspecified
-
None
Description of problem:
Using "pam_access", ssh login failed with below entry in /etc/security/access.conf:
-------
+:username:localhost server1.example.com
-------
Version-Release number of selected component (if applicable):
How reproducible:
Steps to Reproduce:
1. On RHEL8.8 machine, enable "with-pamaccess" feature using authselect:
~~~~~
- authselect enable-feature with-pamaccess
~~~~~
2. Then configure /etc/security/access.conf as below:
-------
+:username:localhost server1.example.com
-------
3. Try to login with the user .
~~~~
- ssh username@localhost
- ssh username@server1.example.com
~~~~
4. It only works when below /etc/security/access.conf file configured as below:
-------
+:username:127.0.0.1 ::1 x.x.x.x
-------
*Actual IP-address is replaced with x.x.x.x
Actual results:
Login failed, as access denied in the account section.
Expected results:
Successful login using "pam_access". ssh login should work with below entry in /etc/security/access.conf:
-------
+:username:localhost server1.example.com
-------
Additional info:
Reproduced as below on test-box:
[root@rhds12 ~]# cat /etc/redhat-release
Red Hat Enterprise Linux release 8.8 (Ootpa)
[root@rhds12 ~]# id test21
uid=1007(test21) gid=1007(test21) groups=1007(test21)
[root@rhds12 ~]# cat /etc/security/access.conf | grep -v -e "^#"
+:root:ALL
+ : test19 : ALL
+:test21:localhost
-:ALL:ALL
[root@rhds12 ~]# hostname
rhds12.example.com
[root@rhds12 ~]# authselect current
Profile ID: sssd
Enabled features:
- with-mkhomedir
- with-pwhistory
- with-faillock
- with-pamaccess
[root@rhds12 ~]# cat /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
x.x.x.x rhds12.example.com
=====================
[root@rhds12 ~]# ssh test21@localhost
test21@localhost's password:
Connection closed by ::1 port 22
--------
[root@rhds12 ~]# tail -n 6 /var/log/secure
Aug 3 12:12:52 rhds12 sshd[2076290]: pam_access(sshd:account): access denied for user `test21' from `::1'
Aug 3 12:12:52 rhds12 sshd[2076290]: Failed password for test21 from ::1 port 50230 ssh2
Aug 3 12:12:52 rhds12 sshd[2076290]: fatal: Access denied for user test21 by PAM account configuration [preauth]
Aug 3 12:13:45 rhds12 sshd[2076360]: pam_access(sshd:account): access denied for user `test21' from `::1'
Aug 3 12:13:45 rhds12 sshd[2076360]: Failed password for test21 from ::1 port 56414 ssh2
Aug 3 12:13:45 rhds12 sshd[2076360]: fatal: Access denied for user test21 by PAM account configuration [preauth]
-------
- Now, replaced localhost with 127.0.0.1
----------
[root@rhds12 ~]# cat /etc/security/access.conf | grep -v -e "^#" | grep test21
+:test21:127.0.0.1
----------
- But still failed to login with localhost:
-----------------
[root@rhds12 ~]# ssh test21@localhost
test21@localhost's password:
Connection closed by ::1 port 22
-----------------
-------
[root@rhds12 ~]# tail -n 3 /var/log/secure
Aug 3 12:17:15 rhds12 sshd[2076613]: pam_access(sshd:account): access denied for user `test21' from `::1'
Aug 3 12:17:15 rhds12 sshd[2076613]: Failed password for test21 from ::1 port 36390 ssh2
Aug 3 12:17:15 rhds12 sshd[2076613]: fatal: Access denied for user test21 by PAM account configuration [preauth]
-------
- Now added ::1 (i.e IPv6 loopback) in /etc/security/access.conf:
------
[root@rhds12 ~]# cat /etc/security/access.conf | grep -v -e "^#" | grep test21
+:test21:127.0.0.1 ::1
------
- Tried to login and it worked fine:
------------
[root@rhds12 ~]# ssh test21@localhost
test21@localhost's password:
There were 3 failed login attempts since the last successful login.
[test21@rhds12 ~]$
-------------
=======================
- Now added hostname of the machine, so that it can be accessed with hostname:
--------
[root@rhds12 ~]# cat /etc/security/access.conf | grep -v -e "^#" | grep test21
+:test21:127.0.0.1 ::1 rhds12.example.com
--------
- But login failed:
-------
[root@rhds12 ~]# ssh test21@rhds12.example.com
test21@rhds12.example.com's password:
Connection closed by x.x.x.x port 22
-------
------
Aug 3 12:24:39 rhds12 sshd[2077143]: pam_access(sshd:account): access denied for user `test21' from `x.x.x.x'
------
- Now added IP-address instead of hostname:
---------
[root@rhds12 ~]# cat /etc/security/access.conf | grep -v -e "^#" | grep test21
+:test21:127.0.0.1 ::1 x.x.x.x
---------
- Tried to login and it worked fine when logged in with hostname:
--------
[root@rhds12 ~]# ssh test21@rhds12.example.com
test21@rhds12.example.com's password:
There were 2 failed login attempts since the last successful login.
Last login: Thu Aug 3 12:20:06 2023 from ::1
[test21@rhds12 ~]$
---------
=============================
- causes
-
RHEL-39943 pam_access(sshd:account): cannot resolve hostname "LOCAL" after upgrading to pam-1.5.1-19
- Integration
- clones
-
RHEL-3374 Using "pam_access", ssh login fails with this entry in /etc/security/access.conf "+:username:localhost server1.example.com"
- Closed
- links to
-
RHBA-2023:123902 pam bug fix and enhancement update
- mentioned on