I can't login from tty, but ssh and su login ok.

SimbaD
Posts: 6
Joined: 2016/10/05 16:16:14

I can't login from tty, but ssh and su login ok.

Post by SimbaD » 2016/10/05 16:57:14

I installed CentOS 7 using the console and everything was normal. The system worked, I updated it, everything was fine, and I logged in over SSH. Root access via SSH is closed; I use su.
Recently I needed to get into the console (TTY) and I am having trouble. Neither root nor the other user can log in.
SELinux is disabled.

/etc/pam.d/login:

#%PAM-1.0
auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
auth       substack     system-auth
auth       include      postlogin
account    required     pam_nologin.so
account    include      system-auth
password   include      system-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
session    optional     pam_console.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open
session    required     pam_namespace.so
session    optional     pam_keyinit.so force revoke
session    include      system-auth
session    include      postlogin
-session   optional     pam_ck_connector.so

/etc/securetty:

console
vc/1
vc/2
vc/3
vc/4
vc/5
vc/6
vc/7
vc/8
vc/9
vc/10
vc/11
tty1
tty2
tty3
tty4
tty5
tty6
tty7
tty8
tty9
tty10
tty11
ttyS0
ttysclp0
sclp_line0
3270/tty1
hvc0
hvc1
hvc2
hvc3
hvc4
hvc5
hvc6
hvc7
hvsi0
hvsi1
hvsi2
xvc0

/etc/pam.d/system-auth:

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     required      pam_permit.so

password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session     optional      pam_systemd.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so

/var/log/secure:

Oct  4 19:59:40 PresScanCentOS-72 login: pam_unix(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=tty1 ruser= rhost=  user=root
Oct  4 19:59:40 PresScanCentOS-72 login: pam_succeed_if(login:auth): requirement "uid >= 1000" not met by user "root"
Oct  4 19:59:42 PresScanCentOS-72 login: FAILED LOGIN 1 FROM tty1 FOR root, Authentication failure
Oct  4 19:59:45 PresScanCentOS-72 login: pam_unix(login:auth): check pass; user unknown
Oct  4 19:59:45 PresScanCentOS-72 login: pam_unix(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=tty1 ruser= rhost=
Oct  4 19:59:47 PresScanCentOS-72 login: FAILED LOGIN 2 FROM tty1 FOR (unknown), User not known to the underlying authentication module
Oct  4 19:59:57 PresScanCentOS-72 login: pam_succeed_if(login:auth): requirement "uid >= 1000" not met by user "root"
Oct  4 19:59:59 PresScanCentOS-72 login: FAILED LOGIN SESSION FROM tty1 FOR root, Authentication failure
Oct  4 19:59:59 PresScanCentOS-72 login: PAM 1 more authentication failure; logname=LOGIN uid=0 euid=0 tty=tty1 ruser= rhost=  user=root
Oct  4 20:00:18 PresScanCentOS-72 login: pam_unix(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=tty1 ruser= rhost=  user=simbad
Oct  4 20:00:19 PresScanCentOS-72 login: FAILED LOGIN 1 FROM tty1 FOR simbad, Authentication failure

/var/log/audit/audit.log:

type=USER_AUTH msg=audit(1475619911.738:151743): pid=836 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication grantors=pam_listfile,pam_shells,pam_unix acct="atemftp" exe="/usr/sbin/vsftpd" hostname=::ffff:87.239.26.76 addr=::ffff:87.239.26.76 terminal=ftp res=success'
type=USER_ACCT msg=audit(1475619911.738:151744): pid=836 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:accounting grantors=pam_unix,pam_localuser acct="atemftp" exe="/usr/sbin/vsftpd" hostname=::ffff:87.239.26.76 addr=::ffff:87.239.26.76 terminal=ftp res=success'
type=CRED_ACQ msg=audit(1475619911.738:151745): pid=836 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:setcred grantors=pam_listfile,pam_shells,pam_unix acct="atemftp" exe="/usr/sbin/vsftpd" hostname=::ffff:87.239.26.76 addr=::ffff:87.239.26.76 terminal=ftp res=success'
type=USER_AUTH msg=audit(1475619914.746:151746): pid=839 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication grantors=pam_listfile,pam_shells,pam_unix acct="atemftp" exe="/usr/sbin/vsftpd" hostname=::ffff:87.239.26.76 addr=::ffff:87.239.26.76 terminal=ftp res=success'
type=USER_ACCT msg=audit(1475619914.746:151747): pid=839 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:accounting grantors=pam_unix,pam_localuser acct="atemftp" exe="/usr/sbin/vsftpd" hostname=::ffff:87.239.26.76 addr=::ffff:87.239.26.76 terminal=ftp res=success'
type=CRED_ACQ msg=audit(1475619914.746:151748): pid=839 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:setcred grantors=pam_listfile,pam_shells,pam_unix acct="atemftp" exe="/usr/sbin/vsftpd" hostname=::ffff:87.239.26.76 addr=::ffff:87.239.26.76 terminal=ftp res=success'

type=USER_AUTH msg=audit(1475619917.469:151749): pid=28015 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication grantors=? acct="root" exe="/usr/bin/login" hostname=? addr=? terminal=tty1 res=failed'

type=USER_AUTH msg=audit(1475619917.743:151750): pid=843 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication grantors=pam_listfile,pam_shells,pam_unix acct="atemftp" exe="/usr/sbin/vsftpd" hostname=::ffff:87.239.26.76 addr=::ffff:87.239.26.76 terminal=ftp res=success'
type=USER_ACCT msg=audit(1475619917.743:151751): pid=843 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:accounting grantors=pam_unix,pam_localuser acct="atemftp" exe="/usr/sbin/vsftpd" hostname=::ffff:87.239.26.76 addr=::ffff:87.239.26.76 terminal=ftp res=success'
type=CRED_ACQ msg=audit(1475619917.743:151752): pid=843 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:setcred grantors=pam_listfile,pam_shells,pam_unix acct="atemftp" exe="/usr/sbin/vsftpd" hostname=::ffff:87.239.26.76 addr=::ffff:87.239.26.76 terminal=ftp res=success'

type=USER_LOGIN msg=audit(1475619919.354:151753): pid=28015 uid=0 auid=4294967295 ses=4294967295 msg='op=login id=0 exe="/usr/bin/login" hostname=? addr=? terminal=tty1 res=failed'

type=USER_AUTH msg=audit(1475619920.739:151754): pid=846 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication grantors=pam_listfile,pam_shells,pam_unix acct="atemftp" exe="/usr/sbin/vsftpd" hostname=::ffff:87.239.26.76 addr=::ffff:87.239.26.76 terminal=ftp res=success'
type=USER_ACCT msg=audit(1475619920.739:151755): pid=846 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:accounting grantors=pam_unix,pam_localuser acct="atemftp" exe="/usr/sbin/vsftpd" hostname=::ffff:87.239.26.76 addr=::ffff:87.239.26.76 terminal=ftp res=success'
type=CRED_ACQ msg=audit(1475619920.739:151756): pid=846 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:setcred grantors=pam_listfile,pam_shells,pam_unix acct="atemftp" exe="/usr/sbin/vsftpd" hostname=::ffff:87.239.26.76 addr=::ffff:87.239.26.76 terminal=ftp res=success'
type=SERVICE_STOP msg=audit(1475619924.357:151757): pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unit=getty@tty1 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=SERVICE_START msg=audit(1475619924.358:151758): pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unit=getty@tty1 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=SERVICE_STOP msg=audit(1475619924.358:151759): pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unit=getty@tty1 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=SERVICE_START msg=audit(1475619924.359:151760): pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unit=getty@tty1 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'


aks
Posts: 3069
Joined: 2014/09/20 11:22:14

Re: I can't login from tty, but ssh and su login ok.

Post by aks » 2016/10/10 16:35:14

Oct 4 19:59:57 PresScanCentOS-72 login: pam_succeed_if(login:auth): requirement "uid >= 1000" not met by user "root"
PAM Rule: pam_succeed_if.so uid >= 1000 quiet_success

Thus, you can't login as root.
Oct 4 20:00:18 PresScanCentOS-72 login: pam_unix(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=tty1 ruser= rhost= user=simbad
Oct 4 20:00:19 PresScanCentOS-72 login: FAILED LOGIN 1 FROM tty1 FOR simbad, Authentication failure
Is simbad a real local user and is his/her UID < 1000?
Have you typed the password correctly?
Do you have a /etc/nologin file?
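How the auth stack quoted in this thread combines its control flags, as an added example that is not code from any poster or from CentOS itself. It models the auth phase of /etc/pam.d/login with the system-auth substack flattened in, using constructed users, passwords and a subset of the posted /etc/securetty; pam_env and the postlogin include are left out.

```python
# Constructed model (not the thread's own files) of the auth phase of
# /etc/pam.d/login with its system-auth substack flattened in, evaluated
# with Linux-PAM control-flag semantics. Users and passwords are made up.
USERS = {"root": {"uid": 0, "pw": "r00t-pw"}, "simbad": {"uid": 1000, "pw": "simbad-pw"}}
SECURETTY = {"console", "tty1", "tty2", "hvc0"}   # subset of the posted /etc/securetty

def pam_securetty(ctx):   # restricts uid 0 only; non-root users always pass
    u = USERS.get(ctx["user"])
    if u is None:
        return "user_unknown"
    return "success" if u["uid"] != 0 or ctx["tty"] in SECURETTY else "auth_err"

def pam_unix(ctx):        # password check against the constructed table
    u = USERS.get(ctx["user"])
    return "success" if u and u["pw"] == ctx["password"] else "auth_err"

def pam_succeed_if_uid_ge_1000(ctx):   # quiet_success only hides the success log line
    u = USERS.get(ctx["user"])
    if u and u["uid"] >= 1000:
        return "success"
    ctx["log"].append('requirement "uid >= 1000" not met by user "%s"' % ctx["user"])
    return "auth_err"

def pam_deny(ctx): return "auth_err"
# Keyword controls are shorthand for the same [rc=action] tables as bracket syntax.
KEYWORDS = {"required":   {"success": "ok",   "default": "bad"},
            "requisite":  {"success": "ok",   "default": "die"},
            "sufficient": {"success": "done", "default": "ignore"}}
LOGIN_AUTH = [
    ({"user_unknown": "ignore", "success": "ok", "ignore": "ignore", "default": "bad"}, pam_securetty),
    ("sufficient", pam_unix),                 # pam_env left out: it always succeeds
    ("requisite", pam_succeed_if_uid_ge_1000),
    ("required", pam_deny),
]

def run_auth(user, tty, password):   # returns ("success" or "failed", log lines)
    ctx = {"user": user, "tty": tty, "password": password, "log": []}
    failed = False
    for control, module in LOGIN_AUTH:
        table = KEYWORDS[control] if isinstance(control, str) else control
        rc = module(ctx)
        action = table.get(rc, table["default"])
        ctx["log"].append("%s -> %s (%s)" % (module.__name__, rc, action))
        if action == "bad":
            failed = True                     # required: remember, keep going
        elif action == "die":
            return "failed", ctx["log"]       # requisite: stop immediately
        elif action == "done" and not failed:
            return "success", ctx["log"]      # sufficient: short-circuit the stack
    return ("failed" if failed else "success"), ctx["log"]
```

Running run_auth("root", "tty1", "wrong-pw") reproduces the posted sequence: pam_unix fails and is ignored, then the requisite pam_succeed_if line logs the "uid >= 1000" message and ends the stack, whereas a correct password makes the sufficient pam_unix return success before pam_succeed_if is ever consulted.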

SimbaD
Posts: 6
Joined: 2016/10/05 16:16:14

Re: I can't login from tty, but ssh and su login ok.

Post by SimbaD » 2016/10/18 13:00:33

Thank you for helping me. But:

I commented out the PAM rule pam_succeed_if.so uid >= 1000 quiet_success, with no result.

Oct 18 15:54:56 PresScanCentOS-72 login: pam_securetty(login:auth): pam_securetty called via pam_sm_authenticate function
Oct 18 15:54:56 PresScanCentOS-72 login: pam_securetty(login:auth): access allowed for 'root' on 'tty1'
Oct 18 15:55:02 PresScanCentOS-72 login: pam_unix(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=tty1 ruser= rhost=  user=root
Oct 18 15:55:04 PresScanCentOS-72 login: FAILED LOGIN 1 FROM tty1 FOR root, Authentication failure
Oct 18 15:55:04 PresScanCentOS-72 login: pam_securetty(login:auth): pam_securetty called via pam_sm_authenticate function

Is simbad a real local user and is his/her UID < 1000?
Yes, a real user, UID = 1000.
Have you typed the password correctly?
Yes, I successfully use the password over SSH.
Do you have a /etc/nologin file?
ls: cannot access /etc/nologin: No such file or directory

giulix63
Posts: 1305
Joined: 2014/05/14 10:06:37
Location: UK

Re: I can't login from tty, but ssh and su login ok.

Post by giulix63 » 2016/10/18 13:24:36

Can you also post the output of

cat /etc/pam.d/login
rpm -V util-linux
run as root, please?
Root is evil: Do not use root (sudo) to run any of the commands specified in my posts unless explicitly indicated. Please, provide the necessary amount of context to understand your problem/question.

SimbaD
Posts: 6
Joined: 2016/10/05 16:16:14

Re: I can't login from tty, but ssh and su login ok.

Post by SimbaD » 2016/10/18 14:18:12

cat /etc/pam.d/login

#%PAM-1.0
auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
auth       substack     system-auth
auth       include      postlogin
account    required     pam_nologin.so
account    include      system-auth
password   include      system-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
session    optional     pam_console.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open
session    required     pam_namespace.so
session    optional     pam_keyinit.so force revoke
session    include      system-auth
session    include      postlogin
-session   optional     pam_ck_connector.so

rpm -V util-linux

.......T.  c /etc/pam.d/login

SimbaD
Posts: 6
Joined: 2016/10/05 16:16:14

Re: I can't login from tty, but ssh and su login ok.

Post by SimbaD » 2016/10/18 14:59:12

/etc/login.defs

#
# Please note that the parameters in this configuration file control the
# behavior of the tools from the shadow-utils component. None of these
# tools uses the PAM mechanism, and the utilities that use PAM (such as the
# passwd command) should therefore be configured elsewhere. Refer to
# /etc/pam.d/system-auth for more information.
#

# *REQUIRED*
#   Directory where mailboxes reside, _or_ name of file, relative to the
#   home directory.  If you _do_ define both, MAIL_DIR takes precedence.
#   QMAIL_DIR is for Qmail
#
#QMAIL_DIR      Maildir
MAIL_DIR        /var/spool/mail
#MAIL_FILE      .mail

# Password aging controls:
#
#       PASS_MAX_DAYS   Maximum number of days a password may be used.
#       PASS_MIN_DAYS   Minimum number of days allowed between password changes.
#       PASS_MIN_LEN    Minimum acceptable password length.
#       PASS_WARN_AGE   Number of days warning given before a password expires.
#
PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
PASS_MIN_LEN    5
PASS_WARN_AGE   7

#
# Min/max values for automatic uid selection in useradd
#
UID_MIN                  1000
UID_MAX                 60000
# System accounts
SYS_UID_MIN               201
SYS_UID_MAX               999

#
# Min/max values for automatic gid selection in groupadd
#
GID_MIN                  1000
GID_MAX                 60000
# System accounts
SYS_GID_MIN               201
SYS_GID_MAX               999

#
# If defined, this command is run when removing a user.
# It should remove any at/cron/print jobs etc. owned by
# the user to be removed (passed as the first argument).
#
#USERDEL_CMD    /usr/sbin/userdel_local

#
# If useradd should create home directories for users by default
# On RH systems, we do. This option is overridden with the -m flag on
# useradd command line.
#
CREATE_HOME     yes

# The permission mask is initialized to this value. If not specified,
# the permission mask will be initialized to 022.
UMASK           077

# This enables userdel to remove user groups if no members exist.
#
USERGROUPS_ENAB yes

# Use SHA512 to encrypt password.
ENCRYPT_METHOD SHA512

giulix63
Posts: 1305
Joined: 2014/05/14 10:06:37
Location: UK

Re: I can't login from tty, but ssh and su login ok.

Post by giulix63 » 2016/10/18 15:02:35

I've got an additional

MD5_CRYPT_ENAB no
right at the end of /etc/login.defs. You probably just forgot to paste it. Apart from that, it's all good.

rpm -V setup
again as root, please?
Root is evil: Do not use root (sudo) to run any of the commands specified in my posts unless explicitly indicated. Please, provide the necessary amount of context to understand your problem/question.

SimbaD
Posts: 6
Joined: 2016/10/05 16:16:14

Re: I can't login from tty, but ssh and su login ok.

Post by SimbaD » 2016/10/18 15:13:24

MD5_CRYPT_ENAB no
I don't have this line in /etc/login.defs. The last line is ENCRYPT_METHOD SHA512.

rpm -V setup

S.5....T.  c /etc/aliases

giulix63
Posts: 1305
Joined: 2014/05/14 10:06:37
Location: UK

Re: I can't login from tty, but ssh and su login ok.

Post by giulix63 » 2016/10/18 15:59:40

SimbaD wrote:

MD5_CRYPT_ENAB no
I don't have this line in /etc/login.defs.
Right, I checked on another system and it's not there. Don't know where I got that, just scrap it. How about /etc/aliases? Care to share?

/etc/aliases

#
#  Aliases in this file will NOT be expanded in the header from
#  Mail, but WILL be visible over networks or from /bin/mail.
#
#       >>>>>>>>>>      The program "newaliases" must be run after
#       >> NOTE >>      this file is updated for any changes to
#       >>>>>>>>>>      show through to sendmail.
#

# Basic system aliases -- these MUST be present.
mailer-daemon:  postmaster
postmaster:     root

# General redirections for pseudo accounts.
bin:            root
daemon:         root
adm:            root
lp:             root
sync:           root
shutdown:       root
halt:           root
mail:           root
news:           root

I'm (temporarily :)) out of ideas... It's worth continuing down the PAM path, IMO.
Root is evil: Do not use root (sudo) to run any of the commands specified in my posts unless explicitly indicated. Please, provide the necessary amount of context to understand your problem/question.

SimbaD
Posts: 6
Joined: 2016/10/05 16:16:14

Re: I can't login from tty, but ssh and su login ok.

Post by SimbaD » 2016/10/18 16:45:13

Does /etc/aliases affect login from the console?
All the aliases there point to root.
How can I enable PAM debugging?
