Bug 1633975

Summary: User cannot login to RHV-H if a security profile is applied during installation
Product: Red Hat Enterprise Virtualization Manager
Reporter: nijin ashok <nashok>
Component: ovirt-host
Assignee: Yuval Turgeman <yturgema>
Status: CLOSED ERRATA
QA Contact: Qin Yuan <qiyuan>
Severity: high
Docs Contact:
Priority: high
Version: 4.2.6
CC: cshao, dfediuck, huzhao, mtessun, qiyuan, sbonazzo, sgoodman, weiwang, yaniwang, ycui, yturgema
Target Milestone: ovirt-4.3.0   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: ovirt-host-4.3.0-1
Doc Type: Bug Fix
Doc Text:
RHVH was missing a package named pam_pkcs11. Consequently, the rule for pam_pkcs11 in PAM is added, but the module does not exist, so users cannot login. The missing pam_pkcs11 package was added, and now users can login to RHVH if the correct security profile is applied.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2019-05-08 12:31:47 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: Node
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1591693, 1653669    

Description nijin ashok 2018-09-28 08:56:37 UTC
Description of problem:

If a security profile is selected during RHV-H installation, the user will not be able to log in to the RHV-H server. It will not show a password prompt after entering the username and will directly show a "password incorrect" message.

The line below will be added to /etc/pam.d/system-auth if a profile is applied.

auth        [success=done authinfo_unavail=ignore ignore=ignore default=die] pam_pkcs11.so nodebug

However, the pam_pkcs11 package is not installed on the server. The user has to manually uncomment the line for the authentication to work.

The same issue is not observed in a RHEL installation.


Version-Release number of selected component (if applicable):

RHVH-4.2-20180910.2-RHVH-x86_64-dvd1.iso

How reproducible:

100%

Steps to Reproduce:


While installing RHV-H, select a security profile.
The user will not get a password prompt after entering the username.


Actual results:

Login is not working if a security profile is selected during installation.


Expected results:

Login should work.


Additional info:

Comment 1 Qin Yuan 2018-09-29 03:00:10 UTC
QE can reproduce this bug.

Comment 2 Qin Yuan 2018-12-14 07:40:11 UTC
Tested with RHVH-4.3-20181210.0-RHVH-x86_64-dvd1.iso, selected the "PCI-DSS v3" security policy profile in the Anaconda GUI. After installation finished:
1) Can log in to the RHVH server
2) pam_pkcs11-0.6.2-30.el7.x86_64 is installed

But there is an error when logging in on the console:
dell-per515-02 login: root
DEBUG:pam_config.c:238: Using config file /etc/pam_pkcs11/pam_pkcs11.conf
DEBUG:pkcs11_lib.c:182: Initializing NSS ...
DEBUG:pkcs11_lib.c:192: Initializing NSS ... database=/etc/pki/nssdb
DEBUG:pkcs11_lib.c:212: ...  NSS Complete
DEBUG:pam_pkcs11.c:272: Is it a screen saver?
DEBUG:pam_pkcs11.c:287: explicit username = [root]
DEBUG:pam_pkcs11.c:315: loading pkcs #11 module...
DEBUG:pkcs11_lib.c:237: Looking up module in list
DEBUG:pkcs11_lib.c:240: modList = 0x1964350 next = 0x0
DEBUG:pkcs11_lib.c:241: dllName= <null>
DEBUG:pkcs11_lib.c:287: loading Module explictly, moduleSpec=<library="libcoolkeypk11.so" name="SmartCard"> module=libcoolkeypk11.so
DEBUG:pkcs11_lib.c:291: Failed to load SmartCard software Failure to load dynamic library.
ERROR:pam_pkcs11.c:318: load_pkcs11_module() failed:

There is no such error with RHEL 7.6 when using the same security policy profile.

Comment 3 Qin Yuan 2018-12-16 10:25:06 UTC
The "PCI-DSS v3" security policy requires 4 packages to be installed: pam_pkcs11, esc, libreswan and aide. esc requires coolkey.

pam_pkcs11 and aide are already included in RHVH-4.3-20181210.0-RHVH-x86_64-dvd1.iso, so I tried installing esc and libreswan manually before the configuring addons phase during RHVH installation. After installation finished, I logged in to the system on the console, and the "load_pkcs11_module() failed" error disappeared.

I checked all security policies in the Anaconda SCAP security guide; different policies need different packages. Altogether they need 9 packages:
pam_pkcs11
esc
libreswan
aide
tcp_wrappers
rsyslog
openssh-server
screen
dracut-fips

For the system installed via RHVH-4.3-20181210.0-RHVH-x86_64-dvd1.iso (without manually installing esc and libreswan), all of those packages are installed, except esc and libreswan.
Maybe it's better to include esc and libreswan in the RHVH iso as well, though I'm not sure whether a hypervisor should support those security policies.

Comment 4 Yuval Turgeman 2018-12-16 12:05:01 UTC
The problem with pulling in esc is that it requires xulrunner, and this package pulls in a bunch of packages that are not relevant at all (X, mesa, alsa, etc.).

Comment 5 Qin Yuan 2018-12-18 02:10:54 UTC
According to comment #2, the main issue of this bug, that the user can't log in to the RHVH system when the "PCI-DSS v3" security profile is selected during installation, has been fixed, so I am marking this bug as VERIFIED.

As for the "load_pkcs11_module() failed" error that occurred during login on the console, I filed Bug 1660269 to track it.

Comment 6 Steve Goodman 2019-01-22 13:38:50 UTC
Yuval, please confirm that this doc_text is correct:

RHVH was missing a package named pam_pkcs11. Consequently, the rule for pam_pkcs11 in PAM is added, but the module does not exist, so users cannot login. The missing pam_pkcs11 package was added, and now users can login to RHVH if the correct security profile is applied.

Comment 7 Yuval Turgeman 2019-01-28 10:58:28 UTC
Looks good, Steve

Comment 9 errata-xmlrpc 2019-05-08 12:31:47 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2019:1047
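
The failure in this report, a PAM rule naming a module whose file is not installed, can be checked for before a hardened image ships. The script below is an added example, not part of the original bug report or of the RHVH fix; the function names and the default module directory `/usr/lib64/security` (RHEL 7 x86_64) are assumptions, and the sample tree is constructed.

```shell
#!/bin/sh
# Added example: list PAM rules whose module file is not installed.
# Defaults assume RHEL 7 x86_64 paths (assumption; adjust per platform).
find_missing_pam_modules() {
    pam_dir="${1:-/etc/pam.d}"
    mod_dir="${2:-/usr/lib64/security}"
    report=$(
        for file in "$pam_dir"/*; do
            [ -f "$file" ] || continue
            # Emit the module field of every rule. The control field is one
            # word or a bracketed list like [success=done ... default=die].
            awk '
                /^[ \t]*#/ || /^[ \t]*$/ { next }
                {
                    t = $1; sub(/^-/, "", t)          # type may carry a "-" prefix
                    if (t !~ /^(auth|account|password|session)$/) next
                    if ($2 ~ /^(include|substack)$/) next  # refers to a config file
                    i = 2
                    if ($2 ~ /^\[/) while (i < NF && $i !~ /\]$/) i++
                    if (i < NF) print $(i + 1)
                }' "$file" |
            while read -r module; do
                case "$module" in
                    /*) path=$module ;;            # absolute module path
                    *)  path=$mod_dir/$module ;;   # relative to the module dir
                esac
                [ -e "$path" ] || echo "$file: $module not found at $path"
            done
        done
    )
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}

# Constructed sample tree reproducing the state described in the report:
# the pam_pkcs11.so rule is present, the module file is not.
make_sample_tree() {
    root=$1
    mkdir -p "$root/pam.d" "$root/security"
    touch "$root/security/pam_env.so" "$root/security/pam_unix.so"
    cat > "$root/pam.d/system-auth" <<'EOF'
#%PAM-1.0
auth        required      pam_env.so
auth        [success=done authinfo_unavail=ignore ignore=ignore default=die] pam_pkcs11.so nodebug
auth        sufficient    pam_unix.so nullok try_first_pass
session     include       postlogin
EOF
}
```

Called with no arguments, `find_missing_pam_modules` checks the running host and returns non-zero when any rule points at a missing module, so it can gate an image build or a post-install test.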