Bug 2162534
| Summary: | root: authentication failure but login successful in VT | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Harald Reindl <h.reindl> |
| Component: | pam | Assignee: | Iker Pedrosa <ipedrosa> |
| Status: | CLOSED NOTABUG | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 36 | CC: | besser82, ipedrosa, tm |
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Last Closed: | 2023-03-23 08:17:23 UTC | Type: | Bug |
Description
Harald Reindl
2023-01-19 20:31:25 UTC
i guess https://fedoraproject.org/wiki/Changes/Make_Authselect_Mandatory and https://bugzilla.redhat.com/show_bug.cgi?id=2136047 mangled around with the config in bad ways

copied /etc/pam.d/system-auth from a non-affected VM

the whole pam config is another example after grub which obviously no human understands any longer

WORKING CONFIG:

```
auth required pam_env.so
auth required pam_faildelay.so delay=2000000
auth sufficient pam_unix.so nullok
auth required pam_deny.so
account required pam_unix.so
password requisite pam_pwquality.so
password sufficient pam_unix.so yescrypt shadow nullok use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
```

BROKEN CONFIG:

```
auth required pam_env.so
auth required pam_faildelay.so delay=2000000
auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular
auth [default=1 ignore=ignore success=ok] pam_localuser.so
auth sufficient pam_unix.so nullok
auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular
auth required pam_deny.so
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_usertype.so issystem
account required pam_permit.so
password requisite pam_pwquality.so local_users_only
password sufficient pam_unix.so yescrypt shadow nullok use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
```

and why is there a "password-auth" with nearly the same content as "system-auth"

```
[root@srv-rhsoft:/etc/pam.d]$ cat system-auth
auth required pam_env.so
auth required pam_faildelay.so delay=2000000
auth sufficient pam_unix.so nullok
auth required pam_deny.so
account required pam_unix.so
password requisite pam_pwquality.so
password sufficient pam_unix.so yescrypt shadow nullok use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so

[root@srv-rhsoft:/etc/pam.d]$ cat password-auth
auth required pam_env.so
auth required pam_faildelay.so delay=2000000
auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular
auth [default=1 ignore=ignore success=ok] pam_localuser.so
auth sufficient pam_unix.so nullok
auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular
auth required pam_deny.so
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_usertype.so issystem
account required pam_permit.so
password requisite pam_pwquality.so local_users_only
password sufficient pam_unix.so yescrypt shadow nullok use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
```

Hi Harald,

As far as we noticed, the pam stack configuration is not standard/default, so it is out of our scope of action (not supportable). The recommendation is to double-check the changes you have done and validate what is creating this behaviour.

Related to using authselect, its usage was discussed in a Fedora System-Wide Change and all questions were (or should have been) addressed there. If you want to raise concerns, please start a new discussion or reply on the related one.

With that being said, there is nothing we can do here to help you, so we are closing this ticket as NOTABUG, feel free to reply with helpful comments or which will leverage any possible investigation.

> The recommendation is to double-check the changes you
> have done and validate what is creating this behaviour.

that is nonsense - the configuration worked for years until you guys decided to throw authselect to users which even UNINSTALLED it because you guys have NO BUSINESS TO PERMANENTLY MANGLE WITH MY CONFIGURATION - /etc is holy land of the admin