Bug 2228934

Summary: Using "pam_access", ssh login fails with this entry in /etc/security/access.conf: "+:username:localhost server1.example.com"
Product: Red Hat Enterprise Linux 8
Reporter: Alok Sharma <alsharma>
Component: pam
Assignee: Iker Pedrosa <ipedrosa>
Status: NEW
QA Contact: Anuj Borah <aborah>
Severity: high
Priority: high
Version: 8.8
CC: pbrezina
Target Milestone: rc
Keywords: Triaged
Target Release: ---
Hardware: Unspecified
OS: Linux
Type: Bug

Description Alok Sharma 2023-08-03 17:06:33 UTC
Description of problem:

Using "pam_access", ssh login fails with the entry below in /etc/security/access.conf:
-------
+:username:localhost server1.example.com
-------

Version-Release number of selected component (if applicable):


How reproducible:

Steps to Reproduce:

1. On a RHEL 8.8 machine, enable the "with-pamaccess" feature using authselect:
~~~~~
# authselect enable-feature with-pamaccess
~~~~~

2. Then configure /etc/security/access.conf as below:
-------
+:username:localhost server1.example.com
-------

3. Try to log in as the user:
~~~~
# ssh username@localhost

# ssh username.com
~~~~

4. It only works when /etc/security/access.conf is configured as below:
-------
+:username:127.0.0.1 ::1 x.x.x.x
-------

* The actual IP address is replaced with x.x.x.x

Actual results:

Login fails, as access is denied in the account section.

Expected results:

Successful login using "pam_access": ssh login should work with the entry below in /etc/security/access.conf:
-------
+:username:localhost server1.example.com
-------


Additional info:

Reproduced as below on a test box:

[root@rhds12 ~]# cat /etc/redhat-release 
Red Hat Enterprise Linux release 8.8 (Ootpa)

[root@rhds12 ~]# id test21
uid=1007(test21) gid=1007(test21) groups=1007(test21)


[root@rhds12 ~]# cat  /etc/security/access.conf  | grep -v -e "^#"
+:root:ALL
+ : test19 : ALL
+:test21:localhost
-:ALL:ALL

[root@rhds12 ~]# hostname
rhds12.example.com

[root@rhds12 ~]# authselect current
Profile ID: sssd
Enabled features:
- with-mkhomedir
- with-pwhistory
- with-faillock
- with-pamaccess


[root@rhds12 ~]# cat /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6

x.x.x.x rhds12.example.com


=====================
[root@rhds12 ~]# ssh test21@localhost
test21@localhost's password: 
Connection closed by ::1 port 22

--------
[root@rhds12 ~]# tail -n 6 /var/log/secure
Aug  3 12:12:52 rhds12 sshd[2076290]: pam_access(sshd:account): access denied for user `test21' from `::1'
Aug  3 12:12:52 rhds12 sshd[2076290]: Failed password for test21 from ::1 port 50230 ssh2
Aug  3 12:12:52 rhds12 sshd[2076290]: fatal: Access denied for user test21 by PAM account configuration [preauth]
Aug  3 12:13:45 rhds12 sshd[2076360]: pam_access(sshd:account): access denied for user `test21' from `::1'
Aug  3 12:13:45 rhds12 sshd[2076360]: Failed password for test21 from ::1 port 56414 ssh2
Aug  3 12:13:45 rhds12 sshd[2076360]: fatal: Access denied for user test21 by PAM account configuration [preauth]
-------


- Now replaced localhost with 127.0.0.1:
----------
[root@rhds12 ~]# cat  /etc/security/access.conf  | grep -v -e "^#" | grep test21
+:test21:127.0.0.1
----------

- But login via localhost still failed:
-----------------
[root@rhds12 ~]# ssh test21@localhost
test21@localhost's password: 
Connection closed by ::1 port 22
-----------------

-------
[root@rhds12 ~]# tail -n 3 /var/log/secure
Aug  3 12:17:15 rhds12 sshd[2076613]: pam_access(sshd:account): access denied for user `test21' from `::1'
Aug  3 12:17:15 rhds12 sshd[2076613]: Failed password for test21 from ::1 port 36390 ssh2
Aug  3 12:17:15 rhds12 sshd[2076613]: fatal: Access denied for user test21 by PAM account configuration [preauth]
-------


- Now added ::1 (i.e. the IPv6 loopback address) in /etc/security/access.conf:
------
[root@rhds12 ~]# cat  /etc/security/access.conf  | grep -v -e "^#" | grep test21
+:test21:127.0.0.1 ::1
------

- Tried to log in and it worked fine:
------------
[root@rhds12 ~]# ssh test21@localhost
test21@localhost's password: 

There were 3 failed login attempts since the last successful login.
[test21@rhds12 ~]$ 
-------------
=======================


- Now added the hostname of the machine, so that it can be accessed by hostname:
--------
[root@rhds12 ~]# cat  /etc/security/access.conf  | grep -v -e "^#" | grep test21
+:test21:127.0.0.1 ::1 rhds12.example.com
--------

- But login failed:
-------
[root@rhds12 ~]# ssh test21.com
test21.com's password: 
Connection closed by x.x.x.x port 22
-------

------
Aug  3 12:24:39 rhds12 sshd[2077143]: pam_access(sshd:account): access denied for user `test21' from `x.x.x.x'
------


- Now added the IP address instead of the hostname:
---------
[root@rhds12 ~]# cat  /etc/security/access.conf  | grep -v -e "^#" | grep test21
+:test21:127.0.0.1 ::1 x.x.x.x
---------

- Tried to log in and it worked fine when logging in by hostname:
--------
[root@rhds12 ~]# ssh test21.com
test21.com's password: 

There were 2 failed login attempts since the last successful login.
Last login: Thu Aug  3 12:20:06 2023 from ::1
[test21@rhds12 ~]$ 
---------
=============================
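The pattern in the report, as an added illustration that is not part of the bug or of the pam source: a simplified Python model of how an access.conf rule set is evaluated against the remote-host value sshd hands to PAM. It assumes that PAM_RHOST is the client's numeric address (the log lines above show `::1` and `x.x.x.x`, never a name), that rules are checked top to bottom with the first match winning and no match meaning permit, and that a hostname origin can only match after being resolved to addresses. The function names (`evaluate`, `unresolved_origins`, `static_resolver`), the static host table and the address 192.0.2.10 standing in for the report's x.x.x.x are all constructed here; group, EXCEPT, LOCAL and user@host forms of access.conf are left out of the model.

```python
"""Simplified model of access.conf evaluation (illustration, not pam_access code).

Each origin token is tried three ways: exact string match, IP or IP/prefix
match, then hostname resolution through an injected resolver. Calling
evaluate() with resolver=None shows what happens when a hostname token never
gets turned into addresses, which is the symptom the report describes.
"""
import ipaddress
from typing import Callable, Dict, Iterator, List, Optional, Tuple

Resolver = Callable[[str], List[str]]


def _parse(conf_text: str) -> Iterator[Tuple[str, List[str], List[str]]]:
    """Yield (permission, users, origins) from non-comment access.conf lines."""
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split(":", 2)
        if len(parts) != 3:
            continue                      # blank or malformed line
        perm, users, origins = (p.strip() for p in parts)
        yield perm, users.split(), origins.split()


def _origin_matches(token: str, rhost: str, resolver: Optional[Resolver]) -> bool:
    """Does one origin token match the numeric remote host string?"""
    if token == "ALL" or token == rhost:  # wildcard, or literal string equality
        return True
    try:
        addr = ipaddress.ip_address(rhost)
    except ValueError:
        return False                      # non-numeric rhost: only string/ALL apply here
    try:                                  # "127.0.0.1", "::1", "192.0.2.0/24" ...
        return addr in ipaddress.ip_network(token, strict=False)
    except ValueError:
        pass                              # not an address: treat as a hostname
    if resolver is None:                  # no resolution available -> cannot match
        return False
    return any(addr == ipaddress.ip_address(a) for a in resolver(token))


def evaluate(conf_text: str, user: str, rhost: str,
             resolver: Optional[Resolver] = None) -> str:
    """Return "permit" or "deny"; first matching rule wins, no match permits."""
    for perm, users, origins in _parse(conf_text):
        if not any(u in ("ALL", user) for u in users):
            continue
        if any(_origin_matches(o, rhost, resolver) for o in origins):
            return "permit" if perm == "+" else "deny"
    return "permit"


def unresolved_origins(conf_text: str) -> List[str]:
    """Origin tokens that are neither ALL/LOCAL nor literal addresses or
    networks, i.e. the entries whose matching depends on name resolution."""
    found: List[str] = []
    for _, _, origins in _parse(conf_text):
        for o in origins:
            if o in ("ALL", "LOCAL"):
                continue
            try:
                ipaddress.ip_network(o, strict=False)
            except ValueError:
                if o not in found:
                    found.append(o)
    return found


# Constructed static host table standing in for /etc/hosts or DNS.
HOSTS: Dict[str, List[str]] = {
    "localhost": ["127.0.0.1", "::1"],
    "rhds12.example.com": ["192.0.2.10"],   # placeholder for the report's x.x.x.x
}


def static_resolver(name: str) -> List[str]:
    return HOSTS.get(name, [])


# Constructed rule sets mirroring the report's failing and working configurations.
CONF_HOSTNAME = """\
+:root:ALL
+ : test19 : ALL
+:test21:localhost rhds12.example.com
-:ALL:ALL
"""

CONF_LITERAL = """\
+:root:ALL
+:test21:127.0.0.1 ::1 192.0.2.10
-:ALL:ALL
"""

if __name__ == "__main__":
    for conf, label in ((CONF_HOSTNAME, "hostname rules"), (CONF_LITERAL, "literal rules")):
        print(label, "depend on resolving:", unresolved_origins(conf) or "nothing")
        for rhost in ("::1", "127.0.0.1", "192.0.2.10"):
            print(f"  test21 from {rhost}: no resolver -> {evaluate(conf, 'test21', rhost)},"
                  f" with resolver -> {evaluate(conf, 'test21', rhost, static_resolver)}")
```

`unresolved_origins()` is the check worth running on a real access.conf before relying on it: every token it lists only matches if the module can map that name to the exact address the client connects from, so listing the loopback and interface addresses literally, as the reporter ended up doing, removes the dependency on resolution.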