Hide Forgot
Description of problem: Can't log in the system when use "fips=1" in the grub.conf Version-Release number of selected component (if applicable): dracut-004-328.el6.noarch dracut-fips-004-328.el6.noarch dracut-fips-kernel-004-328.el6.noarch How reproducible: always Steps to Reproduce: 1.Install the rhel6.5-server-x86_64_20130913 system 2.Install the dracut-fips []#rpm -ivh hmaccalc-0.9.12-1.el6.x86_64.rpm []#rpm -ivh dracut-fips-004-328.el6.noarch.rpm 3.modify the /boot/grub/grub.conf to enable the fips mode default=0 timeout=5 splashimage=(hd0,0)/grub/splash.xpm.gz hiddenmenu title Red Hat Enterprise Linux (2.6.32-419.el6.x86_64) root (hd0,0) kernel /vmlinuz-2.6.32-419.el6.x86_64 ro root=/dev/mapper/VolGroup-lv_root rd_NO_LUKS LANG=en_US.UTF-8 rd_NO_MD rd_LVM_LV=VolGroup/lv_swap SYSFONT=latarcyrheb-sun16 crashkernel=auto rd_LVM_LV=VolGroup/lv_root KEYBOARDTYPE=pc KEYTABLE=us rd_NO_DM rhgb quiet fips=1 initrd /initramfs-2.6.32-419.el6.x86_64.img Actual results: After restart the system, I can't log in the system. After enter the username and password it says "Authentication failure". Expected results: I should log in the system successfully, like rhel6.5 server64 alpha 1.1 Additional info:
This bug did not happen to rhel6.5 server64 alpha 1.1 but happens to the newer rhel6.5 build rhel6.5-server-x86_64_20130913, so I marked this bug as Regression. In addition, this bug blocked our Entitlement testing under the FIPS mode, hopefully it can be resolved ASAP, Thanks! Regards, Libin
(In reply to xingge from comment #0) > After restart the system, I can't log in the system. After enter the > username and password it says "Authentication failure". If the system booted as far as the login prompt, I do not think the bug is in dracut. If it were, I'd expect it to fail much earlier. Or do you have a reason to believe dracut is to blame? Does it work if you downgrade dracut to the version from "rhel6.5 server64 alpha 1.1"? Is interesting getting logged in /var/log/secure?
To get a shell and the logs add "init=/bin/bash" to the kernel command line. And no, it's _not_ a dracut bug.
IMHO it's PAM/crypto issue.
No idea if this is related, but see https://bugzilla.redhat.com/show_bug.cgi?id=1008513
I was able to reproduce this. In /var/log/secure there is: unix_chkpwd[2872]: password check failed for user (root) I was able to make it work by downgrading some nss and nss-softokn packages: Packages Altered: Downgrade nss-3.14.3-37.el6.x86_64 @/nss-3.14.3-37.el6.x86_64 Downgraded 3.15.1-5.el6.x86_64 @beaker-Server Downgrade nss-softokn-3.14.3-5.el6.x86_64 @/nss-softokn-3.14.3-5.el6.x86_64 Downgraded 3.14.3-6.el6.x86_64 @beaker-Server Erase nss-softokn-fips-3.14.3-6.el6.x86_64 @beaker-Server Downgrade nss-softokn-freebl-3.14.3-5.el6.x86_64 @/nss-softokn-freebl-3.14.3-5.el6.x86_64 Downgraded 3.14.3-6.el6.x86_64 @beaker-Server Erase nss-softokn-freebl-fips-3.14.3-6.el6.x86_64 @beaker-Server Downgrade nss-sysinit-3.14.3-37.el6.x86_64 @/nss-sysinit-3.14.3-37.el6.x86_64 Downgraded 3.15.1-5.el6.x86_64 @beaker-Server Downgrade nss-tools-3.14.3-37.el6.x86_64 @/nss-tools-3.14.3-37.el6.x86_64 Downgraded 3.15.1-5.el6.x86_64 @beaker-Server Then I tried to isolate it even further, but upgrading just nss-softokn back to the original version caused RPM to break and I could no longer install anything. Reassigning to nss.
This bug is very similar to Bug 1008513.
> Then I tried to isolate it even further, but upgrading just nss-softokn back > to the original version caused RPM to break and I could no longer install > anything. > Reassigning to nss. I'm moving this to softoken, because it's the most likely recent change to cause the issue, but we have to be careful about the above statement. Down grading NSS, and just updating nss-softokn will cause a problem because the nss-softokn-fips package would not be picked up, which would be required in this operation. Michal, did you install the nss-softokn-fips package? bob
Theres a patch in bug 1008513 that should fix this issue.
(In reply to Bob Relyea from comment #11) > Downgrading NSS, and just updating nss-softokn will cause a problem because > the nss-softokn-fips package would not be picked up, which would be required > in this operation. Michal, did you install the nss-softokn-fips package? No, I did not. I did just "yum update nss-softokn", which did not pull in any other dependencies to the yum transaction.
Since nss requires nss-softon-fips, an update of nss brings in nss-sstokn-fips and also nss-softokn-freenl-fips.
*** This bug has been marked as a duplicate of bug 1008513 ***