Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1008822

Summary: Can't log in the system when use "fips=1" in the grub.conf
Product: Red Hat Enterprise Linux 6 Reporter: xingge <gxing>
Component: nss-softoknAssignee: Elio Maldonado Batiz <emaldona>
Status: CLOSED DUPLICATE QA Contact: Ondrej Moriš <omoris>
Severity: high Docs Contact:
Priority: high    
Version: 6.5CC: acarter, borgan, dracut-maint-list, ebenes, jgalipea, kzak, ldai, liliu, mschmidt, qe-baseos-security, rrelyea, sforsber, tlavigne, tmraz
Target Milestone: rcKeywords: Regression
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2013-09-19 19:40:22 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1008513    
Bug Blocks: 843829    

Description xingge 2013-09-17 06:58:46 UTC 
Description of problem:
Can't log in the system when use "fips=1" in the grub.conf

Version-Release number of selected component (if applicable):
dracut-004-328.el6.noarch
dracut-fips-004-328.el6.noarch
dracut-fips-kernel-004-328.el6.noarch

How reproducible:
always

Steps to Reproduce:
1.Install the rhel6.5-server-x86_64_20130913 system
2.Install the dracut-fips
[]#rpm -ivh hmaccalc-0.9.12-1.el6.x86_64.rpm
[]#rpm -ivh dracut-fips-004-328.el6.noarch.rpm

3.modify the /boot/grub/grub.conf to enable the fips mode
default=0
timeout=5
splashimage=(hd0,0)/grub/splash.xpm.gz
hiddenmenu
title Red Hat Enterprise Linux (2.6.32-419.el6.x86_64)
	root (hd0,0)
	kernel /vmlinuz-2.6.32-419.el6.x86_64 ro root=/dev/mapper/VolGroup-lv_root rd_NO_LUKS LANG=en_US.UTF-8 rd_NO_MD rd_LVM_LV=VolGroup/lv_swap SYSFONT=latarcyrheb-sun16 crashkernel=auto rd_LVM_LV=VolGroup/lv_root  KEYBOARDTYPE=pc KEYTABLE=us rd_NO_DM rhgb quiet fips=1
	initrd /initramfs-2.6.32-419.el6.x86_64.img

Actual results:
After restart the system, I can't log in the system. After enter the username and password it says "Authentication failure".

Expected results:
I should log in the system successfully, like rhel6.5 server64 alpha 1.1

Additional info:
Comment 1 Li Bin Liu 2013-09-17 11:15:11 UTC 
This bug did not happen to rhel6.5 server64 alpha 1.1 but happens to the newer rhel6.5 build rhel6.5-server-x86_64_20130913, so I marked this bug as Regression. In addition, this bug blocked our Entitlement testing under the FIPS mode, hopefully it can be resolved ASAP, Thanks!

Regards,
Libin
Comment 3 Michal Schmidt 2013-09-17 14:43:53 UTC 
(In reply to xingge from comment #0)
> After restart the system, I can't log in the system. After enter the
> username and password it says "Authentication failure".

If the system booted as far as the login prompt, I do not think the bug is in dracut. If it were, I'd expect it to fail much earlier.

Or do you have a reason to believe dracut is to blame? Does it work if you downgrade dracut to the version from "rhel6.5 server64 alpha 1.1"?

Is interesting getting logged in /var/log/secure?
Comment 4 Harald Hoyer 2013-09-17 14:53:04 UTC 
To get a shell and the logs add "init=/bin/bash" to the kernel command line.

And no, it's _not_ a dracut bug.
Comment 6 Karel Zak 2013-09-17 17:41:52 UTC 
IMHO it's PAM/crypto issue.
Comment 7 Suzanne Forsberg 2013-09-17 17:44:49 UTC 
No idea if this is related, but see 
https://bugzilla.redhat.com/show_bug.cgi?id=1008513
Comment 8 Michal Schmidt 2013-09-17 17:45:22 UTC 
I was able to reproduce this. In /var/log/secure there is:

unix_chkpwd[2872]: password check failed for user (root)

I was able to make it work by downgrading some nss and nss-softokn packages:

Packages Altered:
    Downgrade  nss-3.14.3-37.el6.x86_64                    @/nss-3.14.3-37.el6.x86_64
    Downgraded     3.15.1-5.el6.x86_64                     @beaker-Server
    Downgrade  nss-softokn-3.14.3-5.el6.x86_64             @/nss-softokn-3.14.3-5.el6.x86_64
    Downgraded             3.14.3-6.el6.x86_64             @beaker-Server
    Erase      nss-softokn-fips-3.14.3-6.el6.x86_64        @beaker-Server
    Downgrade  nss-softokn-freebl-3.14.3-5.el6.x86_64      @/nss-softokn-freebl-3.14.3-5.el6.x86_64
    Downgraded                    3.14.3-6.el6.x86_64      @beaker-Server
    Erase      nss-softokn-freebl-fips-3.14.3-6.el6.x86_64 @beaker-Server
    Downgrade  nss-sysinit-3.14.3-37.el6.x86_64            @/nss-sysinit-3.14.3-37.el6.x86_64
    Downgraded             3.15.1-5.el6.x86_64             @beaker-Server
    Downgrade  nss-tools-3.14.3-37.el6.x86_64              @/nss-tools-3.14.3-37.el6.x86_64
    Downgraded           3.15.1-5.el6.x86_64               @beaker-Server

Then I tried to isolate it even further, but upgrading just nss-softokn back to the original version caused RPM to break and I could no longer install anything.
Reassigning to nss.
Comment 9 Elio Maldonado Batiz 2013-09-17 18:19:47 UTC 
This bug is very similar to Bug 1008513.
Comment 11 Bob Relyea 2013-09-18 16:20:54 UTC 
> Then I tried to isolate it even further, but upgrading just nss-softokn back
> to the original version caused RPM to break and I could no longer install
> anything.

> Reassigning to nss.

I'm moving this to softoken, because it's the most likely recent change to cause the issue, but we have to be careful about the above statement. Down grading NSS, and just updating nss-softokn will cause a problem because the nss-softokn-fips package would not be picked up, which would be required in this operation. Michal, did you install the nss-softokn-fips package?

bob
Comment 12 Bob Relyea 2013-09-18 22:17:05 UTC 
Theres a patch in bug 1008513 that should fix this issue.
Comment 13 Michal Schmidt 2013-09-19 13:32:34 UTC 
(In reply to Bob Relyea from comment #11)
> Downgrading NSS, and just updating nss-softokn will cause a problem because
> the nss-softokn-fips package would not be picked up, which would be required
> in this operation. Michal, did you install the nss-softokn-fips package?

No, I did not. I did just "yum update nss-softokn", which did not pull in any other dependencies to the yum transaction.
Comment 14 Elio Maldonado Batiz 2013-09-19 16:39:09 UTC 
Since nss requires nss-softon-fips, an update of nss brings in nss-sstokn-fips and also nss-softokn-freenl-fips.
Comment 15 Suzanne Forsberg 2013-09-19 19:40:22 UTC 

*** This bug has been marked as a duplicate of bug 1008513 ***