1008822 – Can't log in the system when use "fips=1" in the grub.conf

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1008822 - Can't log in the system when use "fips=1" in the grub.conf

Summary: Can't log in the system when use "fips=1" in the grub.conf

Keywords:
Status:	CLOSED DUPLICATE of bug 1008513
Alias:	None
Product:	Red Hat Enterprise Linux 6
Classification:	Red Hat
Component:	nss-softokn
Sub Component:
Version:	6.5
Hardware:	Unspecified
OS:	Unspecified
Priority:	high
Severity:	high
Target Milestone:	rc
Target Release:	---
Assignee:	Elio Maldonado Batiz
QA Contact:	Ondrej Moriš
Docs Contact:
URL:
Whiteboard:
Depends On:	1008513
Blocks:	843829
TreeView+	depends on / blocked

Reported:	2013-09-17 06:58 UTC by xingge
Modified:	2016-09-20 02:28 UTC (History)
CC List:	14 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2013-09-19 19:40:22 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Description xingge 2013-09-17 06:58:46 UTC

Description of problem:
Can't log in the system when use "fips=1" in the grub.conf

Version-Release number of selected component (if applicable):
dracut-004-328.el6.noarch
dracut-fips-004-328.el6.noarch
dracut-fips-kernel-004-328.el6.noarch

How reproducible:
always

Steps to Reproduce:
1.Install the rhel6.5-server-x86_64_20130913 system
2.Install the dracut-fips
[]#rpm -ivh hmaccalc-0.9.12-1.el6.x86_64.rpm
[]#rpm -ivh dracut-fips-004-328.el6.noarch.rpm

3.modify the /boot/grub/grub.conf to enable the fips mode
default=0
timeout=5
splashimage=(hd0,0)/grub/splash.xpm.gz
hiddenmenu
title Red Hat Enterprise Linux (2.6.32-419.el6.x86_64)
	root (hd0,0)
	kernel /vmlinuz-2.6.32-419.el6.x86_64 ro root=/dev/mapper/VolGroup-lv_root rd_NO_LUKS LANG=en_US.UTF-8 rd_NO_MD rd_LVM_LV=VolGroup/lv_swap SYSFONT=latarcyrheb-sun16 crashkernel=auto rd_LVM_LV=VolGroup/lv_root  KEYBOARDTYPE=pc KEYTABLE=us rd_NO_DM rhgb quiet fips=1
	initrd /initramfs-2.6.32-419.el6.x86_64.img

Actual results:
After restart the system, I can't log in the system. After enter the username and password it says "Authentication failure".

Expected results:
I should log in the system successfully, like rhel6.5 server64 alpha 1.1

Additional info:

Comment 1 Li Bin Liu 2013-09-17 11:15:11 UTC

This bug did not happen to rhel6.5 server64 alpha 1.1 but happens to the newer rhel6.5 build rhel6.5-server-x86_64_20130913, so I marked this bug as Regression. In addition, this bug blocked our Entitlement testing under the FIPS mode, hopefully it can be resolved ASAP, Thanks!

Regards,
Libin

Comment 3 Michal Schmidt 2013-09-17 14:43:53 UTC

(In reply to xingge from comment #0)
> After restart the system, I can't log in the system. After enter the
> username and password it says "Authentication failure".

If the system booted as far as the login prompt, I do not think the bug is in dracut. If it were, I'd expect it to fail much earlier.

Or do you have a reason to believe dracut is to blame? Does it work if you downgrade dracut to the version from "rhel6.5 server64 alpha 1.1"?

Is interesting getting logged in /var/log/secure?

Comment 4 Harald Hoyer 2013-09-17 14:53:04 UTC

To get a shell and the logs add "init=/bin/bash" to the kernel command line.

And no, it's _not_ a dracut bug.

Comment 6 Karel Zak 2013-09-17 17:41:52 UTC

IMHO it's PAM/crypto issue.

Comment 7 Suzanne Forsberg 2013-09-17 17:44:49 UTC

No idea if this is related, but see 
https://bugzilla.redhat.com/show_bug.cgi?id=1008513

Comment 8 Michal Schmidt 2013-09-17 17:45:22 UTC

I was able to reproduce this. In /var/log/secure there is:

unix_chkpwd[2872]: password check failed for user (root)

I was able to make it work by downgrading some nss and nss-softokn packages:

Packages Altered:
    Downgrade  nss-3.14.3-37.el6.x86_64                    @/nss-3.14.3-37.el6.x86_64
    Downgraded     3.15.1-5.el6.x86_64                     @beaker-Server
    Downgrade  nss-softokn-3.14.3-5.el6.x86_64             @/nss-softokn-3.14.3-5.el6.x86_64
    Downgraded             3.14.3-6.el6.x86_64             @beaker-Server
    Erase      nss-softokn-fips-3.14.3-6.el6.x86_64        @beaker-Server
    Downgrade  nss-softokn-freebl-3.14.3-5.el6.x86_64      @/nss-softokn-freebl-3.14.3-5.el6.x86_64
    Downgraded                    3.14.3-6.el6.x86_64      @beaker-Server
    Erase      nss-softokn-freebl-fips-3.14.3-6.el6.x86_64 @beaker-Server
    Downgrade  nss-sysinit-3.14.3-37.el6.x86_64            @/nss-sysinit-3.14.3-37.el6.x86_64
    Downgraded             3.15.1-5.el6.x86_64             @beaker-Server
    Downgrade  nss-tools-3.14.3-37.el6.x86_64              @/nss-tools-3.14.3-37.el6.x86_64
    Downgraded           3.15.1-5.el6.x86_64               @beaker-Server

Then I tried to isolate it even further, but upgrading just nss-softokn back to the original version caused RPM to break and I could no longer install anything.
Reassigning to nss.

Comment 9 Elio Maldonado Batiz 2013-09-17 18:19:47 UTC

This bug is very similar to Bug 1008513.

Comment 11 Bob Relyea 2013-09-18 16:20:54 UTC

> Then I tried to isolate it even further, but upgrading just nss-softokn back
> to the original version caused RPM to break and I could no longer install
> anything.

> Reassigning to nss.

I'm moving this to softoken, because it's the most likely recent change to cause the issue, but we have to be careful about the above statement. Down grading NSS, and just updating nss-softokn will cause a problem because the nss-softokn-fips package would not be picked up, which would be required in this operation. Michal, did you install the nss-softokn-fips package?

bob

Comment 12 Bob Relyea 2013-09-18 22:17:05 UTC

Theres a patch in bug 1008513 that should fix this issue.

Comment 13 Michal Schmidt 2013-09-19 13:32:34 UTC

(In reply to Bob Relyea from comment #11)
> Downgrading NSS, and just updating nss-softokn will cause a problem because
> the nss-softokn-fips package would not be picked up, which would be required
> in this operation. Michal, did you install the nss-softokn-fips package?

No, I did not. I did just "yum update nss-softokn", which did not pull in any other dependencies to the yum transaction.

Comment 14 Elio Maldonado Batiz 2013-09-19 16:39:09 UTC

Since nss requires nss-softon-fips, an update of nss brings in nss-sstokn-fips and also nss-softokn-freenl-fips.

Comment 15 Suzanne Forsberg 2013-09-19 19:40:22 UTC


*** This bug has been marked as a duplicate of bug 1008513 ***

Note You need to log in before you can comment on or make changes to this bug.