Description of problem:
If a security profile is selected during RHV-H installation, the user will not be able to log in to the RHV-H server. It will not show a password prompt after entering the username and will directly show a "password incorrect" message.

The following line is added to /etc/pam.d/system-auth if a profile is applied:

    auth [success=done authinfo_unavail=ignore ignore=ignore default=die] pam_pkcs11.so nodebug

However, the pam_pkcs11 package is not installed on the server. The user has to manually uncomment the line for the authentication to work. The same issue is not observed in a RHEL installation.

Version-Release number of selected component (if applicable):
RHVH-4.2-20180910.2-RHVH-x86_64-dvd1.iso

How reproducible:
100%

Steps to Reproduce:
1. While installing RHV-H, select a security profile.
2. The user will not get a password prompt after entering the username.

Actual results:
Login is not working if a security profile is selected during installation.

Expected results:
Login should work.

Additional info:
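The failure mode above (a PAM rule with default=die naming a module that is not installed) can be caught before the first reboot by checking that every module referenced in a PAM config file exists on disk. This is an added example, not code from the bug report or from RHV-H; the function names, the constructed system-auth fragment and the module directory argument are assumptions.

```shell
#!/bin/sh
# Added example, not from the bug report or RHV-H: verify that every module a
# PAM config file references is actually installed, so a rule such as
#   auth [success=done authinfo_unavail=ignore ignore=ignore default=die] pam_pkcs11.so nodebug
# cannot lock out every login because pam_pkcs11.so is missing.
# check_pam_modules <pam-config-file> <module-dir>  (assumed names; on RHEL 7
# the module dir is /lib64/security). Prints each missing module, returns 1 if any.
check_pam_modules() {
    conf="$1"; moddir="$2"; missing=0
    set -f                      # no globbing while we split tokens
    while IFS= read -r line; do
        line="${line%%#*}"      # drop comments
        mod=""
        # The control field may be bracketed and contain spaces, so instead of
        # "4th field" take the first token ending in .so (include/substack
        # lines have none and are skipped).
        for tok in $line; do
            case "$tok" in *.so) mod="$tok"; break ;; esac
        done
        [ -z "$mod" ] && continue
        case "$mod" in /*) path="$mod" ;; *) path="$moddir/$mod" ;; esac
        if [ ! -e "$path" ]; then
            printf 'MISSING: %s (referenced in %s)\n' "$mod" "$conf"
            missing=1
        fi
    done < "$conf"
    set +f
    return $missing
}
# Demo of the bug's situation with a constructed system-auth fragment and a
# fake module directory holding pam_env.so and pam_unix.so but not
# pam_pkcs11.so. Returns the checker's status (1 here).
demo_rhvh_case() {
    d=$(mktemp -d)
    mkdir "$d/security"
    : > "$d/security/pam_env.so"
    : > "$d/security/pam_unix.so"
    cat > "$d/system-auth" <<'EOF'
#%PAM-1.0
auth        required      pam_env.so
auth        [success=done authinfo_unavail=ignore ignore=ignore default=die] pam_pkcs11.so nodebug
auth        sufficient    pam_unix.so nullok try_first_pass
auth        include       postlogin
EOF
    check_pam_modules "$d/system-auth" "$d/security"; rc=$?
    rm -rf "$d"
    return $rc
}
demo_rhvh_case || echo "A default=die rule points at an absent module: fix before rebooting."
```

On a real host, run the check against each file in /etc/pam.d after applying a profile (and again after package updates), treating any MISSING line on a default=die rule as a lockout risk.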
QE can reproduce this bug.
Tested with RHVH-4.3-20181210.0-RHVH-x86_64-dvd1.iso, selected the "PCI-DSS v3" security policy profile in the Anaconda GUI. After installation finished:
1) Can log in to the RHVH server
2) pam_pkcs11-0.6.2-30.el7.x86_64 is installed

But there is an error when logging in on the console:

    dell-per515-02 login: root
    DEBUG:pam_config.c:238: Using config file /etc/pam_pkcs11/pam_pkcs11.conf
    DEBUG:pkcs11_lib.c:182: Initializing NSS ...
    DEBUG:pkcs11_lib.c:192: Initializing NSS ... database=/etc/pki/nssdb
    DEBUG:pkcs11_lib.c:212: ... NSS Complete
    DEBUG:pam_pkcs11.c:272: Is it a screen saver?
    DEBUG:pam_pkcs11.c:287: explicit username = [root]
    DEBUG:pam_pkcs11.c:315: loading pkcs #11 module...
    DEBUG:pkcs11_lib.c:237: Looking up module in list
    DEBUG:pkcs11_lib.c:240: modList = 0x1964350 next = 0x0
    DEBUG:pkcs11_lib.c:241: dllName= <null>
    DEBUG:pkcs11_lib.c:287: loading Module explictly, moduleSpec=<library="libcoolkeypk11.so" name="SmartCard"> module=libcoolkeypk11.so
    DEBUG:pkcs11_lib.c:291: Failed to load SmartCard software Failure to load dynamic library.
    ERROR:pam_pkcs11.c:318: load_pkcs11_module() failed:

No such error with RHEL 7.6 when using the same security policy profile.
The "PCI-DSS v3" security policy requires 4 packages to be installed: pam_pkcs11, esc, libreswan and aide. esc requires coolkey. pam_pkcs11 and aide are already included in RHVH-4.3-20181210.0-RHVH-x86_64-dvd1.iso, so I tried to install esc and libreswan manually before the "configuring addons" phase during RHVH installation. After installation finished and I logged in to the system on the console, the "load_pkcs11_module() failed" error disappeared.

I checked all security policies in the Anaconda SCAP security guide; different policies need different packages. All together they need 9 packages:
- pam_pkcs11
- esc
- libreswan
- aide
- tcp_wrappers
- rsyslog
- openssh-server
- screen
- dracut-fips

For the system installed via RHVH-4.3-20181210.0-RHVH-x86_64-dvd1.iso (without manually installing esc and libreswan), all of those packages are installed except esc and libreswan. Maybe it's better to include esc and libreswan in the RHVH iso as well, though I'm not sure whether a hypervisor should support those security policies.
The problem with pulling in esc is that it requires xulrunner, and this package pulls in a bunch of packages that are not relevant at all (X, mesa, alsa, etc.).
According to comment #2, the main issue of this bug, that the user can't log in to the RHVH system when the "PCI-DSS v3" security profile is selected during installation, has been fixed, so marking this bug as VERIFIED. As to the "load_pkcs11_module() failed" error that occurs during login on the console, filed Bug 1660269 to track it.
Yuval, please confirm that this doc_text is correct: RHVH was missing a package named pam_pkcs11. Consequently, the rule for pam_pkcs11 in PAM is added, but the module does not exist, so users cannot log in. The missing pam_pkcs11 package was added, and now users can log in to RHVH if the correct security profile is applied.
Looks good, Steve
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHEA-2019:1047