Bug 2228934 - Using "pam_access", ssh login fails with this entry in /etc/security/access.conf "+:username:localhost server1.example.com"
Status: NEW
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: pam
Version: 8.8
Hardware: Unspecified
OS: Linux
Priority: high
Severity: high
Target Milestone: rc
Assignee: Iker Pedrosa
QA Contact: Anuj Borah
Reported: 2023-08-03 17:06 UTC by Alok Sharma
Modified: 2023-08-07 12:57 UTC
Doc Type: If docs needed, set a value
Type: Bug

Links:
- Red Hat Issue Tracker RHELPLAN-164411 (last updated 2023-08-03 17:07:02 UTC)
- Red Hat Issue Tracker SSSD-6556 (last updated 2023-08-04 12:46:02 UTC)

Description Alok Sharma 2023-08-03 17:06:33 UTC
Description of problem:

Using "pam_access", ssh login fails with the entry below in /etc/security/access.conf:
-------
+:username:localhost server1.example.com
-------

Version-Release number of selected component (if applicable):


How reproducible:

Steps to Reproduce:

1. On a RHEL 8.8 machine, enable the "with-pamaccess" feature using authselect:
~~~~~
# authselect enable-feature with-pamaccess
~~~~~

2. Then configure /etc/security/access.conf as below:
-------
+:username:localhost server1.example.com
-------

3. Try to log in with the user.
~~~~
# ssh username@localhost

# ssh username.com
~~~~

4. It only works when /etc/security/access.conf is configured as below:
-------
+:username:127.0.0.1 ::1 x.x.x.x
-------

* The actual IP address is replaced with x.x.x.x.

Actual results:

Login fails, as access is denied in the account section.

Expected results:

Successful login using "pam_access". ssh login should work with the entry below in /etc/security/access.conf:
-------
+:username:localhost server1.example.com
-------


Additional info:

Reproduced as below on the test box:

[root@rhds12 ~]# cat /etc/redhat-release 
Red Hat Enterprise Linux release 8.8 (Ootpa)

[root@rhds12 ~]# id test21
uid=1007(test21) gid=1007(test21) groups=1007(test21)


[root@rhds12 ~]# cat  /etc/security/access.conf  | grep -v -e "^#"
+:root:ALL
+ : test19 : ALL
+:test21:localhost
-:ALL:ALL

[root@rhds12 ~]# hostname
rhds12.example.com

[root@rhds12 ~]# authselect current
Profile ID: sssd
Enabled features:
- with-mkhomedir
- with-pwhistory
- with-faillock
- with-pamaccess


[root@rhds12 ~]# cat /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6

x.x.x.x rhds12.example.com


=====================
[root@rhds12 ~]# ssh test21@localhost
test21@localhost's password: 
Connection closed by ::1 port 22

--------
[root@rhds12 ~]# tail -n 6 /var/log/secure
Aug  3 12:12:52 rhds12 sshd[2076290]: pam_access(sshd:account): access denied for user `test21' from `::1'
Aug  3 12:12:52 rhds12 sshd[2076290]: Failed password for test21 from ::1 port 50230 ssh2
Aug  3 12:12:52 rhds12 sshd[2076290]: fatal: Access denied for user test21 by PAM account configuration [preauth]
Aug  3 12:13:45 rhds12 sshd[2076360]: pam_access(sshd:account): access denied for user `test21' from `::1'
Aug  3 12:13:45 rhds12 sshd[2076360]: Failed password for test21 from ::1 port 56414 ssh2
Aug  3 12:13:45 rhds12 sshd[2076360]: fatal: Access denied for user test21 by PAM account configuration [preauth]
-------


- Now replaced localhost with 127.0.0.1:
----------
[root@rhds12 ~]# cat  /etc/security/access.conf  | grep -v -e "^#" | grep test21
+:test21:127.0.0.1
----------

- But still failed to login with localhost:
-----------------
[root@rhds12 ~]# ssh test21@localhost
test21@localhost's password: 
Connection closed by ::1 port 22
-----------------

-------
[root@rhds12 ~]# tail -n 3 /var/log/secure
Aug  3 12:17:15 rhds12 sshd[2076613]: pam_access(sshd:account): access denied for user `test21' from `::1'
Aug  3 12:17:15 rhds12 sshd[2076613]: Failed password for test21 from ::1 port 36390 ssh2
Aug  3 12:17:15 rhds12 sshd[2076613]: fatal: Access denied for user test21 by PAM account configuration [preauth]
-------


- Now added ::1 (i.e. the IPv6 loopback address) in /etc/security/access.conf:
------
[root@rhds12 ~]# cat  /etc/security/access.conf  | grep -v -e "^#" | grep test21
+:test21:127.0.0.1 ::1
------

- Tried to login and it worked fine:
------------
[root@rhds12 ~]# ssh test21@localhost
test21@localhost's password: 

There were 3 failed login attempts since the last successful login.
[test21@rhds12 ~]$ 
-------------
=======================


- Now added hostname of the machine, so that it can be accessed with hostname:
--------
[root@rhds12 ~]# cat  /etc/security/access.conf  | grep -v -e "^#" | grep test21
+:test21:127.0.0.1 ::1 rhds12.example.com
--------

- But login failed:
-------
[root@rhds12 ~]# ssh test21.com
test21.com's password: 
Connection closed by x.x.x.x port 22
-------

------
Aug  3 12:24:39 rhds12 sshd[2077143]: pam_access(sshd:account): access denied for user `test21' from `x.x.x.x'
------


- Now added IP-address instead of hostname:
---------
[root@rhds12 ~]# cat  /etc/security/access.conf  | grep -v -e "^#" | grep test21
+:test21:127.0.0.1 ::1 x.x.x.x
---------

- Tried to log in and it worked fine when logging in with the hostname:
--------
[root@rhds12 ~]# ssh test21.com
test21.com's password: 

There were 2 failed login attempts since the last successful login.
Last login: Thu Aug  3 12:20:06 2023 from ::1
[test21@rhds12 ~]$ 
---------
=============================
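As an added diagnostic for the failure mode the report describes (example code, not from the report or from pam), the script below parses access.conf and the pam_access denial lines from /var/log/secure and, for each denied (user, rhost), flags the user's "+" rules whose from-field names hosts only, the shape the report shows failing while the IP literals succeed. The inputs are constructed from the report (192.0.2.10 stands in for its x.x.x.x), and the matching heuristic is the script's own, not pam_access's algorithm.

```python
import ipaddress
import re

# Constructed inputs modelled on the report; 192.0.2.10 stands in for its x.x.x.x.
ACCESS_CONF = """\
# comment lines are ignored
+:root:ALL
+ : test19 : ALL
+:test21:localhost rhds12.example.com
-:ALL:ALL
"""
SECURE_LOG = """\
Aug  3 12:12:52 rhds12 sshd[2076290]: pam_access(sshd:account): access denied for user `test21' from `::1'
Aug  3 12:12:52 rhds12 sshd[2076290]: Failed password for test21 from ::1 port 50230 ssh2
Aug  3 12:24:39 rhds12 sshd[2077143]: pam_access(sshd:account): access denied for user `test21' from `192.0.2.10'
"""
# Denial line written by pam_access; groups are (user, rhost).
DENIED_RE = re.compile(r"pam_access\(\S+\): access denied for user `([^']+)' from `([^']+)'")

def parse_access_conf(text):
    """(perm, users, froms) per rule; split on at most two ':' so ::1 in the from-field survives."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        perm, users, froms = (f.strip() for f in line.split(":", 2))
        rules.append((perm, users.split(), froms.split()))
    return rules

def is_address(token):
    """True for an IPv4/IPv6 literal or CIDR; False for hostnames and keywords such as ALL."""
    try:
        ipaddress.ip_network(token, strict=False)
        return True
    except ValueError:
        return False

def hostname_only_rules(conf, log):
    """For each denied (user, rhost): the user's '+' rules whose from-field lists hosts only
    (no address literal, no ALL). Heuristic over the config text, not pam_access's matching."""
    rules = parse_access_conf(conf)
    flagged = {}
    for user, rhost in (m.groups() for m in DENIED_RE.finditer(log)):
        culprits = [froms for perm, users, froms in rules
                    if perm == "+" and user in users and "ALL" not in froms
                    and not any(is_address(t) for t in froms)]
        if culprits:
            flagged[(user, rhost)] = culprits
    return flagged
```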

