PAM Help

MHarmony

PAM Help

Post by MHarmony » 2019/07/02 17:26:02

I'm configuring an ansible playbook to install Tableau Server for a customer. However, we had to apply some required STIG implementations and now the install is breaking due to a PAM issue. Installation is failing with the error message: "Authentication error. Incorrect username or password, or username not member of administrative group?". The install completes successfully before the PAM rules are applied.

I'm not an expert, or even knowledgeable really, when it comes to PAM and was hoping I could get some insight into why my local user is failing to authenticate. Below you can find the contents of the before/after states of /etc/pam.d/password-auth-ac and /etc/pam.d/system-auth-ac.

default password-auth-ac


#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
# Stock (pre-STIG) password-auth-ac as posted. Within each management group
# (auth / account / password / session) the lines are evaluated top to bottom
# in the order they appear in the file, so line order is significant.
auth        required      pam_env.so
# Delay after a failed authentication, in microseconds (2 s here).
auth        required      pam_faildelay.so delay=2000000
# Password check. 'sufficient' ends the auth stack with success if it passes
# and no earlier 'required' module has failed.
auth        sufficient    pam_unix.so nullok try_first_pass
# Reached only when pam_unix did not succeed: 'requisite' fails immediately
# for uid < 1000, everyone else falls through to pam_deny.
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        required      pam_deny.so

# Account validity (expiry etc.) via pam_unix; local passwd-file users and
# system accounts (uid < 1000) are accepted early, pam_permit accepts the rest.
account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     required      pam_permit.so

# Password change: quality check first (3 attempts), then the sha512 shadow
# update; pam_deny is reached only if pam_unix did not succeed.
password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok


password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
# Leading '-' is PAM syntax: do not log an error if the module is not installed.
-session     optional      pam_systemd.so
# For service 'crond' skip the next line (the pam_unix session), else ignore.
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
modified password-auth-ac


#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
# Post-STIG password-auth-ac as posted. Compared with the stock file, the auth
# stack lost 'nullok try_first_pass' on pam_unix, the pam_succeed_if uid check
# and the trailing pam_deny, and the three pam_faillock lines are not in the
# order the module documentation describes (preauth before the password
# module, authfail immediately after it, authsucc last).
auth        required      pam_env.so
auth        required      pam_faildelay.so delay=2000000
# NOTE(review): authsucc sits before any password module and is 'sufficient'.
# When the user is not locked out, authsucc resets the tally and returns
# success, and 'sufficient' then appears to end the auth stack right here,
# before pam_unix is ever consulted -- weakening rather than hardening the
# stack. Its documented place is after the password module.
auth sufficient pam_faillock.so authsucc audit deny=5 unlock_time=900
# On success skip one line (the preauth below); on any other result mark the
# stack as failed but keep evaluating. Without 'try_first_pass' the module
# always prompts through the conversation -- presumably relevant to a
# non-interactive installer; verify against how the caller drives PAM.
auth [success=1 default=bad] pam_unix.so
# The lockout check (preauth) only runs here, after pam_unix has already been
# tried and only when it failed; documented position is before pam_unix.
auth required pam_faillock.so preauth audit silent deny=5 unlock_time=900

# Account, password and session groups are unchanged from the stock file.
account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     required      pam_permit.so

password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok


password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session     optional      pam_systemd.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
# Lines are grouped by management type regardless of where they sit in the
# file, so this still belongs to the auth stack, after the preauth line
# above. '[default=die]' ends the stack with failure whenever the line is
# reached; the documented place is directly after the pam_unix auth line.
auth [default=die] pam_faillock.so authfail audit deny=5 unlock_time=900
default system-auth-ac


#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
# Stock (pre-STIG) system-auth-ac as posted; identical to the stock
# password-auth-ac except for the pam_fprintd line. Lines of each management
# group are evaluated top to bottom, so order is significant.
auth        required      pam_env.so
# Delay after a failed authentication, in microseconds (2 s here).
auth        required      pam_faildelay.so delay=2000000
# Fingerprint reader; 'sufficient', so a successful scan ends the stack.
auth        sufficient    pam_fprintd.so
# Password check; success ends the auth stack here.
auth        sufficient    pam_unix.so nullok try_first_pass
# Reached only when neither module above succeeded: both remaining lines end
# in denial ('requisite' fails fast for uid < 1000, pam_deny for the rest).
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     required      pam_permit.so

password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
# Leading '-' is PAM syntax: do not log an error if the module is not installed.
-session     optional      pam_systemd.so
# For service 'crond' skip the next line (the pam_unix session), else ignore.
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
modified system-auth-ac


#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
# Post-STIG system-auth-ac as posted. Same edits as the modified
# password-auth-ac: pam_unix lost 'nullok try_first_pass', the pam_succeed_if
# uid check and pam_deny are gone, and the pam_faillock lines are not in the
# documented order (preauth before pam_unix, authfail right after it,
# authsucc last).
auth        required      pam_env.so
auth        required      pam_faildelay.so delay=2000000
auth        sufficient    pam_fprintd.so
# NOTE(review): authsucc is 'sufficient' and precedes pam_unix; for a user who
# is not locked out it appears to end the auth stack with success before any
# password is checked. Documented place is after the password module.
auth sufficient pam_faillock.so authsucc audit deny=5 unlock_time=900
# On success skip one line (the preauth below); otherwise mark the stack
# failed and continue. No 'try_first_pass' here, unlike the stock file.
auth [success=1 default=bad] pam_unix.so
# Lockout check runs only after a failed pam_unix; documented position is
# before pam_unix.
auth required pam_faillock.so preauth audit silent deny=5 unlock_time=900

# Account, password and session groups are unchanged from the stock file.
account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     required      pam_permit.so

password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session     optional      pam_systemd.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
# Still part of the auth stack (grouping is by type, not file position), so
# it is evaluated after the preauth line above. '[default=die]' ends the
# stack with failure whenever reached; documented place is directly after
# the pam_unix auth line.
auth [default=die] pam_faillock.so authfail audit deny=5 unlock_time=900

hunter86_bg

Re: PAM Help

Post by hunter86_bg » 2019/07/02 20:51:32

Yours have 'auth sufficient', while per the docs it should be (lines 2 & 4):


# Documented layout: the lockout check (preauth) is 'required' and comes
# before the password module; the failure recorder (authfail) comes directly
# after it. deny/unlock_time are the doc's example values; the poster's own
# thresholds (deny=5 unlock_time=900) are a separate matter from the ordering.
auth        required      pam_faillock.so preauth silent audit deny=3 unlock_time=600
# ... the pam_unix password line sits between these two ...
...
auth        [default=die] pam_faillock.so authfail audit deny=3 unlock_time=600
Check Section 4.1.2
