Can not login as any user in TTY console

suhas! · 06-30-2008, 05:43 AM

Hi All,

we have a Redhat Linux 9 box in our office. Somebody have played with that box and as a result no user is able to login to the box on any TTY console. When we put a user name to log in (root and non-root also), it doesnot ask for password, and simply login prompt appears again. Whereas I can log in as root user through ssh (pseudo terminal). I tail to /var/log/message and /var/log/secure to see what is prohibiting users from logging in to TTY console, but no log appears.

I have checked basic things like....
1) all terminals are allowed in /etc/securetty
2) permission of the /etc/securetty is 600 which should be
3) /etc/nologin file does not exist
4) root and other user account can login through ssh session
5) there is no setting in /etc/security/access.conf

What else I missed to check........ can anybody help me.......

Suhas

prik420 · 06-30-2008, 11:58 AM

when you ssh to the box, check if syslog is running:

/etc/int.d/syslogd status

start the service if it isn't:

/etc/init.d/syslogd start

check /var/log/secure too
check your pam configuration

btw, when u say somebody has played did u mean someone hacked the box?

check the command history of the user/s in the box, you might find something that would help u.

chrism01 · 06-30-2008, 08:57 PM

If you mean hacked, I'm not surprised if you've got the orig RH9 (Shrike?). Support for that was discontinued yrs ago, so its wide open to exploits.
Try RH Fedora 8 (9 just came out) which is free, or Centos, which is a free version of RH Enterprise Linux.
If you want to stick with what you've got & if you've got the time & expertise, you can try to fix it/make notes, but frankly a clean re-install is the only safe way (after backing up any key data).

suhas! · 07-02-2008, 12:44 AM

Hi All,

Thanks for your suggestions, The syslog service is running on the box and it is loggin all the login event from remote host through ssh in /var/log/secure but it is not loggin a single login attempt from TTY terminal.

And I dont mean to say that somebody has hacked the machine, but somebody working in my organization previously has done something nasty for some reason that has caused this thing.

I think I should work out on logs first which will give me direction to troubleshot the problem.

Regards

linuxlover.chaitanya · 07-02-2008, 12:50 AM

Just try single use mode and go through the /etc/passwd file.
It may have been changed. Or find out if there a file /etc/nologin.
If that file exists, delete it.

Tinkster · 07-02-2008, 01:11 AM

Have you had a look through /etc/login.defs?

Is the machine using pam for authentication?
If yes, look at pam.conf and/or pam.d/login ...

Cheers,
Tink

suhas! · 07-02-2008, 06:33 AM

Hi All,

Thanks for your response, the /etc/nologin file does not exist, and I see no problem in /etc/passwd as I am able to login through ssh from remote machine.

Following are the some file's output, I think they are ok.

# cat /etc/log.d/conf/services/pam.conf | grep -v ^#

Title = "pam"
LogFile = messages
*OnlyService = pam
*RemoveHeaders

# cat /etc/pam.d/login
#%PAM-1.0
auth required pam_securetty.so
auth required pam_stack.so service=system-auth
auth required pam_nologin.so
account required pam_stack.so service=system-auth
password required pam_stack.so service=system-auth
session required pam_stack.so service=system-auth
session optional pam_console.so

What else it could be........

linuxlover.chaitanya · 07-02-2008, 06:59 AM

Is this line creating problems "auth required pam_nologin.so" ?
Try commenting this out.

prik420 · 07-03-2008, 12:03 PM

the line:
auth required /lib/security/pam_nologin.so

only checks for the existence of /etc/nologin and denies login if the user isn't root.

i'm still looking for workaround on this. since u said that local logins aren't being logged, u might wanna take a look at ur syslog config or paste it here.

another thing u can do is run sysreport and upload the report here, that would provide more info so we can further troubleshoot this.

ppl should know to never piss off those who administer your server

Tinkster · 07-03-2008, 01:05 PM

Quote:

Originally Posted by suhas!

Hi All,

Thanks for your response, the /etc/nologin file does not exist, and I see no problem in /etc/passwd as I am able to login through ssh from remote machine.

Following are the some file's output, I think they are ok.

What else it could be........ :(

And what about /etc/login.defs ...

sahil.jammu · 07-04-2008, 08:05 AM

Kindly paste the exact output of /etc/securetty
Sometimes the additional space put in there can cause such problems.

suhas! · 07-05-2008, 04:05 AM

Hi All,

Heres the output of both file.

#cat /etc/login.defs | grep -v ^#
MAIL_DIR /var/spool/mail

PASS_MAX_DAYS 99999
PASS_MIN_DAYS 0
PASS_MIN_LEN 5
PASS_WARN_AGE 7

UID_MIN 500
UID_MAX 60000

GID_MIN 500
GID_MAX 60000

CREATE_HOME yes

# cat /etc/securetty
console
vc/1
vc/2
vc/3
vc/4
vc/5
vc/6
vc/7
vc/8
vc/9
vc/10
vc/11
tty1
tty2
tty3
tty4
tty5
tty6
tty7
tty8
tty9
tty10
tty11

Regards,

Suhas

jschiwal · 07-05-2008, 05:14 AM

Try validating the package that supplies /etc/initab. Or just post yours so we can compare.