Modified /etc/pam.d/system-auth-local and get authentication failed
I've locked myself out of RHELv5 after modifying pam files under /etc/pam.d. I was trying to setup a 4 second delay if someone fails at logging in.
I've setup a 4 second delay under /etc/login.defs And then I've also dodified /etc/pam.d/system-auth-local with the following: Code:
auth required pam_access.so Once I've rebooted, I can type in the user name, however I don't get a chance to put in the password, I get authentication failed This is what the log looks like from /var/log/secure Code:
|
Quote:
Quote:
*Also if you don't have remote console or any other Out of Band access next time set an 'at' task to undo changes after say 5 minutes? That way you can test with less risk and automagically revert back. |
I'm using the STIG requirements put out from DISA to implement these changes to /etc/pam.d. One of the STIGs is advising to modify those files Vs /etc/pam.d/sshd.
Typically, it sounds like its better to modify sshd then the system-auth and system-auth-ac files for pam.d? |
Luckily this is only a test server (a VM actually).
My end goal is to fully STIG a RHEL5/RHEL6 server, convert to template and then deploy servers from there as needed. This is the text from the DISA STIG Quote:
I'm not to terribly familiar with PAM, so I'm learning. I also know that the STIGS aren't perfect either and sometime they way they are written, they have unintended consequences. |
Quote:
Quote:
Quote:
|
Right now I'm trying to STIG RHEL5 by hand. Once I get comfortable, then I will Bash script it out to automate it. The same with RHEL6.
Once I get something solid, I would love to share it with everyone here. Until then, I keep plugging away. What kind of advise can you offer for troubelshooting/modifying PAM files in the future? Again it was only a test machine. However I want to get this fully STIGGED and into production. Something that I can use. thanks |
So had a person on a gov-sec email list email me the following changes to make:
Confirm the following: Code:
Do the following: Code:
cd /etc/pam.d Add the following into both /etc/pam.d/system-auth-ac and /etc/pam.d/system-auth-local. Once doing that, run the following: /usr/sbin/authconfig --update Code:
#%PAM-1.1 Code:
grep -V UsePam /etc/ssh/sshd_config Confirm root permissions and 0644 on /etc/ssh/sshd_config and restart the sshd daemon. I'm not sure what all of the entries under the /etc/pam.d/system-auth-ac and /etc/pam.d/system-auth-local do. If anyone can point me in a direction where I can learn more about pam, what do to and what not to do and what to backup before trying anything. I would be grateful. thanks |
All times are GMT -5. The time now is 10:32 AM. |