LinuxQuestions.org
LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
Old 09-29-2004, 06:19 AM   #1
heals1ic
Member
 
Registered: Jul 2004
Location: Sydney, Australia
Distribution: WinXP, Fedora Core 3/4
Posts: 36

Rep: Reputation: 15
RH Login Problems


I have a RH 9 Linux distro that has been working perfectly for quite a while. Unexpectedly, when I started it up in RL5 and logged in through the GUI interface, I was unable to log in through any of the user accounts set up on the machine, including root.

I keep getting a popup window stating that "authentication failed". This happens the same for all accounts. I also cannot access any files through Samba now.

I have started the machine in RL1, reset the root password and rebooted again back into RL5, but still cannot log in.

I could initially log in to RL3 and manually run "startx" for an X Windows session. But now even that login is refusing me.

I cannot work out why it is giving me so much trouble. I have run out of options within my knowledge.

Have I been hacked?

Does anybody have any ideas? Or if there is not enough info here let me know.

Cheers

Last edited by heals1ic; 09-29-2004 at 06:22 AM.
 
Old 09-29-2004, 06:13 PM   #2
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
Try rebooting into run-level 1 again and verify the integrity of the packages (especially the login and pam packages). You can use rpm -Va to verify all of them. It would probably be a good idea to run a scan with chkrootkit or rootkit hunter as well. If that still doesn't turn anything up, try rebooting the system using a "live" CD-based distro, then mount the HD read-only and perform checks of all the login related packages. Also make sure to check for any error messages in the system logs.

BTW with support for RH9 gone, have you been making sure to apply security patches on your own?
 
Old 09-29-2004, 06:40 PM   #3
heals1ic
Original Poster
I was not aware that support for RH9 was gone.

Where has it gone?

Does this mean that the up2date service will not work anymore for the RHN?

I could never really get it working anyway, as it kept returning a login error from RHN, even though I could log in to RHN through the web site using the same credentials.

This would obviously mean that I was not up to date with security patches.

How do I get these security patches? Are they similar to a service pack like Windows, or patches to individual packages?

I was just running rpm -Va from a rescue session on the original installation disk 1 and I received a segmentation fault 20 seconds after scanning /etc/squirrelmail/config.php. This does not mean much to me in relation to login issues.

The scan will not move beyond that point.

Any ideas?
 
Old 09-29-2004, 06:54 PM   #4
Capt_Caveman
Quote:
I was not aware that support for RH9 was gone. Where has it gone?
Redhat decided to focus on their Enterprise Editions, and offering free versions didn't fit into their business model.

Quote:
Does this mean that the up2date service will not work anymore for the RHN?
No, up2date won't work any longer with RH9.

Quote:
This would obviously mean that I was not up to date with security patches.
That's not good. It doesn't guarantee a compromise, but it's still not good.

Quote:
How do I get these security patches? Are they similar to a service pack like Windows, or patches to individual packages?
Duke University's YUM has a RH9 update repository, Progeny offers a fee-based update service, or you can manually download files directly from the software distributor.

Quote:
I was just running rpm -Va from a rescue session on the original installation disk 1 and I received a segmentation fault 20 seconds after scanning /etc/squirrelmail/config.php. This does not mean much to me in relation to login issues. The scan will not move beyond that point. Any ideas?
Try just scanning the login and PAM related rpms. To scan individual files, use rpm -V package_name.
 
Old 09-29-2004, 07:27 PM   #5
heals1ic
Original Poster
Scanned pam and there seemed to be no issues there. If there were how could I tell?

Sorry to have you baby me through this. I am out of my depth at this stage.

What other login packages could I target? I am not familiar with any packages other than pam.

I really appreciate your help here, as I need this system up and running ASAP; I run a small web design company and I use this server to host my web sites while I am coding them.

At the moment I cannot produce anything until I get this server working, plus I have a lot of work on it. Since this issue I have been looking into backup options so I can easily restore a working system if something like this happens again. I think Amanda seems to be the main backup software for Linux. I don't have a tape drive, but hopefully I can write to CD or DVD.

Much appreciating your help!!!!
 
Old 09-29-2004, 09:11 PM   #6
Capt_Caveman
If the package passes the verification check, there will be no output (it will just return to the command prompt after a few seconds of checking). If the package fails, it will let you know and will output what part of the verification test failed (timestamps, ownership, md5sum, etc). The /bin/login file is usually part of util-linux. You can use the rpm query option to find what version and what rpm provides it:

rpm -q --whatprovides /bin/login

I'd also check the SysVinit package. Given that the system isn't patched, you should absolutely run a check with chkrootkit and/or rootkit hunter as well.

In terms of future directions, depending on what you find, you may just want to do a full re-install from scratch with a distro that is fully supported. The backup strategy is definitely a good idea (even doing something like a redundant backup might be advisable).
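To make the rpm -V output described above concrete: each reported file carries a column of eight test flags (S size, M mode, 5 MD5 digest, D device, L symlink target, U user, G group, T mtime; newer rpm versions add a ninth, P, for file capabilities), a dot where a test passed, `?` where it could not be run, and the word `missing` when the file is gone; a `c` before the path marks a config file. The parser below is an added example, not code from the thread, that decodes those lines and sorts them into what is expected after local editing versus what deserves the closer look suggested here. The sample output is constructed, not taken from the poster's machine; the paths are files belonging to the packages the thread names.

```python
import re

# Meaning of each flag column in rpm -V output (a dot means the test passed,
# '?' means it could not be run). Older rpm, such as RH9's, prints the first
# eight columns; newer versions add P for file capabilities.
FLAG_MEANING = {
    "S": "file size differs",
    "M": "mode differs (permissions or file type)",
    "5": "MD5 digest differs",
    "D": "device major/minor number mismatch",
    "L": "readLink(2) path mismatch",
    "U": "user ownership differs",
    "G": "group ownership differs",
    "T": "mtime differs",
    "P": "capabilities differ",
}
ATTR_MEANING = {"c": "config", "d": "documentation", "g": "ghost", "l": "license", "r": "readme"}

VERIFY_RE = re.compile(
    r"^(?P<flags>[SM5DLUGTP.?]{8,9}|missing)\s+(?:(?P<attr>[cdglr])\s+)?(?P<path>/\S+)$"
)

# Constructed sample of what rpm -V could print for the packages the thread names;
# these are not results from the poster's machine.
SAMPLE_OUTPUT = """\
S.5....T    /bin/login
.......T  c /etc/pam.d/login
S.5....T  c /etc/pam.d/system-auth
.M......    /sbin/nologin
missing     /lib/security/pam_nologin.so
"""

CONTENT_TESTS = {"file size differs", "MD5 digest differs", "mtime differs"}


def parse_verify_line(line):
    """Decode one rpm -V line; None if the line is not in that format."""
    m = VERIFY_RE.match(line.rstrip())
    if not m:
        return None
    flags = m["flags"]
    missing = flags == "missing"
    return {
        "path": m["path"],
        "attr": ATTR_MEANING.get(m["attr"]),
        "missing": missing,
        "unreadable": not missing and "?" in flags,
        "failed": [] if missing else [FLAG_MEANING[c] for c in flags if c in FLAG_MEANING],
    }


def classify(entry):
    """(severity, reason): what a verify failure on this file usually means."""
    if entry["missing"]:
        return "high", "file missing from disk"
    if entry["unreadable"]:
        return "medium", "some tests could not be run (re-run as root)"
    failed = set(entry["failed"])
    if failed <= {"mtime differs"}:
        return "low", "timestamp only"
    if entry["attr"] == "config" and failed <= CONTENT_TESTS:
        return "low", "locally edited config file"
    if failed & {"MD5 digest differs", "file size differs"}:
        return "high", "contents changed on a non-config file"
    return "medium", "metadata changed: " + ", ".join(sorted(failed))


def triage(output):
    """Every decodable line as (path, severity, reason), highest severity first."""
    order = {"high": 0, "medium": 1, "low": 2}
    rows = [(e["path"],) + classify(e)
            for e in map(parse_verify_line, output.splitlines()) if e]
    return sorted(rows, key=lambda r: order[r[1]])


if __name__ == "__main__":
    for path, severity, reason in triage(SAMPLE_OUTPUT):
        print(f"{severity:6} {path}: {reason}")
```

A changed digest or size on a binary such as /bin/login is the case the thread is worried about; a changed config file under /etc/pam.d is what you expect after editing it yourself, which is why the triage treats the two differently. Feed it real output with `rpm -V util-linux pam | python3 this_script.py`-style piping only after adapting `__main__` to read stdin; as written it runs on the constructed sample.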
 
Old 09-29-2004, 10:33 PM   #7
heals1ic
Original Poster
Thanks for the advice

Ran both chkrootkit and rootkit hunter. Hunter found some vulnerabilities but that is all.

Looks like a reinstall at this point. Unless there are any more options?

Is there a way to install over the top of this installation and retain my settings for my major apps such as PHP, mysql (plus databases), samba, apache etc?
 
Old 09-29-2004, 11:55 PM   #8
Capt_Caveman
Quote:
Hunter found some vulnerabilities but that is all.
Could you post the message?

Looking back at your original post, were you doing anything that might have mangled the accounts, password files, etc? Do the logs indicate any errors?

You might be able to back up some of the config files as long as the versions are the same or if the config files haven't changed between versions. Though if you do back up any files for re-use (including any website files), make sure to visually verify that they haven't been altered. Image files should at least be scanned with some kind of AV to make sure they're clean.
 
Old 09-30-2004, 01:32 AM   #9
heals1ic
Original Poster
I was just going through the log files, in particular the secure.log file, and I think I may have found the problem. (The PC I have Linux installed on also has Windows Server 2003 and Windows XP Pro, so I used a program called Captain Nemo to access the Linux partitions from within WinXP.)

Here is the relevant log file:

Code:
Sep 27 00:29:56 linux1 sshd[3448]: Received signal 15; terminating.
Sep 27 09:19:35 linux1 sshd[3448]: Server listening on 0.0.0.0 port 22.
Sep 27 11:07:37 linux1 sshd[3448]: Received signal 15; terminating.
Sep 27 11:25:26 linux1 sshd[3448]: Server listening on 0.0.0.0 port 22.
Sep 28 01:18:18 linux1 sshd[3448]: Received signal 15; terminating.
Sep 28 09:20:59 linux1 sshd[3449]: Server listening on 0.0.0.0 port 22.
Sep 28 11:33:16 linux1 sshd[3449]: Received signal 15; terminating.
Sep 28 11:34:44 linux1 sshd[3450]: Server listening on 0.0.0.0 port 22.
Sep 28 16:51:05 linux1 sshd[3450]: Received signal 15; terminating.
Sep 28 16:55:08 linux1 sshd[3446]: Server listening on 0.0.0.0 port 22.
Sep 28 17:15:08 linux1 gdm-binary[3714]: pam_smb: Incorrect NT password for username : gytre
Sep 28 17:17:14 linux1 gdm-binary[3714]: pam_smb: Incorrect NT password for username : k
Sep 28 17:17:29 linux1 gdm-binary[3714]: pam_smb: Incorrect NT password for username : alex
Sep 28 17:31:17 linux1 sshd[3446]: Received signal 15; terminating.
Sep 28 17:32:36 linux1 sshd[3355]: Server listening on 0.0.0.0 port 22.
Sep 28 17:32:56 linux1 login: pam_ldap: ldap_simple_bind Can't contact LDAP server
Sep 28 17:32:56 linux1 login: Authentication service cannot retrieve authentication info.
Sep 28 17:33:19 linux1 login: pam_ldap: ldap_simple_bind Can't contact LDAP server
Sep 28 17:33:19 linux1 login: Authentication service cannot retrieve authentication info.
Sep 28 17:34:29 linux1 sshd[3355]: Received signal 15; terminating.
Sep 28 17:35:56 linux1 sshd[3458]: Server listening on 0.0.0.0 port 22.
Sep 28 17:37:13 linux1 login: pam_ldap: ldap_search_s No such object
Sep 28 18:03:59 linux1 xinetd[3472]: START: sgi_fam pid=3815 from=<no address>
Sep 28 18:06:50 linux1 sshd[3458]: Received signal 15; terminating.
Sep 28 18:08:17 linux1 sshd[3446]: Server listening on 0.0.0.0 port 22.
Sep 28 19:53:10 linux1 gdm-binary[3714]: pam_smb: Incorrect NT password for username : dale
Sep 28 19:53:37 linux1 last message repeated 2 times
Sep 28 19:53:56 linux1 gdm-binary[3714]: pam_smb: Incorrect NT password for username : herty
Sep 28 19:54:17 linux1 sshd[3446]: Received signal 15; terminating.
Sep 28 20:03:12 linux1 sshd[3460]: Server listening on 0.0.0.0 port 22.
Sep 28 20:03:34 linux1 login: pam_ldap: ldap_simple_bind Can't contact LDAP server
Sep 28 20:03:34 linux1 login: Authentication service cannot retrieve authentication info.
Sep 28 20:04:20 linux1 sshd[3460]: Received signal 15; terminating.
Sep 28 20:05:53 linux1 sshd[3432]: Server listening on 0.0.0.0 port 22.
Sep 28 20:13:19 linux1 login: pam_ldap: ldap_search_s No such object
Sep 28 22:08:00 linux1 sshd[3432]: Received signal 15; terminating.
Sep 28 22:09:25 linux1 sshd[3446]: Server listening on 0.0.0.0 port 22.
Sep 29 00:16:08 linux1 sshd[3446]: Received signal 15; terminating.
Sep 29 09:01:28 linux1 sshd[3448]: Server listening on 0.0.0.0 port 22.
Sep 29 09:05:58 linux1 sshd[3448]: Received signal 15; terminating.
Sep 29 09:07:24 linux1 sshd[3434]: Server listening on 0.0.0.0 port 22.
Sep 29 09:11:13 linux1 login: pam_ldap: ldap_search_s No such object
Sep 29 09:11:29 linux1 xinetd[3449]: START: sgi_fam pid=3754 from=<no address>
Sep 29 09:30:55 linux1 sshd[3434]: Received signal 15; terminating.
Sep 29 09:32:22 linux1 sshd[3448]: Server listening on 0.0.0.0 port 22.
Sep 29 09:35:28 linux1 sshd[3448]: Received signal 15; terminating.
Sep 29 09:36:54 linux1 sshd[3434]: Server listening on 0.0.0.0 port 22.
Sep 29 09:37:52 linux1 login: pam_ldap: ldap_search_s No such object
Sep 29 09:38:12 linux1 xinetd[3449]: START: sgi_fam pid=3748 from=<no address>
Sep 29 17:34:05 linux1 sshd[3434]: Received signal 15; terminating.
Sep 29 17:35:56 linux1 sshd[3565]: Server listening on 0.0.0.0 port 22.
Sep 29 17:36:27 linux1 login: pam_ldap: ldap_simple_bind Can't contact LDAP server
Sep 29 17:36:27 linux1 login: Authentication service cannot retrieve authentication info.
Sep 29 17:36:51 linux1 login: pam_ldap: ldap_simple_bind Can't contact LDAP server
Sep 29 17:36:51 linux1 login: Authentication service cannot retrieve authentication info.
Sep 29 17:37:04 linux1 login: pam_ldap: ldap_simple_bind Can't contact LDAP server
Sep 29 17:37:04 linux1 login: Authentication service cannot retrieve authentication info.
Sep 29 17:37:10 linux1 login[3843]: pam_smb: Incorrect NT password for username : root
Sep 29 17:37:36 linux1 sshd[3565]: Received signal 15; terminating.
Sep 29 17:51:27 linux1 sshd[3563]: Server listening on 0.0.0.0 port 22.
Sep 29 17:52:01 linux1 login: pam_ldap: ldap_simple_bind Can't contact LDAP server
Sep 29 17:52:01 linux1 login: Authentication service cannot retrieve authentication info.
Sep 29 17:52:09 linux1 login: pam_ldap: ldap_simple_bind Can't contact LDAP server
Sep 29 17:52:09 linux1 login: Authentication service cannot retrieve authentication info.
Sep 29 17:52:22 linux1 login[3840]: pam_smb: Incorrect NT password for username : root
Sep 29 17:52:33 linux1 login[3840]: pam_smb: Incorrect NT password for username : dale
Sep 29 17:52:40 linux1 login[3840]: pam_smb: Incorrect NT password for username : 
Sep 29 17:52:44 linux1 login[3840]: pam_smb: Incorrect NT password for username : 
Sep 29 17:53:01 linux1 login: pam_ldap: ldap_simple_bind Can't contact LDAP server
Sep 29 17:53:01 linux1 login: Authentication service cannot retrieve authentication info.
Sep 29 17:53:14 linux1 login[3846]: pam_smb: Incorrect NT password for username : ROOT
Sep 29 17:53:40 linux1 login[3848]: pam_smb: Incorrect NT password for username : root
Sep 29 18:16:28 linux1 login: pam_ldap: ldap_simple_bind Can't contact LDAP server
Sep 29 18:16:28 linux1 login: Authentication service cannot retrieve authentication info.
Sep 29 18:34:59 linux1 sshd[3563]: Received signal 15; terminating.
Sep 29 18:36:48 linux1 sshd[3564]: Server listening on 0.0.0.0 port 22.
Sep 29 21:10:13 linux1 sshd[3564]: Received signal 15; terminating.
Sep 29 21:11:52 linux1 sshd[3564]: Server listening on 0.0.0.0 port 22.
Sep 29 21:14:30 linux1 sshd[3564]: Received signal 15; terminating.
Sep 29 21:16:15 linux1 sshd[3564]: Server listening on 0.0.0.0 port 22.
Sep 29 21:19:44 linux1 sshd[3564]: Received signal 15; terminating.
Sep 29 21:22:30 linux1 sshd[3563]: Server listening on 0.0.0.0 port 22.
Sep 29 22:34:44 linux1 login: pam_ldap: ldap_simple_bind Can't contact LDAP server
Sep 29 22:34:44 linux1 login: Authentication service cannot retrieve authentication info.
Sep 30 00:42:41 linux1 sshd[3563]: Received signal 15; terminating.
I am suspicious of the
Code:
pam_ldap: ldap_simple_bind Can't contact LDAP server
as I am not running an LDAP server as far as I am aware.

Also
Code:
sshd[3564]: Server listening on 0.0.0.0 port 22
doesn't seem right as well.

What do you think?
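The pairing the poster has spotted in this excerpt, `pam_ldap: ldap_simple_bind Can't contact LDAP server` immediately followed by `Authentication service cannot retrieve authentication info.` in the same second, is what separates "the directory is unreachable" from "the password was rejected". The script below is an added example, not something from the thread, that parses lines in this /var/log/secure format and tallies the pam_ldap bind failures, the login failures that directly follow them, the pam_smb bad-password attempts per username, and the routine sshd start-ups. The sample lines are a constructed subset in the same format; the hostname `linux1` and the usernames come from the excerpt above.

```python
import re
from collections import Counter

# Constructed sample in the format of the /var/log/secure excerpt above
# (hostname and usernames taken from the excerpt; a subset, not the full log).
SAMPLE_LOG = """\
Sep 28 17:15:08 linux1 gdm-binary[3714]: pam_smb: Incorrect NT password for username : gytre
Sep 28 17:32:36 linux1 sshd[3355]: Server listening on 0.0.0.0 port 22.
Sep 28 17:32:56 linux1 login: pam_ldap: ldap_simple_bind Can't contact LDAP server
Sep 28 17:32:56 linux1 login: Authentication service cannot retrieve authentication info.
Sep 28 17:34:29 linux1 sshd[3355]: Received signal 15; terminating.
Sep 28 17:37:13 linux1 login: pam_ldap: ldap_search_s No such object
Sep 29 17:37:04 linux1 login: pam_ldap: ldap_simple_bind Can't contact LDAP server
Sep 29 17:37:04 linux1 login: Authentication service cannot retrieve authentication info.
Sep 29 17:37:10 linux1 login[3843]: pam_smb: Incorrect NT password for username : root
Sep 29 17:53:14 linux1 login[3846]: pam_smb: Incorrect NT password for username : ROOT
"""

# Classic syslog line: "Mon DD HH:MM:SS host prog[pid]: message"
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)

LDAP_DOWN = "pam_ldap: ldap_simple_bind Can't contact LDAP server"
AUTH_INFO_UNAVAILABLE = "Authentication service cannot retrieve authentication info"
SMB_BAD_PASSWORD = "pam_smb: Incorrect NT password for username"


def parse(text):
    """Split the log into dicts with ts/host/prog/pid/msg; skip lines that don't fit."""
    events = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def summarize(events):
    """Count the auth-relevant messages and check whether each 'cannot retrieve
    authentication info' failure directly follows an LDAP bind failure logged in
    the same second, i.e. the login died because the directory was unreachable,
    not because a password was rejected."""
    summary = {
        "ldap_unreachable": 0,
        "auth_info_unavailable": 0,
        "unavailable_after_ldap_down": 0,
        "smb_bad_password": Counter(),
        "sshd_starts": 0,
    }
    prev = None
    for ev in events:
        msg = ev["msg"]
        if LDAP_DOWN in msg:
            summary["ldap_unreachable"] += 1
        elif msg.startswith(AUTH_INFO_UNAVAILABLE):
            summary["auth_info_unavailable"] += 1
            if prev and LDAP_DOWN in prev["msg"] and prev["ts"] == ev["ts"]:
                summary["unavailable_after_ldap_down"] += 1
        elif SMB_BAD_PASSWORD in msg:
            user = msg.rsplit(":", 1)[1].strip()
            summary["smb_bad_password"][user or "<empty>"] += 1
        elif ev["prog"] == "sshd" and msg.startswith("Server listening"):
            summary["sshd_starts"] += 1   # routine: sshd (re)started, nothing to chase
        prev = ev
    return summary


def verdict(summary):
    """One-line reading of the numbers, the way the thread eventually read them."""
    if (summary["auth_info_unavailable"]
            and summary["unavailable_after_ldap_down"] == summary["auth_info_unavailable"]):
        return "every login failure follows an unreachable LDAP server: check the PAM account stack"
    if summary["auth_info_unavailable"]:
        return "some login failures are not explained by LDAP being down: look further"
    return "no 'authentication info' failures in this window"


if __name__ == "__main__":
    s = summarize(parse(SAMPLE_LOG))
    for key, value in s.items():
        print(f"{key}: {dict(value) if isinstance(value, Counter) else value}")
    print(verdict(s))
```

The pam_smb counter is kept separately because bad-password entries for `root`/`ROOT` and for empty usernames are the lines worth reading on their own: here they sit right after the LDAP failures and match a user retrying at the console, but the same shape from a remote source would be a different conversation.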
 
Old 09-30-2004, 08:30 AM   #10
Capt_Caveman
You might want to try commenting out any of the pam_ldap entries in the /etc/pam.d/login and /etc/pam.d/system-auth files. You can also try adding authinfo_unavail=ignore to the account entry of the system-auth files as well. If that doesn't work, post the contents of those 2 files. The ssh message is normal.

Last edited by Capt_Caveman; 09-30-2004 at 08:31 AM.
 
Old 09-30-2004, 05:59 PM   #11
heals1ic
Original Poster
Here are the 2 files:

/etc/pam.d/login

Code:
#%PAM-1.0
auth       required	pam_securetty.so
auth       required	pam_stack.so service=system-auth
auth       required	pam_nologin.so
account    required	pam_stack.so service=system-auth
password   required	pam_stack.so service=system-auth
session    required	pam_stack.so service=system-auth
session    optional	pam_console.so
/etc/pam.d/system-auth

Code:
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/$ISA/pam_ldap.so use_first_pass
auth        sufficient    /lib/security/$ISA/pam_smb_auth.so use_first_pass nolocal
auth        required      /lib/security/$ISA/pam_deny.so

account     required      /lib/security/$ISA/pam_unix.so
account     [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore] /lib/security/$ISA/pam_ldap.so

password    required      /lib/security/$ISA/pam_cracklib.so retry=3 type=
password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow nis
password    sufficient    /lib/security/$ISA/pam_ldap.so use_authtok
password    required      /lib/security/$ISA/pam_deny.so

session     required      /lib/security/$ISA/pam_limits.so
session     required      /lib/security/$ISA/pam_unix.so
session     optional      /lib/security/$ISA/pam_ldap.so
As you can see, there are no pam_ldap entries in the login file.

For the system-auth file shall I add the "authinfo_unavail=ignore" to the accounts section and comment out the 3 lines containing pam_ldap?
 
Old 09-30-2004, 07:22 PM   #12
Capt_Caveman
I'd comment them out completely and if that doesn't work, then try adding the "authinfo_unavail=ignore" to the account entry inside the brackets, like:

Code:
account     [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore authinfo_unavail=ignore] /lib/security/$ISA/pam_ldap.so
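Why that one token fixes the login: when the LDAP server cannot be reached, pam_ldap's account check returns authinfo_unavail, and the bracketed control above maps every return value it does not list to `default=bad`, so the account stack fails even though pam_unix has already accepted the local user. The Python below is an added example (not from the thread and not Linux-PAM's own code) that parses system-auth style lines, expands the required/requisite/sufficient/optional keywords to their bracket form as documented in pam.conf(5), walks the account stack with a simplified version of Linux-PAM's dispatch rules, and applies the same `authinfo_unavail=ignore` edit. The two-line account stack it evaluates is copied from the file posted above; the return values fed to pam_ldap are assumed for the demonstration.

```python
import re

# Simple control keywords expanded to their bracket form, as documented in pam.conf(5).
KEYWORDS = {
    "required":   "[success=ok new_authtok_reqd=ok ignore=ignore default=bad]",
    "requisite":  "[success=ok new_authtok_reqd=ok ignore=ignore default=die]",
    "sufficient": "[success=done new_authtok_reqd=done default=ignore]",
    "optional":   "[success=ok new_authtok_reqd=ok default=ignore]",
}

LINE_RE = re.compile(
    r"^(?P<type>auth|account|password|session)\s+"
    r"(?P<control>\[[^\]]*\]|\S+)\s+(?P<module>\S+)\s*(?P<args>.*)$"
)

# The account stack exactly as posted in the thread (other stacks omitted here).
SYSTEM_AUTH_ACCOUNT = """\
account     required      /lib/security/$ISA/pam_unix.so
account     [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore] /lib/security/$ISA/pam_ldap.so
"""


def parse_pam_line(line):
    """One system-auth style line -> dict, or None for comments and blank lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ctl = KEYWORDS.get(m["control"], m["control"])
    table = dict(tok.split("=", 1) for tok in ctl.strip("[]").split())
    return {"type": m["type"], "control": table,
            "module": m["module"].rsplit("/", 1)[-1], "args": m["args"].split()}


def action_for(control, retval):
    """Action for a module return value; Linux-PAM treats a value that is neither
    listed nor covered by default= as bad."""
    return control.get(retval, control.get("default", "bad"))


def run_stack(config_text, stack_type, results):
    """Simplified Linux-PAM dispatch over one stack. `results` maps module file
    name -> the return value it would give; modules not listed return success.
    Returns ('success' | 'failure', trace of (module, retval, action))."""
    entries = [e for e in map(parse_pam_line, config_text.splitlines())
               if e and e["type"] == stack_type]
    status, trace, i = None, [], 0          # status: None (no impression), "ok", "bad"
    while i < len(entries):
        e = entries[i]
        retval = results.get(e["module"], "success")
        act = action_for(e["control"], retval)
        trace.append((e["module"], retval, act))
        jump = 0
        if act.isdigit():                    # N: behaves like ok, then skips N modules
            jump, act = int(act), "ok"
        if act == "ok":
            status = status or "ok"          # ok never overrides an earlier failure
        elif act == "bad":
            status = "bad"                   # fail, but keep running the stack
        elif act == "die":
            return "failure", trace
        elif act == "done":
            return ("failure" if status == "bad" else "success"), trace
        elif act == "reset":
            status = None
        # "ignore": no effect on the outcome
        i += 1 + jump
    return ("success" if status == "ok" else "failure"), trace


def add_control_action(config_text, stack_type, module, key, action):
    """Append key=action inside the bracketed control of the matching line
    (the edit made in the thread); every other line is returned unchanged."""
    out = []
    for line in config_text.splitlines():
        e = parse_pam_line(line)
        if (e and e["type"] == stack_type and e["module"] == module
                and key not in e["control"] and line.lstrip().split()[1].startswith("[")):
            line = line.replace("]", f" {key}={action}]", 1)
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    ldap_down = {"pam_ldap.so": "authinfo_unavail"}
    print("as posted:", run_stack(SYSTEM_AUTH_ACCOUNT, "account", ldap_down))
    fixed = add_control_action(SYSTEM_AUTH_ACCOUNT, "account", "pam_ldap.so",
                               "authinfo_unavail", "ignore")
    print("with authinfo_unavail=ignore:", run_stack(fixed, "account", ldap_down))
```

The trace makes the difference visible: as posted, pam_ldap's `authinfo_unavail` lands on `default=bad` and the stack ends in failure; with the extra token it lands on `ignore` and pam_unix's `ok` stands. The same evaluator shows why `user_unknown=ignore` already let LDAP-less local users through when the directory was reachable, and why commenting the pam_ldap lines out entirely, the first suggestion in the thread, works just as well.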
 
Old 09-30-2004, 08:20 PM   #13
heals1ic
Original Poster
------ !!!!!!!! SUCCESS !!!!!!!! --------

After adding the "authinfo_unavail=ignore" to the specified line.

You saved my bacon!!

I will now look at following some of the advice listed from your footer link "Security References & HOWTOs". Some interesting and probably essential reading to be done. Your help has enabled me to learn more about my system, thanks.

I will have a look at the updates for my packages from now on.

Much much appreciated for all your help.

Thanks for sticking with me.

Cheers. ;-)

Last edited by heals1ic; 09-30-2004 at 08:47 PM.
 
  


All times are GMT -5.