Old 02-16-2011, 11:50 AM
Nico Kadel-Garcia
 
Default Authentication Problems

On Wed, Feb 16, 2011 at 7:43 AM, James Bensley <jwbensley@gmail.com> wrote:
> On 16 Feb 2011 12:34, "Nico Kadel-Garcia" <nkadel@gmail.com> wrote:
>>
>> Uh-oh. Has your developer, or you, been editing the /etc/passwd,
>> /etc/shadow, /etc/group, or /etc/gshadow files manually?
>
> Nope.
>
>> And do you
>> use NIS or LDAP for authentication?
>
> Nope.
>
>> And this is a publicly exposed
>> webserver, right? How fast can you rebuild it if it's been rootkitted?
>
> How long is a piece of string? As quick as I can reupload the data, but
> that's another issue for another day.
>
>> Check the /etc/shadow and /etc/group for consistent numbers of
>> entries, and /etc/group and /etc/gshadow.
>
> Do you mean duplicate entries? If so there are none of those.

No, I mean the same number of entries.

wc /etc/shadow /etc/passwd                                 # line counts should agree
cut -f1 -d: /etc/shadow /etc/passwd | sort | uniq -c       # every username should appear twice

And actually go line by line down these files, checking for matching
usernames, correct layout of ':' separated entries, correct numbers of
entries, and blank lines. I've seen serious problems where one or the
other of these files were corrupted by something, especially badly
written installer scripts that only edited /etc/passwd directly and
ignored /etc/shadow, or which mishandled "$" entries in newly created
encrypted passwords.

>> Do you have other users who
>> can still log in or not?
>
> There is only the root and web dev user on this box.
>
> Thanks for your input Nico
>
> --James. (This email was sent from a mobile device)

Are you *sure*? Can you back this thing up for review and rebuilding?
It might be safest to image it for analysis and simply rebuild it.
_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
 
Old 02-16-2011, 11:59 AM
David Sommerseth
 
Default Authentication Problems

On 16/02/11 13:28, James Bensley wrote:
> Hi List,
>
> We have a CentOS VPS running a web site in a DC far away. The chap that
> dev's this site told me he couldn't SFTP in yesterday, his password was
> being rejected (I went to his desk to confirm and saw it was telling him
> the password was incorrect but neither him nor me had changed it and we are
> the only two with access to this VPS). So I logged in as root and reset his
> password, but he still couldn't log in (same problem, claiming the password
> was wrong).
>
> [root@server ~]# passwd webdevuser
> Changing password for user webdevuser.
> New UNIX password:
> Retype new UNIX password:
> passwd: all authentication tokens updates successfully.
>
> I tried to SSH in as the web dev user and it wouldn't let me in. Returning
> back to my root console window;
>
> [root@server ~]# su - webdevuser
> [webdevuser@server ~]# passwd
> Changing password for user webdevuser.
> Changing password for webdevuser.
> (current) UNIX password:
> passwd: Authentication token manipulation error
>
> Firstly; I am scratching my head as to why his password was no longer
> working in the first place?
>
> Secondly; Why I can't reset it?
>
> Googling around many people suggest there is a discrepancy between the
> /etc/passwd and /etc/shadow files and by deleting /etc/shadow and using
> pwconv to recreate shadow and the same for /etc/groups, deleting gshadow
> recreating it with grpconv will solve the problem but I still can't login
> as the web dev user.
>
> Any ideas anyone?

- Could the account have become locked somehow? (passwd -u $user) Or
could the account have become expired?

- Are the permissions strict on the users ~/.ssh? (0700 on the directory,
and 0600 on any files inside that directory - like authorized_keys ...)

- Is SELinux in Enforced mode and are the SELinux file context correct on
/home? (restorecon -rv /home)


Also double check /var/log/messages, /var/log/secure and
/var/log/audit/audit.log carefully when trying to log in as that user.


kind regards,

David Sommerseth

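The passwd/shadow cross-check Nico describes above (matching usernames, field counts, blank lines, sane hash fields), together with David's locked/expired-account question, as an added example in Python. This is not code from the thread; the account data embedded in it is constructed, and the function names are my own.

```python
"""Consistency audit for /etc/passwd and /etc/shadow (added example, not from the thread)."""
import time

PASSWD_FIELDS = 7   # name:x:uid:gid:gecos:home:shell
SHADOW_FIELDS = 9   # name:hash:lastchg:min:max:warn:inactive:expire:reserved


def parse_colon_file(text, expected_fields, label):
    """Return ({name: fields}, [problems]) for a colon-separated account file."""
    entries, problems = {}, []
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.strip() == "":
            problems.append(f"{label}:{lineno}: blank line")
            continue
        fields = line.split(":")
        if len(fields) != expected_fields:
            problems.append(f"{label}:{lineno}: {len(fields)} fields, expected {expected_fields}")
            continue
        name = fields[0]
        if name in entries:
            problems.append(f"{label}:{lineno}: duplicate entry for {name}")
        entries[name] = fields
    return entries, problems


def audit_accounts(passwd_text, shadow_text, now=None):
    """Cross-check passwd against shadow and flag accounts that cannot (or should not) log in."""
    now_days = int((now if now is not None else time.time()) // 86400)
    passwd, problems = parse_colon_file(passwd_text, PASSWD_FIELDS, "passwd")
    shadow, shadow_problems = parse_colon_file(shadow_text, SHADOW_FIELDS, "shadow")
    problems += shadow_problems

    # Nico's check: the same set of usernames must appear in both files.
    for name in sorted(set(passwd) - set(shadow)):
        problems.append(f"{name}: in passwd but missing from shadow")
    for name in sorted(set(shadow) - set(passwd)):
        problems.append(f"{name}: in shadow but missing from passwd")

    # David's check: locked or expired accounts, plus odd-looking hash fields.
    for name, fields in sorted(shadow.items()):
        hashval, expire = fields[1], fields[7]
        if hashval.startswith("!") or hashval.startswith("*"):
            problems.append(f"{name}: password locked ({hashval[:2]}...)")
        elif hashval == "":
            problems.append(f"{name}: EMPTY password field, logs in with no password")
        elif not hashval.startswith("$"):
            problems.append(f"{name}: hash does not start with '$' (legacy DES or corrupted)")
        if expire.isdigit() and int(expire) <= now_days:
            problems.append(f"{name}: account expired on day {expire}")
    return problems


# Constructed sample data: one orphaned user, one blank line, one short line,
# one locked password and one expired account.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
webdevuser:x:500:500::/home/webdevuser:/usr/local/cpanel/bin/jailshell
webmaster:x:501:501::/home/webmaster:/bin/bash
orphan:x:502:502::/home/orphan:/bin/bash

badline:x:503
"""
SAMPLE_SHADOW = """root:$6$saltsalt$examplehashvalue:15000:0:99999:7:::
webdevuser:!$6$saltsalt$examplehashvalue:15000:0:99999:7:::
webmaster:$6$saltsalt$examplehashvalue:14000:0:99999:7::15000:
"""

if __name__ == "__main__":
    # On a real box run this as root so /etc/shadow is readable.
    try:
        with open("/etc/passwd") as p, open("/etc/shadow") as s:
            findings = audit_accounts(p.read(), s.read())
    except (PermissionError, FileNotFoundError):
        findings = ["(cannot read /etc/shadow here; auditing the constructed sample instead)"]
        findings += audit_accounts(SAMPLE_PASSWD, SAMPLE_SHADOW, now=15001 * 86400)
    print("\n".join(findings) or "no problems found")
```

The expiry comparison uses days since the epoch, the unit shadow(5) stores in field 8, so `now` is passed as seconds and converted once. A `!` or `*` prefix on the hash is what `passwd -l` (or a never-set password) leaves behind, which is the state `passwd -u` reverses.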
 
Old 02-16-2011, 12:08 PM
Kwan Lowe
 
Default Authentication Problems

On Wed, Feb 16, 2011 at 7:28 AM, James Bensley <jwbensley@gmail.com> wrote:

> [root@server ~]# su - webdevuser
> [webdevuser@server ~]# passwd
> Changing password for user webdevuser.
> Changing password for webdevuser.
> (current) UNIX password:
> passwd: Authentication token manipulation error

A lot of things can cause this, including a full /var filesystem :/
 
Old 02-16-2011, 01:13 PM
James Bensley
 
Default Authentication Problems

Thanks to all for your various replies....

On 16 February 2011 12:50, Nico Kadel-Garcia <nkadel@gmail.com> wrote:
>>> Check the /etc/shadow and /etc/group for consistent numbers of
>>> entries, and /etc/group and /etc/gshadow.
>>
>> Do you mean duplicate entries? If so there are none of those.
>
> No, I mean the same number of entries.
>
> wc /etc/shadow /etc/passwd
> cut -f1 -d: /etc/shadow /etc/passwd | sort | uniq -c

This came back 2 for each user, so no differences.

> And actually go line by line down these files, checking for matching
> usernames, correct layout of ':' separated entries, correct numbers of
> entries, and blank lines. I've seen serious problems where one or the
> other of these files were corrupted by something, especially badly
> written installer scripts that only edited /etc/passwd directly and
> ignored /etc/shadow, or which mishandled "$" entries in newly created
> encrypted passwords.

I'm now going through this although it's all looking intact.

>>> Do you have other users who
>>> can still log in or not?
>>
>> There is only the root and web dev user on this box.
>>
> Are you *sure*? Can you back this thing up for review and rebuilding?
> It might be safest to image it for analysis and simply rebuild it.

Yes, but I like to fix things. If I can't fix this I will restore the
box but for now I'm going to continue troubleshooting. The root user
and web dev user are the only two that have a hash value in the passwd
file so I would expect this to mean they are the only two users that
can actually log in?



On 16 February 2011 12:59, David Sommerseth <dazo@users.sourceforge.net> wrote:
> - Could the account have become locked somehow? (passwd -u $user) Or
> could the account have become expired?

[root@server ~]# passwd -u futuread.
Unlocking password for user futuread.
paswd: Success.

But I still get access denied.

> - Are the permissions strict on the users ~/.ssh? (0700 on the directory,
> and 0600 on any files inside that directory - like authorized_keys ...)

If I remove execute permissions from the web dev home folder a website
will stop working, it's within that user's home folder. I.e. virtual
site1 is inside the home folder of user 'virtual1' and virtual site2
is within the home folder of the user 'virtual2'. The web dev chap
logs in as say virtual1 and edits all sites with that account. There
is no .ssh subfolder in the home folder? Could this be the problem? If
he saw it in there and deleted it perhaps (although I imagine it would
just be recreated if needed?).

> - Is SELinux in Enforced mode and are the SELinux file context correct on
> /home? (restorecon -rv /home)

[root@server ~]# getenforce
Disabled

> Also double check /var/log/messages, /var/log/secure and
> /var/log/audit/audit.log carefully when trying to log in as that user.

/var/log/audit is empty. Is this normal? This VPS comes initially
configured from the provider. /var/log/messages and /var/log/secure
both just show a generic invalid login attempt:

/var/log/messages:
Feb 16 13:53:58 server1882 sshd(pam_unix)[16225]: authentication
failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=1.2.3.4
user=webdevuser

/var/log/secure:
Feb 16 13:53:50 server1882 sshd[16225]: Failed password for futuread
from ::ffff:1.2.3.4 port 1536 ssh2



On 16 February 2011 13:08, Kwan Lowe <kwan.lowe@gmail.com> wrote:
> A lot of things can cause this, including a full /var filesystem :/

Nope, only 75% full (60GB filesystem), there's some room left in her yet



Thanks everyone for your help so far, it's really appreciated.

--
James.

http://www.jamesbensley.co.cc/
There are 10 kinds of people in the world; Those who understand
Vigesimal, and J others...?
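The two log lines James quotes above (the sshd "Failed password" line in /var/log/secure and the pam_unix "authentication failure" line in /var/log/messages) share an sshd pid, so they can be tied together and checked against each other. As an added example, not code from the thread, here is a small Python parser for both formats; the sample lines are constructed (the first two are modelled on James's, unwrapped, plus two made-up brute-force lines and one accepted login), and the regex and function names are mine.

```python
"""Parse and correlate sshd / pam_unix failure lines (added example, not from the thread)."""
import re
from collections import Counter

# sshd's own line, as found in /var/log/secure
SECURE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<rhost>\S+) port (?P<port>\d+)"
)
# pam_unix's line, as found in /var/log/messages on this CentOS release
PAM_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\(pam_unix\)\[(?P<pid>\d+)\]: "
    r"authentication failure;.*?rhost=(?P<rhost>\S*) user=(?P<user>\S+)"
)


def parse_auth_failures(lines):
    """Return one dict per failure line; lines that are neither format are skipped."""
    events = []
    for line in lines:
        m = SECURE_RE.match(line) or PAM_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        d["source"] = "sshd" if "Failed password" in line else "pam_unix"
        d["pid"] = int(d["pid"])
        # sshd on a dual-stack socket logs IPv4 peers as ::ffff:a.b.c.d; normalise
        if d["rhost"].startswith("::ffff:"):
            d["rhost"] = d["rhost"][len("::ffff:"):]
        events.append(d)
    return events


def correlate_by_pid(events):
    """Group failures by sshd pid. The sshd line and the pam_unix line for one
    session should name the same user; when they do not, the two logs are not
    telling the same story, and that needs explaining before either is trusted."""
    by_pid = {}
    for e in events:
        by_pid.setdefault(e["pid"], []).append(e)
    mismatched = {}
    for pid, evs in by_pid.items():
        users = {e["user"] for e in evs}
        if len(users) > 1:
            mismatched[pid] = sorted(users)
    return by_pid, mismatched


def failures_per_source(events):
    """Count sshd failures per (user, rhost): a quick brute-force / wrong-password tally."""
    return Counter((e["user"], e["rhost"]) for e in events if e["source"] == "sshd")


# Constructed sample lines (the first two follow the pair quoted in the thread).
SAMPLE_LOGS = [
    "Feb 16 13:53:50 server1882 sshd[16225]: Failed password for futuread from ::ffff:1.2.3.4 port 1536 ssh2",
    "Feb 16 13:53:58 server1882 sshd(pam_unix)[16225]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=1.2.3.4 user=webdevuser",
    "Feb 16 13:54:10 server1882 sshd[16230]: Failed password for invalid user admin from ::ffff:10.9.8.7 port 40122 ssh2",
    "Feb 16 13:54:12 server1882 sshd[16230]: Failed password for invalid user admin from ::ffff:10.9.8.7 port 40123 ssh2",
    "Feb 16 13:54:20 server1882 sshd[16240]: Accepted password for root from ::ffff:1.2.3.4 port 1540 ssh2",
]

if __name__ == "__main__":
    evs = parse_auth_failures(SAMPLE_LOGS)
    by_pid, mismatched = correlate_by_pid(evs)
    for (user, rhost), n in failures_per_source(evs).most_common():
        print(f"{n:3d} failed password(s) for {user!r} from {rhost}")
    for pid, users in mismatched.items():
        print(f"pid {pid}: sshd and pam_unix disagree on the user: {users}")
```

Run against real files with `parse_auth_failures(open("/var/log/secure").read().splitlines() + open("/var/log/messages").read().splitlines())`. The "invalid user" variant is matched too, so the tally separates guesses at non-existent accounts from wrong passwords for real ones, which is the distinction that matters when deciding whether a failure is the developer's or someone else's.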
 
Old 02-16-2011, 01:16 PM
James Bensley
 
Default Authentication Problems

On 16 February 2011 13:00, ... wrote:
> you realize that there are no passwords in /etc/passwd, so if you
> delete /etc/shadow and rebuild it using pwconv there will be no
> passwords in the new /etc/shadow... depending on the exact state,
> you either won't be able to log in, or the machine will be totally
> open.

Yes sorry I meant that the other way round

> i'd suggest looking at the log files (/var/log/secure and
> .../messages), for indications of why you're having trouble logging
> in as the other user. you can also, in a terminal window from a
> "mere mortal" (not root) login, try:
>
> su - <user>
>
> as that may give you some feedback. something like having an invalid
> shell will cause what you're seeing.

As root, if I 'su - webdevuser' it doesn't prompt me for a password
and drops me in as the user, presumably what is intended?

--
James.

http://www.jamesbensley.co.cc/
There are 10 kinds of people in the world; Those who understand
Vigesimal, and J others...?
 
Old 02-16-2011, 01:17 PM
 
Default Authentication Problems

Nico Kadel-Garcia wrote:
> On Wed, Feb 16, 2011 at 7:43 AM, James Bensley <jwbensley@gmail.com>
> wrote:
>> On 16 Feb 2011 12:34, "Nico Kadel-Garcia" <nkadel@gmail.com> wrote:
<snip>
>>> Do you have other users who
>>> can still log in or not?
>>
>> There is only the root and web dev user on this box.
<snip>
What does lastlog | grep -v Never show you?

mark

 
Old 02-16-2011, 01:27 PM
James Bensley
 
Default Authentication Problems

On 16 February 2011 14:17, <m.roth@5-cent.us> wrote:
> What does lastlog | grep -v Never show you?
>

Hi Mark,

This has shown something (potentially) interesting:

[root@server ~]# lastlog | grep -v Never
Username Port From Latest
root pts/2 x.x.x.x Wed Feb 16 13:41:40 +0000 2011
webmaster pts/2 y.y.y.y Sun Dec 14 03:46:07 +0000 2008

So, I am logged in as root right now, however, the 'webmaster' entry
is what is interesting me. The y.y.y.y address is the web dev's
address (he hasn't logged in since Sunday, he notified me yesterday
when he tried to get back on that he couldn't).

However he always uses the webdev account which lastlog shows as never
logged in, so when accessing the VPS as the webdev user account are we
somehow actually accessing the VPS as webmaster? Is it possible the
VPS providers performed some crazy voodoo magic here?

Perhaps I should change the password for the webmaster account (this
doesn't have one according to the passwd file), so I could 'su -
webmaster', set a password and then try and login as the webdev user?
Or is this possibly going to make matters worse?

--
James.

http://www.jamesbensley.co.cc/
There are 10 kinds of people in the world; Those who understand
Vigesimal, and J others...?
 
Old 02-16-2011, 01:48 PM
David Sommerseth
 
Default Authentication Problems

On 16/02/11 15:16, James Bensley wrote:
>> i'd suggest looking at the log files (/var/log/secure and
>> .../messages), for indications of why you're having trouble logging
>> in as the other user. you can also, in a terminal window from a
>> "mere mortal" (not root) login, try:
>>
>> su - <user>
>>
>> as that may give you some feedback. something like having an invalid
>> shell will cause what you're seeing.
> As root, if I 'su - webdevuser' it doesn't prompt me for a password
> and drops me in as the user, presumably what is intended?
>

This is normal behaviour. root can su to whichever user without being
asked for any password by default.


kind regards,

David Sommerseth


 
Old 02-16-2011, 01:50 PM
Jeff
 
Default Authentication Problems

On Wed, Feb 16, 2011 at 6:28 AM, James Bensley <jwbensley@gmail.com> wrote:
> Hi List,
>
> We have a CentOS VPS running a web site in a DC far away. The chap that
> dev's this site told me he couldn't SFTP in yesterday, his password was
> being rejected (I went to his desk to confirm and saw it was telling him the
> password was incorrect but neither him nor me had changed it and we are the
> only two with access to this VPS). So I logged in as root and reset his
> password, but he still couldn't log in (same problem, claiming the password
> was wrong).
>
> [root@server ~]# passwd webdevuser
> Changing password for user webdevuser.
> New UNIX password:
> Retype new UNIX password:
> passwd: all authentication tokens updates successfully.
>
> I tried to SSH in as the web dev user and it wouldn't let me in. Returning
> back to my root console window;
>
> [root@server ~]# su - webdevuser
> [webdevuser@server ~]# passwd
> Changing password for user webdevuser.
> Changing password for webdevuser.
> (current) UNIX password:
> passwd: Authentication token manipulation error
>
> Firstly; I am scratching my head as to why his password was no longer
> working in the first place?
>
> Secondly; Why I can't reset it?
>
> Googling around many people suggest there is a discrepancy between the
> /etc/passwd and /etc/shadow files and by deleting /etc/shadow and using
> pwconv to recreate shadow and the same for /etc/groups, deleting gshadow
> recreating it with grpconv will solve the problem but I still can't login as
> the web dev user.
>
> Any ideas anyone?

What does /etc/nsswitch.conf look like? Anything other than "files"
for passwd, shadow and group? If that's OK, I would start comparing
files in /etc/pam.d to a known-good system.

--
Jeff
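Jeff's two checks, whether nsswitch.conf sends passwd/shadow/group lookups anywhere besides "files" and whether /etc/pam.d has drifted from a known-good system, as an added Python example. It is not code from the thread; the nsswitch contents and the two pam.d snapshots are constructed, and the function names are mine.

```python
"""nsswitch.conf source check and pam.d baseline diff (added example, not from the thread)."""
import hashlib
import os


def nsswitch_sources(text):
    """Map database name -> list of source tokens; [ACTION=...] clauses are dropped."""
    sources = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        db, rest = line.split(":", 1)
        sources[db.strip()] = [t for t in rest.split() if not t.startswith("[")]
    return sources


def non_files_sources(text, databases=("passwd", "shadow", "group")):
    """Return {db: sources} for the auth databases that consult anything other than 'files'."""
    found = nsswitch_sources(text)
    return {db: srcs for db, srcs in found.items()
            if db in databases and any(s != "files" for s in srcs)}


def pam_drift(baseline, candidate):
    """Compare two {filename: content} snapshots of /etc/pam.d by SHA-256.
    Returns (changed, missing, extra) as sorted filename lists."""
    def digest(s):
        return hashlib.sha256(s.encode()).hexdigest()
    changed = sorted(f for f in baseline if f in candidate and digest(baseline[f]) != digest(candidate[f]))
    missing = sorted(f for f in baseline if f not in candidate)
    extra = sorted(f for f in candidate if f not in baseline)
    return changed, missing, extra


def snapshot_pamd(path="/etc/pam.d"):
    """Read a real /etc/pam.d into the {filename: content} shape pam_drift expects."""
    snap = {}
    for name in os.listdir(path):
        full = os.path.join(path, name)
        if os.path.isfile(full):
            with open(full) as fh:
                snap[name] = fh.read()
    return snap


# Constructed sample: passwd and group also consult ldap, shadow is files-only.
SAMPLE_NSSWITCH = """# constructed sample
passwd:     files ldap
shadow:     files
group:      files [NOTFOUND=return] ldap
hosts:      files dns
"""

# Constructed pam.d snapshots: the candidate has lost the trailing pam_deny.so
# line in system-auth, is missing 'su', and has gained 'password-auth'.
BASELINE_PAMD = {
    "system-auth": "auth required pam_env.so\nauth sufficient pam_unix.so nullok try_first_pass\nauth required pam_deny.so\n",
    "sshd": "auth include system-auth\naccount required pam_nologin.so\n",
    "su": "auth sufficient pam_rootok.so\nauth include system-auth\n",
}
CANDIDATE_PAMD = {
    "system-auth": "auth required pam_env.so\nauth sufficient pam_unix.so nullok try_first_pass\n",
    "sshd": "auth include system-auth\naccount required pam_nologin.so\n",
    "password-auth": "auth include system-auth\n",
}

if __name__ == "__main__":
    print("non-files sources:", non_files_sources(SAMPLE_NSSWITCH))
    print("pam.d drift (changed, missing, extra):", pam_drift(BASELINE_PAMD, CANDIDATE_PAMD))
```

To use the baseline diff for real, take `snapshot_pamd()` on the known-good box, store it (a JSON dump is enough), and feed it as `baseline` with `snapshot_pamd()` from the suspect box as `candidate`; hashing whole files is deliberate, since a single changed control flag such as `sufficient` versus `required` is exactly the kind of edit a line-count comparison would miss.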
 
Old 02-16-2011, 01:52 PM
James Bensley
 
Default Authentication Problems

On 16 February 2011 14:34, ... wrote:
> yes, that is what doing an "su - <user>" as *root* will do, which
> doesn't tell you much. instead of doing this from a root login, do
> it from a regular account (you don't routinely log in as root i hope
> - actually it sounds like you do).
>
> if this works, then the issue isn't with the password or shell.

No other user is allowed to execute /bin/su

(This is something the VPS providers have put in place, apart from
root, all other users for each virtual site have their shell set to
/usr/local/cpanel/bin/jailshell or /usr/local/cpanel/bin/noshell)

> by the way, it doesn't sound like the accounts on this machine are
> set up very well. you should *never* log in as root (that capability
> should be disabled actually). rather you should log in to a regular,
> unprivileged, account and su (or sudo) to root only when you need to
> do something privileged and only for that moment. your developer's
> access sounds rather odd too, with the seeming lack of separation
> between the login and the site content.

It's not my server so those aren't my decisions to make. I don't
normally allow root ssh, I would have probably installed fail2ban, set
up SELinux blah blah blah and many other things but this isn't my VPS,
I've just been tasked with it so this is the way it is! :s

--
James.

http://www.jamesbensley.co.cc/
There are 10 kinds of people in the world; Those who understand
Vigesimal, and J others...?
 