12-15-2007, 05:50 PM
"आशीष शुक्ल Ashish Shukla"

Having a long delay at login prompt.

Hi list,

When I try to log in to my Gentoo installation
(hardened/selinux/amd64/no-multilib) at a TTY, after entering the
username and password it takes a long time to show the prompt. I tracked
this problem down to some DNS resolution taking place at startup, i.e.
when my default gateway is connected to the internet, I can log in
normally, but when I'm not connected, I experience this issue. A few
days back I was also getting an SELinux denial for 'locallogin_t', so
with the help of Chris PeBenito, I fixed that issue by adding the
following rule to my local SELinux policy:

----8<----8<----
auth_use_nsswitch(local_login_t)
---->8---->8----

I'm not able to figure out why it needs to do DNS resolution at login.
The following are my related PAM configuration files:

----8<----8<----
abbe@chatteau ~ $ cat /etc/pam.d/system-auth
#%PAM-1.0

auth required pam_env.so
auth sufficient pam_unix.so try_first_pass likeauth nullok
auth required pam_deny.so

account required pam_unix.so

password required pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 try_first_pass retry=3
password sufficient pam_unix.so try_first_pass use_authtok nullok md5 shadow
password required pam_deny.so

session required pam_limits.so
session required pam_unix.so
abbe@chatteau ~ $ cat /etc/pam.d/login
#%PAM-1.0

auth required pam_securetty.so
auth required pam_tally.so file=/var/log/faillog onerr=succeed no_magic_root
auth required pam_shells.so
auth required pam_nologin.so
auth include system-auth

account required pam_access.so
account include system-auth
account required pam_tally.so deny=0 file=/var/log/faillog onerr=succeed no_magic_root

password include system-auth

# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
session required pam_env.so
session optional pam_lastlog.so
session optional pam_motd.so motd=/etc/motd
session optional pam_mail.so

# If you want to enable pam_console, uncomment the following line
# and read carefully README.pam_console in /usr/share/doc/pam*
#session optional pam_console.so

session include system-auth

# pam_selinux.so open should be the last session rule
session required pam_selinux.so multiple open

abbe@chatteau ~ $ getent hosts `hostname`
::1 localhost chatteau.d.lf chatteau localhost.localdomain
abbe@chatteau ~ $ getent hosts 127.0.0.1
127.0.0.1 localhost chatteau.d.lf chatteau localhost.localdomain
---->8---->8----

The long delay is only experienced when the user is successfully
authenticated. So I think it's somewhere in the 'session' phase of PAM,
though I'm not sure about this.

Any idea what would be wrong here?

TIA
--
Ashish Shukla आशीष शुक्ल http://wahjava.wordpress.com/
·-- ·- ···· ·--- ·- ···- ·- ·--·-· --· -- ·- ·· ·-·· ·-·-·- -·-· --- --
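
The poster suspects the delay sits in a phase that runs only after the password is accepted. As an added example (not part of the original post), this Python sketch flattens the `account` and `session` stacks of the two files shown above, resolving `include` lines, so the modules can be tested one at a time in execution order; treating `substack` like `include` is a simplification of the example.

```python
import re

# account/session lines of the two /etc/pam.d files posted above
# (auth/password lines and comments dropped, wrapped lines rejoined).
PAM_D = {
    "system-auth": """\
account required pam_unix.so
session required pam_limits.so
session required pam_unix.so
""",
    "login": """\
account required pam_access.so
account include system-auth
account required pam_tally.so deny=0 file=/var/log/faillog onerr=succeed no_magic_root
session required pam_selinux.so close
session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
session required pam_env.so
session optional pam_lastlog.so
session optional pam_motd.so motd=/etc/motd
session optional pam_mail.so
session include system-auth
session required pam_selinux.so multiple open
""",
}

# type, control (plain word or [bracketed spec]), module, arguments
RULE = re.compile(r"(-?\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)")

def flatten(service, mgmt_type, files=PAM_D, seen=()):
    """Return (file, control, module, args) for one type, includes expanded."""
    if service in seen:
        raise ValueError("include loop at " + service)
    stack = []
    for line in files[service].replace("\\\n", " ").splitlines():
        m = RULE.match(line.split("#", 1)[0].strip())
        if not m or m.group(1).lstrip("-") != mgmt_type:
            continue
        _, control, module, args = m.groups()
        if control in ("include", "substack"):
            stack += flatten(module, mgmt_type, files, seen + (service,))
        else:
            stack.append((service, control, module, args))
    return stack

def post_auth_modules(service="login"):
    """Modules of the account and session stacks, in the order they run."""
    return [m for t in ("account", "session") for (_, _, m, _) in flatten(service, t)]
```

On a live system the same function can be fed the real contents of `/etc/pam.d/`, and each listed module can then be commented out in turn while timing a login with the gateway disconnected.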
 
12-16-2007, 12:24 PM

Having a long delay at login prompt.

Hi.

When I used PAM with LDAP, I sometimes experienced the same problems.
Do you use additional PAM modules?
For instance, what is your /etc/nss.conf file? (I mean the NSS
configuration file, but I am not sure of the name.)


Another point would be the login configuration. For instance, with
pamldap, I configured NFS based home directory ...


Julien Thomas.

--
gentoo-hardened@gentoo.org mailing list
 
12-16-2007, 01:56 PM

Having a long delay at login prompt.

,--- julien thomas writes:
| Hi.

Hi,

| When I used PAM with LDAP, I experienced the same problems sometimes.
| Do you use additional PAM modules?

I pasted my PAM configuration earlier; I don't use any other modules
except those listed there. Did you find the cause of your problem?
I think in your case the problem will be the availability or
unavailability of LDAP at the time of logon.

| For instance, what is your /etc/nss.conf file ? (I mean, the nss
| configuration file, but I am not sure of the name)

I hope you mean nsswitch.conf. The following is my nsswitch.conf:

----8<----8<----
# /etc/nsswitch.conf:
# $Header: /var/cvsroot/gentoo/src/patchsets/glibc/extra/etc/nsswitch.conf,v 1.1 2006/09/29 23:52:23 vapier Exp $

passwd: compat
shadow: compat
group: compat

# passwd: db files nis
# shadow: db files nis
# group: db files nis

hosts: files dns
networks: files dns

services: db files
protocols: db files
rpc: db files
ethers: db files
netmasks: files
netgroup: files
bootparams: files

automount: files
aliases: files
---->8---->8----

| Another point would be the login configuration. For instance, with
| pamldap, I configured NFS based home directory ...

I have my home directory on the same partition on the same hard disk
as the gentoo installation.

| Julien Thomas.

Thanks
--
Ashish Shukla आशीष शुक्ल http://wahjava.wordpress.com/
·-- ·- ···· ·--- ·- ···- ·- ·--·-· --· -- ·- ·· ·-·· ·-·-·- -·-· --- --
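
An added example, not part of the thread: this Python sketch reads the nsswitch.conf posted above and reports which databases fall through to a network-backed source when the local sources miss, honouring `[NOTFOUND=return]` style actions. The set of sources treated as network-backed is an assumption of the example.

```python
import re

# Sources treated as network-backed (assumption of this example; "compat"
# is counted as local, which holds only without +/- NIS entries).
NETWORK_SOURCES = {"dns", "nis", "nisplus", "ldap", "hesiod"}

# nsswitch.conf as posted in the thread (header comment omitted).
NSSWITCH = """\
passwd: compat
shadow: compat
group: compat
# passwd: db files nis
hosts: files dns
networks: files dns
services: db files
protocols: db files
rpc: db files
ethers: db files
netmasks: files
netgroup: files
bootparams: files
automount: files
aliases: files
"""

def notfound_action(spec):
    """Action a [STATUS=action ...] spec assigns to NOTFOUND (default: continue)."""
    action = "continue"
    for item in spec.strip("[]").split():
        status, _, act = item.partition("=")
        name = status.lstrip("!").upper()
        # "!STATUS" applies the action to every status except the named one
        applies = (name != "NOTFOUND") if status.startswith("!") else (name == "NOTFOUND")
        if applies:
            action = act.lower()
    return action

def network_fallthrough(text):
    """Map database -> network sources reached when earlier sources miss."""
    result = {}
    for line in text.splitlines():
        db, sep, rhs = line.split("#", 1)[0].partition(":")
        reached = []
        for tok in re.findall(r"\[[^\]]*\]|\S+", rhs if sep else ""):
            if tok.startswith("["):
                if notfound_action(tok) == "return":
                    break  # a miss stops here, later sources are never asked
            elif tok in NETWORK_SOURCES:
                reached.append(tok)
        if reached:
            result[db.strip()] = reached
    return result
```

For the posted file only `hosts` and `networks` are reported, both falling through to `dns`: a name or address missing from the local files during login is sent to the resolver, which has to time out when the gateway is offline.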
 
