bighob
 asked on

Hardened Linux Guest OS and can't log in via the console in vCenter

I've hardened my Linux guest OS (RHEL 5) using a set of scripts that update PAM authentication. (My PAM knowledge is limited.) When I access the guest in vCenter using the console tab, I get an "Authentication failed" message from the guest (RHEL 5). This occurs for both root and non-root users. Anyone seen this? TIA
VMwareSecurity

Last Comment
eric-atl

8/22/2022 - Mon
eric-atl

bighob, Please provide some more information - in the following direction.

Could you provide some details on the scripts that were used (or the scripts themselves)?  Why do you think this is a PAM problem - is there an error or is it just what the scripts changed?  Was a new PAM module added?  Can you log into the host OS without any problems?  Are there any other ways to access the guest that work?  Was this known to work properly before the change?
bighob

ASKER
eric-atl:

the scripts are part of a hardening package that includes lots of configuration changes to the system.
what seems to be broken is the authentication, so i am assuming it's the PAM config. and since
that's an issue for me, it's something i suspect more than know.
to your questions (and thanks for your help):
- no new PAM modules, just reconfigurations of the existing config files in pam.d
- can log in via ssh or vnc to the host no problem; behaves correctly
- and this has been working before the hardening changes

i would like to fix this before going forward as i will hear no end of it. ;)

thanks again. btw - i can't send the script out unfortunately.
ASKER CERTIFIED SOLUTION
eric-atl

THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
bighob

ASKER
now right off - thanks for your help - you're a genius!
i've been looking (dumbly) at config files and not using
the logs... i won't make that mistake until, well probably
next week...


contents of /etc/syslog.conf (on good machine)

auth,user.*                  /var/log/messages
...
authpriv.*                  /var/log/secure

contents of /etc/syslog.conf (on non-working machine)
*.info;mail.none;...            /var/log/messages
...
authpriv.*                  /var/log/secure


log files for working machine on login via vCenter console window:
/var/log/secure:
Feb 14 20:22:59 emdcsecurityvm01 su: pam_unix(su-l:session): session opened for user root by ciadmin(uid=501)
Feb 14 20:28:07 emdcsecurityvm01 gdm[4897]: pam_unix(gdm:session): session closed for user root
Feb 14 20:28:23 emdcsecurityvm01 gdm[4897]: pam_unix(gdm:session): session opened for user ciadmin by (uid=0)


/var/log/messages
Feb 14 20:28:07 emdcsecurityvm01 gconfd (root-4715): Exiting
Feb 14 20:28:23 emdcsecurityvm01 gconfd (ciadmin-3962): Resolved address "xml:readwrite:/home/ciadmin/.gconf" to a writable configuration source at position 0
Feb 14 20:28:24 emdcsecurityvm01 gconfd (root-13485): starting (version 2.14.0), pid 13485 user 'root'
Feb 14 20:28:24 emdcsecurityvm01 gconfd (root-13485): Resolved address "xml:readonly:/etc/gconf/gconf.xml.mandatory" to a read-only configuration source at position 0
Feb 14 20:28:24 emdcsecurityvm01 gconfd (root-13485): Resolved address "xml:readwrite:/root/.gconf" to a writable configuration source at position 1
Feb 14 20:28:24 emdcsecurityvm01 gconfd (root-13485): Resolved address "xml:readonly:/etc/gconf/gconf.xml.defaults" to a read-only configuration source at position


log files for non-working machine on login via vCenter console window:
/var/log/secure:
Feb 14 20:24:59 emdcingestvm06h su: pam_unix(su-l:session): session opened for user root by ciadmin(uid=502)
Feb 14 20:38:28 emdcingestvm06h gdm[5890]: PAM unable to dlopen(/lib/security/pam_listfile.so)
Feb 14 20:38:28 emdcingestvm06h gdm[5890]: PAM [error: /lib/security/pam_listfile.so: wrong ELF class: ELFCLASS32]
Feb 14 20:38:28 emdcingestvm06h gdm[5890]: PAM adding faulty module: /lib/security/pam_listfile.so

/var/log/messages:
Feb 14 20:08:44 emdcingestvm06h gdm[5890]: Couldn't authenticate user
Feb 14 20:38:26 emdcingestvm06h gdm[5890]: Couldn't authenticate user


ok, i go to /lib/security and the files are the same on both machines.
now back to /etc/pam.d, and the following reference pam_listfile.so:
gdm, gssftp, vsftpd - on the machine that's broken
gssftp, vsftpd - on the machine that's working!!

problem solved! i need to see if the pam_listfile.so is bad or what now...
eric-atl

Glad I could help!  Below is a simple way to test with rpm what files were changed after installation of the pam package.

rpm -V $(rpm -qa | grep pam-)

The output will print only files that were changed after installation.  This is a crude test for pam_listfile.so

Good Luck.
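
Added example (not part of the original thread or either poster's code): the "wrong ELF class: ELFCLASS32" line in /var/log/secure is the dynamic loader refusing to load a 32-bit object into a 64-bit process, so a direct check is to read the ELF class of every module that /etc/pam.d names by absolute path. The function names, the ROOT prefix argument and the sample tree are constructed for illustration.

```shell
#!/bin/bash
# Added example: flag PAM module paths whose ELF class differs from the one
# the calling service needs (the "wrong ELF class: ELFCLASS32" error above).

# Print 32 or 64 from EI_CLASS (5th byte of the ELF header), else "unknown".
elf_class() {
    case "$(od -An -tx1 -N5 "$1" 2>/dev/null | tr -d ' \n')" in
        7f454c4601) echo 32 ;;
        7f454c4602) echo 64 ;;
        *)          echo unknown ;;
    esac
}

# Print "service module-path" for every absolute .so path in a pam.d directory.
# Bare names such as pam_unix.so are skipped: libpam resolves those itself.
pam_abs_modules() {
    awk '!/^[ \t]*#/ {
             for (i = 2; i <= NF; i++)
                 if ($i ~ /^\/.*\.so$/) {
                     n = split(FILENAME, p, "/"); print p[n], $i; break
                 }
         }' "$1"/*
}

# check_pam_modules PAMDIR WANT [ROOT]: print "service path class" for each
# absolute module path that is not a WANT-bit ELF object. ROOT is a
# hypothetical prefix so the check can run against a copied or mounted tree.
check_pam_modules() {
    local svc mod got
    pam_abs_modules "$1" | while read -r svc mod; do
        got=$(elf_class "${3:-}$mod")
        [ "$got" = "$2" ] || echo "$svc $mod $got"
    done
}

# Constructed sample tree (not the poster's files): 5-byte ELF stubs and two
# pam.d entries, one with the hard-coded /lib/security path seen in the log.
SAMPLE=$(mktemp -d)
mkdir -p "$SAMPLE/etc/pam.d" "$SAMPLE/lib/security" "$SAMPLE/lib64/security"
printf '\177ELF\001' > "$SAMPLE/lib/security/pam_listfile.so"     # 32-bit
printf '\177ELF\002' > "$SAMPLE/lib64/security/pam_listfile.so"   # 64-bit
printf '%s\n' '# constructed' \
    'auth required /lib/security/pam_listfile.so item=user sense=deny file=/etc/ftpusers' \
    'auth include system-auth' > "$SAMPLE/etc/pam.d/gdm"
printf '%s\n' 'auth required pam_listfile.so item=user sense=deny file=/etc/ftpusers' \
    > "$SAMPLE/etc/pam.d/vsftpd"

check_pam_modules "$SAMPLE/etc/pam.d" 64 "$SAMPLE"
```

On a live system the call would be check_pam_modules /etc/pam.d 64 for 64-bit services; any line it prints names the service file to correct.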