Vlock password failure

I recently installed Rocky Linux with the DoD DISA STIGs security profile enabled. One of the STIGs is to have the console locked after 900 s of inactivity. The mechanism for locking is vlock. The issue I am having is that the known password does not unlock the console. I think that this may be due to a PAM misconfiguration, as this has been reported in other distributions, but I have not found any reference to this issue with RHEL-8. The vlock file in /etc/pam.d contains:
#%PAM-1.0
auth include system-auth
account required pam_permit.so

This output appears in /var/log/secure when trying to unlock:
Aug 2 10:27:19 appserver unix_chkpwd[2928]: check pass; user unknown
Aug 2 10:27:19 appserver unix_chkpwd[2928]: password check failed for user (jeff.forbes)
Aug 2 10:27:22 appserver unix_chkpwd[2929]: check pass; user unknown

Can you clarify what you mean by “console”; do you mean the full screen, text based console, as used on a non GUI system?

A non-GUI ssh connection to a remote server from a terminal window on a workstation.

The PAM (auth) logic for vlock is thus in system-auth (due to include).

The “user unknown” sounds like the error is in the username?
If you do get into the system and run getent passwd, will that list “jeff.forbes”?

~]$ getent passwd | grep forbes
jeff.forbes:x:1000:1000:Jeff Forbes:/home/jeff.forbes:/bin/bash

I use only the CIS benchmarks for my systems, but vlock works as intended here. Below is my system which uses IPA and my account from IPA. pam_sss is used. pam_unix is used for local accounts (which I test later). unix_chkpwd is likely used in some capacity, but I see no errors come up in my tests.

[label@awx ~]$ vlock
This tty (pts/2) is not a virtual console.


The pts/2 is now locked by label.
Password:
[label@awx ~]$ journalctl --since=today
. . .
Aug 02 17:50:21 awx.angelsofclockwork.net vlock[4963]: Locked tty on pts/2 for label by (uid=686600008)
Aug 02 17:50:23 awx.angelsofclockwork.net vlock[4963]: pam_sss(vlock:auth): authentication success; logname=label uid=686600008 euid=686600008 tty=pts/2 ruser= rhost= user=label
Aug 02 17:50:23 awx.angelsofclockwork.net vlock[4963]: Unlocked tty on pts/2 for label by (uid=686600008)
[label@awx ~]$ cat /etc/pam.d/system-auth
# Generated by authselect on Wed Jul  6 19:39:29 2022
# Do not modify this file manually.

auth        required                                     pam_env.so
auth        required                                     pam_faildelay.so delay=2000000
auth        required                                     pam_faillock.so preauth audit silent deny=5 unlock_time=900
auth        [default=1 ignore=ignore success=ok]         pam_usertype.so isregular
auth        [default=1 ignore=ignore success=ok]         pam_localuser.so
auth        sufficient                                   pam_unix.so  try_first_pass
auth        [default=1 ignore=ignore success=ok]         pam_usertype.so isregular
auth        sufficient                                   pam_sss.so forward_pass
auth        required                                     pam_faillock.so authfail audit deny=5 unlock_time=900 fail_interval=900
auth        required                                     pam_deny.so

account     required                                     pam_faillock.so
account     required                                     pam_unix.so
account     sufficient                                   pam_localuser.so
account     sufficient                                   pam_usertype.so issystem
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required                                     pam_permit.so

password    requisite                                    pam_pwquality.so try_first_pass local_users_only minlen=14 dcredit=-1 lcredit=-1 ucredit=-1 ocredit=-1 retry=3
password    requisite                                    pam_pwhistory.so use_authok remember=5
password    sufficient                                   pam_unix.so sha512 shadow  try_first_pass use_authtok
password    sufficient                                   pam_sss.so use_authtok
password    required                                     pam_deny.so

session     optional                                     pam_keyinit.so revoke
session     required                                     pam_limits.so
-session    optional                                     pam_systemd.so
session     optional                                     pam_oddjob_mkhomedir.so umask=0077
session     [success=1 default=ignore]                   pam_succeed_if.so service in crond quiet use_uid
session     required                                     pam_unix.so
session     optional                                     pam_sss.so

Here’s a local account:

[nazu@awx ~]$ vlock
This tty (pts/0) is not a virtual console.


The pts/0 is now locked by nazu.
Password:
[nazu@awx ~]$ id
uid=1000(nazu) gid=1000(nazu) groups=1000(nazu),10(wheel) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[nazu@awx ~]$ id label
uid=686600008(label) gid=686600008(label) groups=686600008(label),979(libvirt),686600037(awx),686600045(gitusers),190(systemd-journal),686600004(linuxadm),686600041(awx_admin),686600000(admins),686600003(aocusers)

I would start checking here:

  • Your audit log for AVC denials
  • SELinux contexts on /etc/shadow, use restorecon if you’re unsure (context should be shadow_t)
  • Permissions on /etc/shadow (it must be 0000)
  • Permissions on /usr/sbin/unix_chkpwd (it must be 4755)
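An added example (not from the thread or either poster) that scripts the checks in the list above so they can be re-run after a STIG or CIS remediation pass; it assumes GNU coreutils (stat -c) and treats the SELinux and audit checks as optional when those tools are absent.

```shell
#!/bin/bash
# Added example: re-check the items that break vlock's password prompt.
# Assumes GNU stat; SELinux/audit checks are skipped if the tools are missing.

# Permission bits of a file as four octal digits, e.g. 4755 or 0000.
file_mode() {
    printf '%04d' "$(stat -c '%a' "$1")"
}

# Return 0 if the mode matches the expected octal mode, 1 otherwise.
check_mode() {
    local path="$1" expected="$2" actual
    [ -e "$path" ] || { echo "MISSING $path"; return 1; }
    actual=$(file_mode "$path")
    [ "$actual" = "$expected" ] && { echo "OK      $path mode $actual"; return 0; }
    echo "BAD     $path mode $actual (expected $expected)"
    return 1
}

# Return 0 if the setuid bit is set. unix_chkpwd without setuid cannot read
# /etc/shadow for an unprivileged caller such as vlock, so the check fails.
check_setuid() {
    [ -u "$1" ]
}

# Compare the SELinux type of a path with the one the policy expects.
check_context() {
    local path="$1" expected="$2" actual
    command -v getenforce >/dev/null 2>&1 || { echo "SKIP    no SELinux tools"; return 0; }
    actual=$(stat -c '%C' "$path" | cut -d: -f3)
    [ "$actual" = "$expected" ] && { echo "OK      $path context $actual"; return 0; }
    echo "BAD     $path context $actual (expected $expected; try: restorecon -v $path)"
    return 1
}

main() {
    local rc=0
    check_mode /etc/shadow 0000 || rc=1
    check_mode /usr/sbin/unix_chkpwd 4755 || rc=1
    check_setuid /usr/sbin/unix_chkpwd || { echo "BAD     unix_chkpwd is not setuid"; rc=1; }
    check_context /etc/shadow shadow_t || rc=1
    # Recent AVC denials, if auditd is installed
    command -v ausearch >/dev/null 2>&1 && ausearch -m AVC -ts recent 2>/dev/null | tail -n 20
    return $rc
}

# Run the checks only when invoked as: ./vlock-check.sh --run (so it can be sourced too)
case "${1:-}" in --run) main ;; esac
```

The script exits non-zero if any of the four items is off, which makes it usable as a post-hardening sanity check.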

No AVCs
SELinux context OK
Permissions on /etc/shadow OK.

Permissions on /usr/sbin/unix_chkpwd were 755.

Set permissions to 4755 and now it works.

Thanks!