I recently installed Rocky Linux with the DoD DISA STIGs security profile enabled. One of the STIGs
is to have the console locked after 900 s of inactivity. The mechanism for locking is vlock. The issue I am having is that the known password does not unlock the console. I think that this may be due to a
PAM misconfiguration as this has been reported in other distributions, but I have not found any reference to this issue with RHEL-8. The vlock file in /etc/pam.d contains:
#%PAM-1.0
auth include system-auth
account required pam_permit.so
This output appears in /var/log/secure when trying to unlock:
Aug 2 10:27:19 appserver unix_chkpwd[2928]: check pass; user unknown
Aug 2 10:27:19 appserver unix_chkpwd[2928]: password check failed for user (jeff.forbes)
Aug 2 10:27:22 appserver unix_chkpwd[2929]: check pass; user unknown
Can you clarify what you mean by “console”; do you mean the full-screen, text-based console, as used on a non-GUI system?
A non-GUI ssh connection to a remote server from a terminal window on a workstation.
The PAM (auth) logic for vlock is thus in system-auth (due to include).
The “user unknown” sounds like the error is in the username?
If you do get into the system and run getent passwd, will that list “jeff.forbes”?
~]$ getent passwd | grep forbes
jeff.forbes:x:1000:1000:Jeff Forbes:/home/jeff.forbes:/bin/bash
I use only the CIS benchmarks for my systems, but vlock works as intended here. Below is my system which uses IPA and my account from IPA. pam_sss is used. pam_unix is used for local accounts (which I test later). unix_chkpwd is likely used in some capacity, but I see no errors come up in my tests.
[label@awx ~]$ vlock
This tty (pts/2) is not a virtual console.
The pts/2 is now locked by label.
Password:
[label@awx ~]$ journalctl --since=today
. . .
Aug 02 17:50:21 awx.angelsofclockwork.net vlock[4963]: Locked tty on pts/2 for label by (uid=686600008)
Aug 02 17:50:23 awx.angelsofclockwork.net vlock[4963]: pam_sss(vlock:auth): authentication success; logname=label uid=686600008 euid=686600008 tty=pts/2 ruser= rhost= user=label
Aug 02 17:50:23 awx.angelsofclockwork.net vlock[4963]: Unlocked tty on pts/2 for label by (uid=686600008)
[label@awx ~]$ cat /etc/pam.d/system-auth
# Generated by authselect on Wed Jul 6 19:39:29 2022
# Do not modify this file manually.
auth required pam_env.so
auth required pam_faildelay.so delay=2000000
auth required pam_faillock.so preauth audit silent deny=5 unlock_time=900
auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular
auth [default=1 ignore=ignore success=ok] pam_localuser.so
auth sufficient pam_unix.so try_first_pass
auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular
auth sufficient pam_sss.so forward_pass
auth required pam_faillock.so authfail audit deny=5 unlock_time=900 fail_interval=900
auth required pam_deny.so
account required pam_faillock.so
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_usertype.so issystem
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
password requisite pam_pwquality.so try_first_pass local_users_only minlen=14 dcredit=-1 lcredit=-1 ucredit=-1 ocredit=-1 retry=3
password requisite pam_pwhistory.so use_authtok remember=5
password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok
password sufficient pam_sss.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session optional pam_oddjob_mkhomedir.so umask=0077
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_sss.so
Here’s a local account:
[nazu@awx ~]$ vlock
This tty (pts/0) is not a virtual console.
The pts/0 is now locked by nazu.
Password:
[nazu@awx ~]$ id
uid=1000(nazu) gid=1000(nazu) groups=1000(nazu),10(wheel) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[nazu@awx ~]$ id label
uid=686600008(label) gid=686600008(label) groups=686600008(label),979(libvirt),686600037(awx),686600045(gitusers),190(systemd-journal),686600004(linuxadm),686600041(awx_admin),686600000(admins),686600003(aocusers)
I would start checking here:
- Your audit log for AVC denials
- SELinux contexts on /etc/shadow, use restorecon if you’re unsure (context should be shadow_t)
- Permissions on /etc/shadow (it must be 0000)
- Permissions on /usr/sbin/unix_chkpwd (it must be 4755)
No AVCs
SELinux context OK
Permissions on /etc/shadow OK.
Permissions on /usr/sbin/unix_chkpwd were 755.
Set permissions to 4755 and now it works.
Thanks!