Menu

#31 failures are not recognised

open
danta
PAM Module (12)
5
2013-01-03
2013-01-02
Anonymous
No

Hallo,
I have just installed 0.5.0, but it seems that it does not recognise failure attempts. I have tried many times to connect through ssh as debil@147.228.47.45 (user is not existing), but pam-abl still does not hold any attempt:

Failed users:
<none>
Failed hosts:
196.44.162.30 (3)
Blocked based on rule [*]

where 196.44.162.30 was added manually using pam-abl -f -H 196.44.162.30. The expected host to be blocked is 147.228.47.73

My config is in the attachment, my PAM is configured as follows:

auth required pam_env.so
auth required pam-abl.so config=/etc/security/pam_abl.conf
auth required pam_nologin.so
auth required pam_unix.so try_first_pass likeauth

And the /var/log/security looks like (with pam-abl debug set to ON):

Invalid user debil from 147.228.47.73
Jan 02 15:42:16 [sshd] input_userauth_request: invalid user debil [preauth]
Jan 02 15:42:16 [sshd] Postponed keyboard-interactive for invalid user debil from 147.228.47.73 port 56437 ssh2 [preauth]
Jan 02 15:42:17 [sshd] pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=ul502p23-kky.fav.zcu.cz
Jan 02 15:42:19 [sshd] error: PAM: Authentication failure for illegal user debil from ul502p23-kky.fav.zcu.cz
Jan 02 15:42:19 [sshd] Failed keyboard-interactive/pam for invalid user debil from 147.228.47.73 port 56437 ssh2
Jan 02 15:42:19 [sshd] Postponed keyboard-interactive for invalid user debil from 147.228.47.73 port 56437 ssh2 [preauth]
Jan 02 15:42:22 [sshd] pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=ul502p23-kky.fav.zcu.cz
Jan 02 15:42:24 [sshd] error: PAM: Authentication failure for illegal user debil from ul502p23-kky.fav.zcu.cz
Jan 02 15:42:24 [sshd] Failed keyboard-interactive/pam for invalid user debil from 147.228.47.73 port 56437 ssh2
Jan 02 15:42:24 [sshd] Postponed keyboard-interactive for invalid user debil from 147.228.47.73 port 56437 ssh2 [preauth]
Jan 02 15:42:25 [sshd] pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=ul502p23-kky.fav.zcu.cz
Jan 02 15:42:27 [sshd] error: PAM: Authentication failure for illegal user debil from ul502p23-kky.fav.zcu.cz
Jan 02 15:42:27 [sshd] Failed keyboard-interactive/pam for invalid user debil from 147.228.47.73 port 56437 ssh2
Jan 02 15:42:27 [sshd] Disconnecting: Too many authentication failures for debil [preauth]

There is nomessage from pam-abl??!!. What may be wrong?

Thank you very much,
Dan T.

Discussion

  • Nobody/Anonymous

    Nobody/Anonymous - 2013-01-02

    The configuration of PAM

     
    pam_abl.conf

  • danta

    danta - 2013-01-03
    • assigned_to: nobody --> danta
     

  • danta

    danta - 2013-01-03

    I've been trying to reproduce the problem but for the moment couldn't.
    It looks like pam-abl isn't even loaded for some reason.

    I think the 'easiest' way to debug the problem is to strace sshd while you try to login.
    That we we can see if it actually loads pam-abl.so and if it tries to perhaps print it's output to another log or something.

    If you need help with the strace, just let me know (don't forget -f to trace the child processes).

     

  • Dan

    Dan - 2013-01-04
    Too large to display
     

  • danta

    danta - 2013-01-04

    That's the output I wanted.

    From the trace I can conclude that pam-abl and berkeley db are loaded correctly:
    [pid 23547] open("/lib64/security/pam-abl.so", O_RDONLY) = 8
    [pid 23547] open("/usr/lib64/libdb-4.8.so", O_RDONLY) = 8

    The databases are opened anr read/written from:
    [pid 23556] open("/var/db/abl/hosts.db", O_RDWR) = 9

    pam-abl even manages to write a lot off stuff to syslog:
    [pid 23556] socket(PF_FILE, SOCK_DGRAM|SOCK_CLOEXEC, 0) = 8
    [pid 23556] connect(8, {sa_family=AF_FILE, path="/dev/log"}, 110) = 0
    [pid 23556] sendto(8, "<87>Jan 4 08:35:24 pam-abl[2355"..., 84, ...
    ...
    So the debug output should be somewhere in a log file. Perhaps you should grep on "pam-abl" in your log dir.
    For example on my machine all pam logging goes to /var/log/auth.log. I don't know how your syslogd is configured, so I don't know where the log is written to.

    If you can't find where it is written to, you can always rerun the strace but with an extra "-s 1024" option. This will make sure that strace prints the first 1024 chars off all strings passed to system calls. This way we can see what pam-abl writes to syslog.
    You can also attach to your already running sshd process using "-p <pid>". You can find the pid by running "pgrep sshd".

    Conclusion:
    For the moment I can't tell you why no failed authentications are logged. According to the strace pam-abl does what it needs to do. Perhaps if we see what it writes to syslog, will know what's wrong.

    NOTE:
    I noticed in your config this comment.
    # Must be here ??!!
    db_home=/var/db/abl/
    The db_home directory is used by Berkeley db for it's lock files. This way it can make sure that no 2 processes write to the db at the same time.

     

  • Nobody/Anonymous

    Nobody/Anonymous - 2013-01-08

    Hallo,
    thanks for you comment. I have only been able to find the following old messages:

    Jan 05 11:59:13 [pam-abl] Opertion denyed (13) while opening the database environment
    Jan 05 11:59:13 [pam-abl] Opertion denyed (13) while Creating database environment.
    Jan 05 11:59:13 [pam-abl] The database environment could not be opened
    Jan 05 12:04:44 [pam-abl] Opertion denyed (13) while opening the database environment
    Jan 05 12:04:44 [pam-abl] Opertion denyed (13) while Creating database environment.
    Jan 05 12:04:44 [pam-abl] The database environment could not be opened
    Jan 05 12:04:44 [unix_chkpwd] password check failed for user (dtihelka)
    Jan 05 12:04:49 [pam-abl] Opertion denyed (13) while opening the database environment
    Jan 05 12:04:49 [pam-abl] Opertion denyed (13) while Creating database environment.
    Jan 05 12:04:49 [pam-abl] The database environment could not be opened

    but the messages did not appeared when I have tried login failure now ???!!! I have no idea why, since the use of 'logger "message"' did wrote the "message" into the log file ...

    What I have also noticed is the following list of files in /var/db/abl:

    uk508p02-kky abl # pwd
    /var/db/abl
    uk508p02-kky abl # ls -all
    celkem 11079
    drwxr-xr-x 2 root root 304 8. led 15.01 .
    drwxr-xr-x 5 root root 168 4. led 20.55 ..
    -rw-r----- 1 root root 50 8. led 15.01 __db.register
    -rw-r----- 1 root root 24576 8. led 15.01 __db.001
    -rw-r----- 1 root root 90112 8. led 15.01 __db.002
    -rw-r----- 1 root root 270336 8. led 15.01 __db.003
    -rw-r----- 1 root root 163840 8. led 15.01 __db.004
    -rw-r----- 1 root root 802816 8. led 15.01 __db.005
    -rw-r----- 1 root root 49152 8. led 15.01 __db.006
    -rw------- 1 root root 16384 8. led 15.01 hosts.db
    -rw-r----- 1 root root 10485760 8. led 15.01 log.0000000001
    -rw------- 1 root root 16384 8. led 15.01 users.db

    The only updated files are those __* Is it correct?

    Thanks,
    Dan

     

  • danta

    danta - 2013-01-08

    The only way I have seen these "Operation denied" messages is if I run the process that does pam authentication with insufficient rights. For example if I first create the database by running "pam-abl <my config>" as root and then let a service not running as root trying to authenticate.

    In your case this shouldn't be the problem, because sshd normally runs as root and root should be able to do everything.

    > "but the messages did not appeared when I have tried login failure now ???!!!"
    Does the problem still occur? Or does it work as expected now?

    The __db.0* files are berkeley db specific. In these case they are shared memory regions ( http://sepp.oetiker.ch/subversion-1.4.2-rp/ref/env/region.html ). Not much is known about what they contain. They enable Berkeley db to be opened from multiple processes. They are berkeley internals.