Issue with PAM - javax.security.auth.login.FailedLoginException

[Jim Harvey]

Hi I'm new to rundeck and I'm having issues setting up PAK.  I'm getting the following error when I try to login:

Feb 16, 2017 3:35:03 PM org.rundeck.jaas.pam.AbstractPamLoginModule debug

INFO: PAM authentication succeeded for: jimh

2017-02-16 15:35:03.120:WARN:oejj.JAASLoginService:qtp81628611-15: 

javax.security.auth.login.FailedLoginException

at org.eclipse.jetty.jaas.spi.AbstractLoginModule.login(AbstractLoginModule.java:260)

at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)

at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)

at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)

at java.lang.reflect.Method.invoke(Method.java:498)

at javax.security.auth.login.LoginContext.invoke(LoginContext.java:755)

at javax.security.auth.login.LoginContext.access$000(LoginContext.java:195)

at javax.security.auth.login.LoginContext$4.run(LoginContext.java:682)

at javax.security.auth.login.LoginContext$4.run(LoginContext.java:680)

at java.security.AccessController.doPrivileged(Native Method)

at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)

at javax.security.auth.login.LoginContext.login(LoginContext.java:587)

at org.eclipse.jetty.jaas.JAASLoginService.login(JAASLoginService.java:241)

at org.eclipse.jetty.security.authentication.LoginAuthenticator.login(LoginAuthenticator.java:52)

at org.eclipse.jetty.security.authentication.FormAuthenticator.login(FormAuthenticator.java:192)

at org.eclipse.jetty.security.authentication.FormAuthenticator.validateRequest(FormAuthenticator.java:229)

at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:499)

at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:213)

at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1097)

at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:448)

at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:175)

at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1031)

at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:136)

at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:97)

at org.eclipse.jetty.server.Server.handle(Server.java:446)

at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:271)

at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:246)

at org.eclipse.jetty.io.AbstractConnection$ReadCallback.run(AbstractConnection.java:358)

at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:601)

at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:532)

at java.lang.Thread.run(Thread.java:745)

Any help would be appreciated.

Thanks,

Jim

[Greg Schueler]

What is your jaas config? it looks like you may have multiple modules configured, and the PAM module is succeeding but another one is failing

--
You received this message because you are subscribed to the Google Groups "rundeck-discuss" group.
To unsubscribe from this group and stop receiving emails from it, send an email to rundeck-discu...@googlegroups.com.
To post to this group, send email to rundeck...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/rundeck-discuss/e3b4aa6d-7ab4-4158-87bb-cf79b1382c3d%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[Jim Harvey]

Hi Greg,

Here are the contents of my jaas-loginmodule.conf file:

RDpropertyfilelogin {

org.rundeck.jaas.jetty.JettyPamLoginModule requisite

debug="true"

service="system-auth"

supplementalRoles="user,readonly"

storePass="true";

org.eclipse.jetty.jaas.spi.PropertyFileLoginModule required

debug="true"

useFirstPass="true"

file="/etc/rundeck/realm.properties";

};

Thank you,

Jim

[jna...@wynd.eu]

Hello Jim,

I had exactly the same issue. Actually, this is because of the requisite. Requisite means that even if you succeed in PAM, authentication will then go to the PropertyFileLoginModule so you need in that to also define that user in real.properties file.

If you replace requisite by sufficient, then if PAM succeeds, you'll be logged in and if it fails ( for admin user for example ), you'll then go to next authentication method.

Best regards

[Jim Harvey]

That was the issue.  Thank you for your help!