Unable to login with user who has custom login shell in 1068.6.0


sabraham

Jul 13, 2016, 3:05:22 PM
to CoreOS User
Hi,

If I create a user with a custom shell script as the login shell, I am not able to log in with that user. I have tried creating the users using the useradd command and using cloud-config.yml. Users with the login shell set to /bin/sh don't have this issue. This issue started in 1068.6.0.

------------------------------------------------------------------------

sudo useradd testuser2 --shell "/usr/share/oem/test.sh" -G sudo
echo "testuser2:testpass" |sudo chpasswd
cat /usr/share/oem/test.sh 
/bin/sh
sudo chmod 777 /usr/share/oem/test.sh 



$ ssh testuser2@0
Password: 
Password: 
Password: 
testuser2@0's password: 
Permission denied, please try again.
testuser2@0's password: 
Permission denied, please try again.
testuser2@0's password: 
Received disconnect from 127.0.0.1 port 22:2: Too many authentication failures
packet_write_wait: Connection to 127.0.0.1 port 22: Broken pipe

--------------------------------------------------------------------------------

journalctl logs

Jul 13 18:50:14  systemd[1]: Started OpenSSH per-connection server daemon (127.0.0.1:46238).
Jul 13 18:50:20  sshd[18122]: PAM: Authentication failure for testuser2 from 127.0.0.1
Jul 13 18:50:30  sshd[18122]: PAM: Authentication failure for testuser2 from 127.0.0.1
Jul 13 18:50:44  mfusion-updateos[18142]: Failed to read the etcd key /mgmt/osupdate/update_window. Error: 4
Jul 13 18:50:47  sshd[18122]: PAM: Authentication failure for testuser2 from 127.0.0.1
Jul 13 18:50:57  sshd[18122]: Failed password for testuser2 from 127.0.0.1 port 46238 ssh2
Jul 13 18:51:03 sshd[18122]: Failed password for testuser2 from 127.0.0.1 port 46238 ssh2
Jul 13 18:51:15  sshd[18122]: Failed password for testuser2 from 127.0.0.1 port 46238 ssh2
Jul 13 18:51:15  sshd[18122]: maximum authentication attempts exceeded for testuser2 from 127.0.0.1 port 46238 ssh2 [preauth]
Jul 13 18:51:15  sshd[18122]: Disconnecting: Too many authentication failures [preauth]

Nick Owens

Jul 13, 2016, 3:29:33 PM
to coreo...@googlegroups.com
it would appear this is due to the introduction of pam with the
pam_shells module.

/usr/lib/pam.d/system-login has:

auth required pam_shells.so

so, if the shell of a user is not in /etc/shells, authentication will fail.

you could put your shell in /etc/shells and it should work.
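
An audit for the pam_shells behaviour described in the reply above, added here as an example and not part of the original thread: it lists every account whose login shell is missing from the shells file, which are the accounts that would fail authentication. The function name `shells_not_listed` and the sample accounts are constructed for illustration; an empty shell field is treated as /bin/sh, the default given in passwd(5).

```shell
#!/bin/sh
# Added example (not from the thread): find accounts pam_shells would reject.

# shells_not_listed PASSWD_FILE SHELLS_FILE
# Prints "user:shell" for each account whose shell is not an exact line in
# SHELLS_FILE. Blank and comment lines in SHELLS_FILE are ignored.
shells_not_listed() {
    awk -F: '
        FILENAME == ARGV[1] {            # first argument: the shells list
            sub(/[ \t\r]+$/, "")         # drop trailing whitespace
            if ($0 != "" && $0 !~ /^#/) ok[$0] = 1
            next
        }
        /^#/ || NF < 7 { next }          # skip comments and malformed entries
        {
            shell = ($7 == "") ? "/bin/sh" : $7   # passwd(5) default
            if (!(shell in ok)) print $1 ":" shell
        }
    ' "$2" "$1"
}

# Constructed sample data mirroring the thread: testuser2 has a custom shell.
demo() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
core:x:500:500:CoreOS Admin:/home/core:/bin/bash
testuser1:x:1001:1001::/home/testuser1:/bin/sh
testuser2:x:1002:1002::/home/testuser2:/usr/share/oem/test.sh
noshell:x:1003:1003::/home/noshell:
EOF
    cat > "$dir/shells" <<'EOF'
# constructed /etc/shells
/bin/sh
/bin/bash
EOF
    shells_not_listed "$dir/passwd" "$dir/shells"
    rm -rf "$dir"
}

demo
```

On a real host, `shells_not_listed /etc/passwd /etc/shells` gives the accounts to review before moving to an image that enforces pam_shells.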

sabraham

Jul 14, 2016, 2:49:56 PM
to CoreOS User
Thanks. It worked.

Michael Marineau

Jul 14, 2016, 3:11:49 PM
to Nick Owens, coreos-user

Hm, is this something we actually want to be enforcing? Restricting shells is important for unprivileged chsh but otherwise seems like a meaningless restriction akin to the deprecated securetty list.

