2.0.1 and PAM Authentication


Mars Dominion

Feb 28, 2014, 9:37:11 AM
to rundeck...@googlegroups.com
I am trying to get PAM authentication working w/ 2.0.1.  I followed the documentation and added the following to jaas-loginmodule.conf:
RDpropertyfilelogin {
  org.rundeck.jaas.jetty.JettyPamLoginModule requisite
        debug="true"
        service="sshd"
        supplementalRoles="readonly"
        storePass="true";

    org.rundeck.jaas.jetty.JettyRolePropertyFileLoginModule required
        debug="true"
        useFirstPass="true"
        file="/etc/rundeck/realm.properties";

};


I also added my user to the realm.properties file:
 marsdominion:-,user,admin,architect,deploy,build

However, when I try to log in, I get an error:

Feb 28, 2014 8:32:55 AM org.rundeck.jaas.pam.AbstractPamLoginModule debug
INFO: PAM authentication trying (sshd) for: marsdominion
Feb 28, 2014 8:32:58 AM org.rundeck.jaas.pam.AbstractPamLoginModule debug
INFO: pam_authenticate failed : Authentication failure
org.jvnet.libpam.PAMException: pam_authenticate failed : Authentication failure
        at org.jvnet.libpam.PAM.check(PAM.java:106)
        at org.jvnet.libpam.PAM.authenticate(PAM.java:124)
        at org.rundeck.jaas.pam.AbstractPamLoginModule.authenticate(AbstractPamLoginModule.java:85)
        at org.rundeck.jaas.AbstractSharedLoginModule.login(AbstractSharedLoginModule.java:96)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:88)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:55)
        at java.lang.reflect.Method.invoke(Method.java:618)
        at javax.security.auth.login.LoginContext.invoke(LoginContext.java:781)
        at javax.security.auth.login.LoginContext.access$000(LoginContext.java:215)
        at javax.security.auth.login.LoginContext$4.run(LoginContext.java:706)
        at javax.security.auth.login.LoginContext$4.run(LoginContext.java:704)
        at java.security.AccessController.doPrivileged(AccessController.java:366)
        at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:703)
        at javax.security.auth.login.LoginContext.login(LoginContext.java:609)
        at org.eclipse.jetty.plus.jaas.JAASLoginService.login(JAASLoginService.java:217)
        at org.eclipse.jetty.security.authentication.FormAuthenticator.validateRequest(FormAuthenticator.java:183)
        at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:456)
        at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:227)
        at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1031)
        at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:406)
        at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:186)
        at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:965)
        at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:117)
        at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:111)
        at org.eclipse.jetty.server.Server.handle(Server.java:349)
        at org.eclipse.jetty.server.AbstractHttpConnection.handleRequest(AbstractHttpConnection.java:449)
        at org.eclipse.jetty.server.AbstractHttpConnection$RequestHandler.content(AbstractHttpConnection.java:925)
        at org.eclipse.jetty.http.HttpParser.parseNext(HttpParser.java:857)
        at org.eclipse.jetty.http.HttpParser.parseAvailable(HttpParser.java:235)
        at org.eclipse.jetty.server.AsyncHttpConnection.handle(AsyncHttpConnection.java:76)
        at org.eclipse.jetty.io.nio.SelectChannelEndPoint.handle(SelectChannelEndPoint.java:609)
        at org.eclipse.jetty.io.nio.SelectChannelEndPoint$1.run(SelectChannelEndPoint.java:45)
        at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:599)
        at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:534)
        at java.lang.Thread.run(Thread.java:804)
2014-02-28 08:32:58.219:WARN:oejpj.JAASLoginService:
javax.security.auth.login.LoginException: Login Failure: all modules ignored
        at javax.security.auth.login.LoginContext.invoke(LoginContext.java:933)
        at javax.security.auth.login.LoginContext.access$000(LoginContext.java:215)
        at javax.security.auth.login.LoginContext$4.run(LoginContext.java:706)
        at javax.security.auth.login.LoginContext$4.run(LoginContext.java:704)
        at java.security.AccessController.doPrivileged(AccessController.java:366)
        at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:703)
        at javax.security.auth.login.LoginContext.login(LoginContext.java:609)
        at org.eclipse.jetty.plus.jaas.JAASLoginService.login(JAASLoginService.java:217)
        at org.eclipse.jetty.security.authentication.FormAuthenticator.validateRequest(FormAuthenticator.java:183)
        at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:456)
        at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:227)
        at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1031)
        at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:406)
        at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:186)
        at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:965)
        at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:117)
        at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:111)
        at org.eclipse.jetty.server.Server.handle(Server.java:349)
        at org.eclipse.jetty.server.AbstractHttpConnection.handleRequest(AbstractHttpConnection.java:449)
        at org.eclipse.jetty.server.AbstractHttpConnection$RequestHandler.content(AbstractHttpConnection.java:925)
        at org.eclipse.jetty.http.HttpParser.parseNext(HttpParser.java:857)
        at org.eclipse.jetty.http.HttpParser.parseAvailable(HttpParser.java:235)
        at org.eclipse.jetty.server.AsyncHttpConnection.handle(AsyncHttpConnection.java:76)
        at org.eclipse.jetty.io.nio.SelectChannelEndPoint.handle(SelectChannelEndPoint.java:609)
        at org.eclipse.jetty.io.nio.SelectChannelEndPoint$1.run(SelectChannelEndPoint.java:45)
        at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:599)
        at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:534)
        at java.lang.Thread.run(Thread.java:804)

And yes, my password is correct.  Any ideas?

Mars Dominion

Feb 28, 2014, 6:09:23 PM
to rundeck...@googlegroups.com
Ok, I figured it out.

My OS is RHEL 6, and it will not work in RHEL 6 without changing the default behavior of /etc/shadow.  Due to the permissions on the shadow file, the only user that can authenticate is the rundeck user (which is running the web processes).  It has to do with the way that the unix_chkpwd program works.  I could create a group called shadow, change permissions and ownership on the /etc/shadow file (440 and root:shadow), and add rundeck to the shadow group to get it to work, but I am just going to go with the MD5 passwords.

By the way, I couldn't figure out how to run the commands to encrypt the password in the documentation either, so I created my MD5 hash on the Linux box locally:

% echo -n "password" | md5sum
5f4dcc3b5aa765d61d8327deb882cf99

and then added that to the realm.properties file:

marsdominion:MD5:e4c3105cc7fd90ce3b196228bb97bfb9,user,admin,architect,deploy,build
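
Added example, not code from this thread or from Rundeck: a small audit of a realm.properties file in the format used above. The sample file is constructed (the MD5 value is the md5sum output for "password" shown earlier); "-" entries defer to the PAM module via useFirstPass, and Jetty's CRYPT:/OBF: credential forms are left out. The audit flags what a defender would want flagged: unsalted MD5 entries like the one chosen here can be guessed offline quickly if the file leaks.

```python
import hashlib
import hmac

# Constructed sample realm.properties in the format used in this thread:
# username:credential,role1,role2,...  where credential is "-" (no secret
# here; the PAM module that ran first decides, via useFirstPass), "MD5:<hex>"
# (Jetty's unsalted MD5 form) or a plaintext password. Jetty's CRYPT:/OBF:
# forms are out of scope for this example.
SAMPLE_REALM = """\
# a comment line, skipped by the parser
marsdominion:MD5:5f4dcc3b5aa765d61d8327deb882cf99,user,admin,architect,deploy,build
pamonly:-,user
legacy:hunter2,user
"""

def parse_realm(text):
    """Return {user: (credential, [roles])}, skipping blanks and comments."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        user, _, rest = line.partition(":")
        fields = [f.strip() for f in rest.split(",")]
        entries[user.strip()] = (fields[0], [r for r in fields[1:] if r])
    return entries

def check_password(credential, password):
    """Verify password against one credential field; None for "-" entries,
    since the file holds no secret and PAM has to decide. Constant-time."""
    if credential == "-":
        return None
    if credential.startswith("MD5:"):
        digest = hashlib.md5(password.encode()).hexdigest()
        return hmac.compare_digest(digest, credential[4:].lower())
    return hmac.compare_digest(credential.encode(), password.encode())

def audit_realm(entries):
    """Return (user, reason) for entries whose secret can be recovered offline
    if realm.properties leaks; "-" entries carry no secret and are skipped."""
    findings = []
    for user, (credential, _roles) in entries.items():
        if credential == "-":
            continue
        if credential.startswith("MD5:"):
            findings.append((user, "unsalted MD5: fast offline guessing"))
        else:
            findings.append((user, "plaintext password"))
    return findings
```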

m...@davidedalfarra.it

Jan 15, 2016, 1:54:42 PM
to rundeck-discuss
The issue also affects Ubuntu 14.04 and Rundeck version 2.6.2.
I solved it by editing the /etc/group file and assigning the shadow group to the rundeck user.
Since in any case the shadow file is read-only "by default" for shadow users, this should not add any threat, apart from the fact that the rundeck user is now able to verify a user's password, maybe even via a brute-force attack.

James Horsfall

Feb 23, 2017, 2:29:16 PM
to rundeck-discuss
Thank you, this fixed my issue.

Simply set a file ACL for rundeck:

setfacl -m "u:rundeck:r--" /etc/shadow
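
Added example, not from this thread: both fixes above (rundeck in the shadow group, or a named-user ACL on /etc/shadow) widen who can read the password hashes, and a defender will want to list that set. The getfacl output and /etc/group content below are constructed stand-ins for a host after those changes; the code only consults /etc/group's explicit member list (primary groups from /etc/passwd are not resolved) and applies the POSIX ACL mask rule, so a named ACL entry that the mask cancels is not reported.

```python
# Constructed stand-ins for `getfacl /etc/shadow` output and /etc/group after
# the two fixes in this thread (rundeck in the shadow group, named-user ACL).
# Only /etc/group's explicit member list is consulted, not primary groups.
SAMPLE_GETFACL = """\
# file: etc/shadow
# owner: root
# group: shadow
user::r--
user:rundeck:r--
group::r--
mask::r--
other::---
"""
SAMPLE_GROUP = "root:x:0:\nshadow:x:42:rundeck\nrundeck:x:1001:\n"

def parse_getfacl(text):
    """Return (owner, owning group, {(kind, name): perms}) from getfacl output."""
    owner, group, acl = None, None, {}
    for raw in text.splitlines():
        if raw.startswith("# owner: "):
            owner = raw[9:]
        elif raw.startswith("# group: "):
            group = raw[9:]
        elif raw and not raw.startswith("#"):
            kind, name, perms = raw.split("#")[0].strip().split(":")  # drops "#effective:"
            acl[(kind, name)] = perms
    return owner, group, acl

def shadow_readers(getfacl_text, group_text):
    """Accounts able to read the file ("*" = everyone); mask limits all but owner/other."""
    owner, group, acl = parse_getfacl(getfacl_text)
    members = {}
    for line in group_text.splitlines():
        if line.strip():
            name, _pw, _gid, users = line.split(":")
            members[name] = [u for u in users.split(",") if u]
    mask = acl.get(("mask", ""), "rwx")
    readers = set()
    for (kind, name), perms in acl.items():
        unmasked = (kind, name) in (("user", ""), ("other", ""))
        if "r" not in perms or not (unmasked or "r" in mask):
            continue
        if kind == "user":
            readers.add(name or owner)  # "" is the owning user entry
        elif kind == "group":
            readers.update(members.get(name or group, []))
        elif kind == "other":
            readers.add("*")
    return readers
```

Anything in the returned set besides root is an account that can read every password hash on the host, which is the trade-off the earlier reply points out.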