Fix pam tests #690
Open
rndmh3ro opened this issue Aug 7, 2023 · 1 comment
rndmh3ro commented Aug 7, 2023

Description

The pam tests currently fail.

Reproduction steps

run tests

Current Behavior

 
  TASK [include PAM tests] *******************************************************
  Friday 04 August 2023  15:00:03 +0000 (0:00:00.083)       0:00:11.905 *********
  included: /home/runner/work/ansible-collection-hardening/ansible-collection-hardening/ansible_collections/devsec/hardening/molecule/os_hardening/verify_tasks/pam_1.yml for instance
  
  TASK [install pip] *************************************************************
  Friday 04 August 2023  15:00:03 +0000 (0:00:00.041)       0:00:11.947 *********
  changed: [instance]
  
  TASK [install pam-tester] ******************************************************
  Friday 04 August 2023  15:00:21 +0000 (0:00:18.227)       0:00:30.174 *********
  changed: [instance]
  
  TASK [set password for test] ***************************************************
  Friday 04 August 2023  15:00:24 +0000 (0:00:03.073)       0:00:33.248 *********
  ok: [instance]
  
  TASK [set locale for test] *****************************************************
  Friday 04 August 2023  15:00:24 +0000 (0:00:00.073)       0:00:33.322 *********
  skipping: [instance]
  
  TASK [create testuser] *********************************************************
  Friday 04 August 2023  15:00:24 +0000 (0:00:00.034)       0:00:33.356 *********
  [DEPRECATION WARNING]: Encryption using the Python crypt module is deprecated. 
  The Python crypt module is deprecated and will be removed from Python 3.13. 
  Install the passlib library for continued encryption functionality. This 
  feature will be removed in version 2.17. Deprecation warnings can be disabled 
  by setting deprecation_warnings=False in ansible.cfg.
  changed: [instance]
  
  PLAY [Verify] ******************************************************************
  
  TASK [Gathering Facts] *********************************************************
  Friday 04 August 2023  15:00:25 +0000 (0:00:01.136)       0:00:34.492 *********
  ok: [instance]
  
  TASK [set ansible_python_interpreter to "/usr/bin/python3"] ********************
  Friday 04 August 2023  15:00:27 +0000 (0:00:01.319)       0:00:35.811 *********
  ok: [instance]
  
  TASK [include PAM tests] *******************************************************
  Friday 04 August 2023  15:00:27 +0000 (0:00:00.076)       0:00:35.888 *********
  included: /home/runner/work/ansible-collection-hardening/ansible-collection-hardening/ansible_collections/devsec/hardening/molecule/os_hardening/verify_tasks/pam_2.yml for instance
  
  TASK [check successful login with correct password] ****************************
  Friday 04 August 2023  15:00:27 +0000 (0:00:00.043)       0:00:35.932 *********
  fatal: [instance]: FAILED! => {"changed": true, "cmd": "/usr/local/bin/pam-tester --user testuser -***", "delta": "0:00:00.139822", "end": "2023-08-04 15:00:28.290337", "msg": "non-zero return code", "rc": 1, "start": "2023-08-04 15:00:28.150515", "stderr": "", "stderr_lines": [], "stdout": "authenticating user testuser in PAM stack login, status: PAM code 7, PAM reason Authentication failure", "stdout_lines": ["authenticating user testuser in PAM stack login, status: PAM code 7, PAM reason Authentication failure"]}
  
  PLAY RECAP *********************************************************************

Expected Behavior

working tests

OS / Environment

  • centos stream 8
  • rocky 8
  • rocky 9
  • fedora 37
  • fedora 38
rndmh3ro added the bug label Aug 7, 2023
rndmh3ro pushed a commit to dev-sec/docker-ansible that referenced this issue Aug 8, 2023
see: dev-sec/ansible-collection-hardening#690
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
rndmh3ro commented Aug 8, 2023

The reason:

  • systemd creates a file /run/nologin, preventing users (except root) from logging in to the system
  • that file is normally deleted by the systemd service systemd-user-sessions.service (see https://man.archlinux.org/man/systemd-user-sessions.service.8.en). However, this service never starts in the failing containers (idk why), thus the file does not get deleted
  • this normally does not present a problem since we login into the container as root
  • however we check that our pam-config works by simulating a login with pam-tester
  • here's the output of the underlying library:
>>> import pam
>>> p = pam.pam()
>>> p.authenticate('testuser', 'root') # -> could not authenticate, although password is correct
False
>>> print(p.code)
7
>>> print(p.reason)
Authentication failure
>>> p.messages
['Password: ', '"System is booting up. Unprivileged users are not permitted to log in yet. Please come back later. For technical details, see pam_nologin(8)."']
  • removing the nologin file is enough to make it work

More info:

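The pre-flight check a verify playbook would want before running pam-tester, as an added example that is not part of this issue or of the dev-sec collection: parse a pam.d stack for pam_nologin.so and report whether a nologin file would reject the test user. The pam.d text below is constructed for illustration (not a file shipped by any distribution), the /run/nologin and /etc/nologin paths and the root exemption follow pam_nologin(8), and simulate() stands a temporary directory in for /run so the script runs without touching the real file.

```python
"""Pre-flight check for the failing pam-tester step (added example).

Parses a pam.d stack for pam_nologin.so and checks whether a nologin file
would block a non-root login, which is the condition diagnosed in the issue.
The sample stack is constructed; paths and the root exemption follow
pam_nologin(8).
"""
import os
import tempfile

# Constructed sample of a /etc/pam.d/login stack (illustrative only).
SAMPLE_LOGIN_STACK = """\
#%PAM-1.0
auth       substack     system-auth
auth       include      postlogin
account    required     pam_nologin.so
account    [success=1 default=ignore] pam_succeed_if.so user = testuser   # trailing comment
account    include      system-auth
session    required     pam_selinux.so close
session    include      system-auth
"""

# Files pam_nologin(8) honours: /etc/nologin and /var/run/nologin (/run/nologin).
DEFAULT_NOLOGIN_PATHS = ("/etc/nologin", "/run/nologin")


def parse_pam_stack(text):
    """Return (type, control, module, args) tuples from pam.d text.

    Comments are stripped, blank lines skipped, backslash continuations
    joined, and a bracketed control such as [success=1 default=ignore]
    is kept as one field. @include lines are returned with type '@include'.
    """
    entries = []
    pending = ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if line.endswith("\\"):
            pending += line[:-1] + " "
            continue
        line = (pending + line).strip()
        pending = ""
        if line.startswith("@include"):
            entries.append(("@include", "", line.split()[1], []))
            continue
        parts = line.split(None, 1)
        typ = parts[0]
        rest = parts[1] if len(parts) > 1 else ""
        if rest.startswith("["):
            close = rest.index("]")
            control, rest = rest[:close + 1], rest[close + 1:]
        else:
            parts = rest.split(None, 1)
            control = parts[0] if parts else ""
            rest = parts[1] if len(parts) > 1 else ""
        fields = rest.split()
        entries.append((typ, control, fields[0] if fields else "", fields[1:]))
    return entries


def nologin_entries(text):
    """Entries that load pam_nologin.so, the module that enforces the file."""
    return [e for e in parse_pam_stack(text) if e[2] == "pam_nologin.so"]


def blocking_nologin_file(user, stack_text, nologin_paths=DEFAULT_NOLOGIN_PATHS):
    """Return the nologin file that would reject `user`, or None.

    Mirrors pam_nologin(8): the module only acts if it is in the stack,
    one of the configured files exists, and the user is not root.
    """
    if user == "root" or not nologin_entries(stack_text):
        return None
    for path in nologin_paths:
        if os.path.exists(path):
            return path
    return None


def simulate(user, nologin_present, stack_text=SAMPLE_LOGIN_STACK):
    """Run the check against a temp dir standing in for /run; True if blocked."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "nologin")  # stands in for /run/nologin
        if nologin_present:
            with open(path, "w") as fh:
                fh.write("System is booting up. Unprivileged users are not permitted to log in yet.\n")
        return blocking_nologin_file(user, stack_text, (path,)) is not None


if __name__ == "__main__":
    for user in ("testuser", "root"):
        print(user, "blocked while nologin file exists:", simulate(user, True))
        print(user, "blocked after its removal:", simulate(user, False))
```

On the real host, call blocking_nologin_file("testuser", open("/etc/pam.d/login").read()) before invoking pam-tester; a non-None result means the PAM code 7 seen in the log is the nologin gate rather than a broken password configuration, and the verify task should remove the file (or wait for systemd-user-sessions.service) first.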