For some reason i cannot login using root or other accounts on my Linux system.
When logging in at the main console it says "Authentication failed" in a dialog box with an OK button.
The Linux system is Redhat 4.7.
I've already checked /etc/pam.d/login, /etc/security/access.conf and /etc/securetty files but everything is correct. I have already checked if /etc/nologin file exists.
I have accessed the files mentioned above using rescue mode.
Can anyone help me for this?
What does /var/log/secure say? What about /var/log/messages? They should give you a clue. Also, please do an "ls -l" on /bin/login and check if the permissions to that has been altered. It should have root:root ownership with 755 permission. Also, did you check if permissions on /etc/passwd and /etc/shadow are intact? Or even if the files exist?
Both files (/var/log/secure, /var/log/messages) have the information about the last time I was able to login successfully.
Also /bin/login has 755 permission, /etc/passwd has 644 permission and /etc/shadow has 600 permission.
This means PAM is not logging the login attempts (either successful or unsuccessful, it's supposed to log them) in /var/log/secure, which leads me to suspect that PAM is not doing what it's supposed to do.
Do you remember doing any changes that could affect PAM modules?
No I have not done or installed anything on the system that will affect PAM module.
My pam.d/login file contents are
#%PAM-1.0
auth required pam_securetty.so
auth required pam_stack.so service=system-auth
auth required pam_nologin.so
account required pam_stack.so service=system-auth
password required pam_stack.so service=system-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_stack.so service=system-auth
session required pam_loginuid.so
session optional pam_console.so
# pam_selinux.so open should be the last session rule
# session required pam_selinux.so open
session required /lib/security/pam_limits.so
session sufficient /lib/security/pam_lsass.so
session required pam_selinux.so open
Okay, could you execute "authconfig-tui" and make sure local user authentication is enabled? Also check /etc/nsswitch.conf after this. "files" should be the first option for passwd, shadow, and group in there.
I think somehow, PAM is not being used at all for authentication.
authconfig-tui command gave me an error saying command not found.
/etc/nsswitch.conf file first few lines are:
;passwd: files winbind
passwd files lsass
shadow files
group files lsass
;group: files winbind
Please use /usr/bin/authconfig-tui as you are in the single user mode, your environments are not set.
/usr/bin/authconfig-tui does not exist in my /usr/bin
There are only authconfig, authconfig-gts and authconf files in there.
"authconfig" will do just fine. Check "man 8 authconfig" or authconfig(8) - Linux man page for details. This will reset things and should correct if any unwanted change is causing this.
I tried authconfig --restorelastbackup but I am still not able to login.
Boot the machine into runlevel 3 and check if you are able to do console login or while on the graphical login screen, press ALT+F2 or ALT+F3 etc. to login to one of the virtual consoles. Check if you are able to do so.
I am not able to login in one of the virtual consoles. It gives me a "Login Incorrect" message for fraction of second and then it again asks me for a username.
This confirms the issue is with PAM. Is SELinux set to enforcing? Are there any AVC denial messages? To check this run the below commands:
getenforce
sealert �a /var/log/audit/audit.log
I tried to run the command but it give me an error command not found.
---------- Post updated at 11:44 AM ---------- Previous update was at 11:32 AM ----------
getenforce command gave me Permissive as output.
put sealert gave me an error "command not found"
If SELinux is enabled and in enforcing mode, you need to install additional package for using sealert, which is setroubleshoot-server. Since you are in single user mode, you would not be able to take advantage of yum and you will need to install the rpm manually resolving the numerous dependencies.
An alternate way would be to just browsing through the audit.log file with something like this:
grep -Ei "fail|pam|denied" /var/log/audit/audit.log | more
I'm sure this is not a production server. Correct? How about reinstalling the OS? Without having access to the server, resolving this kind of issue is kind of tough. Let us see what other more experienced Linux admins have to say about this issue.
I also checked the /var/log/audit folder its empty.
Just saw your update. If SELinux is in permissive mode, then the issue should not be caused by SELinux AVC denials.
I also checked the /var/log/audit folder its empty. Is this an issue?
/var/log/audit/ directory could be empty when auditing subsystem is disabled. This is not an issue.
Anyway, if possible could you uninstall and reinstall PAM related packages?
rpm -qa | grep pam
rpm -ev pam-xyz.rpm
rpm -ivh pam-xyz.rpm
Lets hope for the best!!