Rocky Linux 9 Erroring on Login Attempt
livwel-populus opened this issue · 11 comments
Describe the bug
When attempting to sign into Linux (via ssh) with a Keycloak user, a permission denied error is given. Keycloak does not provide any events and /var/log/kc-ssh-pam.log does not exist.
Client error:
Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
journalctl error:
Feb 15 18:27:47 xxx sshd[2525]: Invalid user aka from xxx.xxx.xx.xx port xxxx
Feb 15 18:27:47 xxx sshd[2525]: PAM _pam_load_conf_file: unable to open config for postlog:q
Feb 15 18:27:47 xxx sshd[2525]: Connection closed by invalid user aka xxx.xxx.xx.xx port xxxxx [preauth]
To Reproduce
Steps to reproduce the behavior:
- Follow the configuration steps on GitHub.
- After restarting sshd, attempt to ssh into Linux with a Keycloak user
- See error
Expected behavior
To be able to log in and to have the Linux user created.
Desktop (please complete the following information):
- OS: Rocky Linux
- Browser: N/A
- Version: 9
Additional context
- Rocky did not have libpam-script but it did have pam_script, which is what I installed.
- Following the configuration, the steps said that "the contents of /usr/share/libpam-script/pam_script_auth should be..." however, the file already existed and was not empty. I removed the contents of the file and pasted what was explained in the tutorial.
Hello @livwel-populus
Can you check if SELinux is enforcing? If yes, can you set it to permissive and test again?
After enabling password authentication in SSH, disabling Require SSL in Keycloak, and setting SELinux to permissive, we still cannot ssh:
livwel:/var/log $ ssh aka@xx.xx.xxx.x
aka@xx.xx.xxx.x's password:
Permission denied, please try again.
aka@xx.xx.xxx.x's password:
I can however get the token via echo:
[rocky@xxx.xx.xx.xxx kc-ssh-pam]$ echo aka | ./kc-ssh-pam
2024/02/16 15:25:48 Token acquired and verified Successfully.
Here is the event in Keycloak:
Also, we are not using OTP.
After testing with OTP, we still get the same issues as above.
Can you create the user manually on the system with any password, and then try again?
Let me know how it goes; I will try to reproduce the issue.
We made a new user and they were not able to get in. After commenting out
#auth include postlog:q
from /etc/pam.d/sshd, we were able to get in with the new user. However, we are still failing to log in as a Keycloak user and are getting the following error in /var/log/kc-ssh-pam.log
2024/02/21 16:13:54 Failed to retrieve token: HTTP request failed with status code 401
The Keycloak Admin Console events show that the credentials are invalid, but I am confident that I am typing them properly.
I am a bit busy at the moment; I will try to reproduce it very soon and test this.
Any updates on this?
Hello,
I have the same issue. Any updates?
I am unable to reproduce this issue.
Here are the steps I have taken.
- Install Rocky Linux in VirtualBox
NAME="Rocky Linux"
VERSION="9.3 (Blue Onyx)"
ID="rocky"
ID_LIKE="rhel centos fedora"
VERSION_ID="9.3"
PLATFORM_ID="platform:el9"
PRETTY_NAME="Rocky Linux 9.3 (Blue Onyx)"
ANSI_COLOR="0;32"
LOGO="fedora-logo-icon"
CPE_NAME="cpe:/o:rocky:rocky:9::baseos"
HOME_URL="https://rockylinux.org/"
BUG_REPORT_URL="https://bugs.rockylinux.org/"
SUPPORT_END="2032-05-31"
ROCKY_SUPPORT_PRODUCT="Rocky-Linux-9"
ROCKY_SUPPORT_PRODUCT_VERSION="9.3"
REDHAT_SUPPORT_PRODUCT="Rocky Linux"
REDHAT_SUPPORT_PRODUCT_VERSION="9.3"
- SSH into the machine and stop firewalld
systemctl stop firewalld
- Set Selinux to permissive
setenforce 0
- Download the rpm from GitHub
wget https://github.com/kha7iq/kc-ssh-pam/releases/download/v0.1.3/kc-ssh-pam_amd64.rpm
- Install
[root@10 ~]# rpm -i kc-ssh-pam_amd64.rpm
- Edit the config file /opt/kc-ssh-pam/config.toml to input client details
- Add pam exec args to
vi /etc/pam.d/sshd
so it looks like following.
#%PAM-1.0
auth sufficient pam_exec.so expose_authtok log=/var/log/kc-ssh-pam.log /opt/kc-ssh-pam/kc-ssh-pam
auth substack password-auth
auth include postlogin
account required pam_sepermit.so
account required pam_nologin.so
account include password-auth
password include password-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open env_params
session required pam_namespace.so
session optional pam_keyinit.so force revoke
session optional pam_motd.so
session include password-auth
session include postlogin
- Add a user manually (the local username has to match the username in Keycloak)
useradd aka -m
- Login via ssh and provide the keycloak username and password
❯ ssh aka@192.168.1.6
aka@192.168.1.6's password:
[aka@10 ~]$ whoami
aka
- Add another user and log in again
❯ ssh ak@192.168.1.6
ak@192.168.1.6's password:
Last login: Fri Mar 15 15:25:38 2024 from 192.168.1.9
[ak@10 ~]$ whoami
ak
The issue is being caused by SELinux; you have to set it to permissive. You can keep the firewall enabled.
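An added sanity check, not part of kc-ssh-pam or this thread, that would have flagged the `postlog:q` include (the journal's "unable to open config for postlog:q") before sshd was restarted: it parses a pam.d service file and verifies that every include/substack target exists. It runs against a constructed temporary pam.d tree, not the real /etc/pam.d, and assumes the include/substack control-word syntax used in the sshd file above.

```shell
# Constructed sample pam.d tree in a temp dir (not the real /etc/pam.d). The
# sshd file carries the typo seen in the issue's journal line, "postlog:q"
# instead of "postlogin"; PAM reports it as "unable to open config for postlog:q".
PAMD="$(mktemp -d)"
printf '%s\n' \
  '#%PAM-1.0' \
  'auth sufficient pam_exec.so expose_authtok log=/var/log/kc-ssh-pam.log /opt/kc-ssh-pam/kc-ssh-pam' \
  'auth substack password-auth' \
  'auth include postlog:q' \
  'account include password-auth' \
  'session include postlogin' > "$PAMD/sshd"
: > "$PAMD/password-auth"
: > "$PAMD/postlogin"

# check_pam_includes DIR SERVICE
# Returns 0 when every include/substack target named in DIR/SERVICE exists as
# a file in DIR; otherwise prints each missing target to stderr and returns 1.
# Run it against /etc/pam.d before restarting sshd: a broken include fails the
# whole auth stack, including the pam_exec Keycloak hook placed above it.
check_pam_includes() {
  dir="$1"; svc="$2"; missing=0
  # drop comment lines, keep the target (3rd field) of include/substack rules
  for target in $(grep -v '^[[:space:]]*#' "$dir/$svc" |
                  awk '$2 == "include" || $2 == "substack" { print $3 }'); do
    if [ ! -f "$dir/$target" ]; then
      echo "$svc: include target '$target' not found in $dir" >&2
      missing=$((missing + 1))
    fi
  done
  [ "$missing" -eq 0 ]
}

# Example run on the constructed tree: reports postlog:q as missing.
check_pam_includes "$PAMD" sshd || echo "fix $PAMD/sshd before restarting sshd"
```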
Closing the task as there has been no response, Reopen if you have further questions.