6 Replies Latest reply on Jun 19, 2019 5:03 AM by Ana Lorite

    ssh credential gets locked

    Ana Lorite

      Hi all,

      Good morning.

      In some cases, the ssh credential is getting locked. After successful ssh logins, these credentials are getting failed ssh login attempts.

      If we log in to one of these hosts and execute the pam_tally2 command, the output is:

      [root@dtrcsrv04 ~]# pam_tally2 --user=discovery

      Login           Failures Latest failure     From

      discovery         110    05/23/19 12:29:13  dvryscn02.bankinter.bk

      If we unlock the user, the ssh credential works fine again:

      [root@dtrcsrv04 ~]# pam_tally2 --user=discovery --reset

      Login           Failures Latest failure     From

      discovery         110    05/23/19 12:29:13  dvryscn02.bankinter.bk

      [root@dtrcsrv04 ~]# pam_tally2 --user=discovery

      Login           Failures Latest failure     From

      discovery           0

      Do you have any feedback on a similar behaviour?

      Thanks in advance.

      Ana.

        • 1. Re: ssh credential gets locked
          Ondrej Kieler

          Hi,

          Don't you have more than one ssh credential using the same username stored on your scanner?

          • 2. Re: ssh credential gets locked
            Ana Lorite

            Thanks for your answer and your help.

            It seems this lock issue is due to errors in sudo commands.

            My customer doesn't allow a user with sudo privileges, so we've defined commands + parameters with sudo privileges. And it is a constant source of errors.

            sudo] password for BTDiscovery:

            Sorry, try again.

            [sudo] password for BTDiscovery:

            Sorry, try again.

            [sudo] password for BTDiscovery:

            Sorry, try again.

            sudo: 3 incorrect password attempts

            __TIDEWAY_CMD_END__

            Thanks again.

            Ana.

            • 3. Re: ssh credential gets locked
              Andrew Waters

              You mean you have created a sudo configuration which only allows some commands with specific arguments?

              • 4. Re: ssh credential gets locked
                Ana Lorite

                Hi Andrew.

                Yes, I mean this.

                There is a file in /etc/sudoers.d with the sudo configuration.

                Regards, Ana.

                • 5. Re: ssh credential gets locked
                  Andrew Waters

                  What have you got set up that locks the account - PAM?

                  • 6. Re: ssh credential gets locked
                    Ana Lorite

                    Hi Andrew,

                    I would like to add some context: my client didn't allow having a user with sudo privileges at all. Therefore, the only alternative suitable to provide good discovery capabilities was to define which specific and restricted commands would be allowed to the ssh user using sudo. I used the Linux.sh script as the starting point.

                    So we realized that the wrong definition of one of these specific and restricted commands causes PAM to lock the user account.

                    In particular, the definition of the pvs command was wrong, so Discovery tried to execute under sudo a non-allowed command. The correct definition is:

                    Cmnd_Alias PVS =        /sbin/pvs --noheadings --separator ['\,]*  -o pv_name\,vg_name

                    So I'll have to check from time to time the correct definition of that file and the log messages in the session.log file.

                    Thanks for your time.

                    Regards, Ana.

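As an added example (not part of the thread, and not BMC Discovery's or sudo's own code): an offline approximation of sudoers Cmnd_Alias matching that an administrator could run against a copy of the /etc/sudoers.d file to see whether each command line Discovery issues is covered, before a mismatch sends the account to the sudo password prompt and into pam_tally2's failure count. The sudoers fragment is constructed from the PVS alias quoted above plus an assumed DMIDECODE alias, and the matching rules are a simplification of sudo's (glob match on the joined arguments when wildcards are present, exact match otherwise).

```python
import fnmatch
import re

# Constructed sudoers.d fragment: the PVS alias is the corrected definition from the
# thread, the DMIDECODE alias is assumed. Assumed user spec (not parsed here):
#   discovery ALL = (root) NOPASSWD: PVS, DMIDECODE
SUDOERS_FRAGMENT = r"""
Cmnd_Alias PVS =        /sbin/pvs --noheadings --separator ['\,]*  -o pv_name\,vg_name
Cmnd_Alias DMIDECODE =  /usr/sbin/dmidecode
"""


def parse_cmnd_aliases(text):
    """Return {alias: [(path, args_pattern or None), ...]} from Cmnd_Alias lines."""
    aliases = {}
    for line in text.splitlines():
        m = re.match(r"\s*Cmnd_Alias\s+(\w+)\s*=\s*(.*)", line)
        if not m:
            continue
        entries = []
        # Commas separate commands; a backslash-escaped comma is a literal comma.
        for raw in re.split(r"(?<!\\),", m.group(2)):
            raw = raw.strip().replace(r"\,", ",")
            if not raw:
                continue
            parts = raw.split(None, 1)
            args = " ".join(parts[1].split()) if len(parts) > 1 else None
            entries.append((parts[0], args))
        aliases[m.group(1)] = entries
    return aliases


def command_permitted(argv, entries):
    """True if argv (path + args as sudo sees them, shell quoting already removed)
    matches an entry. Simplified sudo rules: no args in the entry permits any
    args, "" permits none, a wildcard pattern is glob-matched against the joined
    args, anything else must match exactly. A command matching nothing makes sudo
    prompt for a password; each failed prompt is a PAM failure pam_tally2 counts."""
    path, args = argv[0], " ".join(argv[1:])
    for spec_path, spec_args in entries:
        if spec_path != path:
            continue
        if spec_args is None:
            return True
        if spec_args == '""':
            return args == ""
        if any(c in spec_args for c in "*?[") and fnmatch.fnmatchcase(args, spec_args):
            return True
        if spec_args == args:
            return True
    return False
```

The check needs neither root nor sudo, so it can be run on the workstation against the sudoers.d file before it is deployed to the scanned hosts.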