This repository has been archived by the owner on Dec 26, 2020. It is now read-only.

User login failed after running this module #114

Closed
haf opened this issue May 23, 2017 · 3 comments

haf commented May 23, 2017

Problem: this module stops one new user from logging in, but not the default ubuntu vagrant user.

I've set up the user/playbook like so:

  - role: dev-sec.os-hardening
  #- role: dev-sec.ssh-hardening
  #  sftp_enabled: true
  - role: sansible.users_and_groups
    users_and_groups:
      authorized_keys_dir: /etc/ssh/authorized_keys
      groups:
      - name: sftp-only
      users:
      - name: myuser
        groups:
        - sftp-only
        home: /home/myuser
        ssh_key: ./myuser.pub

If I comment in this module in the above playbook, I get this error in /var/log/auth.log:

May 23 18:05:21 ubuntu-xenial sshd[26236]: Connection from 10.0.2.2 port 59156 on 10.0.2.15 port 22
May 23 18:05:21 ubuntu-xenial sshd[26236]: User myuser not allowed because account is locked
May 23 18:05:21 ubuntu-xenial sshd[26236]: input_userauth_request: invalid user myuser [preauth]
May 23 18:05:21 ubuntu-xenial sshd[26236]: error: maximum authentication attempts exceeded for invalid user myuser from 10.0.2.2 port 59156 ssh2 [preauth]
May 23 18:05:21 ubuntu-xenial sshd[26236]: Disconnecting: Too many authentication failures [preauth]
May 23 18:05:31 ubuntu-xenial su[22231]: pam_unix(su:session): session closed for user myuser

It's running on xenial64, the 16.04 LTS of Ubuntu.

Provisioning the node without this module makes it possible to access both SSH and SFTP with the newly created user.
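
The log excerpt above carries two different failure messages for the same connection. The following added example (not part of the original issue or of the dev-sec roles) groups sshd lines by PID and reports the earliest account rejection as the cause, treating a later "maximum authentication attempts" line as a symptom. The function name and the last sample log line are constructed for illustration.

```python
import re
from collections import defaultdict

# First six lines: the auth.log excerpt quoted in the issue.
# Last line: constructed for contrast (a connection that only ran out of tries).
SAMPLE_LOG = """\
May 23 18:05:21 ubuntu-xenial sshd[26236]: Connection from 10.0.2.2 port 59156 on 10.0.2.15 port 22
May 23 18:05:21 ubuntu-xenial sshd[26236]: User myuser not allowed because account is locked
May 23 18:05:21 ubuntu-xenial sshd[26236]: input_userauth_request: invalid user myuser [preauth]
May 23 18:05:21 ubuntu-xenial sshd[26236]: error: maximum authentication attempts exceeded for invalid user myuser from 10.0.2.2 port 59156 ssh2 [preauth]
May 23 18:05:21 ubuntu-xenial sshd[26236]: Disconnecting: Too many authentication failures [preauth]
May 23 18:05:31 ubuntu-xenial su[22231]: pam_unix(su:session): session closed for user myuser
May 23 18:09:02 ubuntu-xenial sshd[26301]: error: maximum authentication attempts exceeded for ubuntu from 10.0.2.2 port 59160 ssh2 [preauth]
"""

LINE_RE = re.compile(r"^\w{3}\s+\d+ [\d:]{8} \S+ sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
# sshd refuses the account itself, before any key or password is evaluated.
REJECTED = re.compile(r"^User (?P<user>\S+)(?: from \S+)? not allowed because (?P<reason>.+)$")
# sshd gave up after the configured number of failed attempts.
MAX_AUTH = re.compile(r"maximum authentication attempts exceeded for (?:invalid user )?(?P<user>\S+)")


def triage(log_text):
    """Return {pid: {"user", "root_cause", "symptoms"}} for failed sshd connections."""
    sessions = defaultdict(lambda: {"user": None, "root_cause": None, "symptoms": []})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # lines from other programs (su, pam) are ignored
        s, msg = sessions[m["pid"]], m["msg"]
        if (r := REJECTED.search(msg)):
            s["user"] = r["user"]
            s["root_cause"] = s["root_cause"] or r["reason"]
        elif (a := MAX_AUTH.search(msg)):
            s["user"] = s["user"] or a["user"]
            if s["root_cause"]:
                # The account was already refused; running out of tries follows from that.
                s["symptoms"].append("max_auth_tries")
            else:
                s["root_cause"] = "max_auth_tries"
    # Connections with no recorded failure are dropped.
    return {pid: s for pid, s in sessions.items() if s["root_cause"]}


if __name__ == "__main__":
    for pid, s in triage(SAMPLE_LOG).items():
        print(f"sshd[{pid}] user={s['user']} cause={s['root_cause']!r} symptoms={s['symptoms']}")
```
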

@rndmh3ro rndmh3ro added the bug label May 25, 2017
@rndmh3ro
Member

I'm failing in reproducing your example code because the users_and_groups module failed for me at two different spots.

The hardening module sets the following:

# Specifies the maximum number of authentication attempts permitted per connection. Once the number of failures reaches half this value, additional failures are logged.
ssh_max_auth_retries: 2

Can you set that to 10 and see if it fixes your problem? This seems to be a problem with the authentication.


haf commented May 29, 2017

Hello, I believe I tried that, but I can't be sure I set -o IdentityFile=myuser, but I'm sorry to say that I rewrote this module myself from scratch while waiting for a reply and then it works. I also tried rebooting the machine with a different setting on ssh_max_auth_retries, so I believe that I'm correct in filing this bug report.

I'll leave it up to you to choose what to do with this issue, to close or to keep. I'm fine with both, but I won't participate with this module any more. I still use your os hardening though.

@rndmh3ro
Member

Since I cannot reproduce the bug, I'll close it. If someone else has this bug I'll reopen it.
Thanks for bringing it to our attention though!
