Comments (1)
The reason:
- systemd creates a file `/run/nologin`, preventing login to the system to users (except for root)
- that file normally is deleted by the systemd service `systemd-user-sessions.service` (see https://man.archlinux.org/man/systemd-user-sessions.service.8.en). However this service never starts in the failing containers (idk why), thus the file does not get deleted
- this normally does not present a problem since we login into the container as root
- however we check that our pam-config works by simulating a login with pam-tester
- here's the output of the underlying library:

```python
>>> import pam
>>> p = pam.pam()
>>> p.authenticate('testuser', 'root') # -> could not authenticate, although password is correct
False
>>> print(p.code)
7
>>> print(p.reason)
Authentication failure
>>> p.messages
['Password: ', '"System is booting up. Unprivileged users are not permitted to log in yet. Please come back later. For technical details, see pam_nologin(8)."']
```

- removing the nologin-file is enough to make it work
More info:
- https://access.redhat.com/solutions/6408321
- https://access.redhat.com/discussions/4321031
- https://stackoverflow.com/questions/58682387/error-while-trying-to-ssh-a-docker-container-system-is-booting-up
from ansible-collection-hardening.
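
A pre-flight check for the situation described in the comment, as an added example that is not part of the original comment or of ansible-collection-hardening: it tells a `pam_nologin` rejection apart from a real credential failure before a PAM login test is trusted. The helper names `nologin_blockers` and `classify_failure` are hypothetical, and `/etc/nologin` is taken from pam_nologin(8), not from the comment.

```python
"""Pre-flight check: is pam_nologin why a non-root PAM login test fails?"""
from pathlib import Path

# /run/nologin is the file named in the comment above; /etc/nologin is the
# other path documented in pam_nologin(8) (not mentioned in the comment).
NOLOGIN_FILES = ("run/nologin", "etc/nologin")


def nologin_blockers(root="/"):
    """Return {path: file text} for each nologin file present under root."""
    found = {}
    for rel in NOLOGIN_FILES:
        path = Path(root) / rel
        if path.is_file():
            found[str(path)] = path.read_text(errors="replace").strip()
    return found


def classify_failure(user, pam_messages, root="/"):
    """Classify a failed PAM authentication.

    pam_messages is the conversation text (python-pam's `p.messages`).
    "credentials":    no nologin file applies to this user
    "nologin":        a nologin file exists and PAM echoed its text
    "nologin-likely": a nologin file exists but its text was not echoed
    """
    if user == "root":  # pam_nologin does not block root
        return "credentials"
    blockers = nologin_blockers(root)
    if not blockers:
        return "credentials"
    # Drop surrounding whitespace and quotes so the file text and the
    # PAM conversation text compare equal.
    shown = " ".join(m.strip().strip('"') for m in pam_messages)
    for text in blockers.values():
        needle = text.strip('"')
        if needle and needle in shown:
            return "nologin"
    return "nologin-likely"


if __name__ == "__main__":
    # Inspect the running system or container.
    for path, text in nologin_blockers().items():
        print(f"{path} present: {text or '(empty)'}")
```

Passing `p.messages` from a failed `p.authenticate(...)` call as `pam_messages` shows whether the failure says anything about the PAM configuration under test.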