Corruption of /etc/pam.d/password-auth and system-auth files

Dear Team,
I have Red Hat 7.7. I was doing hardening and edited /etc/pam.d/password-auth and system-auth, trying to enable account locking after 3 attempts with a wrong password.

After saving my config I was not able to log in with my admin account, and none of the users are able to log in either.

How I reverted the changes:

  1. Logged in to the server through single-user mode and tried to delete the entries added.
  2. Rebooted the server, but I am still not able to log in.

Please guide me on how I can restore my two files to their original state.

Responses

Hi Etienne Rwakineza,

As per the documentation https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/chap-hardening_your_system_with_tools_and_services

The order of lines in the failed attempt log files is important. Any change in this order can lock all user accounts, including the root user account when the even_deny_root option is used.

So, any small change would severely impact the operation if not defined properly. If this file is corrupted then it could be copied from a similar node, as root user, which has the defaults not yet tuned/changed. Otherwise, one could extract the file from the respective 'pam' package. I could extract such files on my virtual system from the pam package as shown below:

[root@test pamfiles]# rpm2cpio /media/Packages/pam-1.1.8-22.el7.x86_64.rpm |cpio --extract --make-directories --verbose "*system-auth" "*password-auth"
./etc/pam.d/password-auth
./etc/pam.d/system-auth
5246 blocks
[root@test pamfiles]# tree
.
└── etc
    └── pam.d
        ├── password-auth
        └── system-auth

2 directories, 2 files

Later, move these files to the required location. Otherwise, simply copy the contents into the original pam file in order to avoid any SELinux context tagging issues. I'm not sure if you've already tried these out.

I hope this helps.
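As an added illustration (not from this thread), a small checker that parses a PAM auth stack and flags pam_faillock lines that are missing or out of order relative to pam_unix.so, following the layout the linked RHEL 7 Security Guide documents. The two stacks it inspects are constructed samples; run it against a copy of system-auth or password-auth before installing the file.

```python
import re

# Constructed sample following the pam_faillock layout in the RHEL 7 Security Guide.
GOOD_STACK = """\
auth        required      pam_env.so
auth        required      pam_faillock.so preauth silent audit deny=3 unlock_time=600
auth        sufficient    pam_unix.so nullok try_first_pass
auth        [default=die] pam_faillock.so authfail audit deny=3 unlock_time=600
auth        required      pam_deny.so
account     required      pam_faillock.so
account     required      pam_unix.so
"""
# Constructed sample with authfail before pam_unix.so: every attempt, right
# password or not, bumps the failure counter, so all accounts lock out quickly.
BAD_STACK = """\
auth        required      pam_env.so
auth        [default=die] pam_faillock.so authfail audit deny=3 unlock_time=600
auth        sufficient    pam_unix.so nullok try_first_pass
account     required      pam_unix.so
"""

def parse_stack(text):
    """Return (type, control, module, args) tuples for each non-comment, non-blank line."""
    pat = re.compile(r"^(?!#)(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")
    return [m.groups() for m in (pat.match(l.strip()) for l in text.splitlines()) if m]

def check_faillock(text):
    """Return a list of ordering problems; an empty list means the stack looks sane."""
    entries = parse_stack(text)
    auth = [e for e in entries if e[0] == "auth"]
    def first(pred):
        return next((i for i, e in enumerate(auth) if pred(e)), None)
    unix_i = first(lambda e: e[2] == "pam_unix.so")
    pre_i = first(lambda e: e[2] == "pam_faillock.so" and "preauth" in e[3].split())
    fail_i = first(lambda e: e[2] == "pam_faillock.so" and "authfail" in e[3].split())
    if unix_i is None:
        return ["auth stack has no pam_unix.so"]
    problems = []
    if pre_i is None:
        problems.append("pam_faillock.so preauth line missing")
    elif pre_i > unix_i:
        problems.append("preauth line must come before pam_unix.so")
    if fail_i is None:
        problems.append("pam_faillock.so authfail line missing")
    elif fail_i < unix_i:
        problems.append("authfail line must come after pam_unix.so")
    if not any(e[0] == "account" and e[2] == "pam_faillock.so" for e in entries):
        problems.append("account stack lacks pam_faillock.so")
    return problems
```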

I have almost the same issue, and I am not able to log in to the server with any user, including the root account. Is there any way to log in to the server other than single-user mode, because it's a production server?

Thanks in advance.