Status: Closed (c0c0n3 closed this issue 5 months ago)
Oh, forgot to mention. If you try this long enough, after a couple of reboots you may wind up with both tty and SSH logins being bust. The only way you can log in with either user is with SSH+key. Go figure!
PAM's actually what makes TTY and SSH logins fail, as `journalctl` reports:

```
Apr 04 19:19:55 devm login[896]: pam_unix(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=/dev/ttyAMA0 ruser= rhost= user=admin
Apr 04 19:20:23 devm sshd[1083]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.2.2 user=admin
```
Well, it turns out Agenix/Agez/PAM actually have nothing to do with the account lockout. And the account lockout isn't really a lockout. What? Yep, that's right. The problem is between VS Code and the Apple Terminal on my laptop! In fact, I was copy-pasting the passwords from VS Code into the terminal (SSH password prompt) and the password string that got sent over to the dev VM contained ANSI (colour) escape codes!
I realised that only after tracing the syscalls sshd and its sub-processes were making in the dev VM:

```
$ sudo strace -f -s 10000 -p $(cat /run/sshd.pid) -o dump.txt
```

Now after getting the middle finger from the server on an SSH login with a password of `root2`, I looked at the dump and found the actual password SSH got was `\21\33[200~root2\33[201~`, see the snippet below from the dump.

```
1116 write(5, "\0\0\0\1\0\0\0\21\33[200~root2\33[201~", 25) = 25
```
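The comment above pins the "lockout" on terminal input leaking into the password. As an added example (not code from the odbox project or from the commenter), the script below decodes an strace-style `write()` line back into the raw bytes the peer received, flags ECMA-48 CSI sequences and C0 control bytes in them, and pulls out the text wrapped in the xterm bracketed-paste markers `ESC[200~` / `ESC[201~`, which is what the `\33[200~` and `\33[201~` sequences in the dump are. The sample line is the one quoted above; the function names and the interpretation of everything outside the paste markers as framing are my own assumptions.

```python
"""Decode an strace write() payload and check it for terminal escape junk.

Added example for this thread, not odbox code. SAMPLE_STRACE_LINE is copied
from the strace snippet in the comment above; all function names are mine.
"""
import re

# Constructed input: the write() line from the thread's strace dump.
SAMPLE_STRACE_LINE = (
    r'1116 write(5, "\0\0\0\1\0\0\0\21\33[200~root2\33[201~", 25) = 25'
)

PASTE_START = b"\x1b[200~"  # xterm bracketed paste: start of pasted text
PASTE_END = b"\x1b[201~"    # xterm bracketed paste: end of pasted text

# ECMA-48 CSI sequence: ESC '[' parameter bytes, intermediate bytes, final byte.
# Covers colour codes (ESC[31m), cursor moves and the paste markers above.
CSI_RE = re.compile(rb"\x1b\[[\x30-\x3f]*[\x20-\x2f]*[\x40-\x7e]")
# C0 control bytes plus DEL, excluding TAB/LF/CR which prompts legitimately use.
C0_RE = re.compile(rb"[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]")

# strace escapes non-printables C-style: \0, \21 (octal), \x1b (with -x), \n, \\, \"
_STRACE_ESC_RE = re.compile(r'\\([0-7]{1,3}|x[0-9a-fA-F]{2}|[abtnvfr\\"])')
_NAMED = {"a": 7, "b": 8, "t": 9, "n": 10, "v": 11, "f": 12, "r": 13, "\\": 92, '"': 34}
_WRITE_RE = re.compile(r'write\(\d+, "(.*)", (\d+)\)\s*=\s*(-?\d+)')


def strace_unescape(text: str) -> bytes:
    """Turn the body of an strace-quoted string back into the original bytes."""
    out = bytearray()
    pos = 0
    for m in _STRACE_ESC_RE.finditer(text):
        out += text[pos:m.start()].encode("latin-1")
        tok = m.group(1)
        if tok[0] in "01234567":
            out.append(int(tok, 8))          # octal escape, e.g. \33 -> 0x1b
        elif tok[0] == "x":
            out.append(int(tok[1:], 16))     # hex escape from strace -x
        else:
            out.append(_NAMED[tok])          # \n, \t, \\, \" and friends
        pos = m.end()
    out += text[pos:].encode("latin-1")
    return bytes(out)


def payload_from_strace(line: str) -> bytes:
    """Extract the buffer of a write() call and cross-check strace's byte count."""
    m = _WRITE_RE.search(line)
    if not m:
        raise ValueError(f"not a write() line: {line!r}")
    data = strace_unescape(m.group(1))
    declared = int(m.group(2))
    if len(data) != declared:
        raise ValueError(f"decoded {len(data)} bytes but strace says {declared}")
    return data


def terminal_escapes(data: bytes) -> list:
    """Every CSI sequence present in data, in order."""
    return CSI_RE.findall(data)


def bracketed_paste_content(data: bytes):
    """Text the terminal wrapped in ESC[200~ ... ESC[201~, or None if absent."""
    start = data.find(PASTE_START)
    if start == -1:
        return None
    end = data.find(PASTE_END, start + len(PASTE_START))
    if end == -1:
        return None
    return data[start + len(PASTE_START):end]


def audit(data: bytes) -> dict:
    """Summarise what the peer really received versus what the user meant to send."""
    escapes = terminal_escapes(data)
    controls = C0_RE.findall(CSI_RE.sub(b"", data))
    return {
        "hex": data.hex(" "),
        "escapes": escapes,
        "control_bytes": controls,
        "pasted": bracketed_paste_content(data),
        "clean": not escapes and not controls,
    }


if __name__ == "__main__":
    for key, value in audit(payload_from_strace(SAMPLE_STRACE_LINE)).items():
        print(f"{key}: {value}")
```

Run it against your own `strace -s 10000` dump line by line: a `clean: False` with `ESC[200~` in `escapes` means the prompt read a paste verbatim, and `pasted` is the string you actually meant to type. The same check works on any secret you are about to feed a prompt, since `audit()` takes plain bytes.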
Users can't log in through SSH with passwords anymore after deploying Age-encrypted secrets and rebooting the system. This happens both if you use Agenix or our own Agez module. Notice passwords now are `yescrypt`-hashed, which is what PAM expects, e.g. run `rg '^password ' /etc/pam.d/*`. (At least in NixOS 23.11; also see this about it.)

Here are the steps to reproduce (the numbered steps are only partially preserved here):

- ... `odbox.vault.snakeoil.enable = true`).
- ... `odbox.vault.agez.enable = true`) with a fresh set of secrets.
- ... `tty` logins.
- ... `tty` with both the admin and root users. This should still work.

Even if you retry (9) after 30 mins, the accounts are still locked out. Notice sometimes you get slight variations on the theme where e.g. (9) works but (10) won't.

Also, this is what I got when I was using SHA512 hashes instead of `yescrypt`:

- ... `odbox.vault.snakeoil.enable = true`).
- ... `odbox.vault.agez.enable = true`) with a fresh set of secrets.
- ... `ssh -i nodes/devm-aarch64/generated/ssh/id_ed25519 admin@localhost`
- ... `tty` with both the admin and root users. This should not work anymore.

Notice passwords are actually set correctly in shadow, e.g.
What a fantabulous mess!