cloudposse / bastion

🔒Secure Bastion implemented as Docker Container running Alpine Linux with Google Authenticator & DUO MFA support
https://cloudposse.com/accelerate
Apache License 2.0

PAM: Module is unknown for root from <IP> #38

Closed ddnomad closed 5 years ago

ddnomad commented 5 years ago

So I was testing the project on an AWS EC2 instance in a Docker container. After a fairly quick setup I received the following error when trying to log in (server logs):

PAM: Module is unknown for root from <IP>
Connection closed by authenticating user root <IP> port 3445 [preauth]

The following is the original SSH command executed from my local host:

ssh -p 1234 root@<ip>

Key authentication passed successfully and I was prompted for SSH key password.

This is the Makefile I used to set up the whole thing on the EC2 instance:

SHELL := bash
MAKEFLAGS += --warn-undefined-variables
.SHELLFLAGS := -euo pipefail -c

DOCKER_OPTS := \
        -it \
        -e MFA_PROVIDER=duo \
        -e DUO_IKEY=<redacted> \
        -e DUO_SKEY=<redacted> \
        -e DUO_HOST=<redacted> \
        -e SLACK_ENABLED=true \
        -e SLACK_WEBHOOK_URL=<redacted> \
        -v `pwd`/authorized_keys:/root/.ssh/authorized_keys \
        -p 1234:22

.PHONY: all
all:

.PHONY: dbuild
dbuild:
        docker build . -t cloudposse/bastion:latest

.PHONY: drun
drun: dbuild
        docker run $(DOCKER_OPTS) \
                cloudposse/bastion:latest

I think the root cause is some DUO-related issues, probably related to https://github.com/cloudposse/bastion/issues/34.

Any clue where I went wrong with the setup?

osterman commented 5 years ago

@ddnomad thanks for reporting! Could you try an earlier release and see if it works? If so, then it's probably a regression recently introduced and I'll have someone on my team take a closer look. Try release 0.2.0 or 0.1.4.

ddnomad commented 5 years ago

@osterman thanks for reaching out. Not sure I'll be able to test it anytime soon, got focus moved to other stuff meanwhile.

Will get back to you tho as soon as it's tested.

paulcalabro commented 5 years ago

I encountered this error as well. I tried every version going down to 0.2.0. I can confirm that none of them worked until I got to 0.2.0.

paulcalabro commented 5 years ago

I was able to resolve this by updating /etc/pam.d/duo to this:

#%PAM-1.0
auth requisite /lib64/security/pam_duo.so conf=/etc/pam_duo.conf

which makes sense given the documentation:

Depending on your OS or architecture, the pam_duo.so module might be in /lib64/security instead of the default location /lib/security. If so, specify the full path to pam_duo.so in the PAM config file, such as /lib64/security/pam_duo.so.

[https://duo.com/docs/duounix]
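
One way to catch this misconfiguration before a login fails, as an added example (not code from the bastion repository or from Duo): a shell function that reads a PAM service file and reports every module that does not exist where PAM would look for it, suggesting the full path when the module sits in another directory. The function name and both directory variables are assumptions; it treats a relative module name as resolved against a single default directory, so set the variables to match the image.

```shell
# Added example. PAM_DEFAULT_DIR and PAM_OTHER_DIRS are assumed values, not read from PAM.
PAM_DEFAULT_DIR="${PAM_DEFAULT_DIR:-/lib/security}"
PAM_OTHER_DIRS="${PAM_OTHER_DIRS:-/lib64/security /usr/lib/security /usr/lib64/security}"

# check_pam_modules FILE
# Prints one line per module that cannot be found; returns 1 if any line was printed.
# The body runs in a subshell so its variables stay local.
check_pam_modules() (
    status=0
    while read -r type control rest || [ -n "$type" ]; do
        type=${type#-}                      # "-auth ..." only mutes the missing-module log
        case "$type" in
            auth|account|password|session) ;;
            *) continue ;;                  # blank line, comment, #%PAM-1.0, @include
        esac
        case "$control" in
            include|substack) continue ;;   # next field is a service name, not a module
            \[*\]) ;;                       # one-word bracketed control
            \[*) rest=${rest#*]}            # multi-word [a=b c=d]: drop through "]"
                 rest=${rest#"${rest%%[![:space:]]*}"} ;;
        esac
        module=${rest%%[[:space:]]*}        # first word left is the module path
        [ -n "$module" ] || continue
        case "$module" in
            /*) path=$module ;;                     # absolute path is used as written
            *)  path=$PAM_DEFAULT_DIR/$module ;;    # relative name: default directory
        esac
        [ -e "$path" ] && continue
        status=1
        hint="not found in any known directory"
        for dir in $PAM_DEFAULT_DIR $PAM_OTHER_DIRS; do
            if [ -e "$dir/${module##*/}" ]; then
                hint="use full path $dir/${module##*/}"
                break
            fi
        done
        echo "$1: $module: $hint"
    done <"$1"
    exit "$status"
)
```

Running `check_pam_modules /etc/pam.d/duo` inside the container as part of the image build makes a wrong module path fail the build instead of surfacing as "Module is unknown" at login.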

osterman commented 5 years ago

@paulcalabro thanks for the update!

If you can submit a PR for this, we'll promptly review.