bastion
chsh: PAM: Authentication failure
Hi,
I can't get the latest version to run. 0.4.4 works fine.
docker run -it -p 1234:22 \
-e MFA_PROVIDER=google-authenticator \
-v ~/.ssh/authorized_keys:/root/.ssh/authorized_keys \
cloudposse/bastion:latest
Initializing duo
Initializing enforcer
- Enabling Enforcer
- Enabling Clean Home
Initializing google-authenticator
- Enabling Google Authenticator MFA
Initializing hostname
Initializing rate-limit
- Enabling Rate Limits
- Users will be locked for 300s after 5 failed logins
- Fail delay of 3000000 micro-seconds
Initializing secure-proc
- Locking down /proc
Initializing slack
Initializing ssh-audit
- Enabling SSH Audit Logs
Password:
It asks for a password and then outputs:
chsh: PAM: Authentication failure
FATAL: Failed to initialize
System: macOS 10.14.5 with Docker version 18.09.2, build 6247962
Have the same problem with 0.5.0, switching back to 0.4.4 does work fine though.
If you can run without SSH_AUDIT_ENABLED you can work around it via:
- add SSH_AUDIT_ENABLED=false to your bastion.env file
- docker-compose down -v (stop the stack and remove old volumes)
- docker-compose up (should work now if configured correctly)
Looked into the root issue, but no joy yet.
The reason you're getting a password prompt is because of a missing or misconfigured PAM module. To use chsh without a password prompt, two things must be true.
The pam_shells.so module must be active (usually in /etc/pam.d/chsh):
auth required pam_shells.so
And the current shell you're using, plus the shell you want to change to, must be listed in /etc/shells.
I'll open a PR with the fix.
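A way to check the two conditions named in the comment above against copies of the container's files, as an added example that is not part of the original thread or the project's code. The function names are hypothetical, and the check only reads the one PAM file it is given (it does not follow include lines).

```shell
#!/bin/sh
# Added example: verify the chsh preconditions described in the comment above.
# All function names are hypothetical; file paths are passed as arguments so
# the check can run against files copied out of the image.

# Return 0 if the PAM service file has an active (uncommented) auth line
# that loads pam_shells.so.
pam_shells_active() {
    grep -Eq '^[[:space:]]*auth[[:space:]]+[^#]*pam_shells\.so' "$1"
}

# Return 0 if the shell path appears as a complete line in the shells file.
shell_listed() {
    grep -Fxq -- "$1" "$2"
}

# usage: chsh_precheck PAM_FILE SHELLS_FILE CURRENT_SHELL TARGET_SHELL
# Prints one line per failed condition and returns non-zero if any failed.
chsh_precheck() {
    rc=0
    if ! pam_shells_active "$1"; then
        echo "FAIL: no active 'auth ... pam_shells.so' line in $1"
        rc=1
    fi
    for s in "$3" "$4"; do
        if ! shell_listed "$s" "$2"; then
            echo "FAIL: $s is not listed in $2"
            rc=1
        fi
    done
    if [ "$rc" -eq 0 ]; then
        echo "OK: chsh preconditions met"
    fi
    return "$rc"
}

# Example call inside the container (current shell value is an assumption):
#   chsh_precheck /etc/pam.d/chsh /etc/shells /bin/bash /usr/bin/sudosh
```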
@joshes is there a security concern with disabling that flag?
The simple fix would be to run usermod -s /usr/bin/sudosh root instead in the /etc/init.d/ssh-audit script.
Fixed in master now