erwindon / SaltGUI

A web interface for managing SaltStack based infrastructure.
MIT License

saltgui PAM authentication error #587

Closed ManiAm closed 5 months ago

ManiAm commented 6 months ago

I am using salt 3007.1.

I am following the instructions in the repos.

Cloned the repository:

git clone https://github.com/maerteijn/SaltGUI.git /srv/saltgui

Updated Salt master configs:

external_auth:
    pam:
        saltguiuser:
            - .*
            - '@runner'
            - '@wheel'
            - '@jobs'

# for SaltStack 3006 and higher
netapi_enable_clients:
    - local
    - local_async
    - runner
    - wheel

rest_cherrypy:
    port: 3333
    host: 0.0.0.0
    disable_ssl: true
    app: /srv/saltgui/saltgui/index.html
    static: /srv/saltgui/saltgui/static
    static_path: /static

Added the new user and set its password:

adduser saltguiuser
passwd saltguiuser

Restarted both services:

systemctl restart salt-master
systemctl restart salt-api

When I go to http://localhost:3333 I see the login page, but I am getting an authentication error when I log in with saltguiuser. What am I missing here?

I also tried to SSH into the salt master host using the new user saltguiuser, and it is working.

Update:

I made it work on Ubuntu 22.04.4 by running

usermod -a -G shadow salt

But I am still facing the issue on the salt master machine that is running CentOS 7. There is no shadow group on that machine.

erwindon commented 6 months ago

usermod -a -G shadow salt

That instruction is also in the SaltGUI manual, so no action for me.

erwindon commented 6 months ago

But I am still facing the issue on salt master machine that is running on Centos 7. There exists no shadow group on that machine.

investigating now...

Actually, /etc/shadow does exist on CentOS 7. However, it is not owned by the unix group shadow (but by group root), therefore the following command will give it the needed read access: sudo setfacl -m u:salt:r /etc/shadow

erwindon commented 6 months ago

adduser saltguiuser

From a security point of view, personal accounts are better.

ManiAm commented 6 months ago

Hmm. Applied the command you mentioned:

sudo setfacl -m u:salt:r /etc/shadow

Same issue.

salt -a pam --username=saltguiuser '*' test.ping

salt master service logs:

systemctl status salt-master

  May 25 17:46:37 xxx python3.6[433848]: pam_vas*: pam_vas_do_conversation: done with conversation function
  May 25 17:46:37 xxx python3.6[433848]: pam_vas*: pam_vas_do_conversation: PAM_VAS_CRED_AUTHTOKEN_REQUEST...HTOK.
  May 25 17:46:37 xxx python3.6[433848]: pam_vas*: pam_vas_get_authtok: PAM_AUTHTOK contained an non-empty...ntial
  May 25 17:46:37 xxx python3.6[433848]: pam_vas*: pam_vas_do_conversation: Got a non-empty response from ...ction
  May 25 17:46:37 xxx python3.6[433848]: pam_vas*: pam_vas_echo_return: Found a previous return value, exi..."25".
  May 25 17:46:37 xxx unix_chkpwd[433852]: check pass; user unknown
  May 25 17:46:37 xxx python3.6[433848]: pam_unix(login:auth): authentication failure; logname= uid=437678...iuser
  May 25 17:46:39 xxx1 salt-master[407518]: [ERROR   ] Pam auth failed for saltguiuser:
  May 25 17:46:39 xxx salt-master[407518]: [WARNING ] Authentication failure of type "eauth" occurred.
  May 25 17:46:39 xxx salt-master[407518]: [WARNING ] Authentication failure of type "eauth" occurred.

erwindon commented 6 months ago

salt -a pam --username=saltguiuser '*' test.ping

I cannot remember that this is how the salt-command can be used. The user saltguiuser has access to the salt-api, but not to the regular salt-eventbus which the salt command uses.

Can you run these read-only commands:

ManiAm commented 6 months ago

sudo -u salt id

uid=978(salt) gid=968(salt) groups=968(salt)

sudo getfacl /etc/shadow

getfacl: Removing leading '/' from absolute path names
# file: etc/shadow
# owner: root
# group: root
user::---
user:salt:r--
group::r--
mask::r--
other::---

sudo -u salt grep salt /etc/shadow

salt:!!:19674::::::
saltguiuser:$6$g/yFfKJM$FZo5dDQn3PMYNlxZmJIuMGfiV1yTeI.b9UVjYRtJw3.TTqw1YaMS/g70jYVNn8fNEd/ZKkt23Yzy7lMXzX8xP/:19869:0:99999:7:::

erwindon commented 6 months ago

sudo -u salt grep salt /etc/shadow

The grep was intended so that no secrets would leak (compared to cat) by selecting only the salt user. I forgot that you used saltguiuser. Sorry!

This command indicates that the salt user (as used by salt-master and salt-api) is properly set up. It can read the /etc/shadow file, as required for all programs that implement classic logins (in this case via the pam plugin pam_unix).

I'm assuming that you did not change the PAM configuration on this machine.

There are now just two things that I can suggest: 1) Reboot and try again, just in case there is a component that still uses old settings; or (when that still does not work) 2) Are you actually using the correct password for user saltguiuser? Please change it using sudo passwd saltguiuser and try again.

After that, I cannot help you further with suggestions, as I cannot replicate the error.
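One way to evaluate the getfacl output from this thread programmatically, as an added example that is not part of SaltGUI or of either participant's comments: it parses getfacl output (the samples below are constructed to mirror the CentOS ACL shown above and an Ubuntu-style shadow group) and applies the POSIX ACL evaluation order, including the mask entry, which a bare `user:salt:r--` line does not show on its own.

```python
# Added example, not from the SaltGUI project. Checks effective read access
# for a user from `getfacl` text, following the POSIX ACL evaluation order:
# owner, named user (masked), owning/named groups (masked), other.
# Note: root bypasses this via CAP_DAC_OVERRIDE; the salt user does not.

# Constructed sample: the CentOS 7 ACL after `setfacl -m u:salt:r /etc/shadow`
CENTOS_SHADOW = """\
getfacl: Removing leading '/' from absolute path names
# file: etc/shadow
# owner: root
# group: root
user::---
user:salt:r--
group::r--
mask::r--
other::---
"""

# Constructed sample: Ubuntu-style /etc/shadow, readable via group shadow
UBUNTU_SHADOW = """\
# file: etc/shadow
# owner: root
# group: shadow
user::rw-
group::r--
other::---
"""

def parse_getfacl(text):
    """Return (owner, group, entries); entries maps (tag, qualifier) -> perms."""
    owner = group = None
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("# owner:"):
            owner = line.split(":", 1)[1].strip()
        elif line.startswith("# group:"):
            group = line.split(":", 1)[1].strip()
        elif line and not line.startswith("#"):
            parts = line.split(":")
            if len(parts) == 3:  # skip getfacl notices such as the leading-'/' warning
                entries[(parts[0], parts[1])] = parts[2]
    return owner, group, entries

def can_read(text, user, user_groups=()):
    """True if `user` (member of `user_groups`) gets read access under this ACL."""
    owner, group, entries = parse_getfacl(text)
    mask = entries.get(("mask", ""), "rwx")  # no mask entry: nothing is masked
    masked = lambda perms: "r" in perms and "r" in mask
    if user == owner:  # owner entry is never masked
        return "r" in entries.get(("user", ""), "---")
    if ("user", user) in entries:  # named user entry, limited by the mask
        return masked(entries[("user", user)])
    groups = set(user_groups)
    matched = False
    for (tag, qual), perms in entries.items():
        if tag == "group" and (qual in groups or (qual == "" and group in groups)):
            matched = True  # any matching group that grants read wins
            if masked(perms):
                return True
    return False if matched else "r" in entries.get(("other", ""), "---")
```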

ManiAm commented 5 months ago

OK, will check those. Thanks!