jhrozek / pam_hbac

A simple pam account module to process HBAC rules stored on an IPA server
GNU General Public License v3.0

can not open module /usr/lib/security/pam_hbac.so #120

Open amrik06 opened 4 weeks ago

amrik06 commented 4 weeks ago

Hello Jhrozek,

I am trying to implement the HBAC rules from IDM on an AIX 7.2 test server.

I have compiled the latest pam_hbac 1.2.1 from Git, which was successful. But I am still able to log in with a user which is restricted by the HBAC rules.

Sharing a list of config files for your analysis or hints.

```
root@mytestAIX /usr/lib/security
ldd /usr/lib/security/pam_hbac.so
/usr/lib/security/pam_hbac.so needs:
         /opt/freeware/lib/gcc/powerpc-ibm-aix7.2.0.0/8/libgcc_s.a(shr.o)
         /opt/freeware/lib/gcc/powerpc-ibm-aix7.2.0.0/8/../../../libglib-2.0.a(libglib-2.0.so.0)
         /usr/lib/libintl.a(libintl.so.8)
         /usr/lib/libldap.a(libldap-2.5.so.0)
ar: 0707-108 File /usr/lib/libldap.a is not an archive file.
dump: /tmp/tmpdir9306596/extract/libldap-2.5.so.0: 0654-106 Cannot open the specified file.
         /usr/lib/libc.a(shr.o)
         /usr/lib/libpthread.a(shr_xpg5.o)
         /usr/lib/libpam.a(shr.o)
         /opt/freeware/lib/libiconv.a(libiconv.so.2)
         /usr/lib/libpthreads.a(shr_xpg5.o)
         /unix
         /usr/lib/libcrypt.a(shr.o)
         /usr/lib/libpthreads.a(shr_comm.o)
         /usr/lib/libmls.a(shr.o)
         /usr/lib/libmlsenc.a(shr.o)
         /usr/lib/libodm.a(shr.o)
root@mytestAIX /usr/lib/security
```

/etc/pam.conf

```
#
# Account Management
#
authexec  account  required    pam_aix
dtlogin   account  required    pam_aix
ftp       account  required    pam_aix
login     account  required    pam_aix
rexec     account  required    pam_aix
rlogin    account  required    pam_aix
rsh       account  required    pam_aix
su        account  sufficient  pam_allowroot
su        account  required    pam_aix
swrole    account  required    pam_aix
telnet    account  required    pam_aix
xdm       account  required    pam_aix
sshd      account  required    pam_aix
sshd      account  required    /usr/lib/security/pam_hbac.so ignore_unknown_user ignore_authinfo_unavail
sudo      account  required    pam_aix
OTHER     account  required    pam_prohibit
```

/etc/security/login.cfg

```
usw:
        shells = /bin/sh,/bin/bsh,/bin/csh,/bin/ksh,/bin/tsh,/bin/ksh93,/usr/bin/sh,/usr/bin/bsh,/usr/bin/csh,/usr/bin/ksh,/usr/bin/tsh,/usr/bin/ksh93,/usr/bin/rksh,/usr/bin/rksh93,/usr/sbin/uucp/uucico,/usr/sbin/snappd,/usr/sbin/sliplogin
        maxlogins = 32767
        logintimeout = 30
        maxroles = 8
        auth_type = PAM_AUTH
        mkhomeatlogin = true
        authcontroldomain = LDAP
        pwd_algorithm = ssha256
```

Message reported in syslog if I try to log in with a restricted user (confidential details such as IP and hostname have been changed here):

```
Aug 16 16:50:39 mytestAIX auth|security:err|error sshd: PAM: load_modules: can not open module /usr/lib/security/pam_hbac.so
Aug 16 16:50:39 mytestAIX auth|security:err|error sshd: PAM: load_modules: pam_sm_acct_mgmt() missing
Aug 16 16:50:39 mytestAIX auth|security:info sshd[13238654]: Accepted keyboard-interactive/pam for testuser from 1.1.1.1 port 53600 ssh2
```

amrik06 commented 3 weeks ago

Hello,

I just renamed /usr/lib/libldap.a to /usr/lib/libldap.a.bkp. I tried running ldd on pam_hbac.so, which reports the following output:

```
ldd /usr/lib/security/pam_hbac.so
/usr/lib/security/pam_hbac.so needs:
         /opt/freeware/lib/gcc/powerpc-ibm-aix7.2.0.0/8/libgcc_s.a(shr.o)
         /opt/freeware/lib/gcc/powerpc-ibm-aix7.2.0.0/8/../../../libglib-2.0.a(libglib-2.0.so.0)
         /usr/lib/libintl.a(libintl.so.8)
         /opt/freeware/lib/gcc/powerpc-ibm-aix7.2.0.0/8/../../../libldap.a(libldap-2.5.so.0)
         /usr/lib/libc.a(shr.o)
         /usr/lib/libpthread.a(shr_xpg5.o)
         /usr/lib/libpam.a(shr.o)
         /opt/freeware/lib/libiconv.a(libiconv.so.2)
         /usr/lib/libpthreads.a(shr_xpg5.o)
         /opt/freeware/lib/gcc/powerpc-ibm-aix7.2.0.0/8/../../../liblber.a(liblber-2.5.so.0)
         /opt/freeware/lib/gcc/powerpc-ibm-aix7.2.0.0/8/../../../libsasl2.a(libsasl2.so.3)
         /usr/lib/libs.a(shr.o)
         /usr/lib/libssl.a(libssl.so.1.1)
         /usr/lib/libcrypto.a(libcrypto.so.1.1)
         /unix
         /usr/lib/libcrypt.a(shr.o)
         /usr/lib/libpthreads.a(shr_comm.o)
         /usr/lib/libmls.a(shr.o)
         /usr/lib/libdl.a(shr.o)
         /usr/lib/librtl.a(shr.o)
         /usr/lib/libmlsenc.a(shr.o)
         /usr/lib/libodm.a(shr.o)
```

I don't know whether pam_hbac is referring to the correct libraries or not. But when I tried to log in with an IDM user blocked in the HBAC rules, AIX allows me to log in, but I can see the following message in syslog.

```
tail -f /var/log/debug.log
Aug 20 09:38:10 mytestAIX auth|security:err|error sshd: PAM: load_modules: can not open module /usr/lib/security/pam_hbac.so
Aug 20 09:38:10 mytestAIX auth|security:err|error sshd: PAM: load_modules: pam_sm_acct_mgmt() missing
Aug 20 09:38:10 mytestAIX auth|security:info sshd[6095316]: Accepted keyboard-interactive/pam for testuser from 1.1.1.1 port 59896 ssh2
```

Permissions and ownership of the pam_hbac.so module:

```
root@mytestAIX /usr/lib/security
ls -lrt pam_hbac*
-rwxr-xr-x    1 root     security        177 Aug 15 09:33 pam_hbac.conf
-r--r--r--    1 root     security     612360 Aug 19 18:06 pam_hbac.so
-rwxr-xr-x    1 root     security     617767 Aug 19 18:06 pam_hbac.a
-rwxr-xr-x    1 root     security        965 Aug 19 18:06 pam_hbac.la
```
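As an added example (not code from this page or from the pam_hbac project), a small Python audit of the pam.conf account stack posted in the first comment. It resolves bare module names against /usr/lib/security the way AIX does, lists modules that cannot be loaded, and applies the standard PAM control-flag semantics (required, requisite, sufficient, optional) with a module that cannot be loaded treated as a failure. Under that fail-closed reading the sshd stack evaluates to deny when pam_hbac.so cannot be opened, whereas the syslog in the thread shows sshd accepting the login after the load error. The set of present modules and the per-module outcomes are constructed for the example; the module directory and the fail-closed treatment of a missing module are assumptions, not documented AIX behaviour.

```python
"""Audit an AIX-style /etc/pam.conf account stack (added example, not pam_hbac code).
Resolves module names, lists modules that cannot be loaded, and applies standard PAM
control-flag semantics to show the fail-closed decision a stack should produce."""
from __future__ import annotations
import os
from dataclasses import dataclass
from typing import Callable

MODULE_DIR = "/usr/lib/security"  # assumed: where AIX looks up bare module names such as pam_aix

@dataclass(frozen=True)
class PamEntry:
    service: str
    module_type: str
    control: str
    module_path: str
    options: tuple[str, ...]

def parse_pam_conf(text: str) -> list[PamEntry]:
    """Parse 'service type control module [option ...]' lines; '#' starts a comment."""
    entries: list[PamEntry] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4:
            raise ValueError(f"malformed pam.conf line: {raw!r}")
        service, mtype, control, path, *opts = fields
        entries.append(PamEntry(service, mtype.lower(), control.lower(), path, tuple(opts)))
    return entries

def resolve_module(name: str) -> str:
    """Absolute paths are used as-is; bare names are looked up in MODULE_DIR."""
    return name if name.startswith("/") else os.path.join(MODULE_DIR, name)

def stack_for(entries: list[PamEntry], service: str, module_type: str) -> list[PamEntry]:
    """The service's own stack; OTHER applies only when the service has no entries."""
    own = [e for e in entries if e.service == service and e.module_type == module_type]
    return own or [e for e in entries if e.service == "OTHER" and e.module_type == module_type]

def evaluate_stack(stack: list[PamEntry], result_of: Callable[[PamEntry], str]) -> str:
    """Standard PAM semantics over per-module results ('success' / 'failure'):
    required   -> a failure means 'deny', but later modules still run
    requisite  -> a failure returns 'deny' immediately
    sufficient -> a success returns 'allow' immediately unless a required module already failed
    optional   -> ignored here (it only matters as the sole module in a stack)"""
    if not stack:
        return "deny"  # nothing can grant access
    required_failed = False
    for entry in stack:
        ok = result_of(entry) == "success"
        if entry.control == "requisite" and not ok:
            return "deny"
        if entry.control == "required" and not ok:
            required_failed = True
        if entry.control == "sufficient" and ok and not required_failed:
            return "allow"
    return "deny" if required_failed else "allow"

def fail_closed(loadable: Callable[[str], bool], outcomes: dict[str, str]) -> Callable[[PamEntry], str]:
    """Assumption for the audit: a module that cannot be loaded counts as a failure."""
    def result_of(entry: PamEntry) -> str:
        path = resolve_module(entry.module_path)
        return outcomes.get(path, "failure") if loadable(path) else "failure"
    return result_of

# Excerpt of the account section posted in the thread.
PAM_CONF = """\
# Account Management
ftp   account required   pam_aix
su    account sufficient pam_allowroot
su    account required   pam_aix
sshd  account required   pam_aix
sshd  account required   /usr/lib/security/pam_hbac.so ignore_unknown_user ignore_authinfo_unavail
OTHER account required   pam_prohibit
"""
# Constructed: modules pretended to be present on disk. pam_hbac.so is deliberately absent,
# mirroring the 'can not open module' error in the thread's syslog.
PRESENT = {resolve_module(m) for m in ("pam_aix", "pam_allowroot", "pam_prohibit")}
# Constructed: what each present module would answer for the user under test.
OUTCOMES = {resolve_module("pam_aix"): "success", resolve_module("pam_allowroot"): "success"}

def audit(service: str, module_type: str = "account", present: set[str] = PRESENT) -> dict:
    """Modules, unloadable modules and fail-closed decision for one service's stack."""
    stack = stack_for(parse_pam_conf(PAM_CONF), service, module_type)
    paths = [resolve_module(e.module_path) for e in stack]
    return {
        "modules": [(e.control, p, e.options) for e, p in zip(stack, paths)],
        "unloadable": [p for p in paths if p not in present],
        "decision": evaluate_stack(stack, fail_closed(present.__contains__, OUTCOMES)),
    }

if __name__ == "__main__":
    for svc in ("sshd", "su", "unknown-service"):
        print(svc, audit(svc))
```

On a real host, replace the constructed PRESENT set with a check such as os.access(path, os.R_OK) on each resolved path, and run the audit against the live /etc/pam.conf before and after installing a module: an entry whose file is reported as unloadable is exactly the case the thread's "can not open module" log line describes, and it should be treated as a broken access-control stack rather than a cosmetic error.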