* [gentoo-user] pam_get_uid: no such user
From: Daniel Frey @ 2013-02-13 19:29 UTC
To: gentoo-user
I updated my "server" a while back, and just recently I noticed this in
/var/log/messages:
Feb 13 11:26:14 coretwoduo login[25575]: pam_tally2(login:auth):
pam_get_uid; no such user
I have thousands of entries in my logs. It doesn't seem to prevent me
from logging in though.
I have figured out that it's looking for a user 'auth'? I don't see that
on my system.
Is this a misconfiguration of pam? Or update gone wonky? I've never seen
this before.
Dan
* [gentoo-user] Re: pam_get_uid: no such user
From: walt @ 2013-02-13 22:51 UTC
To: gentoo-user
On 02/13/2013 11:29 AM, Daniel Frey wrote:
> I updated my "server" a while back, and just recently I noticed this in
> /var/log/messages:
>
> Feb 13 11:26:14 coretwoduo login[25575]: pam_tally2(login:auth):
> pam_get_uid; no such user
>
> I have thousands of entries in my logs. It doesn't seem to prevent me
> from logging in though.
>
> I have figured out that it's looking for a user 'auth'? I don't see that
> on my system.
>
> Is this a misconfiguration of pam? Or update gone wonky? I've never seen
> this before.
For sure there is no user named auth on my machines, so something must be
wrong somewhere. Just for fun I ran "emerge -p /etc/pam.d/" and got this:
#emerge -p /etc/pam.d/
These are the packages that would be merged, in order:
Calculating dependencies... done!
[ebuild R ] sys-auth/pambase-20120417-r1
[ebuild R ] sys-apps/shadow-4.1.5.1-r1
[ebuild R ] net-mail/mailbase-1.1
[ebuild R ] app-admin/sudo-1.8.6_p6
[ebuild R ] sys-auth/polkit-0.110
[ebuild R ] sys-apps/openrc-0.11.8
[ebuild R ] net-print/cups-1.6.1
[ebuild R ] net-misc/openssh-6.1_p1-r1
[ebuild R ] net-fs/samba-3.6.12
I mention this mostly because I learned very recently that emerge will
accept a directory name and rebuild all of the packages that install
files there. Maybe it won't help you but I'm looking for any excuse
to use that new trick :) (Some wise gentooer posted that revelation
here in the last month or so and I can't recall who it was, sorry.)
* Re: [gentoo-user] Re: pam_get_uid: no such user
From: Daniel Frey @ 2013-02-14 3:25 UTC
To: gentoo-user
On 02/13/2013 02:51 PM, walt wrote:
>
> For sure there is no user named auth on my machines, so something must be
> wrong somewhere. Just for fun I ran "emerge -p /etc/pam.d/" and got this:
>
> #emerge -p /etc/pam.d/
>
> These are the packages that would be merged, in order:
>
> Calculating dependencies... done!
> [ebuild R ] sys-auth/pambase-20120417-r1
> [ebuild R ] sys-apps/shadow-4.1.5.1-r1
> [ebuild R ] net-mail/mailbase-1.1
> [ebuild R ] app-admin/sudo-1.8.6_p6
> [ebuild R ] sys-auth/polkit-0.110
> [ebuild R ] sys-apps/openrc-0.11.8
> [ebuild R ] net-print/cups-1.6.1
> [ebuild R ] net-misc/openssh-6.1_p1-r1
> [ebuild R ] net-fs/samba-3.6.12
>
> I mention this mostly because I learned very recently that emerge will
> accept a directory name and rebuild all of the packages that install
> files there. Maybe it won't help you but I'm looking for any excuse
> to use that new trick :) (Some wise gentooer posted that revelation
> here in the last month or so and I can't recall who it was, sorry.)
>
Well, I did some poking around and googling, and it does appear like a
configuration issue. I'm in the middle of syncing right now, hopefully
an update will fix it.
Others reported issues of not being able to log in at all.
One other thing I noticed is my crons stopped running around the same
time, I'll bet it's related.
Dan
* Re: [gentoo-user] Re: pam_get_uid: no such user
From: Daniel Frey @ 2013-02-14 4:13 UTC
To: gentoo-user
On 02/13/2013 02:51 PM, walt wrote:
>
> For sure there is no user named auth on my machines, so something must be
> wrong somewhere. Just for fun I ran "emerge -p /etc/pam.d/" and got this:
>
> #emerge -p /etc/pam.d/
>
> These are the packages that would be merged, in order:
>
> Calculating dependencies... done!
> [ebuild R ] sys-auth/pambase-20120417-r1
> [ebuild R ] sys-apps/shadow-4.1.5.1-r1
> [ebuild R ] net-mail/mailbase-1.1
> [ebuild R ] app-admin/sudo-1.8.6_p6
> [ebuild R ] sys-auth/polkit-0.110
> [ebuild R ] sys-apps/openrc-0.11.8
> [ebuild R ] net-print/cups-1.6.1
> [ebuild R ] net-misc/openssh-6.1_p1-r1
> [ebuild R ] net-fs/samba-3.6.12
>
> I mention this mostly because I learned very recently that emerge will
> accept a directory name and rebuild all of the packages that install
> files there. Maybe it won't help you but I'm looking for any excuse
> to use that new trick :) (Some wise gentooer posted that revelation
> here in the last month or so and I can't recall who it was, sorry.)
>
I've poked into this a bit more, and every 60 seconds 5 attempts at
logon are being made. I am thinking that the install is corrupted now -
I had a SSD fail in this machine, and I was able to recover the data off
of it. I'm now thinking that maybe wasn't such a good idea...
I've tried disabling cron and it still does it, and my crons are not
running still, so I'm thinking something is borked on the box.
This weekend I'll reformat & reinstall.
Dan
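Added example, not part of the thread: a short Python parser for syslog lines shaped like the one quoted in the first post. PAM's log prefix has the form module(service:type), so the code splits out those fields and counts "no such user" messages per minute, which confirms a fixed-rate burst and shows which PAM service and program produced it. The sample lines are constructed (hostname and first pid are from the post; the timestamps, other pids and the sshd line are assumptions).

```python
import re
from collections import Counter

# PAM log prefix is module(service:type); syslog puts program[pid] before it.
LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^\[\s:]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<module>pam_\w+)\((?P<service>[^:)]+):(?P<type>\w+)\): (?P<msg>.*)$"
)

# Constructed sample: two bursts of five local login failures one minute
# apart, plus one unrelated sshd line (rhost is a documentation address).
SAMPLE = "\n".join(
    [f"Feb 13 11:{minute}:14 coretwoduo login[{25575 + i}]: "
     "pam_tally2(login:auth): pam_get_uid; no such user"
     for minute in (26, 27) for i in range(5)]
    + ["Feb 13 11:27:40 coretwoduo sshd[4242]: "
       "pam_unix(sshd:auth): authentication failure; rhost=192.0.2.7"]
)


def parse(line):
    """Return the syslog and PAM fields of one line as a dict, or None."""
    m = LINE.match(line)
    return m.groupdict() if m else None


def bursts(text, needle="no such user"):
    """Count matching PAM messages per (minute, program, service, type)."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse(line)
        if rec and needle in rec["msg"]:
            minute = rec["ts"][:-3]  # drop ":SS" to bucket by minute
            counts[(minute, rec["prog"], rec["service"], rec["type"])] += 1
    return counts


if __name__ == "__main__":
    for (minute, prog, service, kind), n in sorted(bursts(SAMPLE).items()):
        print(f"{minute}  {n} x  program={prog}  pam_service={service}  type={kind}")
```

A service field of `login` rather than `sshd` means the failing PAM stack was started by the login program, so the next step is finding what spawns it on the host.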
* Re: [gentoo-user] pam_get_uid: no such user
From: Stroller @ 2013-02-14 4:56 UTC
To: gentoo-user
On 14 February 2013, at 04:13, Daniel Frey wrote:
> ...
> I've poked into this a bit more, and every 60 seconds 5 attempts at
> logon are being made… This weekend I'll reformat & reinstall.
Excuse me if this is a dumb question, but does this machine have any ports open to the internet?
This thread reminds me of how we sometimes hear of logfiles full of many ssh attempts made by script kiddies and botnets.
Stroller.
* Re: [gentoo-user] pam_get_uid: no such user
From: Paul Klos @ 2013-02-14 16:51 UTC
To: gentoo-user
On Thursday 14 February 2013 04:56:53, Stroller wrote:
>
> On 14 February 2013, at 04:13, Daniel Frey wrote:
> > ...
> > I've poked into this a bit more, and every 60 seconds 5 attempts at
> > logon are being made… This weekend I'll reformat & reinstall.
>
> Excuse me if this is a dumb question, but does this machine have any ports open to the internet?
>
> This thread reminds me of how we sometimes hear of logfiles full of many ssh attempts made by script kiddies and botnets.
>
> Stroller.
>
>
Same here, I've seen multitudes of messages like this, with different user names, in log files on servers with open ports 22. As long as you don't allow interactive logins you should be fine, right?
I think there might also be some advanced iptables hacking that might help you block too many requests from the same source IP. This is still on my list of stuff to look at 'some time'.
One thing I have used with apparent success is to access a different port on the outside, and redirect that to 22 on the inside. It's security through obscurity, I know, but it seemed quite effective nonetheless.
Cheers,
Paul
* Re: [gentoo-user] pam_get_uid: no such user
From: Alan McKinnon @ 2013-02-14 17:27 UTC
To: gentoo-user
On 14/02/2013 18:51, Paul Klos wrote:
> On Thursday 14 February 2013 04:56:53, Stroller wrote:
>>
>> On 14 February 2013, at 04:13, Daniel Frey wrote:
>>> ...
>>> I've poked into this a bit more, and every 60 seconds 5 attempts at
>>> logon are being made… This weekend I'll reformat & reinstall.
>>
>> Excuse me if this is a dumb question, but does this machine have any ports open to the internet?
>>
>> This thread reminds me of how we sometimes hear of logfiles full of many ssh attempts made by script kiddies and botnets.
>>
>> Stroller.
>>
>>
> Same here, I've seen multitudes of messages like this, with different user names, in log files on servers with open ports 22. As long as you don't allow interactive logins you should be fine, right?
>
> I think there might also be some advanced iptables hacking that might help you block too many requests from the same source IP. This is still on my list of stuff to look at 'some time'.
>
> One thing I have used with apparent success is to access a different port on the outside, and redirect that to 22 on the inside. It's security through obscurity, I know, but it seemed quite effective nonetheless.
That's fuzzy-feel-good security, the kind where you feel all warm and
fuzzy and think you have protection. You don't, not even a little bit.
All the l33t h@ckzor scripts out there can deal with simple port
redirection.
The solution you want is denyhosts, fail2ban, etc. There's a lot of
software in that general category and it gets the job done properly.
If you want to persist with obfuscated redirection, implement port
knocking. It works, but it gets to be a pain rather quickly.
--
Alan McKinnon
alan.mckinnon@gmail.com
* Re: [gentoo-user] pam_get_uid: no such user
From: Daniel Frey @ 2013-02-14 19:54 UTC
To: gentoo-user
On 02/13/2013 08:56 PM, Stroller wrote:
>
> On 14 February 2013, at 04:13, Daniel Frey wrote:
>> ...
>> I've poked into this a bit more, and every 60 seconds 5 attempts at
>> logon are being made… This weekend I'll reformat & reinstall.
>
> Excuse me if this is a dumb question, but does this machine have any ports open to the internet?
>
> This thread reminds me of how we sometimes hear of logfiles full of many ssh attempts made by script kiddies and botnets.
>
> Stroller.
>
>
This particular machine doesn't have ssh/xinetd or the like routed from
outside the local LAN.
I scoured through the logs and the problem started Jan 29th (this is the
day my SSD died.)
I have set up xinetd to spawn remote desktop sessions to X (again, not
from outside the LAN) and I noticed that these errors started right
after the first kernel boot from the replacement drive (rust-based, but
should make no difference.) The errors started immediately after xinetd
started.
I am thinking that the data I recovered from that SSD was not so reliable.
I think I'm going to oneshot libtool and gcc and do an emerge -e world.
I'll then check my xinetd configs. If that doesn't work I'll have to
reformat & reinstall (which will be a pain in the ass, this machine is
also my mythtv backend!)
I went through netstat and checked & doublechecked my router and there's
no forwarding of ports related to ssh or the like. I do have one port
forwarded for rtorrent but that's it.
At this point I'm 99.99% positive it's related to my SSD "crash".
Dan
* Re: [gentoo-user] pam_get_uid: no such user
From: Adam Carter @ 2013-02-15 0:15 UTC
To: gentoo-user@lists.gentoo.org
> This particular machine doesn't have ssh/xinetd or the like routed from
> outside the local LAN.
>
Unless someone made a mistake with the config somewhere. Run tcpdump to be
sure.
* Re: [gentoo-user] pam_get_uid: no such user
From: Daniel Frey @ 2013-02-15 6:44 UTC
To: gentoo-user
On 02/14/2013 04:15 PM, Adam Carter wrote:
> This particular machine doesn't have ssh/xinetd or the like routed from
>
> outside the local LAN.
>
>
> Unless someone made a mistake with the config somewhere. Run tcpdump to
> be sure.
I just installed tcpdump and checked. During the burst of 5 login
attempts there's no network activity. I tried both interfaces.
It must be something local on the PC that's trying to get access, at
least I know it's not a remote attack.
Dan
* Re: [gentoo-user] pam_get_uid: no such user
From: Daniel Frey @ 2013-02-15 16:46 UTC
To: gentoo-user
On 02/14/2013 04:15 PM, Adam Carter wrote:
> This particular machine doesn't have ssh/xinetd or the like routed from
>
> outside the local LAN.
>
>
> Unless someone made a mistake with the config somewhere. Run tcpdump to
> be sure.
Well, an `emerge -1 libtool glibc gcc && emerge -e world` fixed the
problem completely. Now that I went through that I'll have to get a
proper backup!
Dan