
Re: Failed to login using a serial connection.




I don't actually know what's wrong, but I do have some experience with
embedded systems and auth, so the following e-mail tries to explain
what I would do next.

I know the frustration of working "blind", because the system gives no
logs, and has no screen.



First, I'd like to know where it fails.  It seems to do 'auth' the
same, but 'session setup' is different:

You have no logs for pam_ldap.  Can you add 'debug' to the pam_ldap
line in /etc/pam.d/[ssh|login] ?  It's what I would do next.

Both ssh and serial fail the first authentication (against pam_unix),
which is expected.  Both (presumably) succeed the second authentication
with pam_ldap, but it's not logged.  I'd want confirmation.

Serial looks like it never tries to set up a session.  In other words:
password is OK, but it can never start /bin/sh on /dev/tty.



Then I'd look at other failures:

Can you run 'getent passwd eric', 'getent group eric', and the same for
sleduc?  I expect both to succeed, otherwise ssh wouldn't work.  Do you
get the same uid/gid?

I'd like to see the failures (it /is/ failing) logged.  I don't see
them logged.  I do have some 2.6.x systems left, but none have manpages
for 'getty', so I don't know how to increase logging.  'mgetty' and
'agetty' both should log failures to syslog.  'mingetty' doesn't work
on serial lines.  I assume 'getty' is a link to /bin/busybox.

If you type the password for 'eric' wrong, does 'getty' log the
failure?



Then I'd try to force run extra logs for /bin/login, by changing 'getty
-l /bin/mylogin', and writing a script to run /bin/login through strace
or a debugger to get the failure logged.

Note that this can actually break serial logins, so do it carefully.
It's my last step simply because it can completely break stuff.

If 'getty' is actually 'busybox' this could be very verbose.



On Thu, 2015-11-12 at 16:58 -0500, Eric wrote:
> open /dev/tty failed - could not set controlling tty: Permission
> denied

This is very strange.  Is /dev read-only?  Are you sure getty doesn't
crash when trying to open /dev/tty?

Are you sure you don't want to mount /dev read-write as
tmpfs/udev/devfs?


The question of console vs. serial was asked because ppl who've never
used actual serial ports sometimes confuse them with console.


Berend
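
A sketch of the 'getty -l /bin/mylogin' wrapper suggested above, added here as an example and not part of the original message or of nss-pam-ldapd. It assumes strace is installed and that the hypothetical directory /var/log/login-trace exists, is root-only and is writable; if either is missing it falls back to plain /bin/login so the serial line keeps working.

```shell
#!/bin/sh
# Hypothetical /bin/mylogin, started as "getty -l /bin/mylogin".
# Assumed, not from the original message: strace is installed and
# TRACE_DIR is a root-only directory on a writable filesystem.
LOGIN_BIN="${LOGIN_BIN:-/bin/login}"
STRACE_BIN="${STRACE_BIN:-strace}"
TRACE_DIR="${TRACE_DIR:-/var/log/login-trace}"

# Tracing is possible only if strace exists and the log directory is writable.
trace_usable() {
    command -v "$STRACE_BIN" >/dev/null 2>&1 &&
        [ -d "$TRACE_DIR" ] && [ -w "$TRACE_DIR" ]
}

# One trace file per tty and wrapper PID, e.g. login.ttyS0.1234.
trace_file() {
    t=$(tty 2>/dev/null) || t=unknown
    printf '%s/login.%s.%s\n' "$TRACE_DIR" "${t##*/}" "$$"
}

run_login() {
    if trace_usable; then
        f=$(trace_file)
        # The trace records the typed password in read() calls, so create
        # the file with mode 0600 before strace opens it.
        if ( umask 077 && : > "$f" && chmod 600 "$f" ) 2>/dev/null; then
            exec "$STRACE_BIN" -f -tt -o "$f" "$LOGIN_BIN" "$@"
        fi
    fi
    # Fallback: never leave the serial line without a working login.
    exec "$LOGIN_BIN" "$@"
}

# Take over the tty only when installed under the name getty was given.
case "$0" in
    */mylogin) run_login "$@" ;;
esac
```

Delete the trace files once the failure has been found, since they contain whatever was typed at the password prompt.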