Remote users cannot login after enabling STIG

Article: 100048258
Last Published: 2021-04-28
Product(s): Appliances

Problem

Users registered on an Active Directory (AD), LDAP, or Kerberos server are unable to log in to the appliance using SSH after STIG is enabled.

Error Message

"Permission Denied" is displayed while logging in to the appliance, even if you enter a valid username and password.

Cause

When STIG is enabled on the appliance, the Pluggable Authentication Modules (PAM) stack is modified to limit failed login attempts for local users. The modified PAM stack prevents the authentication of AD, LDAP, or NIS users. The STIG rule is identified as xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny (CCE-27350-8).

This applies to NetBackup appliance versions up to 4.0.
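As an added illustration (not from the article and not the appliance's own configuration), the Python script below audits a PAM auth stack for the pam_faillock wiring that the rule installs and flags one ordering that reproduces the symptom: a [default=die] authfail line sitting between pam_unix and the directory-auth module. The sample stack is constructed, and Python 3 is assumed.

```python
import re

# Constructed STIG-style auth stack (pam_faillock as added by the CCE-27350-8 rule) with
# authfail placed before the remote-auth module. Illustrative only, not the appliance's file.
SAMPLE_SYSTEM_AUTH = """\
auth        required      pam_env.so
auth        required      pam_faillock.so preauth silent audit deny=3 unlock_time=900
auth        sufficient    pam_unix.so nullok try_first_pass
auth        [default=die] pam_faillock.so authfail audit deny=3 unlock_time=900
auth        sufficient    pam_sss.so use_first_pass
auth        required      pam_deny.so
"""
REMOTE_MODULES = {"pam_sss.so", "pam_ldap.so", "pam_krb5.so", "pam_winbind.so"}  # directory-user auth

def split_entry(line):
    """Split a PAM line into [type, control, module, args...]; bracketed controls
    such as [success=1 default=ignore] may contain spaces."""
    m = re.match(r"^(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$", line)
    return [m.group(1), m.group(2), m.group(3), *m.group(4).split()] if m else []

def audit_faillock(pam_text):
    """Report the faillock deny threshold, phases present, whether local_users_only is set,
    and whether a remote-auth module is only reached after a [default=die] authfail line: a
    directory user always fails pam_unix, so that ordering records a failure and rejects them."""
    report = {"deny": None, "phases": [], "local_users_only": False,
              "remote_after_authfail": False}
    seen_die_authfail = False
    for raw in pam_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        entry = split_entry(line)
        if len(entry) < 3 or entry[0] != "auth":
            continue
        control, module, args = entry[1], entry[2], entry[3:]
        if module == "pam_faillock.so":
            phase = next((a for a in args if a in ("preauth", "authfail", "authsucc")), None)
            if phase:
                report["phases"].append(phase)
            for a in args:
                if a.startswith("deny="):
                    report["deny"] = int(a.split("=", 1)[1])
                elif a == "local_users_only":
                    report["local_users_only"] = True
            if phase == "authfail" and "die" in control:
                seen_die_authfail = True
        elif module in REMOTE_MODULES and seen_die_authfail:
            report["remote_after_authfail"] = True
    return report
```

Running audit_faillock on the sample reports remote_after_authfail as True; moving the pam_sss line above the authfail line clears it.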

Solution

To allow remote users to continue using SSH after STIG is enabled, perform the following steps:

1. Revoke all authorization granted to entities under the authentication method.

2. Unconfigure and then reconfigure the authentication method.

Note: After the solution is applied, the "failed login" (fail lock) rule applies to local users but not to remote users.


For ActiveDirectory and Kerberos, Revoke Authorizations

1. Use the command Settings/Security/Authorization/List. A table is displayed.

2. For each entry whose Principal Source in the table is ActiveDirectory or Kerberos, use the command Settings/Security/Authorization/Revoke "Role" "Principal Type" "Name".

For ActiveDirectory, Remove Authentications

1. Use the command Settings/Security/Authentication/ActiveDirectory/List. A table is displayed.

2. For each entry whose Principal Source in the table is ActiveDirectory, use the command Settings/Security/Authentication/ActiveDirectory/Users Remove "Name".

For ActiveDirectory and Kerberos, Unconfigure Authentication Method

Unconfigure the remote authentication method with the command Settings/Security/Authentication/<Method>/Unconfigure.

Configure Authentication Method, Add Users and Grant Roles

For the authentication method that is chosen, use Settings/Security/Authentication/<Method>/Configure.

After configuring, use the Settings/Security/Authentication/<Method> commands to restore authentication for the remote entities.

Finally, grant roles to the remote entities.

LDAP

For LDAP, the process of removing authentication can be facilitated with the Export and Import commands.

1. Use the command Settings/Security/Authentication/LDAP/Export ldapusers.

2. Revoke roles with Settings/Security/Authorization/Revoke.

3. Unconfigure LDAP authentication with Settings/Security/Authentication/LDAP/Unconfigure.

4. Use the command Settings/Security/Authentication/LDAP/Import ldapusers.
