Remote users cannot login after enabling STIG

Remote users cannot login after enabling STIG

Article: 100048258
Last Published: 2021-04-28
Ratings: 0 0
Product(s): Appliances


Users registered on an Active Directory (AD), LDAP, or Kerberos server are unable to log in to the appliance using SSH after STIG is enabled.

Error Message

"Permission Denied" is displayed while logging in to the appliance, even if you enter a valid username and password.


When STIG is enabled on the appliance, the Pluggable Authentication Modules (PAM) stack is modified to limit failed login attempts for local users. The modified PAM prevents the authentication of AD, LDAP, or NIS users. The STIG rule is known by xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny and CCE-27350-8.

This applies to NetBackup appliance versions until 4.0.


To allow remote users to continue using SSH after STIG is enabled perform the following steps:

1.     Revoke all authorization granted to entities under the authentication method.

2.     Unconfigure and then reconfigure the authentication method.

Note: After the solution is applied, the "failed login", or, 'fail lock", rule will apply to local users but not remote users.


For ActiveDirectory and Kerberos, Revoke Authorizations

1.    Use command Settings/Security/Authorization/List. A table is displayed.

2.   For each Principal Type whose Principal Source in the table is ActiveDirectory or Kerberos use command Settings/Security/Authorization/Revoke "Role" "Principal Type" "Name

For ActiveDirectory, Remove Authentications

1.     Use command Settings/Security/Authentication/ActiveDirectory/List.  A table is displayed.

2.     For each Principal Type whose Principal Source in the table is ActiveDirectory use command Settings/Security/Authentication/ActiveDirectory/Users Remove “Name”.

For ActiveDirectory and Kerberos, Unconfigure Authentication Method

Unconfigure the remote authentication method. Use command Settings/Security/Authentication/<Method>/Unconfigure

Configure Authentication Method, Add Users and Grant Roles

For the authentication method that is chosen, use Settings/Security/Authentication/<Method>/Configure.

After configuring, use Settings/Security/Authentication/<Method> to restore authentication for the remote entities.

Finally, Grant roles to the remote entities.


For LDAP, the process of removing authentication can be facilitated with the Export and Import commands.

1.     Use command Settings/Security/Authentication/LDAP/Export ldapusers

2.     Revoke roles, Settings/Security/Authorization/Revoke

3.     Unconfigure LDAP Authentication, Settings/Authentication/LDAP Unconfigure

4.     Use command Settings/Security/Authentication/LDAP/Import ldapusers

Was this content helpful?