Users registered on an Active Directory (AD), LDAP, or Kerberos server are unable to log in to the appliance using SSH after STIG is enabled.
"Permission Denied" is displayed while logging in to the appliance, even if you enter a valid username and password.
When STIG is enabled on the appliance, the Pluggable Authentication Modules (PAM) stack is modified to limit failed login attempts for local users. The modified PAM stack prevents the authentication of AD, LDAP, or NIS users. The STIG rule is identified as xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny and CCE-27350-8.
This applies to NetBackup appliance versions up to 4.0.
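As an added illustration (not the appliance's own PAM configuration, which this article does not show), the fragment below contrasts two RHEL-style `auth` stacks that both enforce the pam_faillock deny rule; the file path, module order, and the deny/unlock values are assumed for the example. It shows why a pam_faillock `authfail` line placed between pam_unix and the directory module locks out AD/LDAP users while local users still work.

```conf
# Illustrative /etc/pam.d/system-auth "auth" section (assumed layout, not the
# appliance's file). pam_unix authenticates /etc/passwd users; pam_sss (sssd)
# authenticates AD/LDAP users. Values such as deny=3 are example values.

# --- Layout that locks out directory users ---
auth  required       pam_faillock.so preauth silent audit deny=3 fail_interval=900 unlock_time=900
auth  sufficient     pam_unix.so try_first_pass
# [default=die] ends the stack with a failure as soon as this line is reached.
# An AD/LDAP user is unknown to pam_unix, so pam_unix fails, this line runs,
# and pam_sss below is never consulted: "Permission denied" for every remote user.
auth  [default=die]  pam_faillock.so authfail audit deny=3 fail_interval=900 unlock_time=900
auth  sufficient     pam_sss.so use_first_pass
auth  required       pam_deny.so

# --- Layout that keeps the deny rule but lets directory users authenticate ---
auth  required       pam_faillock.so preauth silent audit deny=3 fail_interval=900 unlock_time=900
auth  sufficient     pam_unix.so try_first_pass
auth  sufficient     pam_sss.so use_first_pass
# Reached only after both local and directory authentication have failed, so a
# genuine failure is counted but a valid remote login is never short-circuited.
auth  [default=die]  pam_faillock.so authfail audit deny=3 fail_interval=900 unlock_time=900
auth  required       pam_deny.so
# Linux-PAM 1.4+ pam_faillock also accepts local_users_only, which restricts the
# counter to /etc/passwd users (the behaviour the note below describes).
account required     pam_faillock.so
```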
To allow remote users to continue using SSH after STIG is enabled, perform the following steps:
2. Unconfigure and then reconfigure the authentication method.
Note: After the solution is applied, the "failed login" (or "fail lock") rule applies to local users but not to remote users.
For ActiveDirectory and Kerberos, Revoke Authorizations
1. Use command Settings/Security/Authorization/List. A table is displayed.
2. For each Principal Type whose Principal Source in the table is ActiveDirectory or Kerberos, use command Settings/Security/Authorization/Revoke "Role" "Principal Type" "Name".
For ActiveDirectory, Remove Authentications
1. Use command Settings/Security/Authentication/ActiveDirectory/List. A table is displayed.
2. For each Principal Type whose Principal Source in the table is ActiveDirectory, use command Settings/Security/Authentication/ActiveDirectory/Users Remove "Name".
For ActiveDirectory and Kerberos, Unconfigure Authentication Method
Unconfigure the remote authentication method. Use command Settings/Security/Authentication/<Method>/Unconfigure.
Configure Authentication Method, Add Users and Grant Roles
For the chosen authentication method, use Settings/Security/Authentication/<Method>/Configure.
After configuring, use the commands under Settings/Security/Authentication/<Method> to re-add authentication for the remote entities.
Finally, grant roles to the remote entities.
For LDAP, the Export and Import commands simplify the process of removing and restoring authentication.
1. Use command Settings/Security/Authentication/LDAP/Export ldapusers.
2. Revoke roles with Settings/Security/Authorization/Revoke.
3. Unconfigure LDAP authentication with Settings/Security/Authentication/LDAP/Unconfigure.
4. Use command Settings/Security/Authentication/LDAP/Import ldapusers.