Cloud host: root cannot log in via VNC

1. Problem description

During a baseline hardening exercise, front-line staff reported that after they left the workstation and came back, the original root login session had been disconnected and ordinary users could not switch to root. They then tried to log in as root through the mobile cloud console's VNC, which also failed with the message: Report: incorrect auth

2. Handling process

1) Log in via single-user mode (rescue mode cannot handle this scenario because the files are incomplete)

The system on site is bclinux 8.6 (Anolis 8.6). To start single-user mode, edit the Linux kernel line of the first entry in the GRUB boot menu: at the end of that line (the line before initrd) add single, then press Ctrl + X to boot. This bypasses the normal login check; entering the root password gives a root shell.

2) Find out why the root user could not log in

Checking /var/log/secure and the authpriv logs shows the following error:

3) We asked what changes had been made before the incident and found that the main changes were to files under /etc/pam.d/. The login file in that directory was finally identified as the one that had been modified; the following content had been added:


The PAM module pam_securetty.so restricts root login to specified terminals, using the /etc/securetty file to complete the terminal restriction. The site's hardening change was built on this module, and that is what made root login via VNC impossible.

4) In summary, when pam_securetty.so is used to restrict root login and root cannot log in via VNC, troubleshoot with the following steps:

  1. Check /etc/securetty to see whether the list of permitted terminals includes the virtual terminal that VNC will use (such as vcsa, etc.). If it is not included, add it.
  2. Check the PAM configuration files (usually in /etc/pam.d/) to ensure that login-related services such as login and sshd include the pam_securetty.so module.
  3. In the PAM configuration file, try setting the control flag of the pam_securetty.so module to sufficient instead of required.
  4. Check whether the SELinux policy imposes any restriction; you can temporarily switch SELinux to permissive mode to test.
  5. Check system logs such as /var/log/secure to see where the root login is being refused.
  6. Try updating the VNC-related packages, or switch to another VNC implementation (such as x11vnc) to check whether the problem lies in the specific implementation.
  7. If the problem is still not solved, try removing the pam_securetty.so module entirely for testing.

On-site inspection showed that /etc/securetty was empty, so root was prohibited from logging in from any terminal. The baseline compliance requirements also had to be taken into account: the compliance check inspects the module type and control flag configured in /etc/pam.d/login and looks for the line auth required pam_securetty.so; if that line exists, the host is deemed compliant. The standard does not restrict VNC login from the mobile cloud console. Therefore a tty2 exemption was added to /etc/securetty, VNC login was verified to succeed, and the problem was resolved.
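As an added example (not code from the original article), the check below reproduces the on-site state of /etc/pam.d/login and /etc/securetty in constructed files and reports whether root would be allowed on a given terminal, before and after the tty2 exemption. The file names and the tty2 value come from this article; the function names and the simplified pam_securetty rules (missing file means no restriction, empty file blocks root everywhere) are assumptions.

```python
import os
import re
import tempfile
from typing import Optional

# Matches "auth <flag> [path/]pam_securetty.so"; keyword control flags only, not the [value=action] form.
SECURETTY_LINE = re.compile(r"^\s*auth\s+(\S+)\s+\S*pam_securetty\.so", re.M)

def securetty_control_flag(pam_text: str) -> Optional[str]:
    """Control flag (required, sufficient, ...) of the pam_securetty.so auth line, or None if absent."""
    match = SECURETTY_LINE.search(pam_text)
    return match.group(1) if match else None

def root_allowed_on(securetty_text: Optional[str], tty: str) -> bool:
    """Missing securetty file (None) -> no restriction; existing but empty file -> root blocked everywhere."""
    if securetty_text is None:
        return True
    return tty in {line.strip() for line in securetty_text.splitlines()}

def diagnose(pam_text: str, securetty_text: Optional[str], tty: str) -> str:
    flag = securetty_control_flag(pam_text)
    if flag is None:
        return "pam_securetty.so absent: terminal not restricted"
    if root_allowed_on(securetty_text, tty):
        return f"pam_securetty.so ({flag}) and {tty} listed: root login allowed"
    return f"pam_securetty.so ({flag}) but {tty} not listed: root login denied"

def diagnose_files(pam_file: str, securetty_file: str, tty: str) -> str:
    """Same check against real files, e.g. /etc/pam.d/login and /etc/securetty."""
    with open(pam_file, encoding="utf-8") as fh:
        pam_text = fh.read()
    securetty_text = None
    if os.path.exists(securetty_file):
        with open(securetty_file, encoding="utf-8") as fh:
            securetty_text = fh.read()
    return diagnose(pam_text, securetty_text, tty)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:  # constructed copies reproducing the on-site state
        pam = os.path.join(tmp, "login")
        stty = os.path.join(tmp, "securetty")
        with open(pam, "w") as fh:
            fh.write("auth required pam_securetty.so\nauth include system-auth\n")
        open(stty, "w").close()                   # empty, as found on site
        print(diagnose_files(pam, stty, "tty2"))  # root login denied
        with open(stty, "a") as fh:
            fh.write("tty2\n")                    # the exemption added in the article
        print(diagnose_files(pam, stty, "tty2"))  # root login allowed
```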

3. Appendix

3.1. Rescue mode review

In the GRUB boot menu, find the linux16 line, change ro to rw, delete the unneeded content, and append the kernel parameter rd.break (or init=/bin/bash) to the end of the line; then press Ctrl + X to enter rescue mode, as shown below:

After entering, execute:

mount -o remount,rw /sysroot
chroot /sysroot
# change the root password
passwd root
# force an SELinux relabel on the next boot so the rewritten /etc/shadow gets the correct context
touch /.autorelabel
exit    # leave the chroot
reboot  # or: init 6, to restart

3.2. Other login errors


If the restricting line in /etc/pam.d/login is written incorrectly (for example as auth required pam_securettu.so, with the module name misspelled), no user at all will be able to log in, and the error shown above is reported: a required module that cannot be loaded counts as an authentication failure. The fix is the same as above: enter rescue mode and delete the incorrect auth required pam_securettu.so line (the redundant content) from the login file, and also delete the /etc/securetty file; otherwise root will by default be unable to log in on any terminal.

3.3. VNC login

VNC (Virtual Network Computing) is the virtual network service used in the OpenStack project, also called a graphical desktop sharing system. It provides a graphical terminal through which users connect to a remote server and carry out management operations: the terminal interface of the remote host is transmitted over the network to the current user, as if the current screen were the remote host. It is therefore also regarded as a protocol, a graphical-interface protocol for remote access to virtual machines. In OpenStack the VNC service is the instance console service, which lets users access remote virtual machines through a browser or a VNC client.

The main principle of a VNC connection is that the screen image of the remote computer is compressed into an image data stream and transmitted over the network to the local computer, which decompresses it and displays it on the local screen. At the same time, the operations of the local computer's input devices (such as mouse and keyboard) are captured and transmitted over the network to the remote computer, which applies them to its own system. The following is a piece of Python code that configures VNC for an OpenStack virtual machine:

import openstack

# Create a connection to the OpenStack API (cloud name from clouds.yaml)
conn = openstack.connect(cloud='openstack')

# Look up the virtual machine by its ID (placeholder value)
vm = conn.compute.find_server('vm_id')

# Define the VNC settings
vnc_settings = {
    'vnc_ip': '192.168.1.100',
    'vnc_port': 5900,
    'vnc_password': 'password123'
}

# Store the VNC settings in the virtual machine's metadata
# (note: server metadata is stored and returned in plain text)
conn.compute.set_server_metadata(vm, **vnc_settings)

In Linux, VNC includes the following four commands: vncserver, vncviewer, vncpasswd, and vncconnect. VNC basically consists of two parts: the client application (vncviewer) and the server-side application (vncserver). Its basic operating principle is similar to some remote control software on Windows.

1. vncserver: This service program must run on the computer to be controlled (the remote computer). It can be run as an ordinary user; root identity is not required.

2. vncviewer: A local application used to remotely access the computer running vncserver and display its desktop. You need the remote computer's IP address and the password set for vncserver.

3. vncpasswd: The password-setting tool for vncserver. vncserver will not run without a password being set (good practice); if none has been set, vncserver prompts for one when it starts, so this command is generally not run on its own to set a password.

4. vncconnect: Tells vncserver to connect to the IP address and port of a remote computer running vncviewer (a reverse connection). This avoids giving other people a password for access.

5. Xvnc: The VNC "master" program, which generally does not need to be run directly (vncserver and vncviewer are actually scripts around Xvnc).

The communication process of VNC connection is mainly divided into the following steps:

1. Establish a connection: When the user enters the IP address and port number of the remote computer in the VNC client, the client requests a connection to the remote computer. The VNC server running on the remote computer listens on the specified port and waits for the client's connection request.
2. Authentication: After the connection is established, the remote computer asks the client to authenticate, so that only authorized users can access it remotely. The client must provide correct credentials (such as a password) to pass authentication.
3. Image transmission: Once authentication passes, the VNC server starts capturing the remote computer's screen image, compresses it into an image data stream and transmits it over the network to the VNC client, which decompresses it and displays it on the local screen.
4. Input transmission: At the same time, the VNC client captures the local computer's input operations, such as mouse movements and keyboard input, and transmits them over the network to the VNC server, which applies them to the remote computer's system.
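As an added example (not from the original article), the decoder below parses the RFB 3.8 messages behind steps 1 and 2 above, from constructed byte strings: the version greeting, the list of security types the server offers, and the SecurityResult that ends authentication. Message layouts follow RFC 6143; the function names, the sample bytes and the check for a console that offers the "None" security type are assumptions.

```python
import struct
from typing import List, Tuple

# Security types from RFC 6143 plus common registered extensions.
SECURITY_TYPES = {0: "Invalid", 1: "None", 2: "VNC Authentication",
                  16: "Tight", 18: "TLS", 19: "VeNCrypt"}

def parse_protocol_version(data: bytes) -> Tuple[int, int]:
    """Step 1: each side sends 'RFB xxx.yyy\\n' (exactly 12 bytes)."""
    if len(data) != 12 or not data.startswith(b"RFB ") or data[-1:] != b"\n":
        raise ValueError("not an RFB ProtocolVersion message")
    major, minor = data[4:11].decode("ascii").split(".")
    return int(major), int(minor)

def parse_security_types(data: bytes) -> List[str]:
    """Step 2 (RFB 3.7+): U8 count, then that many U8 security types.
    A count of 0 means the server refused; a U32 length and reason follow."""
    count = data[0]
    if count == 0:
        (length,) = struct.unpack(">I", data[1:5])
        raise ConnectionError(data[5:5 + length].decode("latin-1"))
    return [SECURITY_TYPES.get(t, f"unknown({t})") for t in data[1:1 + count]]

def parse_security_result(data: bytes) -> Tuple[bool, str]:
    """End of step 2: U32 status (0 = OK, 1 = failed). In RFB 3.8 a
    failure is followed by a U32 length and a human-readable reason."""
    (status,) = struct.unpack(">I", data[:4])
    if status == 0:
        return True, ""
    (length,) = struct.unpack(">I", data[4:8])
    return False, data[8:8 + length].decode("latin-1")

def offers_unauthenticated_access(types: List[str]) -> bool:
    """Defender check: a console offering 'None' skips the authentication
    step for any client, so it should not be reachable from the network."""
    return "None" in types

# Constructed sample exchange: the server offers only VNC Authentication
# and then rejects the client's challenge response.
SERVER_GREETING = b"RFB 003.008\n"
SERVER_SECURITY_TYPES = bytes([1, 2])
REASON = b"Authentication failure"
SERVER_SECURITY_RESULT = struct.pack(">II", 1, len(REASON)) + REASON

if __name__ == "__main__":
    print(parse_protocol_version(SERVER_GREETING))          # (3, 8)
    offered = parse_security_types(SERVER_SECURITY_TYPES)
    print(offered, offers_unauthenticated_access(offered))  # ['VNC Authentication'] False
    print(parse_security_result(SERVER_SECURITY_RESULT))    # (False, 'Authentication failure')
```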

In OpenStack projects, we usually open Horizon (the OpenStack web interface), select the project and instance, open the "Console" tab on the instance details page, select "VNC Console" and click "Launch Console" to log in to the managed node or virtual machine instance. To turn the VNC function off, edit the Nova configuration file /etc/nova/nova.conf and then restart the Nova services; the configuration is as follows:

[DEFAULT]
vnc_enabled = False    # change to False to disable VNC consoles

# restart the Nova services so the change takes effect
service nova-compute restart
service nova-consoleauth restart
service nova-novncproxy restart