Authentication required - authentication

Authentication is required to run '/bin/bash' as the super admin.
incorrect permissions on /usr/libexec/polkit-agent-helper-1 (needs to be setuid root)

Related

How to overcome the Git Bash error that occurs when enabling two-factor authentication on GitHub

Very recently I activated two-factor authentication on GitHub. After that, I tried to push my work (using Git Bash) to a new repository, and it displays an error saying that the username or password is incorrect. How can I overcome this issue?
It's likely that you're still using your username and password stored in a credential manager for pushing to GitHub, and that won't work when you're using two-factor authentication. The Git FAQ explains how to empty your credentials (replace your-username):
$ echo url=https://your-username@github.com | git credential reject
Then, the next time you push, Git will prompt you for your credentials. Go to https://github.com/settings/tokens and create a personal access token with the repo and workflow scopes, and then give Git your username when it asks and the personal access token for your password. Don't specify your actual password, since that won't work.
On Windows, you may see a graphical prompt to sign into GitHub; you can just close that window and follow the steps above.

Google two-factor authentication does not work with the 'su' command

I installed google two factor authentication on my linux server.
(thanks to: https://github.com/google/google-authenticator-libpam)
When I try to access root account via ssh, authenticator works fine.
Verification code: .....
Password: ....
[root@hostname] works fine :)
But!! When I access another user account and try to access the root account using su,
the authenticator only requires a password.
[user@hostname] whoami
user
[user@hostname] su
password: .....
[root@hostname] What?!!!
I set all config to default value.
How can I fix it??
This is the default way this works. Since you are using the google-authenticator-libpam module you are only adding two factor authentication to the actual external interface login via the addition of auth required pam_google_authenticator.so to the sshd config file.
The proper security implementation (or at least one of the proper ways) is to not allow external login for the root user. Going one step further and locking down ssh to only allow login from users who have two-factor authentication enabled is even better.
To do that you would add the following in your sshd config:
AllowUsers admin bob
To enable Google two-factor authentication for su -, you have to add the following parameter at the end of the file /etc/pam.d/su:
auth required pam_google_authenticator.so
Save it and try logging in as the normal user and then running su -; it will prompt for a verification code.
i.e. there is no need to restart the sshd service.
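A check for the gap this thread describes, as an added example that is not part of either answer: it reads the auth stack of each PAM service file and reports whether pam_google_authenticator.so is missing, present but not enforced, or placed after a line that can end the stack before it runs. The sample files are constructed; include, substack and bracketed jump actions are parsed but not followed, so an included file has to be audited on its own.

```python
import re

AUTH_LINE = re.compile(r"^-?auth\s+(\[[^\]]*\]|\S+)\s+(\S+)")
ENFORCING = {"required", "requisite"}
TOTP = "pam_google_authenticator.so"

def auth_stack(pam_text):
    """Return (control, module) pairs for the auth lines of one PAM service file."""
    stack = []
    for raw in pam_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("@include"):        # Debian-style include of another file
            stack.append(("include", line.split()[-1]))
            continue
        m = AUTH_LINE.match(line)
        if m:
            stack.append((m.group(1), m.group(2).rsplit("/", 1)[-1]))
    return stack

def totp_status(pam_text, module=TOTP):
    """Classify how one service's auth stack treats the TOTP module."""
    stack = auth_stack(pam_text)
    names = [name for _, name in stack]
    if module not in names:
        return "missing"
    idx = names.index(module)
    if stack[idx][0] not in ENFORCING:
        return "not-enforced"
    for control, name in stack[:idx]:
        # A successful 'sufficient' module ends the stack before later lines run.
        # pam_rootok.so only succeeds when the caller is already root, so it is exempt.
        if control == "sufficient" and name != "pam_rootok.so":
            return "bypassable"
        # Included files are not followed here; they may hold a 'sufficient' line.
        if control == "include":
            return "check-include"
    return "enforced"

# Constructed sample files (not taken from a real host).
SSHD = "#%PAM-1.0\nauth required pam_google_authenticator.so\nauth required pam_unix.so\n"
SU_DEFAULT = "#%PAM-1.0\nauth sufficient pam_rootok.so\nauth required pam_unix.so\n"
SU_APPENDED = SU_DEFAULT + "auth required pam_google_authenticator.so\n"
SU_SHADOWED = ("auth sufficient pam_rootok.so\nauth sufficient pam_unix.so\n"
               "auth required pam_google_authenticator.so\n")

if __name__ == "__main__":
    samples = {"sshd": SSHD, "su (default)": SU_DEFAULT,
               "su (appended)": SU_APPENDED, "su (shadowed)": SU_SHADOWED}
    for service, text in samples.items():
        print(f"{service:15} {totp_status(text)}")
```

On a real host, pass the contents of /etc/pam.d/sshd and /etc/pam.d/su; a "check-include" result means the line sits after an included file whose own auth lines decide whether it is reached.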

Saving docker credentials in docker config

I have a private hosted registry at www.myDockerRepo.company.com:2222. To log in to this repository I follow these steps:
docker login www.myDockerRepo.company.com:2222
username : xxx
password : ***
email : xyz@company.com
WARNING: login credentials saved in /home/vagrant/.docker/config.json
Login Succeeded
Can these credentials be saved beforehand in the config.json so that clients don't need to manually enter these credentials on every login? What is the best practice to log in to private registries?
Yes, you can manually add the creds to the config. Just copy the file over from a host that you already logged in with.
As far as best practices, they depend on the setup, but most common is to use a generic system account for your registry that is only used by the hosts, and then when setting up the hosts and installing docker, drop in the config file for that system user. Then all pushes and pulls from those servers will be with that account.
If you try and reuse a user account, things will break if that user changes their password. It also allows you to have different permissions for hosts, maybe pull only access vs push, etc.
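What the copied file holds, as an added example that is not code from the answer: without a credential helper, docker keeps each registry login under "auths" as base64 of "user:password", which is an encoding and not encryption, so the file has to be readable by its owner only. The account name svc-pull and its password are constructed placeholders.

```python
import base64
import json
import os
import stat
import tempfile

def auth_entry(username, password):
    """Build the per-registry value docker stores: base64("user:password")."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return {"auth": token}

def write_config(path, registry, username, password):
    """Write a config.json for one registry, readable only by its owner."""
    config = {"auths": {registry: auth_entry(username, password)}}
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        json.dump(config, fh, indent=2)
    os.chmod(path, 0o600)  # also tightens a file that already existed
    return config

def audit_config(path):
    """Report registries with inline credentials and whether others can read them."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    with open(path) as fh:
        auths = json.load(fh).get("auths", {})
    inline = []
    for registry, entry in auths.items():
        if "auth" in entry:  # an empty entry means a credential helper holds the secret
            user = base64.b64decode(entry["auth"]).decode().split(":", 1)[0]
            inline.append((registry, user))
    return {"group_or_world_access": bool(mode & 0o077), "inline_credentials": inline}

def demo():
    """Write a config for a constructed system account and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "config.json")
        write_config(path, "www.myDockerRepo.company.com:2222",
                     "svc-pull", "constructed-secret")
        return audit_config(path)

if __name__ == "__main__":
    print(demo())
```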

SonarQube 5.2, LDAP plugin 1.5: com4j.ComException

AD login is not possible after upgrading from LDAP 1.4. In the TRACE log the following error message is logged:
DEBUG web[o.s.p.l.w.WindowsUsersProvider] Requesting details for user: xxxxxx
ERROR web[rails] Error from external users provider: exception Java::Com4j::ExecutionException: com4j.ComException: 8007203a Failed to MkParseDisplayName : The server is not operational. : .\com4j.cpp:217
Removing the LDAP settings from sonar.properties did not help. After downgrading to LDAP 1.4 everything works again. Did we miss some configuration setup?
LDAP plugin 1.5.1 with a fix for this issue (LDAP-49) is released and available for download from SonarQube's update center.
Refer to SonarQube LDAP plugin documentation page:
LDAP 1.5.1 – Dec 02, 2015 – Compatible with SonarQube 5.2+
Bug fixes for Active Directory environments
Please go through the new changes and try the below mentioned settings.
LDAP 1.5 plugin is using Waffle to support Windows Authentication and SSO on Windows OS.
LDAP in Windows auth mode supports two ways of login from browser:
1. Single sign-on
SSO will be performed on hitting any SonarQube URL other than /sessions/login.
Only domain users are supported through SSO.
2. Form-based login from the /sessions/login page
Domain users
Login: <domain\alias> or alias@domain or alias
Password: <domain credentials>
Technical users
Login: <username>
Password: <password>
On logout, users will be presented with the login page (/sessions/login),
where they can choose to log in as a technical user or a domain user by
passing the appropriate credentials.
For users who are already using a previous version of the LDAP plugin to
connect to Microsoft AD and have already defined authorization in terms of those
users and group names, use the following settings on Windows:
# LDAP configuration
sonar.security.realm=LDAP
ldap.windows.compatibilityMode=true
# For debugging purposes; remove this if you don't see any issues
sonar.log.level=DEBUG
ldap.windows.auth=true
-----------------------------------------------------------------------
Default protocol is NTLM which should work for most of the scenarios.
Troubleshooting NTLM
◦Enabling NTLM Logging
http://goo.gl/3LhU6E
If you want to use Kerberos "Negotiate" protocol please use the following steps.
Negotiate Authentication Steps:
For negotiate authentication to work make sure following steps are followed:
1. Browser Configuration
Waffle link: Configuring Browsers (IE/Firefox)
https://goo.gl/vcPnrk
2. Kerberos setup
Make sure that the user has the privilege for Kerberos delegation
setspn -L username
To add privileges to the current user, run
setspn -S HTTP/machine:port machine
example:
setspn -S HTTP/machine:9000 machine
3. The SonarQube application is running as a service (NT service)
Troubleshooting Resources
1. Useful Kerberos troubleshooting resources
◦Enabling Kerberos Logging
http://support.microsoft.com/kb/262177/en-us
◦Troubleshooting Kerberos Delegation
http://www.microsoft.com/en-us/download/confirmation.aspx?id=4754

Authenticate Radius user using pam and ssh

I am able to authenticate RADIUS users using a RADIUS server + PAM + ssh by creating a local user with a blank password in Linux.
Is it possible to authenticate RADIUS users without creating users on the local machine with a blank password?
The /etc/pam.d/ssh file is as below:
#%PAM-1.0
auth sufficient pam_radius_auth.so debug
auth sufficient pam_unix.so use_first_pass
auth required pam_auth_status.so
account sufficient pam_unix.so
account required pam_auth_status.so
session required pam_unix.so
You can authenticate the user without creating an entry for him in the /etc/passwd and /etc/shadow files. But now, the user is not associated with any shell in '/etc/passwd', so it can be of no use.
Do you want to launch a shell after authentication or you want the user just to be authenticated?
I found two nss libraries that could help in this case:
libnss-mapuser from Cumulus Linux.
libnss-ato
The general process is that these will map unknown (but authenticated) users to a single user template. Each user will get his/her own /home folder, though both libs have in common that the user ID will be the same.
These packages are mainly targeted at network devices where there is no LDAP setup done. Cumulus describes the setup nicely.
I recommend reading https://serverfault.com/questions/538383/understand-pam-and-nss to understand what is happening there.