
We are in an environment where Kerberos authentication is being enforced by our security team. We are deploying RHEL 7.4.

In the event of authentication servers being unreachable (preventing SSH login into our RHEL boxes), we need to be able to use a breakglass account through out-of-band management to log in via the HP iLO text console. We can log into iLO successfully via SSH, and then issue the textcons command to open a Linux text console.

However, we recently discovered that our breakglass account cannot be used when the authentication servers are down. You are presented with the console login, we punch in the username and password, and it just sits there. My guess is there is some timeout while it waits for authentication servers that will never respond.

I have a sneaky suspicion that this is related to PAM configurations, however I'm not sure what PAM configuration would be leveraged by a virtual text console from out-of-band management. The only clearly identifiable services in /etc/pam.d are login and sshd. Since it's supposed to be a virtual text console, I don't think that it's sshd, which would lead me to the login service, but I need to be sure so I don't start hacking away at the wrong file.

Matthew
  • This doesn't make a lot of sense the way it's written. Are you sure you're trying to log in to the iLO? Part of your question is written as if you're trying to log in to the installed OS through the iLO's virtual serial port, and not the iLO itself. Can you clarify exactly what you are trying to do? – Michael Hampton Nov 02 '18 at 14:11
  • I tried to be as clear as possible, guess I failed! You can SSH into iLO, and then run the TEXTCONS command to open a text console into the server. Doing so drops you into the Linux login prompt. At this point you try to log in using the local Linux breakglass user, you get a password prompt, and then it times out. The issue isn't logging into iLO, the issue is logging into the OS via iLO text console. I added some edits to help clarify. – Matthew Nov 02 '18 at 14:37
  • OK, so this really has nothing to do with the iLO at all. It would be best to include your Linux distribution, how you configured it to join the realm, etc. – Michael Hampton Nov 02 '18 at 14:46
  • Well, it does actually have to do with iLO, since iLO TEXTCONS is connecting into the OS SOMEHOW. I'm not sure if it's /dev/tty, /dev/stty, etc. That would determine which PAM files need to be modified. – Matthew Nov 02 '18 at 15:18
  • OK, but that's a very minor part of it. The rest is much more important. – Michael Hampton Nov 02 '18 at 15:24

0 Answers