WAAS-UNKNOWN-1-899999: ### pam_unix: _unix_verify_password check pass; user

Unanswered Question
Jun 3rd, 2008

I get the above message about 5 times a day on one of my WAE-612s.

I had the messages on release 4.0.13 and still get them on 4.0.17.

What is causing this message? I tried to log in to the WAAS box using the incorrect username password, but that did not generate this message.

Anybody any ideas??

Richard Bradfield Tue, 06/03/2008 - 15:04

Sorry, you do get the above message with an incorrect login, so I have got to see who is trying to log in.

dstolt Tue, 06/03/2008 - 16:58

Richard,

You are correct, it occurs when someone attempts to access the box with an incorrect ID or pw. I've seen it a lot in logs with these messages when someone wrote a script with the incorrect ID/PW.

I think if you go into the syslog.txt on the actual WAE that is getting the message (I assume you are seeing this on the CM?), you may be able to see the UID of the user attempting to log in. Something like the following...

Apr 18 17:58:35 wae1 PAM_unix[20635]: %WAAS-UNKNOWN-1-899999: ### pam_unix: _unix_verify_password check pass; user unknown

Apr 18 17:58:35 wae1 PAM_unix[20635]: %WAAS-UNKNOWN-5-899999: ### pam_unix: _unix_verify_password authentication failure; (uid=0) -> pchandho

Apr 18 17:58:45 wae1 PAM_unix[20913]: %WAAS-UNKNOWN-5-899999: ### pam_unix: _unix_verify_password authentication failure; (uid=0) -> admin

Dan

Richard Bradfield Tue, 06/03/2008 - 21:26

Dan,

It does seem more complex than that. I put an ACL on the router WAAS interface and picked up nothing, but I am still getting messages.

It looks like it might have something to do with "Start service 'mingetty' using: '/ruby/bin/startmingetty.sh' with pid: 23755", as it started at about the same time as the error occurred.

See below.

Jun 4 04:42:07 SHAWAD01 Nodemgr: %WAAS-NODEMGR-5-330040: Start service 'mingetty' using: '/ruby/bin/startmingetty.sh' with pid: 32356

Jun 4 04:46:15 SHAWAD01 Nodemgr: %WAAS-NODEMGR-5-330027: Process with pid 32356 exits

Jun 4 04:46:15 SHAWAD01 Nodemgr: %WAAS-NODEMGR-5-330048: DEBUG: respawn_count = 8, period: 1528.730000

Jun 4 04:46:15 SHAWAD01 Nodemgr: %WAAS-NODEMGR-5-330040: Start service 'mingetty' using: '/ruby/bin/startmingetty.sh' with pid: 2574

Jun 4 14:46:19 SHAWAD01 PAM_unix[2574]: %WAAS-UNKNOWN-3-899999: ### pam_unix: pam_sm_authenticate bad username [% Authentication failed]

Jun 4 14:46:19 SHAWAD01 login[2574]: %WAAS-UTILLIN-5-801060: Failed login session from (null) for user % Authentication failed: User not known to the underlying authentication module

Jun 4 04:46:20 SHAWAD01 Nodemgr: %WAAS-NODEMGR-5-330027: Process with pid 2574 exits

Jun 4 04:46:20 SHAWAD01 Nodemgr: %WAAS-NODEMGR-5-330024: Service 'mingetty' exited normally with code 1

Jun 4 04:46:20 SHAWAD01 Nodemgr: %WAAS-NODEMGR-5-330032: Stopping service: 'mingetty'.

Jun 4 04:46:20 SHAWAD01 Nodemgr: %WAAS-NODEMGR-5-330048: DEBUG: respawn_count = 9, period: 1534.040000

Jun 4 04:46:21 SHAWAD01 Nodemgr: %WAAS-NODEMGR-5-330040: Start service 'mingetty' using: '/ruby/bin/startmingetty.sh' with pid: 2837

Jun 4 05:15:31 SHAWAD01 Nodemgr: %WAAS-NODEMGR-5-330027: Process with pid 2837 exits

Jun 4 05:15:31 SHAWAD01 Nodemgr: %WAAS-NODEMGR-5-330048: DEBUG: respawn_count = 10, period: 3284.710000

Jun 4 05:15:31 SHAWAD01 Nodemgr: %WAAS-NODEMGR-5-330040: Start service 'mingetty' using: '/ruby/bin/startmingetty.sh' with pid: 23462

Jun 4 15:15:35 SHAWAD01 PAM_unix[23462]: %WAAS-UNKNOWN-3-899999: ### pam_unix: pam_sm_authenticate bad username [% Authentication failed]

Jun 4 15:15:35 SHAWAD01 login[23462]: %WAAS-UTILLIN-5-801060: Failed login session from (null) for user % Authentication failed: User not known to the underlying authentication module

Jun 4 05:15:36 SHAWAD01 Nodemgr: %WAAS-NODEMGR-5-330027: Process with pid 23462 exits

Jun 4 05:15:36 SHAWAD01 Nodemgr: %WAAS-NODEMGR-5-330024: Service 'mingetty' exited normally with code 1

Jun 4 05:15:36 SHAWAD01 Nodemgr: %WAAS-NODEMGR-5-330032: Stopping service: 'mingetty'.

Jun 4 05:15:36 SHAWAD01 Nodemgr: %WAAS-NODEMGR-5-330048: DEBUG: respawn_count = 0, period: 0.010000

Jun 4 05:15:37 SHAWAD01 Nodemgr: %WAAS-NODEMGR-5-330040: Start service 'mingetty' using: '/ruby/bin/startmingetty.sh' with pid: 23469

Jun 4 15:15:41 SHAWAD01 PAM_unix[23469]: %WAAS-UNKNOWN-1-899999: ### pam_unix: _unix_verify_password check pass; user unknown

Jun 4 15:15:41 SHAWAD01 PAM_unix[23469]: %WAAS-UNKNOWN-5-899999: ### pam_unix: _unix_verify_password authentication failure; LOGIN(uid=0) -> Jun 4 15:15:3

Jun 4 15:15:43 SHAWAD01 login[23469]: %WAAS-UTILLIN-5-801060: Failed login session from (null) for user Jun 4 15:15:3: Authentication service cannot retrieve authentication info.

Jun 4 05:15:44 SHAWAD01 Nodemgr: %WAAS-NODEMGR-5-330027: Process with pid 23469 exits

Jun 4 05:15:44 SHAWAD01 Nodemgr: %WAAS-NODEMGR-5-330048: DEBUG: respawn_count = 1, period: 8.110000

Jun 4 05:15:45 SHAWAD01 Nodemgr: %WAAS-NODEMGR-5-330040: Start service 'mingetty' using: '/ruby/bin/startmingetty.sh' with pid: 23755

Jun 4 15:16:51 SHAWAD01 login: %WAAS-SYSUTL-5-800003: you2are login on 0 from 172.16.197.254
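
Added example, not part of the original thread and not Cisco tooling: a sketch of the correlation visible in the log above, tying each PAM/login failure to a mingetty PID started by Nodemgr so console-originated failures can be told apart from others. The sample lines are constructed in the thread's format (hostname `wae-example`, the PIDs and the 192.0.2.10 address are made up), and it assumes wrapped syslog lines have already been rejoined.

```python
import re

# Constructed sample in the syslog format quoted in the thread (not real data).
SAMPLE = """\
Jun 4 04:46:15 wae-example Nodemgr: %WAAS-NODEMGR-5-330040: Start service 'mingetty' using: '/ruby/bin/startmingetty.sh' with pid: 2574
Jun 4 14:46:19 wae-example PAM_unix[2574]: %WAAS-UNKNOWN-3-899999: ### pam_unix: pam_sm_authenticate bad username [% Authentication failed]
Jun 4 14:46:19 wae-example login[2574]: %WAAS-UTILLIN-5-801060: Failed login session from (null) for user % Authentication failed: User not known to the underlying authentication module
Jun 4 04:46:20 wae-example Nodemgr: %WAAS-NODEMGR-5-330027: Process with pid 2574 exits
Jun 4 16:02:11 wae-example PAM_unix[4100]: %WAAS-UNKNOWN-5-899999: ### pam_unix: _unix_verify_password authentication failure; (uid=0) -> admin
Jun 4 16:02:11 wae-example login[4100]: %WAAS-UTILLIN-5-801060: Failed login session from 192.0.2.10 for user admin: Authentication failure
"""

START = re.compile(r"Start service 'mingetty' .*with pid: (\d+)")
EXIT = re.compile(r"Process with pid (\d+) exits")
AUTH = re.compile(r"(?:PAM_unix|login)\[(\d+)\]: %WAAS-\S+ (.*)")
FAILED = re.compile(r"authentication failure|bad username|user unknown|Failed login", re.I)


def classify_failures(log_text):
    """Return [(pid, origin, message)] for every auth-failure line.

    Lines are processed in file order and matched on PID only: in the
    thread's log the PAM/login timestamps are ten hours ahead of the
    Nodemgr ones, so timestamps cannot be used to pair the events.
    """
    console_pids = set()              # PIDs currently owned by mingetty
    results = []
    for line in log_text.splitlines():
        if (m := START.search(line)):
            console_pids.add(m.group(1))
        elif (m := EXIT.search(line)):
            console_pids.discard(m.group(1))   # PID may be reused later
        elif (m := AUTH.search(line)) and FAILED.search(m.group(2)):
            pid, msg = m.groups()
            origin = "console" if pid in console_pids else "other"
            results.append((pid, origin, msg))
    return results


if __name__ == "__main__":
    for pid, origin, msg in classify_failures(SAMPLE):
        print(f"{origin:8} pid={pid:6} {msg}")
```

Failures classified as `console` point at the serial console port rather than at SSH or Telnet, which is why a router ACL would log nothing for them.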

dstolt Wed, 06/04/2008 - 04:47

Richard,

By any chance is there a console server attached to the console port on the WAE?

Dan

Richard Bradfield Wed, 06/04/2008 - 15:23

Dan,

No, there is nothing connected to the console port. I have 20 WAE-612s around Australia and Asia; this one in Shanghai is the only one giving this problem.

dstolt Thu, 06/05/2008 - 06:59

How is your AAA set up? Do you use the Admin and other local accounts ID or do you have TACACS or something else set up as well?

Dan

muali Fri, 06/06/2008 - 10:31

These are likely from failed login attempts. Do you have some script running or scanning going on? Look for a pattern in the time stamps.

If you are using TACACS for AAA, make sure your server is accessible from the WAE.

Richard Bradfield Fri, 06/06/2008 - 15:39

It is not a failed login attempt, see previous messages. It seems to be associated with the "mingetty" service, see attached log.

Every time this service starts I get the message. Why is this service starting? Looking through logs from other WAAS boxes, I do not see this service starting.

dstolt Fri, 06/06/2008 - 18:32

Richard,

I'm not sure this will help anything either... Can you check if the WAE is running debug? I see some debug messages in the log... Maybe from a past TAC case or something? Try "sh debug" and see if there is anything running. Maybe try "undebug all" at the exec mode if so.

Dan

Richard Bradfield Fri, 06/06/2008 - 18:54

No, no debugs; it has been reloaded and the OS upgraded.

I am not a Linux person, but it looks like something to do with the mingetty service and perhaps something in the Linux kernel.
