Agent Service Interface authentication fails
Albook 120000625S Visits (3490)
Even if it is rarely considered by end-users, Agent Service Interface (ASI) can be useful if you want to have information about agent itself,
When you access ASI, it asks to provide username + password, that are validated by the underlying OS security interface.
For a case I recently investigated, despite the user/password pair was correct, authentication was failing.
"Failed Agent server authentication, status 2085388311"
After having set traces like:
KBB_RAS1=ERROR (UNIT:kraasi ALL) (UNIT:kbb ALL)
the log file also showed this status code for the authentication failure:
The three possible status that are returned by the module are:
So in our case the authentication was failing for an exception.
[3365395.270577] kbbacf1: segfault at 0 ip 0000000055820c6f sp 00000000fff8e79c error 4 in libc
And core files were also created by the kbbacf1.
So we focused on the permission denied received when accessing /etc/shadow file.
By default, kbbacf1 file is set to have root owner and suid bit set.
The "permission denied" we observed in our case was related to wrong permission bits and owner associated to kbbacf1 file.
This is an acceptable configuration if you want to reduce the risk of privilege escalation in your server, as per:
but in this case you cannot use ASI.
If you need to access ASI, the kbbacf1 must have the following permission bits and owner:
-rwsrwxr-x 1 root mqm 6566 Nov 5 2015 kbbacf1
So you may need to:
1) change the owner back to root for file kbbacf1
Hope it helps
Subscribe and follow us for all the latest information directly on your social feeds: