Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
[solved]: su gives me root with wrong or empty password
View unanswered posts
View posts from last 24 hours

 
Reply to topic    Gentoo Forums Forum Index Networking & Security
View previous topic :: View next topic  
Author Message
jgruen
n00b
n00b


Joined: 06 Sep 2005
Posts: 23

PostPosted: Sat Oct 05, 2013 2:20 am    Post subject: [solved]: su gives me root with wrong or empty password Reply with quote

I typed su today, then CTRL+C, because I did not mean to. It dropped me to a root prompt. I exited, typed su, then typed some random garbage and it gave me the root prompt. I Google'd, but I cannot formulate this in a way that produces anything relevant. I assume I must have something messed up in PAM. I have LDAP authentication for all logins and Google Authenticator on SSH sessions. root should not be an LDAP account, but it does hit me that I did not ensure that no root object was in LDAP. Maybe one made it and it has no password or something is messed up there and giving the OK to every login.

I just tried to test that last thought. I su'd to another account, typed garbage and it let me right in. An account with wheel access still cannot get elevated to root, but I can log in to a console without typing my correct password. Thankfully I have 2FA on SSH, but I am at a loss what I am missing here. I will go digging in PAM, but if you have any thoughts, I would really appreciate them.

Thank you in advance.


Last edited by jgruen on Mon Oct 14, 2013 1:05 pm; edited 1 time in total
Back to top
View user's profile Send private message
Hu
Watchman
Watchman


Joined: 06 Mar 2007
Posts: 8940

PostPosted: Sat Oct 05, 2013 2:24 pm    Post subject: Reply with quote

Since you suspect PAM, please post the output of cat -n pam-configuration-file for all relevant PAM files. We can review them against a machine which does not exhibit this behaviour. You may also find it useful to use equery check to identify any PAM files that are different from what Gentoo installs by default.
Back to top
View user's profile Send private message
jgruen
n00b
n00b


Joined: 06 Sep 2005
Posts: 23

PostPosted: Fri Oct 11, 2013 4:16 am    Post subject: Reply with quote

Thank you for the response and sorry for the delay in getting back. (Fixed my attempts at pasting. I might have been tired enough to pasted the same thing 3 times.)

system-auth:
Code:
     1  auth            required        pam_env.so
     2  auth            sufficient      pam_ldap.so use_first_pass
     3  auth            sufficient      pam_unix.so try_first_pass likeauth nullok
     4  auth            optional        pam_permit.so
     5   
     6  account         sufficient      pam_ldap.so
     7  account         required        pam_unix.so
     8  account         optional        pam_permit.so
     9   
    10  password        required        pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
    11  password        sufficient      pam_ldap.so use_authtok use_first_pass
    12  password        sufficient      pam_unix.so try_first_pass use_authtok nullok sha512 shadow
    13  password        optional        pam_permit.so
    14   
    15  session         required        pam_limits.so
    16  session         required        pam_env.so
    17  session         required        pam_unix.so
    18  session         optional        pam_permit.so
    19  session         optional        pam_ldap.so


system-login:
Code:
     1  auth            required        pam_tally2.so onerr=succeed
     2  auth            required        pam_shells.so
     3  auth            required        pam_nologin.so
     4  auth            include         system-auth
     5   
     6  account         required        pam_access.so
     7  account         required        pam_nologin.so
     8  account         include         system-auth
     9  account         required        pam_tally2.so onerr=succeed
    10   
    11  password        include         system-auth
    12   
    13  session         optional        pam_loginuid.so
    14  session         required        pam_env.so
    15  session         optional        pam_lastlog.so
    16  session         include         system-auth
    17  session         optional        pam_ck_connector.so nox11
    18  session         optional        pam_motd.so motd=/etc/motd
    19  session         optional        pam_mail.so
    20   


sshd
Code:
     1  auth       required     pam_google_authenticator.so
     2
     3  auth       include      system-remote-login
     4  account    include      system-remote-login
     5  password   include      system-remote-login
     6  session    include      system-remote-login


I am guessing there may be an issue in the system-auth, as everything ends up there. Though I cannot rule out system-login. Those files have not changed for over a year and I do not think this was an issue a month ago. I add radiusd at the beginning of September, but it was for a firewall and not being used for authentication on the server, so it did not change the system pam files:
Code:

-rw-r--r--   1 root root   328 Sep  2 12:08 radiusd
-rw-r--r--   1 root root   160 Apr 30 23:21 saslauthd
-rw-r--r--   1 root root    77 Aug  8  2012 screen
-rw-r--r--   1 root root   152 May 12 21:17 shadow
-rw-r--r--   1 root root   109 May  9 08:46 sieve
-rw-r--r--   1 root root   106 May  9 08:45 smtp
-rw-r--r--   1 root root   203 Jun 26 11:14 sshd
-rw-r--r--   1 root root    63 Mar 23  2013 start-stop-daemon
-rw-r--r--   1 root root  1059 May 12 21:17 su
-rw-r--r--   1 root root   671 Aug 12  2012 system-auth
-rw-r--r--   1 root root   121 Aug  7  2012 system-local-login
-rw-r--r--   1 root root   579 Aug  7  2012 system-login
-rw-r--r--   1 root root   121 Aug  7  2012 system-remote-login
-rw-r--r--   1 root root   235 Aug  7  2012 system-services


equery check sys-libs/*
Code:
* Checking sys-libs/cracklib-2.8.19 ...
   36 out of 36 files passed
* Checking sys-libs/db-4.8.30 ...
   43 out of 43 files passed
* Checking sys-libs/e2fsprogs-libs-1.42.7 ...
   35 out of 35 files passed
* Checking sys-libs/gdbm-1.8.3-r4 ...
   28 out of 28 files passed
* Checking sys-libs/glibc-2.15-r3 ...
!!! /etc/locale.gen has incorrect MD5sum
!!! /etc/nsswitch.conf has incorrect MD5sum
   1799 out of 1801 files passed
* Checking sys-libs/gpm-1.20.6 ...
!!! /etc/conf.d/gpm has wrong mtime (is 1367854406, should be 1340325382)
   54 out of 55 files passed
* Checking sys-libs/libavc1394-0.5.4 ...
   32 out of 32 files passed
* Checking sys-libs/libcap-2.22 ...
   60 out of 60 files passed
* Checking sys-libs/libcap-ng-0.6.6 ...
   56 out of 56 files passed
* Checking sys-libs/libieee1284-0.2.11-r2 ...
   68 out of 68 files passed
* Checking sys-libs/libraw1394-2.0.8 ...
   30 out of 30 files passed
* Checking sys-libs/libseccomp-1.0.1 ...
   33 out of 33 files passed
* Checking sys-libs/libutempter-1.1.5 ...
   17 out of 17 files passed
* Checking sys-libs/mtdev-1.1.3 ...
   18 out of 18 files passed
* Checking sys-libs/ncurses-5.9-r2 ...
   3675 out of 3675 files passed
* Checking sys-libs/pam-1.1.6-r2 ...
   355 out of 355 files passed
* Checking sys-libs/readline-6.2_p1 ...
   61 out of 61 files passed
* Checking sys-libs/timezone-data-2013b ...
   1845 out of 1845 files passed
* Checking sys-libs/zlib-1.2.7 ...
   38 out of 38 files passed


Since it brought up nsswitch.conf:
Code:
     1  #ident $Id: nsswitch.ldap,v 2.4 2003/10/02 02:36:25 lukeh Exp $
     2  #
     3  # An example file that could be copied over to /etc/nsswitch.conf; it
     4  # uses LDAP conjunction with files.
     5  #
     6  # "hosts:" and "services:" in this file are used only if the
     7  # /etc/netconfig file has a "-" for nametoaddr_libs of "inet" transports.
     8
     9  # the following two lines obviate the "+" entry in /etc/passwd and /etc/group.
    10  passwd:         files ldap
    11  group:          files ldap
    12
    13  # consult files/dns first, we will need it to resolve the LDAP host. (If we
    14  # can't resolve it, we're in infinite recursion, because libldap calls
    15  # gethostbyname(). Careful!)
    16  hosts:          files dns #ldap
    17
    18  # LDAP is nominally authoritative for the following maps.
    19  services:   files
    20  networks:   files
    21  protocols:  files
    22  rpc:        files
    23  ethers:     files
    24
    25  # no support for netmasks, bootparams, publickey yet.
    26  netmasks:   files
    27  bootparams: files
    28  publickey:  files
    29  automount:  files
    30
    31  # I'm pretty sure nsswitch.conf is consulted directly by sendmail,
    32  # here, so we can't do much here. Instead, use bbense's LDAP
    33  # rules ofr sendmail.
    34  aliases:    files
    35  sendmailvars:   files
    36
    37  # Note: there is no support for netgroups on Solaris (yet)
    38  netgroup:   files
 


Hopefully someone spots something. Despite my delay in getting back, this is bothering me a lot and if not for a mountain of other issues, I would be on it.

Thank you again and I much appreciate any thought on this issue.
Back to top
View user's profile Send private message
jgruen
n00b
n00b


Joined: 06 Sep 2005
Posts: 23

PostPosted: Fri Oct 11, 2013 4:29 am    Post subject: Reply with quote

I do not know if this helps, but here is the messages I get when I do an su and press enter:
Code:
Oct 10 23:21:49 [su] pam_unix(su:auth): authentication failure; logname=xxmy_userxx uid=1001 euid=0 tty=/dev/pts/1 ruser=xxmy_userxx rhost=  user=root
Oct 10 23:21:49 [su] Successful su for root by xxmy_userxx
Oct 10 23:21:49 [su] + /dev/pts/1 xxmy_userxx:root
Oct 10 23:21:49 [su] pam_unix(su:session): session opened for user root by xxmy_userxx(uid=1001)


I do not think it is an su problem, as I can log in to a bash console, Display Manager and SSH (providing my correct Auth Token) without using any password.

Here is a login at tty2:
Code:
Oct 10 23:26:43 [login] pam_unix(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=/dev/tty2 ruser= rhost=  user=xxmy_userxx
Oct 10 23:26:43 [login] pam_unix(login:session): session opened for user xxmy_userxx by LOGIN(uid=0)
Back to top
View user's profile Send private message
PaulBredbury
Watchman
Watchman


Joined: 14 Jul 2005
Posts: 7310

PostPosted: Fri Oct 11, 2013 5:44 am    Post subject: Reply with quote

You should have a /etc/pam.d/su file - here's an example:

Code:
#%PAM-1.0
auth        sufficient  pam_rootok.so

# http://forums.gentoo.org/viewtopic-p-7112394.html#7112394
# Uncomment the following line to implicitly trust users in the "wheel" group
auth        sufficient  pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group
auth        required    pam_wheel.so use_uid

auth        include     system-auth
account     sufficient  pam_succeed_if.so uid = 0 use_uid quiet
account     include     system-auth
password    include     system-auth
session     include     system-auth
session     optional    pam_xauth.so
Back to top
View user's profile Send private message
jgruen
n00b
n00b


Joined: 06 Sep 2005
Posts: 23

PostPosted: Fri Oct 11, 2013 1:39 pm    Post subject: Reply with quote

It is not limited to su, though that is where I first discovered the issue and therefore named this post.

Here is my /etc/pam.d/su:
Code:
     1  #%PAM-1.0
     2
     3  auth       sufficient   pam_rootok.so
     4
     5  # If you want to restrict users begin allowed to su even more,
     6  # create /etc/security/suauth.allow (or to that matter) that is only
     7  # writable by root, and add users that are allowed to su to that
     8  # file, one per line.
     9  #auth       required     pam_listfile.so item=ruser sense=allow onerr=fail file=/etc/security/suauth.allow
    10
    11  # Uncomment this to allow users in the wheel group to su without
    12  # entering a passwd.
    13  #auth       sufficient   pam_wheel.so use_uid trust
    14
    15  # Alternatively to above, you can implement a list of users that do
    16  # not need to supply a passwd with a list.
    17  #auth       sufficient   pam_listfile.so item=ruser sense=allow onerr=fail file=/etc/security/suauth.nopass
    18
    19  # Comment this to allow any user, even those not in the 'wheel'
    20  # group to su
    21  auth       required     pam_wheel.so use_uid
    22
    23  auth       include              system-auth
    24
    25  account    include              system-auth
    26
    27  password   include              system-auth
    28
    29  session    include              system-auth
    30  session    required     pam_env.so
    31  session    optional             pam_xauth.so
    32


Here is me logging in via SSH. It did not like my 2FA token the first time and rejected me, the 2nd attempt, it let me in. Both times my password was incorrect.
Code:
Oct 11 08:23:08 [sshd] SSH: Server;Ltype: Version;Remote: 192.168.xx.xx-65469;Protocol: 2.0;Client: PuTTY_Release_0.60
Oct 11 08:23:08 [sshd] SSH: Server;Ltype: Kex;Remote: 192.168.xx.xx-65469;Enc: aes256-ctr;MAC: hmac-sha1;Comp: none [preauth]
Oct 11 08:23:14 [sshd] SSH: Server;Ltype: Authname;Remote: 192.168.xx.xx-65469;Name: xxmy_userxx [preauth]
Oct 11 08:23:22 [sshd(pam_google_authenticator)] Invalid verification code
Oct 11 08:23:24 [sshd] pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.xx.xx  user=xxmy_userxx
Oct 11 08:23:26 [sshd] error: PAM: Cannot make/remove an entry for the specified session for xxmy_userxx from 192.168.xx.xx
Oct 11 08:23:48 [sshd] pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.xx.xx  user=xxmy_userxx
Oct 11 08:23:48 [sshd] Accepted keyboard-interactive/pam for xxmy_userxx from 192.168.xx.xx port 65469 ssh2
Oct 11 08:23:48 [sshd] pam_unix(sshd:session): session opened for user xxmy_userxx by (uid=0)


Is there some more debugging I can turn on? I am going to research that, as I have time. Not sure I have a good direction to go here, but that might turn up something. Thank you.
Back to top
View user's profile Send private message
jgruen
n00b
n00b


Joined: 06 Sep 2005
Posts: 23

PostPosted: Fri Oct 11, 2013 6:40 pm    Post subject: Reply with quote

In trying to troubleshoot this further, even SASL authenticating against the LDAP tree authenticates successfully with the wrong password. I did, since my last post, upgrade OpenLDAP, as it is segfaulting whenever I try to delete or change information. At least with the latest PHPLDAPAdmin or ldapdelete. It still segfaults after the update.
Code:
[577421.967659] slapd[20590]: segfault at 7fb42aee25a7 ip 00007fb32a414362 sp 00007fb30ee94520 error 6 in libdb-4.8.so[7fb32a2c5000+190000]


That is probably a different issue and different ticket. But it does seem that at the LDAP layer, authentication is working properly. If I type in the wrong password, it gives me "Invalid Credentials (49)". So despite the OpenLDAP issues, it seems to be an issue with SASL and PAM. Seems unlikely to be both. I am just not sure what is the common piece, other than they both authenticate against LDAP.

I am learning a lot about PAM in the process. I never really paid it much attention, but it now strikes me that it is one more place I can really lock down the authentication on my box... Once I get it so it does not authenticate every password.
Back to top
View user's profile Send private message
jgruen
n00b
n00b


Joined: 06 Sep 2005
Posts: 23

PostPosted: Fri Oct 11, 2013 9:32 pm    Post subject: Possibly Solved Reply with quote

I upgraded sys-libs/pambase and replaced most, but not all, of my pam scripts. I also remerged sys-libs/pam and upgraded sys-apps/shadow. The issue seems to be resolved. All the authentication that I have tested so far seems to be working. I am going to leave this out for a day and try and thoroughly test all scenarios and then I will mark it solved. In case it was the system-auth file, here is the new one:
Code:
auth            required        pam_env.so
auth            required        pam_unix.so try_first_pass likeauth nullok
auth            optional        pam_permit.so

account         required        pam_unix.so
account         optional        pam_permit.so

password        required        pam_cracklib.so difok=2 minlen=8 dcredit=2 ocre$
password        required        pam_unix.so try_first_pass use_authtok nullok s$
password        optional        pam_permit.so

session         required        pam_limits.so
session         required        pam_env.so
session         required        pam_unix.so
session         optional        pam_permit.so
Back to top
View user's profile Send private message
Hu
Watchman
Watchman


Joined: 06 Mar 2007
Posts: 8940

PostPosted: Fri Oct 11, 2013 9:46 pm    Post subject: Reply with quote

Your working configuration is missing pam_ldap.so. Given your other comments about OpenLDAP problems, perhaps it was improperly returning success in some error case.
Back to top
View user's profile Send private message
jgruen
n00b
n00b


Joined: 06 Sep 2005
Posts: 23

PostPosted: Sat Oct 12, 2013 10:23 pm    Post subject: Reply with quote

I learned in my research, that with NSS setup for LDAP and 'getent shadow' returning all of the LDAP users, I really do not need to tie PAM to LDAP. I do wonder if there is a version mismatch and that something might be generating an error, but on error, it is giving a success message. I am going to rebuild sys-auth/pam_ldap, as it has not been reinstalled since 8/11/2012, and test it, just because I am curious. I am not sure when I will get to it. I had hoped today, but the day is already too packed.

Everything does seem to be working as it should. Thank you for all of your thoughts on the matter.
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Networking & Security All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum