| View previous topic :: View next topic |
| Author |
Message |
jgruen
n00b
Joined: 06 Sep 2005
Posts: 23
|
 Posted: Sat Oct 05, 2013 2:20 am Post subject: [solved]: su gives me root with wrong or empty password |
 |
|
I typed su today, then CTRL+C, because I did not mean to. It dropped me to a root prompt. I exited, typed su, then typed some random garbage and it gave me the root prompt. I Google'd, but I cannot formulate this in a way that produces anything relevant. I assume I must have something messed up in PAM. I have LDAP authentication for all logins and Google Authenticator on SSH sessions. root should not be an LDAP account, but it does hit me that I did not ensure that no root object was in LDAP. Maybe one made it and it has no password or something is messed up there and giving the OK to every login.
I just tried to test that last thought. I su'd to another account, typed garbage and it let me right in. An account with wheel access still cannot get elevated to root, but I can log in to a console without typing my correct password. Thankfully I have 2FA on SSH, but I am at a loss what I am missing here. I will go digging in PAM, but if you have any thoughts, I would really appreciate them.
Thank you in advance.
Last edited by jgruen on Mon Oct 14, 2013 1:05 pm; edited 1 time in total |
|
| Back to top |
|
 |
Hu
Moderator
Joined: 06 Mar 2007
Posts: 21586
|
| Posted: Sat Oct 05, 2013 2:24 pm Post subject: |
|
|
| Since you suspect PAM, please post the output of cat -n pam-configuration-file for all relevant PAM files. We can review them against a machine which does not exhibit this behaviour. You may also find it useful to use equery check to identify any PAM files that are different from what Gentoo installs by default. |
|
| Back to top |
|
|
jgruen
n00b
Joined: 06 Sep 2005
Posts: 23
|
| Posted: Fri Oct 11, 2013 4:16 am Post subject: |
|
|
Thank you for the response and sorry for the delay in getting back. (Fixed my attempts at pasting. I might have been tired enough to pasted the same thing 3 times.)
system-auth:
| Code: | 1 auth required pam_env.so
2 auth sufficient pam_ldap.so use_first_pass
3 auth sufficient pam_unix.so try_first_pass likeauth nullok
4 auth optional pam_permit.so
5
6 account sufficient pam_ldap.so
7 account required pam_unix.so
8 account optional pam_permit.so
9
10 password required pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
11 password sufficient pam_ldap.so use_authtok use_first_pass
12 password sufficient pam_unix.so try_first_pass use_authtok nullok sha512 shadow
13 password optional pam_permit.so
14
15 session required pam_limits.so
16 session required pam_env.so
17 session required pam_unix.so
18 session optional pam_permit.so
19 session optional pam_ldap.so
|
system-login:
| Code: | 1 auth required pam_tally2.so onerr=succeed
2 auth required pam_shells.so
3 auth required pam_nologin.so
4 auth include system-auth
5
6 account required pam_access.so
7 account required pam_nologin.so
8 account include system-auth
9 account required pam_tally2.so onerr=succeed
10
11 password include system-auth
12
13 session optional pam_loginuid.so
14 session required pam_env.so
15 session optional pam_lastlog.so
16 session include system-auth
17 session optional pam_ck_connector.so nox11
18 session optional pam_motd.so motd=/etc/motd
19 session optional pam_mail.so
20
|
sshd
| Code: | 1 auth required pam_google_authenticator.so
2
3 auth include system-remote-login
4 account include system-remote-login
5 password include system-remote-login
6 session include system-remote-login
|
I am guessing there may be an issue in the system-auth, as everything ends up there. Though I cannot rule out system-login. Those files have not changed for over a year and I do not think this was an issue a month ago. I add radiusd at the beginning of September, but it was for a firewall and not being used for authentication on the server, so it did not change the system pam files:
| Code: |
-rw-r--r-- 1 root root 328 Sep 2 12:08 radiusd
-rw-r--r-- 1 root root 160 Apr 30 23:21 saslauthd
-rw-r--r-- 1 root root 77 Aug 8 2012 screen
-rw-r--r-- 1 root root 152 May 12 21:17 shadow
-rw-r--r-- 1 root root 109 May 9 08:46 sieve
-rw-r--r-- 1 root root 106 May 9 08:45 smtp
-rw-r--r-- 1 root root 203 Jun 26 11:14 sshd
-rw-r--r-- 1 root root 63 Mar 23 2013 start-stop-daemon
-rw-r--r-- 1 root root 1059 May 12 21:17 su
-rw-r--r-- 1 root root 671 Aug 12 2012 system-auth
-rw-r--r-- 1 root root 121 Aug 7 2012 system-local-login
-rw-r--r-- 1 root root 579 Aug 7 2012 system-login
-rw-r--r-- 1 root root 121 Aug 7 2012 system-remote-login
-rw-r--r-- 1 root root 235 Aug 7 2012 system-services
|
equery check sys-libs/*
| Code: | * Checking sys-libs/cracklib-2.8.19 ...
36 out of 36 files passed
* Checking sys-libs/db-4.8.30 ...
43 out of 43 files passed
* Checking sys-libs/e2fsprogs-libs-1.42.7 ...
35 out of 35 files passed
* Checking sys-libs/gdbm-1.8.3-r4 ...
28 out of 28 files passed
* Checking sys-libs/glibc-2.15-r3 ...
!!! /etc/locale.gen has incorrect MD5sum
!!! /etc/nsswitch.conf has incorrect MD5sum
1799 out of 1801 files passed
* Checking sys-libs/gpm-1.20.6 ...
!!! /etc/conf.d/gpm has wrong mtime (is 1367854406, should be 1340325382)
54 out of 55 files passed
* Checking sys-libs/libavc1394-0.5.4 ...
32 out of 32 files passed
* Checking sys-libs/libcap-2.22 ...
60 out of 60 files passed
* Checking sys-libs/libcap-ng-0.6.6 ...
56 out of 56 files passed
* Checking sys-libs/libieee1284-0.2.11-r2 ...
68 out of 68 files passed
* Checking sys-libs/libraw1394-2.0.8 ...
30 out of 30 files passed
* Checking sys-libs/libseccomp-1.0.1 ...
33 out of 33 files passed
* Checking sys-libs/libutempter-1.1.5 ...
17 out of 17 files passed
* Checking sys-libs/mtdev-1.1.3 ...
18 out of 18 files passed
* Checking sys-libs/ncurses-5.9-r2 ...
3675 out of 3675 files passed
* Checking sys-libs/pam-1.1.6-r2 ...
355 out of 355 files passed
* Checking sys-libs/readline-6.2_p1 ...
61 out of 61 files passed
* Checking sys-libs/timezone-data-2013b ...
1845 out of 1845 files passed
* Checking sys-libs/zlib-1.2.7 ...
38 out of 38 files passed
|
Since it brought up nsswitch.conf:
| Code: | 1 #ident $Id: nsswitch.ldap,v 2.4 2003/10/02 02:36:25 lukeh Exp $
2 #
3 # An example file that could be copied over to /etc/nsswitch.conf; it
4 # uses LDAP conjunction with files.
5 #
6 # "hosts:" and "services:" in this file are used only if the
7 # /etc/netconfig file has a "-" for nametoaddr_libs of "inet" transports.
8
9 # the following two lines obviate the "+" entry in /etc/passwd and /etc/group.
10 passwd: files ldap
11 group: files ldap
12
13 # consult files/dns first, we will need it to resolve the LDAP host. (If we
14 # can't resolve it, we're in infinite recursion, because libldap calls
15 # gethostbyname(). Careful!)
16 hosts: files dns #ldap
17
18 # LDAP is nominally authoritative for the following maps.
19 services: files
20 networks: files
21 protocols: files
22 rpc: files
23 ethers: files
24
25 # no support for netmasks, bootparams, publickey yet.
26 netmasks: files
27 bootparams: files
28 publickey: files
29 automount: files
30
31 # I'm pretty sure nsswitch.conf is consulted directly by sendmail,
32 # here, so we can't do much here. Instead, use bbense's LDAP
33 # rules ofr sendmail.
34 aliases: files
35 sendmailvars: files
36
37 # Note: there is no support for netgroups on Solaris (yet)
38 netgroup: files
|
Hopefully someone spots something. Despite my delay in getting back, this is bothering me a lot and if not for a mountain of other issues, I would be on it.
Thank you again and I much appreciate any thought on this issue. |
|
| Back to top |
|
|
jgruen
n00b
Joined: 06 Sep 2005
Posts: 23
|
| Posted: Fri Oct 11, 2013 4:29 am Post subject: |
|
|
I do not know if this helps, but here is the messages I get when I do an su and press enter:
| Code: | Oct 10 23:21:49 [su] pam_unix(su:auth): authentication failure; logname=xxmy_userxx uid=1001 euid=0 tty=/dev/pts/1 ruser=xxmy_userxx rhost= user=root
Oct 10 23:21:49 [su] Successful su for root by xxmy_userxx
Oct 10 23:21:49 [su] + /dev/pts/1 xxmy_userxx:root
Oct 10 23:21:49 [su] pam_unix(su:session): session opened for user root by xxmy_userxx(uid=1001) |
I do not think it is an su problem, as I can log in to a bash console, Display Manager and SSH (providing my correct Auth Token) without using any password.
Here is a login at tty2:
| Code: | Oct 10 23:26:43 [login] pam_unix(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=/dev/tty2 ruser= rhost= user=xxmy_userxx
Oct 10 23:26:43 [login] pam_unix(login:session): session opened for user xxmy_userxx by LOGIN(uid=0) |
|
|
| Back to top |
|
|
PaulBredbury
Watchman
Joined: 14 Jul 2005
Posts: 7310
|
| Posted: Fri Oct 11, 2013 5:44 am Post subject: |
|
|
You should have a /etc/pam.d/su file - here's an example:
| Code: | #%PAM-1.0
auth sufficient pam_rootok.so
# http://forums.gentoo.org/viewtopic-p-7112394.html#7112394
# Uncomment the following line to implicitly trust users in the "wheel" group
auth sufficient pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group
auth required pam_wheel.so use_uid
auth include system-auth
account sufficient pam_succeed_if.so uid = 0 use_uid quiet
account include system-auth
password include system-auth
session include system-auth
session optional pam_xauth.so |
|
|
| Back to top |
|
|
jgruen
n00b
Joined: 06 Sep 2005
Posts: 23
|
| Posted: Fri Oct 11, 2013 1:39 pm Post subject: |
|
|
It is not limited to su, though that is where I first discovered the issue and therefore named this post.
Here is my /etc/pam.d/su:
| Code: | 1 #%PAM-1.0
2
3 auth sufficient pam_rootok.so
4
5 # If you want to restrict users begin allowed to su even more,
6 # create /etc/security/suauth.allow (or to that matter) that is only
7 # writable by root, and add users that are allowed to su to that
8 # file, one per line.
9 #auth required pam_listfile.so item=ruser sense=allow onerr=fail file=/etc/security/suauth.allow
10
11 # Uncomment this to allow users in the wheel group to su without
12 # entering a passwd.
13 #auth sufficient pam_wheel.so use_uid trust
14
15 # Alternatively to above, you can implement a list of users that do
16 # not need to supply a passwd with a list.
17 #auth sufficient pam_listfile.so item=ruser sense=allow onerr=fail file=/etc/security/suauth.nopass
18
19 # Comment this to allow any user, even those not in the 'wheel'
20 # group to su
21 auth required pam_wheel.so use_uid
22
23 auth include system-auth
24
25 account include system-auth
26
27 password include system-auth
28
29 session include system-auth
30 session required pam_env.so
31 session optional pam_xauth.so
32 |
Here is me logging in via SSH. It did not like my 2FA token the first time and rejected me, the 2nd attempt, it let me in. Both times my password was incorrect.
| Code: | Oct 11 08:23:08 [sshd] SSH: Server;Ltype: Version;Remote: 192.168.xx.xx-65469;Protocol: 2.0;Client: PuTTY_Release_0.60
Oct 11 08:23:08 [sshd] SSH: Server;Ltype: Kex;Remote: 192.168.xx.xx-65469;Enc: aes256-ctr;MAC: hmac-sha1;Comp: none [preauth]
Oct 11 08:23:14 [sshd] SSH: Server;Ltype: Authname;Remote: 192.168.xx.xx-65469;Name: xxmy_userxx [preauth]
Oct 11 08:23:22 [sshd(pam_google_authenticator)] Invalid verification code
Oct 11 08:23:24 [sshd] pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.xx.xx user=xxmy_userxx
Oct 11 08:23:26 [sshd] error: PAM: Cannot make/remove an entry for the specified session for xxmy_userxx from 192.168.xx.xx
Oct 11 08:23:48 [sshd] pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.xx.xx user=xxmy_userxx
Oct 11 08:23:48 [sshd] Accepted keyboard-interactive/pam for xxmy_userxx from 192.168.xx.xx port 65469 ssh2
Oct 11 08:23:48 [sshd] pam_unix(sshd:session): session opened for user xxmy_userxx by (uid=0) |
Is there some more debugging I can turn on? I am going to research that, as I have time. Not sure I have a good direction to go here, but that might turn up something. Thank you. |
|
| Back to top |
|
|
jgruen
n00b
Joined: 06 Sep 2005
Posts: 23
|
| Posted: Fri Oct 11, 2013 6:40 pm Post subject: |
|
|
In trying to troubleshoot this further, even SASL authenticating against the LDAP tree authenticates successfully with the wrong password. I did, since my last post, upgrade OpenLDAP, as it is segfaulting whenever I try to delete or change information. At least with the latest PHPLDAPAdmin or ldapdelete. It still segfaults after the update.
| Code: | | [577421.967659] slapd[20590]: segfault at 7fb42aee25a7 ip 00007fb32a414362 sp 00007fb30ee94520 error 6 in libdb-4.8.so[7fb32a2c5000+190000] |
That is probably a different issue and different ticket. But it does seem that at the LDAP layer, authentication is working properly. If I type in the wrong password, it gives me "Invalid Credentials (49)". So despite the OpenLDAP issues, it seems to be an issue with SASL and PAM. Seems unlikely to be both. I am just not sure what is the common piece, other than they both authenticate against LDAP.
I am learning a lot about PAM in the process. I never really paid it much attention, but it now strikes me that it is one more place I can really lock down the authentication on my box... Once I get it so it does not authenticate every password. |
|
| Back to top |
|
|
jgruen
n00b
Joined: 06 Sep 2005
Posts: 23
|
| Posted: Fri Oct 11, 2013 9:32 pm Post subject: Possibly Solved |
|
|
I upgraded sys-libs/pambase and replaced most, but not all, of my pam scripts. I also remerged sys-libs/pam and upgraded sys-apps/shadow. The issue seems to be resolved. All the authentication that I have tested so far seems to be working. I am going to leave this out for a day and try and thoroughly test all scenarios and then I will mark it solved. In case it was the system-auth file, here is the new one:
| Code: | auth required pam_env.so
auth required pam_unix.so try_first_pass likeauth nullok
auth optional pam_permit.so
account required pam_unix.so
account optional pam_permit.so
password required pam_cracklib.so difok=2 minlen=8 dcredit=2 ocre$
password required pam_unix.so try_first_pass use_authtok nullok s$
password optional pam_permit.so
session required pam_limits.so
session required pam_env.so
session required pam_unix.so
session optional pam_permit.so
|
|
|
| Back to top |
|
|
Hu
Moderator
Joined: 06 Mar 2007
Posts: 21586
|
| Posted: Fri Oct 11, 2013 9:46 pm Post subject: |
|
|
| Your working configuration is missing pam_ldap.so. Given your other comments about OpenLDAP problems, perhaps it was improperly returning success in some error case. |
|
| Back to top |
|
|
jgruen
n00b
Joined: 06 Sep 2005
Posts: 23
|
| Posted: Sat Oct 12, 2013 10:23 pm Post subject: |
|
|
I learned in my research, that with NSS setup for LDAP and 'getent shadow' returning all of the LDAP users, I really do not need to tie PAM to LDAP. I do wonder if there is a version mismatch and that something might be generating an error, but on error, it is giving a success message. I am going to rebuild sys-auth/pam_ldap, as it has not been reinstalled since 8/11/2012, and test it, just because I am curious. I am not sure when I will get to it. I had hoped today, but the day is already too packed.
Everything does seem to be working as it should. Thank you for all of your thoughts on the matter. |
|
| Back to top |
|
|
|
|
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
|
|
Networking & Security
