View previous topic :: View next topic |
Author |
Message |
JumboAg Apprentice
Joined: 03 Mar 2007 Posts: 191 Location: Dallas, TX
|
Posted: Tue Feb 14, 2023 6:30 pm Post subject: possible sudo / pam / faillock timer discrepancy |
|
|
Got a weird one I noticed recently:
The first time I use sudo, works fine. Prompts me for my password like it should based on my sudoers configuration. I can immediately use it again w/o an issue (as it should).
If I try to use sudo several minutes later, it *SHOULD* prompt me to re-enter my password to reauthenticate and reset the cached permission. What its doing instead is not asking me, throwing a password error 3 times in a row and then the default faillock configuration is locking me out for 15 minutes.
My assumption is that I have a discrepancy somewhere in a timeout that's leading to a conflict.
Any ideas? |
|
Back to top |
|
|
alamahant Advocate
Joined: 23 Mar 2019 Posts: 3879
|
Posted: Tue Feb 14, 2023 7:02 pm Post subject: |
|
|
Plz post your
Code: |
/etc/pam.d/system-auth
|
and your sudoers entry for your user.
Also have you been playing with ldap and/or kerberos? _________________
|
|
Back to top |
|
|
JumboAg Apprentice
Joined: 03 Mar 2007 Posts: 191 Location: Dallas, TX
|
Posted: Tue Feb 14, 2023 7:08 pm Post subject: |
|
|
The only thing I change from the default in sudoers is giving everyone in the wheel group access to root:
Code: | %wheel ALL=(ALL:ALL) ALL |
system-auth
Code: |
auth required pam_env.so
auth requisite pam_faillock.so preauth
auth [success=1 default=ignore] pam_unix.so nullok try_first_pass
auth [default=die] pam_faillock.so authfail
account required pam_unix.so
account required pam_faillock.so
password required pam_unix.so try_first_pass nullok sha512 shadow
session required pam_limits.so
session required pam_env.so
session required pam_unix.so
|
I have changed nothing in ldap or kerberos. Gentoo rootfs but hybrid kernel (non- gentoo sources) |
|
Back to top |
|
|
alamahant Advocate
Joined: 23 Mar 2019 Posts: 3879
|
Posted: Tue Feb 14, 2023 7:18 pm Post subject: |
|
|
Maybe not relevant but mine
Code: |
auth required pam_env.so
auth requisite pam_faillock.so preauth
auth [success=1 default=ignore] pam_unix.so nullok try_first_pass
auth [default=die] pam_faillock.so authfail
account required pam_unix.so
account required pam_faillock.so
password required pam_passwdqc.so config=/etc/security/passwdqc.conf
password required pam_unix.so try_first_pass use_authtok nullok sha512 shadow
session required pam_limits.so
session required pam_env.so
session required pam_unix.so
|
has also the pw quality line
password required pam_passwdqc.so config=/etc/security/passwdqc.conf
Did you deliberately remove it?
Is your user member of wheel group?
Try switching to root and change your user passwd back and forth.
Also check /etc/passwd and /etc/shadow for weird things.
Also plz post your
Code: |
cat /etc/nsswitch.conf
and
grep -ir wheel /etc/pam.d
and
emerge -pv sudo
|
Try
Code: |
emerge -1av pam pambase sudo
|
_________________
|
|
Back to top |
|
|
JumboAg Apprentice
Joined: 03 Mar 2007 Posts: 191 Location: Dallas, TX
|
Posted: Tue Feb 14, 2023 7:53 pm Post subject: |
|
|
yes, my user is in the wheel group. Yes, I deliberately disabled the passwdqc use flag on this sytem. I will not re-enable it (for now at least) because I highly doubt its causing this. That use flag enables dictionary style complexity requirements for passwords creation. While I may attempt recompiling pambase eventually to rule it out, I'm not there yet.
nsswitch.conf
Code: |
#
# /etc/nsswitch.conf
#
# An example Name Service Switch config file. This file should be
# sorted with the most-used services at the beginning.
#
# Valid databases are: aliases, ethers, group, gshadow, hosts,
# initgroups, netgroup, networks, passwd, protocols, publickey,
# rpc, services, and shadow.
#
# Valid service provider entries include (in alphabetical order):
#
# compat Use /etc files plus *_compat pseudo-db
# db Use the pre-processed /var/db files
# dns Use DNS (Domain Name Service)
# files Use the local files in /etc
# hesiod Use Hesiod (DNS) for user lookups
#
# See `info libc 'NSS Basics'` for more information.
#
# Commonly used alternative service providers (may need installation):
#
# ldap Use LDAP directory server
# myhostname Use systemd host names
# mymachines Use systemd machine names
# mdns*, mdns*_minimal Use Avahi mDNS/DNS-SD
# resolve Use systemd resolved resolver
# sss Use System Security Services Daemon (sssd)
# systemd Use systemd for dynamic user option
# winbind Use Samba winbind support
# wins Use Samba wins support
# wrapper Use wrapper module for testing
#
# Notes:
#
# 'sssd' performs its own 'files'-based caching, so it should generally
# come before 'files'.
#
# WARNING: Running nscd with a secondary caching service like sssd may
# lead to unexpected behaviour, especially with how long
# entries are cached.
#
# Installation instructions:
#
# To use 'db', install the appropriate package(s) (provide 'makedb' and
# libnss_db.so.*), and place the 'db' in front of 'files' for entries
# you want to be looked up first in the databases, like this:
#
# passwd: db files
# shadow: db files
# group: db files
# In alphabetical order. Re-order as required to optimize peformance.
aliases: files
ethers: files
group: files
gshadow: files
hosts: files dns
# Allow initgroups to default to the setting for group.
# initgroups: files
netgroup: files
networks: files dns
passwd: files
protocols: files
publickey: files
rpc: files
shadow: files
services: files
|
Code: |
$ grep -ir wheel /etc/pam.d
/etc/pam.d/runuser:auth required pam_wheel.so use_uid
/etc/pam.d/su:auth required pam_wheel.so use_uid
|
Pambase use flags below. (aww... it's its birthday )
Code: |
sys-auth/pambase-20220214::gentoo USE="elogind* nullok sha512 -caps -debug -gnome-keyring -homed -minimal -mktemp (-pam_krb5) (-pam_ssh) -passwdqc -pwhistory -pwquality -securetty (-selinux) -systemd -yescrypt"
|
|
|
Back to top |
|
|
pjp Administrator
Joined: 16 Apr 2002 Posts: 20067
|
Posted: Tue Feb 14, 2023 9:36 pm Post subject: |
|
|
JumboAg wrote: | Yes, I deliberately disabled the passwdqc use flag on this sytem. I will not re-enable it (for now at least) because I highly doubt its causing this. | That may not be the cause, but there is one very quick an easy way to eliminate that as the possible cause. _________________ Quis separabit? Quo animo? |
|
Back to top |
|
|
pingtoo l33t
Joined: 10 Sep 2021 Posts: 926 Location: Richmond Hill, Canada
|
Posted: Tue Feb 14, 2023 10:30 pm Post subject: |
|
|
JumboAg,
what version your sudo? there are changes specific for sudo + pam.
How your 2nd or any subsequent sudo invoked? on same shell session? on same tty? Because sudo use a timestamp file to cache. and the timestamp have information for where and when. So it need to match the timestamp in order for sudo to know if auth request need to start.
Depend on you goal on how you wish sudo behaves there are few options- If you just wish continue sudo without prompt for password before auth timeout you can try
- run "sudo -v" to extent the cache.
- setup pam_timestamp module which is design to work with sudo
man pam_timestamp: | PAM_TIMESTAMP(8) Linux-PAM Manual PAM_TIMESTAMP(8)
NAME
pam_timestamp - Authenticate using cached successful authentication
attempts
SYNOPSIS
pam_timestamp.so [timestampdir=directory] [timestamp_timeout=number]
[verbose] [debug]
DESCRIPTION
In a nutshell, pam_timestamp caches successful authentication attempts,
and allows you to use a recent successful attempt as the basis for
authentication. This is similar mechanism which is used in sudo. |
You just want sudo prompt for password after cache expired.- You need to review your /etc/sudoers for options
- pam_service -- PAM "service name" will be use if pam_login_service is not defined. default is 'sudo'
- pam_login_service -- PAM "service name" used for configure PAM with sudo
- timestamp_timeout -- Number of minutes that can elapse before sudo will ask for a password again
- noninteractive_auth -- should be off and default is off
- pam_acct_mgmt -- this is something to play with. It may help for changing the password prompting problem.
- We can discuss more if you consider above and just want to try different things.
|
|
Back to top |
|
|
JumboAg Apprentice
Joined: 03 Mar 2007 Posts: 191 Location: Dallas, TX
|
Posted: Wed Feb 15, 2023 1:56 pm Post subject: |
|
|
I'm looking for option 2. I have no problem reauthenticating after a timer expires. It's just not prompting me to reenter my credentials when it does.
Code: | Sudo version 1.9.12p2
Configure options: --prefix=/usr --build=aarch64-unknown-linux-gnu --host=aarch64-unknown-linux-gnu --mandir=/usr/share/man --infodir=/usr/share/info --datadir=/usr/share --sysconfdir=/etc --localstatedir=/var/lib --datarootdir=/usr/share --disable-static --docdir=/usr/share/doc/sudo-1.9.12_p2 --htmldir=/usr/share/doc/sudo-1.9.12_p2/html --with-sysroot=/ --libdir=/usr/lib64 --disable-hardening --disable-python --enable-tmpfiles.d=/usr/lib/tmpfiles.d --enable-zlib=system --with-editor=/usr/libexec/editor --with-env-editor --with-plugindir=/usr/lib64/sudo --with-rundir=/run/sudo --with-vardir=/var/db/sudo --without-linux-audit --without-opie --disable-gcrypt --enable-nls --disable-sasl --enable-openssl --without-ldap --without-ldap_conf_file --without-insults --without-all-insults --with-pam --with-pam-login --with-secure-path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/bin --without-selinux --with-sendmail --without-skey --without-sssd
Sudoers policy plugin version 1.9.12p2
Sudoers file grammar version 48
Sudoers path: /etc/sudoers
Authentication methods: 'pam'
Syslog facility if syslog is being used for logging: authpriv
Syslog priority to use when user authenticates successfully: notice
Syslog priority to use when user authenticates unsuccessfully: alert
Send mail if the user is not in sudoers
Lecture user the first time they run sudo
Require users to authenticate by default
Root may run sudo
Allow some information gathering to give useful error messages
Visudo will honor the EDITOR environment variable
Set the LOGNAME and USER environment variables
Length at which to wrap log file lines (0 for no wrap): 80
Authentication timestamp timeout: 5.0 minutes
Password prompt timeout: 5.0 minutes
Number of tries to enter a password: 3
Umask to use or 0777 to use user's: 022
Path to mail program: /usr/sbin/sendmail
Flags for mail program: -t
Address to send mail to: root
Subject line for mail messages: *** SECURITY information for %h ***
Incorrect password message: Sorry, try again.
Path to lecture status dir: /var/db/sudo/lectured
Path to authentication timestamp dir: /run/sudo/ts
Default password prompt: Password:
Default user to run commands as: root
Value to override user's $PATH with: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/bin
Path to the editor for use by visudo: /usr/libexec/editor
When to require a password for 'list' pseudocommand: any
When to require a password for 'verify' pseudocommand: all
File descriptors >= 3 will be closed before executing a command
Reset the environment to a default set of variables
Environment variables to check for safety:
TZ
TERM
LINGUAS
LC_*
LANGUAGE
LANG
COLORTERM
Environment variables to remove:
*=()*
RUBYOPT
RUBYLIB
PYTHONUSERBASE
PYTHONINSPECT
PYTHONPATH
PYTHONHOME
TMPPREFIX
ZDOTDIR
READNULLCMD
NULLCMD
FPATH
PERL5DB
PERL5OPT
PERL5LIB
PERLLIB
PERLIO_DEBUG
JAVA_TOOL_OPTIONS
SHELLOPTS
BASHOPTS
GLOBIGNORE
PS4
BASH_ENV
ENV
TERMCAP
TERMPATH
TERMINFO_DIRS
TERMINFO
_RLD*
LD_*
PATH_LOCALE
NLSPATH
HOSTALIASES
RES_OPTIONS
LOCALDOMAIN
CDPATH
IFS
Environment variables to preserve:
XDG_CURRENT_DESKTOP
XAUTHORIZATION
XAUTHORITY
PS2
PS1
PATH
LS_COLORS
KRB5CCNAME
HOSTNAME
DISPLAY
COLORS
Locale to use while parsing sudoers: C
Compress I/O logs using zlib
Directory in which to store input/output logs: /var/log/sudo-io
File in which to store the input/output log: %{seq}
Add an entry to the utmp/utmpx file when allocating a pty
PAM service name to use: sudo
PAM service name to use for login shells: sudo-i
Attempt to establish PAM credentials for the target user
Create a new PAM session for the command to run in
Perform PAM account validation management
Enable sudoers netgroup support
Check parent directories for writability when editing files with sudoedit
Allow commands to be run even if sudo cannot write to the audit log
Allow commands to be run even if sudo cannot write to the log file
Log entries larger than this value will be split into multiple syslog messages: 960
File mode to use for the I/O log files: 0600
Execute commands by file descriptor instead of by path: digest_only
Type of authentication timestamp record: tty
Ignore case when matching user names
Ignore case when matching group names
Log when a command is allowed by sudoers
Log when a command is denied by sudoers
Sudo log server timeout in seconds: 30
Enable SO_KEEPALIVE socket option on the socket connected to the logserver
Verify that the log server's certificate is valid
Set the pam remote user to the user running sudo
The format of logs to produce: sudo
Allow an intercepted command to run set setuid or setgid programs
The largest size core dump file that may be created (in bytes): 0,0
Store plaintext passwords in I/O log input
List of regular expressions to use when matching a password prompt
[Pp]assword[: ]*
The mechanism used by the intercept and log_subcmds options: trace
Attempt to verify the command and arguments after execution
Local IP address and netmask pairs:
192.168.86.6/255.255.255.0
Sudoers I/O plugin version 1.9.12p2
Sudoers audit plugin version 1.9.12p2
|
Code: |
## sudoers file.
##
## This file MUST be edited with the 'visudo' command as root.
## Failure to use 'visudo' may result in syntax or file permission errors
## that prevent sudo from running.
##
## See the sudoers man page for the details on how to write a sudoers file.
##
##
## Host alias specification
##
## Groups of machines. These may include host names (optionally with wildcards),
## IP addresses, network numbers or netgroups.
# Host_Alias WEBSERVERS = www1, www2, www3
##
## User alias specification
##
## Groups of users. These may consist of user names, uids, Unix groups,
## or netgroups.
# User_Alias ADMINS = millert, dowdy, mikef
##
## Cmnd alias specification
##
## Groups of commands. Often used to group related commands together.
# Cmnd_Alias PROCESSES = /usr/bin/nice, /bin/kill, /usr/bin/renice, \
# /usr/bin/pkill, /usr/bin/top
# Cmnd_Alias REBOOT = /sbin/halt, /sbin/reboot, /sbin/poweroff
##
## Defaults specification
##
## You may wish to keep some of the following environment variables
## when running commands via sudo.
##
## Locale settings
# Defaults env_keep += "LANG LANGUAGE LINGUAS LC_* _XKB_CHARSET"
##
## Run X applications through sudo; HOME is used to find the
## .Xauthority file. Note that other programs use HOME to find
## configuration files and this may lead to privilege escalation!
# Defaults env_keep += "HOME"
##
## X11 resource path settings
# Defaults env_keep += "XAPPLRESDIR XFILESEARCHPATH XUSERFILESEARCHPATH"
##
## Desktop path settings
# Defaults env_keep += "QTDIR KDEDIR"
##
## Allow sudo-run commands to inherit the callers' ConsoleKit session
# Defaults env_keep += "XDG_SESSION_COOKIE"
##
## Uncomment to enable special input methods. Care should be taken as
## this may allow users to subvert the command being run via sudo.
# Defaults env_keep += "XMODIFIERS GTK_IM_MODULE QT_IM_MODULE QT_IM_SWITCHER"
##
## Uncomment to use a hard-coded PATH instead of the user's to find commands
# Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
##
## Uncomment to send mail if the user does not enter the correct password.
# Defaults mail_badpass
##
## Uncomment to enable logging of a command's output, except for
## sudoreplay and reboot. Use sudoreplay to play back logged sessions.
## Sudo will create up to 2,176,782,336 I/O logs before recycling them.
## Set maxseq to a smaller number if you don't have unlimited disk space.
# Defaults log_output
# Defaults!/usr/bin/sudoreplay !log_output
# Defaults!/usr/local/bin/sudoreplay !log_output
# Defaults!REBOOT !log_output
# Defaults maxseq = 1000
##
## Runas alias specification
##
##
## User privilege specification
##
root ALL=(ALL:ALL) ALL
## Uncomment to allow members of group wheel to execute any command
%wheel ALL=(ALL:ALL) ALL
## Same thing without a password
# %wheel ALL=(ALL:ALL) NOPASSWD: ALL
## Uncomment to allow members of group sudo to execute any command
# %sudo ALL=(ALL:ALL) ALL
## Uncomment to allow any user to run sudo if they know the password
## of the user they are running the command as (root by default).
# Defaults targetpw # Ask for the password of the target user
# ALL ALL=(ALL:ALL) ALL # WARNING: only use this together with 'Defaults targetpw'
## Read drop-in files from /etc/sudoers.d
@includedir /etc/sudoers.d
|
Both files should be default except for the wheel line in sudoers. |
|
Back to top |
|
|
pingtoo l33t
Joined: 10 Sep 2021 Posts: 926 Location: Richmond Hill, Canada
|
Posted: Wed Feb 15, 2023 3:39 pm Post subject: |
|
|
JumboAg.
Thanks for trusting me for sharing this information.
I will need to do research to see how to make it prompt for password after cache expiration.
In your /etc/pam.d do you have file "sudo" and "sudo-i"? if you do can you share them? |
|
Back to top |
|
|
JumboAg Apprentice
Joined: 03 Mar 2007 Posts: 191 Location: Dallas, TX
|
Posted: Wed Feb 15, 2023 6:36 pm Post subject: |
|
|
both files are the stock default:
Code: | # File autogenerated by pamd_mimic in pam eclass
auth substack system-auth
account substack system-auth
session substack system-auth
|
|
|
Back to top |
|
|
pingtoo l33t
Joined: 10 Sep 2021 Posts: 926 Location: Richmond Hill, Canada
|
Posted: Wed Feb 15, 2023 11:27 pm Post subject: |
|
|
JumboAg,
Sorry, take me a while to try to produce similar errors. However I have two conditions that will produce similar error,
Code: | $ sudo -l
Password:
sudo: timed out reading password #[ Timeout after 5 minutes ]
sudo: a password is required
$ sudo -l
Password:
Sorry, try again.
Sorry, try again.
sudo: 3 incorrect password attempts |
Code: | $ sudo -l
Sorry, try again.
Sorry, try again.
sudo: 3 incorrect password attempts |
In condition 1, I let sudo set on wait for password until timeout then ran sudo again, it gave me the error.
In condition 2. is kind of soon after condition 1. I not even get to ask for password.
So which is more alike to you case?
Is it possible for you to reproduce for your condition? |
|
Back to top |
|
|
JumboAg Apprentice
Joined: 03 Mar 2007 Posts: 191 Location: Dallas, TX
|
Posted: Thu Feb 16, 2023 2:37 am Post subject: |
|
|
I am condition 2.
The first time I use sudo, works fine. If within the same tty session I use sudo again some time later, it will give the sorry try again error X times in a row without ever prompting me to enter a password. It then locks me out due to too many unsuccessful password attempts.
I can then log directly in as root (or su directly to root) and run faillock to clear the lockout or wait until it unlocks my regular user account. |
|
Back to top |
|
|
pingtoo l33t
Joined: 10 Sep 2021 Posts: 926 Location: Richmond Hill, Canada
|
Posted: Thu Feb 16, 2023 2:09 pm Post subject: |
|
|
JumboAg,
So based on my test I cannot find code logic path will lead to condition you described in both sudo and PAM source code. So without some way to reproduce I am not able to help.
My guess is that before your 2nd sudo call your system already in faillock mode. if you can reproduce this condition on demand I suggest you try prior you issue 2nd sudo command try just "faillock" in same session. If "faillock" return 3 lines or more this indicate something have already tried auth 3 or more times that create the condition.
Another possible debug solution is turn on debug mode for sudoers plugin. You can edit /etc/sudo.conf, at the bottom of the file, there should be a line comment out like this Code: | #Debug sudoers.so /var/log/sudoers_debug all@debug | just remove the leading '#' so you can get a /var/log/sudo_debug output. you will find lines like "pam_authenticate: 7 @ sudo_pam_verify() ./auth/pam.c:332" this indicate PAM reply to sudo for auth fail. the "7" is PAM_AUTH_ERR. this usually cause by the pam modules not able to verify password or account having issue (for example being lock out).
The pam_faillock module does not actually set "locked" linux password database account. it just remember the lock condition in /var/run/faillock/<account_name>. So it is possible for something that NOT use PAM will remain able to login/auth. |
|
Back to top |
|
|
|