On Fri, Aug 21, 2009 at 11:06 AM, Guillaume CHARDIN <guillaume.chardin@xxxxxxxxx> wrote:
> hi everyone, I hope someone can help me on this...
>
> I modified the pam configuration today to accept connection from a user
> with uid&gid = 0. In /etc/pam.d/system-auth I previously had these lines:
>
> ###########################################################################
> auth        required      pam_env.so
> auth        sufficient    pam_unix.so nullok try_first_pass
> auth        requisite     pam_succeed_if.so uid >= 500 quiet
> auth        sufficient    pam_ldap.so use_first_pass
> auth        required      pam_deny.so
>
> account     required      pam_unix.so broken_shadow
> account     sufficient    pam_succeed_if.so uid < 500 quiet
> account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
> account     required      pam_permit.so
>
> password    requisite     pam_cracklib.so try_first_pass retry=3
> password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
> password    sufficient    pam_ldap.so use_authtok
> password    required      pam_deny.so
>
> session     optional      pam_keyinit.so revoke
> session     required      pam_limits.so
> session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
> session     required      pam_unix.so
> session     optional      pam_ldap.so
> ###################################################################################
> and I modified the auth part to:
>
> auth        required      pam_env.so
> auth        sufficient    pam_unix.so nullok try_first_pass
> auth        sufficient    pam_succeed_if.so uid = 0
> auth        requisite     pam_succeed_if.so uid >= 500 quiet
> auth        sufficient    pam_ldap.so use_first_pass
> auth        required      pam_deny.so
>
>
> I'm not sure about the consequences of these modifications.
> Tell me if I'm wrong, but
> a) the 3rd line "auth sufficient pam_succeed_if.so uid = 0"
> permits a user with uid lower than 0 to authenticate against the system
> and logs it
> b) the 4th line permits login to users with uid more than 500, does not
> log it AND if any of the other auth "methods" have failed it returns it to
> the program making the call to pam.
>
> right ?
>
> Thanks for your help.
>
> --
> Guillaume

I'm not very clear on what you mean by "accept connection from a user
with uid&gid = 0". You'd have to do something on purpose to lock root
(uid=0) out of the system.

I'll try to share my limited understanding of PAM.

"auth" merely establishes the user identity: is he who he claims to be?
The line "auth requisite pam_succeed_if.so uid >= 500 quiet" is not to
permit login, but rather to establish a user's identity; to be precise,
a user whose id is not that of a system account. Based on the line
"auth required pam_deny.so", the users whose IDs are listed in this
block can be denied access (pam_deny.so) if their identity is not
properly confirmed.

Later, these lines

account sufficient pam_succeed_if.so uid < 500 quiet
account required pam_permit.so

translate into "are you root or a system account? no problem! go right
ahead!"; otherwise, some checks will run to further qualify the incoming
user.

BTW, if a pam file is misconfigured one could end up being locked out of
the system. PAM can be a pain.

For further understanding read some man pages.

man pam_succeed_if
man pam_permit
man pam_deny

HTH,
~af

--
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines
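A worked example added to this page, not part of the thread and not code from either poster: a small walker that applies the Linux-PAM stacking rules documented in pam.conf(5) (required, requisite, sufficient, optional, and the bracketed [value=action] form with its "ok", "done", "bad", "die", "ignore" and jump-N actions) to the two "auth" stacks from the post. The module functions are constructed stand-ins that mimic pam_env, pam_unix, pam_succeed_if, pam_ldap and pam_deny only as far as needed here, and the stored passwords are constructed values. Running it for root, a system account and an LDAP user answers the "what are the consequences" question before the file is deployed: the failure of a sufficient module is ignored and the next sufficient module that succeeds ends the stack, so the added "auth sufficient pam_succeed_if.so uid = 0" line returns success for uid 0 even when pam_unix has rejected the password. Checking a change this way (or with pamtester against a test account) is the safer alternative to finding out through a lockout, or the opposite.

```python
"""Walk a PAM 'auth' stack through Linux-PAM's stacking rules (pam.conf(5)).

Constructed example: the module functions are stand-ins for the real modules,
the stacks are the two 'auth' sections from the post, and every password or
uid below is made up for the demonstration.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Simplified module return codes
SUCCESS, AUTH_ERR = "success", "auth_err"

# Keyword control flags expressed in the [value=action] form pam.conf(5) gives
KEYWORDS: Dict[str, Dict[str, str]] = {
    "required":   {"success": "ok",   "default": "bad"},
    "requisite":  {"success": "ok",   "default": "die"},
    "sufficient": {"success": "done", "default": "ignore"},
    "optional":   {"success": "ok",   "default": "ignore"},
}


@dataclass
class Entry:
    name: str
    control: Dict[str, str]          # e.g. KEYWORDS["sufficient"] or a bracketed form
    module: Callable[[dict], str]    # ctx -> return code


def run_stack(stack: List[Entry], ctx: dict) -> str:
    """Return 'success' or 'fail' for the stack, following pam_dispatch rules:
    ok/done/N contribute a result unless a failure is already recorded, done
    returns at once, bad records a failure, die records it and returns at once,
    ignore contributes nothing, and N also skips the next N entries."""
    impression, status = None, None  # None: undecided; True/False: positive/negative
    i = 0
    while i < len(stack):
        entry = stack[i]
        ret = entry.module(ctx)
        action = entry.control.get(ret, entry.control["default"])
        if action in ("ok", "done") or action.isdigit():
            if impression is None or (impression and status == SUCCESS):
                impression, status = True, ret
            if action == "done" and impression:
                break                # sufficient succeeded with no earlier failure
            if action.isdigit():
                i += int(action)     # [success=N ...]: jump over the next N entries
        elif action in ("bad", "die"):
            if impression is not False:
                impression, status = False, ret
            if action == "die":
                break                # requisite failed: stop immediately
        i += 1                       # "ignore" simply falls through to here
    return "success" if impression and status == SUCCESS else "fail"


# Stand-in modules (constructed); ctx carries uid, the offered password and the
# stored local/LDAP secrets for the user being authenticated
def pam_env(ctx: dict) -> str:
    return SUCCESS                   # sets environment variables, never fails here

def pam_unix(ctx: dict) -> str:
    return SUCCESS if ctx["password"] == ctx["local_pw"] else AUTH_ERR

def pam_ldap(ctx: dict) -> str:
    return SUCCESS if ctx["password"] == ctx["ldap_pw"] else AUTH_ERR

def pam_deny(ctx: dict) -> str:
    return AUTH_ERR

def pam_succeed_if(test: Callable[[int], bool]) -> Callable[[dict], str]:
    return lambda ctx: SUCCESS if test(ctx["uid"]) else AUTH_ERR


ORIGINAL_AUTH = [
    Entry("pam_env",                   KEYWORDS["required"],   pam_env),
    Entry("pam_unix",                  KEYWORDS["sufficient"], pam_unix),
    Entry("pam_succeed_if uid >= 500", KEYWORDS["requisite"],  pam_succeed_if(lambda u: u >= 500)),
    Entry("pam_ldap",                  KEYWORDS["sufficient"], pam_ldap),
    Entry("pam_deny",                  KEYWORDS["required"],   pam_deny),
]
# The post's change: one extra sufficient line inserted after pam_unix
MODIFIED_AUTH = (ORIGINAL_AUTH[:2]
                 + [Entry("pam_succeed_if uid = 0", KEYWORDS["sufficient"],
                          pam_succeed_if(lambda u: u == 0))]
                 + ORIGINAL_AUTH[2:])


def authenticate(stack: List[Entry], uid: int, password: str,
                 local_pw: Optional[str] = None, ldap_pw: Optional[str] = None) -> str:
    """local_pw / ldap_pw are the (constructed) stored secrets for this user."""
    ctx = {"uid": uid, "password": password, "local_pw": local_pw, "ldap_pw": ldap_pw}
    return run_stack(stack, ctx)


if __name__ == "__main__":
    cases = [("root, correct local password",          0,   "s3cret",  "s3cret", None),
             ("root, wrong password",                  0,   "nope",    "s3cret", None),
             ("system account uid 100, wrong password", 100, "nope",    "s3cret", None),
             ("LDAP user uid 600, correct LDAP password", 600, "ldap-pw", None,   "ldap-pw")]
    for label, uid, pw, local_pw, ldap_pw in cases:
        print(f"{label:42} original={authenticate(ORIGINAL_AUTH, uid, pw, local_pw, ldap_pw):8}"
              f"modified={authenticate(MODIFIED_AUTH, uid, pw, local_pw, ldap_pw)}")
```

The "root, wrong password" row is the one to look at: the original stack fails it at the requisite pam_succeed_if line, the modified stack returns success. The same walker accepts bracketed controls directly, so the session stack's `[success=1 default=ignore]` line can be checked by passing `{"success": "1", "default": "ignore"}` as the control.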