Pam checking UID => 1000, How to disable

Support for security such as Firewalls and securing linux
lightman47
Posts: 536
Joined: 2014/05/21 20:16:00
Location: Central New York, USA

Re: Pam checking UID => 1000, How to disable

Postby lightman47 » 2017/03/10 23:03:48

The proper solution for me is to have the users change uids.
Until that can happen I'll just have the limit set lower.


Having done this a couple of times when I switched from Fedora 18 to CentOS 7, it isn't as hard as it sounds. It involved (one at a time) changing the user and group IDs in /etc/group and /etc/passwd, then running a FIND command for each user, then group, to change file ownership/group IDs. Time consuming = YES - it has to hit every file, ESPECIALLY shares on shared drives; Difficult = not at all. It was 'sweet'. By the way, the Users don't even know about it (well, unless one is logged in while your changes are taking place).

If interested, I can give you the two FIND commands (I got from another forum user, but perhaps not this forum - don't remember).
:)

azzid
Posts: 13
Joined: 2010/03/26 13:52:57

Re: Pam checking UID => 1000, How to disable

Postby azzid » 2017/03/11 10:28:14

lightman47 wrote:it isn't as hard as it sounds. It involved (one at a time) changing the user and group IDs in /etc/group and /etc/passwd , then running a FIND command for each user, then group to change file ownership/group IDs


Thanks for the kind offer to help with the find. Unfortunately that won't help me. The reason I'm not going down your described route is twofold:

  1. My users/groups are not in local files, but LDAP. I'm not in control of the LDAP data.
  2. My users' files are not local, they're on network storage. I can't chmod their networked data.

Hence the delay making the workaround feasible.

pickabout
Posts: 1
Joined: 2017/03/20 01:28:54

Re: Pam checking UID => 1000, How to disable

Postby pickabout » 2017/03/20 01:37:32

Look at the files in /etc/pam.d and do a search for 1000 in all of those files.


/etc/pam.d/ # grep 1000 *ac
fingerprint-auth-ac:account     sufficient    pam_succeed_if.so uid < 1000 quiet
password-auth-ac:auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
password-auth-ac:account     sufficient    pam_succeed_if.so uid < 1000 quiet
smartcard-auth-ac:account     sufficient    pam_succeed_if.so uid < 1000 quiet
system-auth-ac:auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
system-auth-ac:account     sufficient    pam_succeed_if.so uid < 1000 quiet


Edit those files and change the 1000 to a number smaller than the smallest UID that you have.

-Mary

azzid
Posts: 13
Joined: 2010/03/26 13:52:57

Re: Pam checking UID => 1000, How to disable

Postby azzid » 2017/03/20 16:53:21

pickabout wrote:Look at the files in /etc/pam.d and do a search for 1000 in all of those files.


/etc/pam.d/ # grep 1000 *ac
fingerprint-auth-ac:account     sufficient    pam_succeed_if.so uid < 1000 quiet
password-auth-ac:auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
password-auth-ac:account     sufficient    pam_succeed_if.so uid < 1000 quiet
smartcard-auth-ac:account     sufficient    pam_succeed_if.so uid < 1000 quiet
system-auth-ac:auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
system-auth-ac:account     sufficient    pam_succeed_if.so uid < 1000 quiet


Edit those files and change the 1000 to a number smaller than the smallest UID that you have.

-Mary


No Mary, that's not true. As I stated before:

azzid wrote:It should be noted however, that as OP suspected, authconfig does read login.defs:


[root@yolow ~]# grep UID_MIN /etc/login.defs
UID_MIN                  1000
SYS_UID_MIN               201
[root@yolow ~]# authconfig --updateall
[root@yolow ~]# grep uid /etc/pam.d/password-auth
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
account     sufficient    pam_succeed_if.so uid < 1000 quiet
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
[root@yolow ~]# vim /etc/login.defs
[root@yolow ~]# grep UID_MIN /etc/login.defs
UID_MIN                  500
SYS_UID_MIN               201
[root@yolow ~]# authconfig --updateall
[root@yolow ~]# grep uid /etc/pam.d/password-auth
auth        requisite     pam_succeed_if.so uid >= 500 quiet_success
account     sufficient    pam_succeed_if.so uid < 500 quiet
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid


Changing /etc/login.defs and running authconfig --updateall changes the limit in a way that won't get overwritten.
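An added example (not from any poster in this thread) that checks the point made above: a small POSIX shell audit that reads UID_MIN from a login.defs file and compares it with the uid thresholds on the pam_succeed_if lines of a PAM file, so a hand edit of password-auth that the next authconfig --updateall would undo shows up as drift. Both file paths are parameters; the sample files are constructed here to mirror the thread's output, not taken from a real host.

```shell
#!/bin/sh
# Added example: audit pam_succeed_if uid thresholds against login.defs UID_MIN.
# authconfig regenerates the *-auth(-ac) files from UID_MIN, so any threshold
# that differs from UID_MIN is a hand edit that "authconfig --updateall" will undo.

# Print UID_MIN from a login.defs file; shadow-utils defaults to 1000 when it is unset.
login_defs_uid_min() {
    awk '$1 == "UID_MIN" { v = $2 } END { print (v == "" ? 1000 : v) }' "$1"
}

# Print each distinct numeric threshold N found on "pam_succeed_if.so uid <op> N" lines.
pam_uid_thresholds() {
    awk '/pam_succeed_if\.so/ && /uid/ {
            for (i = 2; i <= NF; i++)
                if ($(i-1) ~ /^[<>=]+$/ && $i ~ /^[0-9]+$/) print $i
         }' "$1" | sort -un
}

# Return 0 when every uid threshold in the PAM file equals UID_MIN;
# otherwise print the stale values and return 1.
check_pam_matches_login_defs() {
    min=$(login_defs_uid_min "$1")
    rc=0
    for t in $(pam_uid_thresholds "$2"); do
        if [ "$t" -ne "$min" ]; then
            echo "$2: pam_succeed_if uses uid $t but UID_MIN is $min"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample files (UID_MIN lowered to 500, PAM file still at 1000).
SAMPLE_DIR=$(mktemp -d)
printf 'UID_MIN\t\t500\nSYS_UID_MIN\t\t201\n' > "$SAMPLE_DIR/login.defs"
cat > "$SAMPLE_DIR/password-auth" <<'EOF'
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
account     sufficient    pam_succeed_if.so uid < 1000 quiet
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
EOF

if check_pam_matches_login_defs "$SAMPLE_DIR/login.defs" "$SAMPLE_DIR/password-auth"; then
    echo "PAM uid thresholds match UID_MIN"
else
    echo "fix: set UID_MIN in /etc/login.defs, then run: authconfig --updateall"
fi
```

On a live system the two functions would be pointed at /etc/login.defs and /etc/pam.d/password-auth (and system-auth); the script only reads, it never edits PAM files.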

mastrblastr
Posts: 2
Joined: 2017/06/16 11:09:19

Re: Pam checking UID => 1000, How to disable

Postby mastrblastr » 2017/06/16 11:32:06

Hello,

I had the same problem, on SL7.3 introduced by a "yum groupinstall 'Server with GUI'" from a minimal installation...

Try the following change; the problem might be solved:

/etc/ssh/sshd_config
"GSSAPICleanupCredentials no" => "GSSAPICleanupCredentials yes"

systemctl restart sshd

I cannot explain to myself how this could interfere with the PAM stack, but it seemingly does (in my case) and I won't waste any time researching awkwardness.
Someone with knowledge about this topic could enlighten us all here.
Might be worth mentioning that my system uses Vintela Authentication Services which of course hooks into PAM Stack somehow.

#-------------

On a sidenote, changing /etc/pam.d/password-auth and commenting out "auth requisite pam_succeed_if.so uid >= 1000 quiet_success" does also work and will be automatically represented by "authconfig" in /etc/pam.d/password-auth-ac, which would make it update safe? Disclaimer: I'm not sure that I understood this correctly.

On another sidenote, could anyone smarter than me please explain where the "hard" gain in security is by not letting root log in? I'm not saying there's nothing to gain, I simply don't see any "real" benefit.

Regards

mastrblastr
Posts: 2
Joined: 2017/06/16 11:09:19

Re: Pam checking UID => 1000, How to disable

Postby mastrblastr » 2017/06/16 11:36:14

Might be worth mentioning my sshd versions:

libssh2.x86_64 1.4.3-10.el7_2.1 @anaconda/7.3
openssh.x86_64 6.6.1p1-35.el7_3 @sl-fastbugs
openssh-clients.x86_64 6.6.1p1-35.el7_3 @sl-fastbugs
openssh-server.x86_64 6.6.1p1-35.el7_3 @sl-fastbugs