Pam checking UID => 1000, How to disable

lightman47
Posts: 1521
Joined: 2014/05/21 20:16:00
Location: Central New York, USA

Re: Pam checking UID => 1000, How to disable

Post by lightman47 » 2017/03/10 23:03:48

The proper solution for me is to have the users change uids.
Until that can happen I'll just have the limit set lower.
Having done this a couple of times when I switched from Fedora 18 to CentOS 7, it isn't as hard as it sounds. It involved (one at a time) changing the user and group IDs in /etc/group and /etc/passwd, then running a FIND command for each user, then group, to change file ownership/group IDs. Time consuming = YES - it has to hit every file, ESPECIALLY shares on shared drives; Difficult = not at all. It was 'sweet'. By the way, the Users don't even know about it (well, unless one is logged in while your changes are taking place).

If interested, I can give you the two FIND commands (I got from another forum user, but perhaps not this forum - don't remember).

azzid
Posts: 13
Joined: 2010/03/26 13:52:57

Re: Pam checking UID => 1000, How to disable

Post by azzid » 2017/03/11 10:28:14

lightman47 wrote: it isn't as hard as it sounds. It involved (one at a time) changing the user and group IDs in /etc/group and /etc/passwd, then running a FIND command for each user, then group, to change file ownership/group IDs
Thanks for the kind offer to help with the find. Unfortunately that won't help me. The reason I'm not going down your described route is twofold:
  1. My users/groups are not in local files, but ldap. I'm not in control of the ldap data.
  2. My users files are not local, they're on network storage. I can't chmod their networked data.
Hence the delay making the workaround feasible.

pickabout
Posts: 1
Joined: 2017/03/20 01:28:54

Re: Pam checking UID => 1000, How to disable

Post by pickabout » 2017/03/20 01:37:32

Look at the files in /etc/pam.d and do a search for 1000 in all of those files.

/etc/pam.d/ # grep 1000 *ac
fingerprint-auth-ac:account     sufficient    pam_succeed_if.so uid < 1000 quiet
password-auth-ac:auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
password-auth-ac:account     sufficient    pam_succeed_if.so uid < 1000 quiet
smartcard-auth-ac:account     sufficient    pam_succeed_if.so uid < 1000 quiet
system-auth-ac:auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
system-auth-ac:account     sufficient    pam_succeed_if.so uid < 1000 quiet
Edit those files and change the 1000 to a number smaller than the smallest UID that you have.

-Mary

azzid
Posts: 13
Joined: 2010/03/26 13:52:57

Re: Pam checking UID => 1000, How to disable

Post by azzid » 2017/03/20 16:53:21

pickabout wrote: Look at the files in /etc/pam.d and do a search for 1000 in all of those files.

/etc/pam.d/ # grep 1000 *ac
fingerprint-auth-ac:account     sufficient    pam_succeed_if.so uid < 1000 quiet
password-auth-ac:auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
password-auth-ac:account     sufficient    pam_succeed_if.so uid < 1000 quiet
smartcard-auth-ac:account     sufficient    pam_succeed_if.so uid < 1000 quiet
system-auth-ac:auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
system-auth-ac:account     sufficient    pam_succeed_if.so uid < 1000 quiet
Edit those files and change the 1000 to a number smaller than the smallest UID that you have.

-Mary
No Mary, that's not true. As I stated before:
azzid wrote: It should be noted however, that as OP suspected, authconfig does read login.defs:

[root@yolow ~]# grep UID_MIN /etc/login.defs 
UID_MIN                  1000
SYS_UID_MIN               201
[root@yolow ~]# authconfig --updateall
[root@yolow ~]# grep uid /etc/pam.d/password-auth
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
account     sufficient    pam_succeed_if.so uid < 1000 quiet
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
[root@yolow ~]# vim /etc/login.defs
[root@yolow ~]# grep UID_MIN /etc/login.defs 
UID_MIN                  500
SYS_UID_MIN               201
[root@yolow ~]# authconfig --updateall
[root@yolow ~]# grep uid /etc/pam.d/password-auth
auth        requisite     pam_succeed_if.so uid >= 500 quiet_success
account     sufficient    pam_succeed_if.so uid < 500 quiet
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
Changing /etc/login.defs and running authconfig --updateall changes the limit in a way that won't get overwritten.
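A check for the drift described in this post, written here as an added example and not taken from the thread or from authconfig: it reads UID_MIN from a login.defs-style file, extracts the numeric thresholds from the pam_succeed_if "uid" lines of one or more PAM files, and reports any file whose threshold no longer matches. The file paths are parameters; the sample files are constructed inside the script and only mirror the before/after values shown above.

```shell
#!/bin/sh
# Added example (not from the thread): detect drift between UID_MIN in
# login.defs and the uid thresholds authconfig wrote into pam_succeed_if lines.

# Print the UID_MIN value from a login.defs-style file.
login_defs_uid_min() {
    awk '$1 == "UID_MIN" { print $2; exit }' "$1"
}

# Print each distinct threshold from active "pam_succeed_if.so ... uid >= N"
# or "uid < N" lines; commented-out lines and "use_uid" are ignored.
pam_uid_thresholds() {
    sed -n '/^[[:space:]]*#/d;
            s/.*pam_succeed_if\.so.*uid *[<>]=* *\([0-9][0-9]*\).*/\1/p' "$1" \
        | sort -u
}

# Compare every PAM file's thresholds with UID_MIN.
# Prints one DRIFT line per mismatch; returns 0 if all match, 1 otherwise.
check_pam_against_login_defs() {
    defs=$1; shift
    want=$(login_defs_uid_min "$defs")
    rc=0
    for f in "$@"; do
        for got in $(pam_uid_thresholds "$f"); do
            if [ "$got" != "$want" ]; then
                echo "DRIFT: $f uses uid threshold $got, UID_MIN is $want"
                rc=1
            fi
        done
    done
    return $rc
}

# Constructed samples: UID_MIN already lowered to 500, PAM file still at 1000
# (the state between editing login.defs and running authconfig --updateall).
make_samples() {
    dir=$(mktemp -d)
    printf 'UID_MIN                  500\nSYS_UID_MIN               201\n' > "$dir/login.defs"
    printf '%s\n' \
        'auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success' \
        'account     sufficient    pam_succeed_if.so uid < 1000 quiet' \
        'session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid' \
        > "$dir/password-auth"
    echo "$dir"
}

samples=$(make_samples)
check_pam_against_login_defs "$samples/login.defs" "$samples/password-auth" \
    || echo "fix: keep UID_MIN in /etc/login.defs, then run: authconfig --updateall"
```

On a real host, call the check as `check_pam_against_login_defs /etc/login.defs /etc/pam.d/system-auth-ac /etc/pam.d/password-auth-ac` after changing login.defs to confirm the -ac files were regenerated.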

mastrblastr
Posts: 2
Joined: 2017/06/16 11:09:19

Re: Pam checking UID => 1000, How to disable

Post by mastrblastr » 2017/06/16 11:32:06

Hello,

I had the same problem, on SL7.3 introduced by a "yum groupinstall 'Server with GUI'" from a minimal installation...

try the following change, problem might be solved:

/etc/ssh/sshd_config
"GSSAPICleanupCredentials no" => "GSSAPICleanupCredentials yes"

systemctl restart sshd

I cannot explain to myself how this could interfere with the PAM stack, but it seemingly does (in my case), and I won't waste any time researching awkwardness.
Someone with knowledge about this topic could enlighten us all here.
Might be worth mentioning that my system uses Vintela Authentication Services which of course hooks into PAM Stack somehow.

#-------------

On a side note, changing /etc/pam.d/password-auth and commenting out "auth requisite pam_succeed_if.so uid >= 1000 quiet_success" does also work and will be automatically represented by "authconfig" in /etc/pam.d/password-auth-ac, which would make it update safe? Disclaimer: I'm not sure that I understood this correctly.

On another side note, could anyone smarter than me please explain where the "hard" gain in security is in not letting root log in? I'm not saying there's nothing to gain, I simply don't see any "real" benefit.

Regards

mastrblastr
Posts: 2
Joined: 2017/06/16 11:09:19

Re: Pam checking UID => 1000, How to disable

Post by mastrblastr » 2017/06/16 11:36:14

Might be worth mentioning my sshd versions:

libssh2.x86_64 1.4.3-10.el7_2.1 @anaconda/7.3
openssh.x86_64 6.6.1p1-35.el7_3 @sl-fastbugs
openssh-clients.x86_64 6.6.1p1-35.el7_3 @sl-fastbugs
openssh-server.x86_64 6.6.1p1-35.el7_3 @sl-fastbugs

mexia27
Posts: 1
Joined: 2018/04/04 19:20:44

Re: Pam checking UID => 1000, How to disable

Post by mexia27 » 2018/04/04 19:29:04

Error message :pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "prince"

Solution:
I went to the AllowUser in the ssh config file and realized the user name was misspelled, so I changed it and restarted the sshd daemon. And user Prince was able to log in successfully.
Thank you

v_melnik
Posts: 2
Joined: 2018/08/18 09:23:21

Re: Pam checking UID => 1000, How to disable

Post by v_melnik » 2018/08/18 10:10:01

azzid wrote (2017/03/20 16:53:21):
Changing /etc/login.defs and running authconfig --updateall changes the limit in a way that won't get overwritten.
This solution is the most reliable, thanks for sharing!

I'd like to share a story. I have a template of CentOS-7.2-x64 that I had preserved more than a year ago. So, when I need a CentOS-7.x-based instance, I usually deploy a virtual machine with this template, log in and run fdisk to delete and create the vda2 partition to resize it. Then I always reboot the OS to make it understand that the vda2 has new parameters, log in again and run pvresize, lvextend and other tools (including yum to update all the packages, of course).

Yesterday an odd thing happened. I deployed a new virtual machine, successfully logged in as root for the first time, made some changes, ran reboot and... was unable to log in as root anymore. Long story short, I found these lines in /var/log/secure and the solution kindly provided by you (again, thank you!).

But there was a thing I couldn't understand: why did it never happen before? This template has been created about 20 months ago, we deployed more than 100 virtual machines with it and never ran into this problem. So I felt an urge to sort it out.

I've created a virtual machine based on the same template and tried to reproduce the whole sequence of operations I performed last time, but this time I restarted the OS after each step to understand what step was the trigger. At some point I had the following configuration in the /etc/sysconfig/network-scripts/ifcfg-eth0 file:

TYPE="Ethernet"
BOOTPROTO="static"
DEFROUTE="yes"
PEERDNS="yes"
PEERROUTES="yes"
IPV4_FAILURE_FATAL="no"
IPV6INIT="no"
IPV6_AUTOCONF="no"
IPV6_DEFROUTE="no"
IPV6_PEERDNS="no"
IPV6_PEERROUTES="no"
IPV6_FAILURE_FATAL="no"
NAME="eth0"
UUID="***0"
DEVICE="eth0"
ONBOOT="yes"
IPADDR="***1.***2.***3.xxx4"
NETMASK="255.255.255.0"
GATEWAY="***1.***2.***3.***5"
At this point I restarted the OS and things were fine: I'd successfully logged in as root.

Then I added a line that became the trigger:

IPADDR2="***1.***2.***3.***6"
After this step I ran reboot and then I wasn't able to log in as root anymore!

Now I'm puzzled: what exactly changed when I added that single line?

If anyone has ideas, please, do share.

Thanks!

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Pam checking UID => 1000, How to disable

Post by TrevorH » 2018/08/18 15:25:34

If you are hitting this problem logging in as root and getting the message about uid >= 1000 then you have something else wrong. Root can always login and the only time it hits this error is if you have something else wrong. Commenting or changing the rule about uid >= 1000 is not the correct solution.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

v_melnik
Posts: 2
Joined: 2018/08/18 09:23:21

Re: Pam checking UID => 1000, How to disable

Post by v_melnik » 2018/08/19 06:39:24

I agree, it definitely is, but I still can't understand why it happens right after adding an additional IP-address to the primary NIC. :-)
