Pam checking UID => 1000, How to disable
Hello,
I just had my first run-in with the tightened security in CentOS 7 and I was wondering, how do I disable this (topic) correctly?
The situation:
* 2 servers, both only accessible via ssh for shell access for the admins (iptables blocks the rest, fail2ban blocks probes)
* Each server has ssh configured with root access without-password
* Each server had root in AllowedUsers with @<ip> of the other server
* Each server needs access to the other via rsync over ssh to the root account to do a backup (dirvish)
However, both servers block access on that account, as its UID is < 1000. I've edited the pam configurations for auth and passwd and replaced every UID check on 1000 with a check on UID 0 and removed authconfig to prevent accidental 'repair' of this. However, I'm not the only admin and the others could reinstall authconfig and start working with that.
How do I disable this check on UID by pam correctly, so that even installing and using authconfig doesn't kill off the ability for each server to reach the other for the backup? Changing the MIN_UID in /etc/login.conf won't do the trick, as adduser needs that value.
Re: Pam checking UID => 1000, How to disable
What is the error that you get? It's perfectly possible to ssh to CentOS 7 systems with the root account using without-password without needing to change anything at all.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke
Re: Pam checking UID => 1000, How to disable
The PAM rules are stored in /etc/pam.d
But I do not recommend you change them manually and I do not recommend you comment out this rule (for whatever reason).
Re: Pam checking UID => 1000, How to disable
This is the error I get:
Code:
sshd[8673]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
I've traced it down to this line in /etc/pam.d/system-auth and password-auth:
Code:
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
Which results in rejecting the ssh key added to authorized_keys and requiring the entry of a password.
Changing the value to 0 results in the required behaviour, but as soon as an automated process (authconfig for one) touches the files, it gets reset.
As I know, it's not recommended to change pam.d files, but it's the only way I found to be able to enter the system on the root account without interaction.
That's the whole reason for the topic: how do I do this correctly, so whatever automated process pops up, it stays as configured? (i.e. where do authconfig and other processes get the 1000 from? I hope not /etc/login.defs UID_MIN)
Re: Pam checking UID => 1000, How to disable
Food for thought - it's the FAILURE of that interaction that Fail2ban sees in the secure log and acts upon.
Re: Pam checking UID => 1000, How to disable
I checked, I have that line yet I can still ssh as root to a machine using my root key. Look in /var/log/secure - are you sure you're not getting other errors like the inability to read the key files?
Re: Pam checking UID => 1000, How to disable
Ditto (what Trevor said). The problem lies elsewhere - for example PermitRoot in /etc/ssh/sshd_config?
Anyway logging in as root is still considered bad security practice. You're better off starting your session as a "lower" account and elevating privileges/capacities as needed.
Re: Pam checking UID => 1000, How to disable
Sorry, but no, fail2ban has the from ip in the ignoreip list and as soon as I want to login with the ssh key, the error is exactly:
Code:
requirement "uid >= 1000" not met by user "root"
This is 'solved' by killing the pam rule quoted.
There are no other errors, just pam messing up. (Or, to be precise, doing exactly what someone thought would be a good idea.) My problem is that I don't know how to kill off that 'good idea', as it's a terrible idea. When people want to allow root access with a key, without requiring interaction, they should be able to, not be forced by someone to hack around this pam setup.
Re: Pam checking UID => 1000, How to disable
But I'm telling you that I have that exact same pam line and CAN access my systems using root and keys. Your diagnosis of the problem is incomplete - it is not the source of the problem.
Code:
/etc/pam.d/system-auth-ac
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so
account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid <= 1500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required      pam_permit.so
password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_ldap.so use_authtok
password    required      pam_deny.so
session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session    optional      pam_systemd.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_ldap.so
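Walking the auth section of the system-auth-ac file posted above with Linux-PAM's control-flag rules shows why the log line quoted earlier in the thread ('requirement "uid >= 1000" not met by user "root"') does not by itself prove that the uid rule is what rejects a key-based root login. The script below is an added example, not code from this thread or from Linux-PAM: it implements only the required / requisite / sufficient semantics that decide which modules run, and the caller states whether pam_unix and pam_ldap would have accepted the credential (an assumption, so it runs offline). One fact it relies on: sshd only calls the PAM auth stack for password and keyboard-interactive authentication, never for publickey, so a `pam_succeed_if(sshd:auth)` message means sshd had already rejected the key and fallen back to asking for a password. Because pam_unix is `sufficient` and comes first, the requisite line is only ever reached after pam_unix has refused the password as well.

```python
"""PAM auth-stack walker for the system-auth-ac file posted in this thread.
Added example, not code from the thread or from Linux-PAM itself: it reproduces
only the control-flag semantics (required / requisite / sufficient) that decide
which modules run. No credential is checked; the caller says whether pam_unix
and pam_ldap would have accepted the user (assumption, so it runs offline)."""

# The auth section exactly as posted (the other sections are not part of pam_authenticate).
AUTH_STACK = """
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so
"""

_OPS = {
    ">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b, "<": lambda a, b: a < b, "=": lambda a, b: a == b,
}


def parse_stack(text, facility="auth"):
    """Return [(control, module, args)] for one facility, skipping comments."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fac, control, module, *args = line.split()
        if fac == facility:
            rules.append((control, module, args))
    return rules


def module_result(module, args, user, outcomes):
    """True for PAM_SUCCESS, False for any failure, for a single module call."""
    if module == "pam_env.so":
        return True                      # only sets environment, never fails auth
    if module == "pam_deny.so":
        return False                     # unconditional failure
    if module == "pam_succeed_if.so":
        field, op, value = args[0], args[1], int(args[2])   # e.g. uid >= 1000
        return _OPS[op](user[field], value)
    return outcomes.get(module, False)  # pam_unix / pam_ldap: caller-supplied


def run_auth(rules, user, outcomes):
    """Walk the stack; return (granted, trace) where trace lists modules that ran.
    Linux-PAM rules used: a 'sufficient' success ends the stack with success unless
    an earlier 'required' failed; a 'requisite' failure ends it with failure at once;
    a 'required' failure is remembered and the remaining modules still run."""
    trace = []
    required_failed = False
    for control, module, args in rules:
        ok = module_result(module, args, user, outcomes)
        trace.append((module, ok))
        if control == "sufficient" and ok and not required_failed:
            return True, trace
        if control == "requisite" and not ok:
            return False, trace
        if control == "required" and not ok:
            required_failed = True
    return not required_failed, trace


if __name__ == "__main__":
    rules = parse_stack(AUTH_STACK)
    root, user1001 = {"uid": 0}, {"uid": 1001}
    # root, local password accepted: pam_unix is 'sufficient', the uid rule never runs
    print(run_auth(rules, root, {"pam_unix.so": True}))
    # root, pam_unix rejected: the stack reaches the requisite line and logs
    # 'requirement "uid >= 1000" not met by user "root"', the line from the thread
    print(run_auth(rules, root, {"pam_unix.so": False}))
    # ordinary user, local password wrong, LDAP accepts
    print(run_auth(rules, user1001, {"pam_unix.so": False, "pam_ldap.so": True}))
    # the edit from the opening post (uid >= 0): root now falls through to pam_ldap
    # and then pam_deny, so against this stack it is still refused without a working LDAP bind
    edited = parse_stack(AUTH_STACK.replace("uid >= 1000", "uid >= 0"))
    print(run_auth(edited, root, {"pam_unix.so": False}))
```

The trace for the second scenario is the only path that can produce the logged message, which is why the uid value is the wrong knob: the interesting question is why the key was not accepted before sshd ever asked PAM for a password.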
Re: Pam checking UID => 1000, How to disable
Hi TrevorH,
the difference is the SELinux status. Logging in as root works fine (without any prior modifications to PAM) if SELinux is disabled on the host.
Regards,
Sebastian Koehler
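That observation fits the symptom in this thread. On an SELinux-enforcing CentOS 7 host sshd runs confined as sshd_t and expects files under ~/.ssh to carry the ssh_home_t type; when /root/.ssh or authorized_keys was moved or rsynced into place instead of being created there, it commonly keeps some other type that sshd_t may not read, so the key is silently ignored, sshd falls back to a password, and that password attempt is what runs the PAM auth stack and logs the pam_succeed_if message. `restorecon -Rv /root/.ssh` puts the label back without disabling SELinux. The same fallback happens when the StrictModes checks fail (the directory or file is group/world-writable, or owned by someone other than the user or root). The checker below is an added example, not code from the thread or from OpenSSH; it reads the label through the `security.selinux` extended attribute (the same value `ls -Z` prints), returns None where there is no label, and the `demo()` fixture is a constructed throwaway home with a deliberately world-writable .ssh directory.

```python
"""Checks sshd's own preconditions for accepting an authorized_keys file:
the StrictModes ownership/permission rules and the SELinux type on each path.
Added example, not code from the thread or from OpenSSH. EXPECTED_TYPE is the
label the CentOS targeted policy assigns under ~/.ssh; demo() builds a
constructed temporary home so the checker can be run without touching /root."""
import os
import stat

EXPECTED_TYPE = "ssh_home_t"


def selinux_type(path):
    """SELinux type of path (third field of its context), or None when the file
    carries no label: SELinux disabled, an unlabeled filesystem, or a host that
    has no security.selinux xattr at all."""
    try:
        ctx = os.getxattr(path, "security.selinux")
    except (OSError, AttributeError):
        return None
    fields = ctx.rstrip(b"\x00").decode(errors="replace").split(":")
    return fields[2] if len(fields) > 2 else None


def check_path(path, owner_uid):
    """Problems sshd would have with one path component; [] means acceptable.
    StrictModes: owned by the user or root, and not group- or world-writable."""
    problems = []
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return [f"{path}: missing"]
    if st.st_uid not in (0, owner_uid):
        problems.append(f"{path}: owned by uid {st.st_uid}, expected {owner_uid} or root")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append(f"{path}: group- or world-writable, mode {stat.S_IMODE(st.st_mode):04o}")
    label = selinux_type(path)
    if label is not None and label != EXPECTED_TYPE:
        problems.append(f"{path}: SELinux type {label}, expected {EXPECTED_TYPE} "
                        "(restorecon -Rv on the .ssh directory resets it)")
    return problems


def check_authorized_keys(home, owner_uid):
    """Map each path sshd inspects (home, .ssh, authorized_keys) to its problems."""
    ssh_dir = os.path.join(home, ".ssh")
    paths = (home, ssh_dir, os.path.join(ssh_dir, "authorized_keys"))
    return {p: check_path(p, owner_uid) for p in paths}


def demo():
    """Constructed fixture: a temporary home whose .ssh is world-writable, the
    kind of mistake that makes sshd ignore the key and fall back to a password."""
    import tempfile
    home = tempfile.mkdtemp(prefix="sshcheck-")           # created with mode 0700
    ssh_dir = os.path.join(home, ".ssh")
    os.mkdir(ssh_dir)
    os.chmod(ssh_dir, 0o777)                               # deliberately wrong
    key_file = os.path.join(ssh_dir, "authorized_keys")
    with open(key_file, "w") as f:                         # placeholder, not a real key
        f.write("ssh-ed25519 AAAA_placeholder_not_a_real_key root@other-server\n")
    os.chmod(key_file, 0o600)
    return check_authorized_keys(home, os.getuid())


if __name__ == "__main__":
    # For the real case run check_authorized_keys("/root", 0) as root.
    for path, problems in demo().items():
        print(path, "OK" if not problems else "")
        for problem in problems:
            print("   ", problem)
```

Run it as root against `/root` on the affected server and compare with what `ls -laZ /root/.ssh` shows; a type other than ssh_home_t on either the directory or the file, or any writable-by-others mode, explains the password prompt without any change to pam.d.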