Pam checking UID => 1000, How to disable

T_I
Posts: 5
Joined: 2017/01/12 15:52:13

Pam checking UID => 1000, How to disable

Post by T_I » 2017/01/12 16:45:05

Hello,

I just had my first run-in with the tightened security in CentOS 7 and I was wondering, how do I disable this (topic) correctly?

The situation:

* 2 servers, both only accessible via ssh for shell access for the admins (iptables blocks the rest, fail2ban blocks probes)
* Each server has ssh configured with root access without-password
* Each server had root in AllowedUsers with @<ip> of the other server
* Each server needs access to the other via rsync over ssh to the root account to do a backup (dirvish)

However, both servers block access on that account, as its UID is < 1000. I've edited the pam configurations for auth and passwd and replaced every UID check on 1000 with a check on UID 0 and removed authconfig to prevent accidental 'repair' of this. However, I'm not the only admin and the others could reinstall authconfig and start working with that.

How do I disable this check on UID by pam correctly, so that even installing and using authconfig doesn't kill off the ability for each server to reach the other for the backup? Changing the MIN_UID in /etc/login.conf won't do the trick, as adduser needs that value.

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Pam checking UID => 1000, How to disable

Post by TrevorH » 2017/01/12 17:05:02

What is the error that you get? It's perfectly possible to ssh to CentOS 7 systems with the root account using without-password without needing to change anything at all.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

aks
Posts: 3073
Joined: 2014/09/20 11:22:14

Re: Pam checking UID => 1000, How to disable

Post by aks » 2017/01/12 17:22:59

The PAM rules are stored in /etc/pam.d
But I do not recommend you change them manually and I do not recommend you comment out this rule (for whatever reason).

T_I
Posts: 5
Joined: 2017/01/12 15:52:13

Re: Pam checking UID => 1000, How to disable

Post by T_I » 2017/01/13 09:35:54

This is the error I get:

sshd[8673]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"

I've traced it down to this line in /etc/pam.d/system-auth and password-auth

requisite     pam_succeed_if.so uid >= 1000 quiet_success

Which results in rejecting the ssh key added to authorized_keys and requiring the entry of a password.
Changing the value to 0 results in the required behaviour, but as soon as an automated process (authconfig for one) touches the files, it gets reset.

I know it's not recommended to change pam.d files, but it's the only way I found to be able to enter the system on the root account without interaction.
That's the whole reason for the topic: how do I do this correctly, so whatever automated process pops up, it stays as configured? (i.e., where do authconfig and other processes get the 1000 from? I hope not /etc/login.defs UID_MIN)

lightman47
Posts: 1521
Joined: 2014/05/21 20:16:00
Location: Central New York, USA

Re: Pam checking UID => 1000, How to disable

Post by lightman47 » 2017/01/13 12:48:58

Food for thought - it's the FAILURE of that interaction that Fail2ban sees in the secure log and acts upon.

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Pam checking UID => 1000, How to disable

Post by TrevorH » 2017/01/13 14:16:08

I checked, I have that line yet I can still ssh as root to a machine using my root key. Look in /var/log/secure - are you sure you're not getting other errors like the inability to read the key files?

aks
Posts: 3073
Joined: 2014/09/20 11:22:14

Re: Pam checking UID => 1000, How to disable

Post by aks » 2017/01/13 17:14:11

Ditto (what Trevor said). The problem lies elsewhere - for example PermitRoot in /etc/ssh/sshd_config?
Anyway logging in as root is still considered bad security practice. You're better off starting your session as a "lower" account and elevating privileges/capacities as needed.

T_I
Posts: 5
Joined: 2017/01/12 15:52:13

Re: Pam checking UID => 1000, How to disable

Post by T_I » 2017/01/16 15:31:03

Sorry, but no, fail2ban has the from IP in the ignoreip list and as soon as I want to log in with the ssh key, the error is exactly

requirement "uid >= 1000" not met by user "root"

This is 'solved' by killing the pam rule quoted.

There are no other errors, just pam messing up. (or to be precise, doing exactly what someone thought would be a good idea) My problem is that I don't know how to kill off that 'good idea' as it's a terrible idea. When people want to allow root access with a key, without requiring interaction, they should be able to, not be forced by someone to hack around this pam setup.

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Pam checking UID => 1000, How to disable

Post by TrevorH » 2017/01/16 16:11:26

But I'm telling you that I have that exact same pam line and CAN access my systems using root and keys. Your diagnosis of the problem is incomplete - it is not the source of the problem.

/etc/pam.d/system-auth-ac
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid <= 1500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required      pam_permit.so

password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_ldap.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session     optional      pam_systemd.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_ldap.so
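The control flags in the auth stack TrevorH quoted decide whether the pam_succeed_if line is reached at all, which is why the logged message on its own does not explain a rejected key. The simulator below is an added illustration, not CentOS or Linux-PAM code: it walks that auth stack with constructed inputs and shows that the "uid >= 1000" failure is logged only after pam_unix has already declined the password (sshd runs the auth stack for password and keyboard-interactive logins, not for public-key ones).

```python
# Minimal model of Linux-PAM "auth" control flags (required, requisite,
# sufficient) applied to the system-auth-ac stack quoted above.
# Added illustration only; module outcomes are constructed inputs.

SUCCESS, FAIL = "success", "fail"

# (control, module, check) copied in order from the auth section of the
# listing. Each check receives the login context and returns SUCCESS/FAIL.
AUTH_STACK = [
    ("required",   "pam_env.so",        lambda ctx: SUCCESS),
    ("sufficient", "pam_unix.so",       lambda ctx: SUCCESS if ctx["password_ok"] else FAIL),
    ("requisite",  "pam_succeed_if.so", lambda ctx: SUCCESS if ctx["uid"] >= 1000 else FAIL),
    ("sufficient", "pam_ldap.so",       lambda ctx: SUCCESS if ctx["ldap_ok"] else FAIL),
    ("required",   "pam_deny.so",       lambda ctx: FAIL),
]


def run_auth_stack(ctx, stack=AUTH_STACK):
    """Walk the stack the way libpam does; return (result, log lines)."""
    log = []
    required_failed = False
    for control, module, check in stack:
        result = check(ctx)
        # quiet_success: pam_succeed_if logs only when its test fails.
        if module == "pam_succeed_if.so" and result == FAIL:
            log.append('pam_succeed_if(sshd:auth): requirement "uid >= 1000" '
                       'not met by user "%s"' % ctx["user"])
        if control == "requisite" and result == FAIL:
            return FAIL, log            # abort the stack immediately
        if control == "required" and result == FAIL:
            required_failed = True      # remember, but keep walking
        if control == "sufficient" and result == SUCCESS and not required_failed:
            return SUCCESS, log         # short-circuit: authenticated
    return (FAIL if required_failed else SUCCESS), log


if __name__ == "__main__":
    # Constructed scenarios: root with a good password, root with a bad one,
    # and an ordinary user with a bad one.
    for ctx in ({"user": "root", "uid": 0, "password_ok": True, "ldap_ok": False},
                {"user": "root", "uid": 0, "password_ok": False, "ldap_ok": False},
                {"user": "alice", "uid": 1000, "password_ok": False, "ldap_ok": False}):
        print(ctx["user"], run_auth_stack(ctx))
```

Root with a correct password never reaches pam_succeed_if; the quoted message appears only once pam_unix has failed, and a uid >= 1000 user with the same bad password fails silently via pam_deny instead.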

sebastian.koehler
Posts: 1
Joined: 2017/01/27 07:44:18

Re: Pam checking UID => 1000, How to disable

Post by sebastian.koehler » 2017/01/27 07:51:09

Hi TrevorH,

The difference is the SELinux status. Login as root works fine (without prior modifications to PAM) if SELinux is disabled on the host.

Regards,
Sebastian Koehler
