
Re: Pam checking UID => 1000, How to disable

Posted: 2017/03/10 23:03:48
by lightman47
The proper solution for me is to have the users change uids.
Until that can happen I'll just have the limit set lower.
Having done this a couple of times when I switched from Fedora 18 to CentOS 7, it isn't as hard as it sounds. It involved (one at a time) changing the user and group IDs in /etc/group and /etc/passwd, then running a FIND command for each user, then group, to change file ownership/group IDs. Time consuming = YES - it has to hit every file, ESPECIALLY shares on shared drives; Difficult = not at all. It was 'sweet'. By the way, the users don't even know about it (well, unless one is logged in while your changes are taking place).

If interested, I can give you the two FIND commands (I got from another forum user, but perhaps not this forum - don't remember).

Re: Pam checking UID => 1000, How to disable

Posted: 2017/03/11 10:28:14
by azzid
lightman47 wrote: it isn't as hard as it sounds. It involved (one at a time) changing the user and group IDs in /etc/group and /etc/passwd, then running a FIND command for each user, then group, to change file ownership/group IDs
Thanks for the kind offer to help with the find. Unfortunately that won't help me. The reason I'm not going down your described route is twofold:
  1. My users/groups are not in local files, but ldap. I'm not in control of the ldap data.
  2. My users' files are not local, they're on network storage. I can't chmod their networked data.
Hence the delay making the workaround feasible.

Re: Pam checking UID => 1000, How to disable

Posted: 2017/03/20 01:37:32
by pickabout
Look at the files in /etc/pam.d and do a search for 1000 in all of those files.

/etc/pam.d/ # grep 1000 *ac
fingerprint-auth-ac:account     sufficient    pam_succeed_if.so uid < 1000 quiet
password-auth-ac:auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
password-auth-ac:account     sufficient    pam_succeed_if.so uid < 1000 quiet
smartcard-auth-ac:account     sufficient    pam_succeed_if.so uid < 1000 quiet
system-auth-ac:auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
system-auth-ac:account     sufficient    pam_succeed_if.so uid < 1000 quiet
Edit those files and change the 1000 to a number smaller than the smallest UID that you have.

-Mary

Re: Pam checking UID => 1000, How to disable

Posted: 2017/03/20 16:53:21
by azzid
pickabout wrote: Look at the files in /etc/pam.d and do a search for 1000 in all of those files.

/etc/pam.d/ # grep 1000 *ac
fingerprint-auth-ac:account     sufficient    pam_succeed_if.so uid < 1000 quiet
password-auth-ac:auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
password-auth-ac:account     sufficient    pam_succeed_if.so uid < 1000 quiet
smartcard-auth-ac:account     sufficient    pam_succeed_if.so uid < 1000 quiet
system-auth-ac:auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
system-auth-ac:account     sufficient    pam_succeed_if.so uid < 1000 quiet
Edit those files and change the 1000 to a number smaller than the smallest UID that you have.

-Mary
No Mary, that's not true. As I stated before:
azzid wrote: It should be noted however, that as OP suspected, authconfig does read login.defs:

[root@yolow ~]# grep UID_MIN /etc/login.defs 
UID_MIN                  1000
SYS_UID_MIN               201
[root@yolow ~]# authconfig --updateall
[root@yolow ~]# grep uid /etc/pam.d/password-auth
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
account     sufficient    pam_succeed_if.so uid < 1000 quiet
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
[root@yolow ~]# vim /etc/login.defs
[root@yolow ~]# grep UID_MIN /etc/login.defs 
UID_MIN                  500
SYS_UID_MIN               201
[root@yolow ~]# authconfig --updateall
[root@yolow ~]# grep uid /etc/pam.d/password-auth
auth        requisite     pam_succeed_if.so uid >= 500 quiet_success
account     sufficient    pam_succeed_if.so uid < 500 quiet
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
Changing /etc/login.defs and running authconfig --updateall changes the limit in a way that won't get overwritten.
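Putting Mary's grep and azzid's login.defs observation together: the following is an added audit script (not from any poster in this thread) that reads UID_MIN from a login.defs-style file, reads the threshold actually written into a pam.d file, reports whether the two have drifted apart, and lists which accounts with a login shell fall below the enforced threshold. It runs only on constructed sample files, never on the live /etc.

```shell
#!/bin/sh
# Added example, not from the thread: audit the UID threshold that authconfig
# writes into /etc/pam.d/*-auth from UID_MIN in /etc/login.defs.
# All input files used here are constructed samples.
set -eu

# UID_MIN from a login.defs-style file; shadow-utils defaults to 1000 if unset.
uid_min_from_logindefs() {
    awk '$1 == "UID_MIN" { print $2; f = 1 } END { if (!f) print 1000 }' "$1"
}

# The threshold actually enforced: the number after "uid >=" on the
# pam_succeed_if.so auth line. Prints nothing if no such rule exists.
uid_min_from_pam() {
    awk '/pam_succeed_if\.so/ { for (i = 1; i < NF; i++) if ($i == ">=") { print $(i + 1); exit } }' "$1"
}

# "in-sync" when pam.d matches login.defs, otherwise "drift": the state a
# hand-edited pam.d file is in until authconfig --updateall resets it.
check_drift() {   # $1 = login.defs, $2 = pam.d file
    if [ "$(uid_min_from_logindefs "$1")" = "$(uid_min_from_pam "$2")" ]; then
        echo in-sync
    else
        echo drift
    fi
}

# Accounts with a real shell whose UID is below the threshold. These log
# 'requirement "uid >= N" not met' when authentication reaches this line
# (root with a correct local password succeeds in pam_unix earlier in the
# stack and never reaches it, which is TrevorH's point later in the thread).
blocked_users() {   # $1 = passwd-format file, $2 = threshold
    awk -F: -v min="$2" '$3 > 0 && $3 < min && $7 !~ /nologin|false/ { print $1 }' "$1"
}

# Stand-alone demo on constructed files (UIDs and names are made up).
demo() {
    d=$(mktemp -d)
    printf 'UID_MIN\t\t500\nSYS_UID_MIN\t201\n' > "$d/login.defs"
    printf 'auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success\n' > "$d/password-auth"
    printf 'root:x:0:0:root:/root:/bin/bash\nbin:x:1:1::/bin:/sbin/nologin\nprince:x:600:600::/home/prince:/bin/bash\n' > "$d/passwd"
    limit=$(uid_min_from_pam "$d/password-auth")
    echo "login.defs vs pam.d: $(check_drift "$d/login.defs" "$d/password-auth")"
    echo "accounts below uid $limit: $(blocked_users "$d/passwd" "$limit")"
    rm -rf "$d"
}
demo
```

Run it against copies of the real /etc/login.defs, /etc/pam.d/password-auth and /etc/passwd to see whether a host is in the "drift" state before the next authconfig run silently undoes a manual edit.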

Re: Pam checking UID => 1000, How to disable

Posted: 2017/06/16 11:32:06
by mastrblastr
Hello,

I had the same problem, on SL7.3 introduced by a "yum groupinstall 'Server with GUI'" from a minimal installation...

Try the following change; the problem might be solved:

/etc/ssh/sshd_config
"GSSAPICleanupCredentials no" => "GSSAPICleanupCredentials yes"

systemctl restart sshd

I cannot explain to myself how this could interfere with the PAM stack, but it seemingly does (in my case) and I won't waste any time researching the awkwardness.
Someone with knowledge about this topic could enlighten us all here.
Might be worth mentioning that my system uses Vintela Authentication Services which of course hooks into PAM Stack somehow.

#-------------

On a side note, changing /etc/pam.d/password-auth and commenting out "auth requisite pam_succeed_if.so uid >= 1000 quiet_success" does also work and will be automatically represented by "authconfig" in /etc/pam.d/password-auth-ac, which would make it update-safe? Disclaimer: I'm not sure that I understood this correctly.

On another side note, could anyone smarter than me please explain where the "hard" gain in security is in not letting root log in? I'm not saying there's nothing to gain, I simply don't see any "real" benefit.

Regards

Re: Pam checking UID => 1000, How to disable

Posted: 2017/06/16 11:36:14
by mastrblastr
Might be worth mentioning my sshd versions:

libssh2.x86_64 1.4.3-10.el7_2.1 @anaconda/7.3
openssh.x86_64 6.6.1p1-35.el7_3 @sl-fastbugs
openssh-clients.x86_64 6.6.1p1-35.el7_3 @sl-fastbugs
openssh-server.x86_64 6.6.1p1-35.el7_3 @sl-fastbugs

Re: Pam checking UID => 1000, How to disable

Posted: 2018/04/04 19:29:04
by mexia27
Error message :pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "prince"

Solution:
I went to the AllowUsers line in the ssh config file and realized the user name was misspelled, so I changed it and restarted the sshd daemon. User Prince was then able to log in successfully.
Thank you

Re: Pam checking UID => 1000, How to disable

Posted: 2018/08/18 10:10:01
by v_melnik
azzid wrote (2017/03/20 16:53:21): Changing /etc/login.defs and running authconfig --updateall changes the limit in a way that won't get overwritten.
This solution is the most reliable, thanks for sharing!

I'd like to share a story. I have a template of CentOS-7.2-x64 that I had preserved more than a year ago. So, when I need a CentOS-7.x-based instance, I usually deploy a virtual machine with this template, log in and run fdisk to delete and create the vda2 partition to resize it. Then I always reboot the OS to make it understand that the vda2 has new parameters, log in again and run pvresize, lvextend and other tools (including yum to update all the packages, of course).

Yesterday an odd thing happened. I deployed a new virtual machine, successfully logged in as root for the first time, made some changes, ran reboot and... was unable to log in as root anymore. Long story short, I found these lines in /var/log/secure and the solution kindly provided by you (again, thank you!).

But there was a thing I couldn't understand: why did it never happen before? This template was created about 20 months ago, we deployed more than 100 virtual machines with it and never ran into this problem. So I felt an urge to sort it out.

I've created a virtual machine based on the same template and tried to reproduce the whole sequence of operations I performed last time, but this time I restarted the OS after each step to understand what step was the trigger. At some point I had the following configuration in the /etc/sysconfig/network-scripts/ifcfg-eth0 file:

TYPE="Ethernet"
BOOTPROTO="static"
DEFROUTE="yes"
PEERDNS="yes"
PEERROUTES="yes"
IPV4_FAILURE_FATAL="no"
IPV6INIT="no"
IPV6_AUTOCONF="no"
IPV6_DEFROUTE="no"
IPV6_PEERDNS="no"
IPV6_PEERROUTES="no"
IPV6_FAILURE_FATAL="no"
NAME="eth0"
UUID="***0"
DEVICE="eth0"
ONBOOT="yes"
IPADDR="***1.***2.***3.xxx4"
NETMASK="255.255.255.0"
GATEWAY="***1.***2.***3.***5"
At this point I restarted the OS and things were fine: I'd successfully logged in as root.

Then I added a line that became the trigger:

IPADDR2="***1.***2.***3.***6"
After this step I ran reboot and then I wasn't able to log in as root anymore!

Now I'm feeling puzzled: what exactly changed when I added that one line?

If anyone has ideas, please, do share.

Thanks!

Re: Pam checking UID => 1000, How to disable

Posted: 2018/08/18 15:25:34
by TrevorH
If you are hitting this problem logging in as root and getting the message about uid >= 1000 then you have something else wrong. Root can always login and the only time it hits this error is if you have something else wrong. Commenting or changing the rule about uid >= 1000 is not the correct solution.

Re: Pam checking UID => 1000, How to disable

Posted: 2018/08/19 06:39:24
by v_melnik
I agree, it definitely is, but I still can't understand why it happens right after adding an additional IP address to the primary NIC. :-)