SFTP tunnel: su root blocked by pam: requirement "uid >= 1000" not met

michael600
Posts: 8
Joined: 2017/10/08 03:09:45

SFTP tunnel: su root blocked by pam: requirement "uid >= 1000" not met

Post by michael600 » 2017/11/25 11:40:29

Hi
This problem has been previously described in the Centos Forums here, and is presented again here in what seems to be a different form.
In this case using centos 7, although it's possible to su root via e.g. putty, when attempting an sftp tunneling session requiring an su root (because permitrootlogin in sshd_config is set to 'no'), access is denied. Let's say that the initial login is via 'user1' (i.e. a non-root user setting up the sftp tunnel), and this completes successfully. But the second stage, where effectively su root is attempted, results in an 'access denied' message.
Logs indicate:

Code:

 pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
On checking the uid, user1 is 1000 and root is 0
The winscp program has the following SFTP config:
/usr/libexec/openssh/sftp-server
(have tried sudo /usr/libexec/openssh/sftp-server
sudo su -c /usr/libexec/openssh/sftp-server)
This is the full log detail if required:

Code:

Nov 25 21:19:24 localhost sshd[25585]: Accepted password for hhgp from [external ip] port 48421 ssh2
Nov 25 21:19:24 localhost sshd[25585]: pam_unix(sshd:session): session opened for user user1 by (uid=0)
Nov 25 21:19:25 localhost sshd[25626]: Address 192.168.1.10 maps to localhost.localdomain, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Nov 25 21:19:30 localhost sshd[25626]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.1.10  user=root
Nov 25 21:19:30 localhost sshd[25626]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
Nov 25 21:19:33 localhost sshd[25626]: Failed password for root from 192.168.1.10 port 57098 ssh2
Nov 25 21:20:04 localhost sshd[25626]: Connection closed by 192.168.1.10 port 57098 [preauth]
Nov 25 21:20:04 localhost sshd[25585]: pam_unix(sshd:session): session closed for user user1
Thanks to anyone who can help!
m600
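The /var/log/secure excerpt above shows two different things logged under one sshd PID: a pam_succeed_if policy rejection and, three seconds later, a "Failed password" for root. sshd reports a PAM stack failure the same way it reports a wrong password, so the two are easy to confuse. This is an added example (not from the original post) that groups sshd lines by PID and tells a policy denial apart from a bad-password denial; the sample log lines are constructed to mirror the thread's excerpt, with the username and external address replaced by placeholders.

```python
import re
from collections import defaultdict

# Constructed sample lines modelled on the /var/log/secure excerpt in the thread.
SAMPLE_LOG = """\
Nov 25 21:19:24 localhost sshd[25585]: Accepted password for user1 from 203.0.113.5 port 48421 ssh2
Nov 25 21:19:24 localhost sshd[25585]: pam_unix(sshd:session): session opened for user user1 by (uid=0)
Nov 25 21:19:25 localhost sshd[25626]: Address 192.168.1.10 maps to localhost.localdomain, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Nov 25 21:19:30 localhost sshd[25626]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.1.10  user=root
Nov 25 21:19:30 localhost sshd[25626]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
Nov 25 21:19:33 localhost sshd[25626]: Failed password for root from 192.168.1.10 port 57098 ssh2
Nov 25 21:20:04 localhost sshd[25626]: Connection closed by 192.168.1.10 port 57098 [preauth]
"""

# Syslog prefix: timestamp, host, "sshd[PID]:", then the message body.
LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
ACCEPT_RE = re.compile(r"^Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<host>\S+)")
FAILED_RE = re.compile(r"^Failed (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) from (?P<host>\S+)")
SUCCEED_IF_RE = re.compile(
    r'pam_succeed_if\(sshd:auth\): requirement "(?P<req>[^"]+)" not met by user "(?P<user>[^"]+)"')


def classify_sessions(log_text):
    """Group sshd lines by PID and explain why each connection was accepted or rejected.

    A 'Failed password' that follows a pam_succeed_if line for the same PID means the
    PAM policy (e.g. 'uid >= 1000') rejected the user, regardless of the password typed.
    Without such a line, the failure is an ordinary bad-password attempt.
    """
    by_pid = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            by_pid[m.group("pid")].append(m.group("msg"))
    results = {}
    for pid, msgs in by_pid.items():
        verdict = {"pid": pid, "outcome": "unknown", "user": None, "host": None, "policy_reason": None}
        for msg in msgs:
            if (m := ACCEPT_RE.match(msg)):
                verdict.update(outcome="accepted", user=m["user"], host=m["host"])
            elif (m := SUCCEED_IF_RE.search(msg)):
                verdict["policy_reason"] = m["req"]          # remember the failed requirement
            elif (m := FAILED_RE.match(msg)):
                verdict.update(user=m["user"], host=m["host"])
                verdict["outcome"] = "denied_by_pam_policy" if verdict["policy_reason"] else "denied_bad_password"
        results[pid] = verdict
    return results
```

Run against the real log with `classify_sessions(open("/var/log/secure").read())`; a root login rejected by the uid rule shows up as `denied_by_pam_policy` with `policy_reason` set to `uid >= 1000`.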

TrevorH
Site Admin
Posts: 33216
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: SFTP tunnel: su root blocked by pam: requirement "uid >= 1000" not met

Post by TrevorH » 2017/11/25 12:56:24

I'm pretty sure you cannot sudo via sftp.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

michael600
Posts: 8
Joined: 2017/10/08 03:09:45

Re: SFTP tunnel: su root blocked by pam: requirement "uid >= 1000" not met

Post by michael600 » 2017/11/26 08:00:02

I'm pretty sure you cannot sudo via sftp.
no, I've been successfully doing this for a long time via the tunneling option in winscp. But it's not working with centos 7 as the destination OS.
Have experimented and changed the following line in
/etc/pam.d/password-auth-ac
to:

Code:

auth        requisite     pam_succeed_if.so uid >= 0 quiet_success
(i.e. from 'auth requisite pam_succeed_if.so uid >= 1000 quiet_success'. Note I restarted ssh.)
which removed the 'uid 1000' error message from the logs but the 'failed password' message remains in the /var/messages/secure log.
No idea what the problem is

michael600
Posts: 8
Joined: 2017/10/08 03:09:45

Re: SFTP tunnel: su root blocked by pam: requirement "uid >= 1000" not met

Post by michael600 » 2017/11/28 10:29:18

maybe this is a clue?
Using Putty, I can ssh in remotely via a non-root user and then, from the same session:
1. successfully su root
2. but cannot ssh root@127.0.0.1, the message is:

Code:

debug3: remaining preferred: ,password
debug3: authmethod_is_enabled password
debug1: Next authentication method: password
root@127.0.0.1's password:
debug3: send packet: type 50
debug2: we sent a password packet, wait for reply
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
Permission denied, please try again.
I suppose when 'ssh'ing from within Putty you're using the destination ssh binary, vs su -root where you're sending commands from the putty binary?
Or is this something to do with the pam.d rules?

lightman47
Posts: 1522
Joined: 2014/05/21 20:16:00
Location: Central New York, USA

Re: SFTP tunnel: su root blocked by pam: requirement "uid >= 1000" not met

Post by lightman47 » 2017/11/29 13:04:55

The preferred method is what you are doing - connect as an ordinary user then change users once successful. This is to keep all the 'bots', etc. from gaining access as root. (See /var/log/secure - root is the most attempted account). After all, the odds of correctly guessing both a username and then its password are, well ...


michael600
Posts: 8
Joined: 2017/10/08 03:09:45

Re: SFTP tunnel: su root blocked by pam: requirement "uid >= 1000" not met

Post by michael600 » 2017/11/30 23:09:10

Have not got an answer re the pam config but have a workaround.

Put the designated non-root user ('username' in the example below) into the sudoers file, i.e. /etc/sudoers. You have to specify the location of the sftp-server binary. You edit /etc/sudoers via the visudo command line editor, as root:

Code:

username ALL=(ALL)	NOPASSWD: /usr/libexec/openssh/sftp-server
i.e. 'username' can run commands as any user (the first ALL) on any host (if there is more than one PC on the network, i.e. the second ALL) without a password but ONLY for sftp-server
(refer https://winscp.net/eng/docs/faq_su)

If using winscp as your sftp program, make the following changes
(refer https://forums.cpanel.net/threads/winsc ... udo.334882)
In WinSCP for the session of the particular user:
Environment -> SFTP [Protocol Options] - SFTP server:

Code:

/usr/bin/sudo -s /usr/libexec/openssh/sftp-server
Environment -> SCP/Shell [Shell] - Shell:

Code:

/usr/bin/sudo su
