LinuxQuestions.org
Old 03-13-2013, 08:29 AM   #1
YankeePride13
Member
 
Registered: Aug 2012
Distribution: Ubuntu 10.04, CentOS 6.3, Windows 7
Posts: 262

Rep: Reputation: 55
How To Disable PAM Authentication for SUDO


Hello again,

So I've just upgraded one of my systems and want to keep the old system around for a little bit in case of some unforeseen disaster (missing/corrupt file, program not working, missing config file, etc.). My systems use PAM ldap authentication for logging in via ssh and using sudo.

One thing to note: I didn't set this up, I was handed the upgrade half way through and do not have much experience configuring PAM.

On the old system, it is no longer necessary to use PAM as the only person logging in would be me with my local account. Also, since I changed its IP address, it can't actually even get to the ldap server to authenticate due to a firewall rule. I was able to disable SSH PAM ldap authentication (setting 'UsePAM no' in sshd_config), but I can't find out where to stop sudo from using it.

This is what it looks like when I try to sudo:

Code:
[user@host ~]$ sudo -s
Password:
Sorry, try again.
Password:
Sorry, try again.
Password:
sudo: 2 incorrect password attempt

In between each password attempt, it hangs for 30 seconds (trying to contact the ldap server and can't).

I tried commenting out the lines in /etc/pam.d/sudo but that didn't work in a slightly different way:

Code:
[user@host ~]$ sudo -s
Sorry, try again.
Sorry, try again.
Sorry, try again.
sudo: 3 incorrect password attempts

As you can see, this time it didn't even prompt me for a password. As soon as I hit enter on the sudo -s command the output came to the screen without delay.

So, sure, I could just run su - to get to root on the old system if needed but now it's bothering me that I can't get it to stop trying to authorize over PAM when I run the sudo -s command. I would like to know how to fix it for my own knowledge.

Anyone do this before? Thanks in advance.
 
Old 03-13-2013, 08:34 AM   #2
TenTenths
Senior Member
 
Registered: Aug 2011
Location: Dublin
Distribution: Centos 5 / 6 / 7
Posts: 3,475

Rep: Reputation: 1553
You don't say what distro you are using, but you might find the relevant configuration in /etc/pam.d/sudo
 
Old 03-13-2013, 08:45 AM   #3
linosaurusroot
Member
 
Registered: Oct 2012
Distribution: OpenSuSE,RHEL,Fedora,OpenBSD
Posts: 982
Blog Entries: 2

Rep: Reputation: 244
If this server isn't supposed to use PAM at all wouldn't the usual starting point be /etc/nsswitch.conf ?
 
Old 03-13-2013, 08:49 AM   #4
YankeePride13
Member
 
Registered: Aug 2012
Distribution: Ubuntu 10.04, CentOS 6.3, Windows 7
Posts: 262

Original Poster
Rep: Reputation: 55
The distro is Ubuntu. I've tried to add the following line in /etc/nsswitch.conf :

Code:
sudo : files

But that too did not have an effect.
 
Old 03-13-2013, 08:50 AM   #5
TenTenths
Senior Member
 
Registered: Aug 2011
Location: Dublin
Distribution: Centos 5 / 6 / 7
Posts: 3,475

Rep: Reputation: 1553
Quote:
Originally Posted by linosaurusroot
If this server isn't supposed to use PAM at all wouldn't the usual starting point be /etc/nsswitch.conf ?

From what I read, I took it that the OP has only turned PAM off in the sshd config, hence pointing them in the direction of /etc/pam.d
 
Old 03-13-2013, 08:52 AM   #6
YankeePride13
Member
 
Registered: Aug 2012
Distribution: Ubuntu 10.04, CentOS 6.3, Windows 7
Posts: 262

Original Poster
Rep: Reputation: 55
@#5

I tried commenting out the line in the /etc/pam.d/sudo file. But that didn't work either, as described above.
 
Old 03-13-2013, 09:41 PM   #7
btmiller
Senior Member
 
Registered: May 2004
Location: In the DC 'burbs
Distribution: Arch, Scientific Linux, Debian, Ubuntu
Posts: 4,290

Rep: Reputation: 378
AFAIK, if sudo is built with PAM support, it will always use PAM for authentication. The only way I know to turn off the use of PAM is to recompile sudo with the --without-pam option. Changing the nsswitch options won't do anything, they simply determine how user names are looked up.

Your best bet here is to fix your PAM configuration so that it does not try to use LDAP for authentication. This can be done via pam-auth-update(8) on Ubuntu if you don't feel like mucking with the PAM config files directly. But, honestly, you should not be afraid to learn a little something about how PAM works. It's something a lot of admins don't know, but it can come in very, very handy when trying to configure how your box authenticates users. Like you, I avoided learning it for some time, but I've been digging into it a fair bit and it's surprisingly easy to use once you get the hang of it.
 
Old 03-14-2013, 12:35 AM   #8
chrism01
LQ Guru
 
Registered: Aug 2004
Location: Sydney
Distribution: Rocky 9.2
Posts: 18,359

Rep: Reputation: 2751
Indeed it's important to know that PAM is always used; it's the ldap bit that needs removing from the PAM setup.
http://www.enterprisenetworkingplane...-Linux-PAM.htm
http://debian.securedservers.com/ker...x-PAM_SAG.html
http://aplawrence.com/Basics/understandingpam.html
 
1 members found this post helpful.
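
Added example (not part of any post in this thread): a shell helper that follows the include chain from a PAM service file and lists every active line that loads pam_ldap, which is the part of the stack the last two replies say has to go. The function names and sample files are constructed, and the layout assumes an Ubuntu-style /etc/pam.d/sudo that pulls in common-auth and common-account via @include.

```sh
#!/bin/sh
# pam_ldap_lines DIR SERVICE
# Print "file:line: text" for every active line that loads pam_ldap in the
# stack SERVICE really uses, following "@include X" (Debian/Ubuntu) and
# "<type> include|substack X" (Red Hat style) references.
pam_ldap_lines() {
    dir=$1
    queue=$2
    seen=" "
    while [ -n "$queue" ]; do
        set -- $queue
        svc=$1
        shift
        queue=$*
        # skip files already visited so include loops terminate
        case "$seen" in *" $svc "*) continue ;; esac
        seen="$seen$svc "
        [ -r "$dir/$svc" ] || continue
        # report non-comment lines that reference pam_ldap
        awk -v f="$svc" '!/^[ \t]*#/ && /pam_ldap/ { print f ":" NR ": " $0 }' "$dir/$svc"
        # queue every file this one includes
        inc=$(awk '!/^[ \t]*#/ {
                 if ($1 == "@include") print $2
                 else if ($2 == "include" || $2 == "substack") print $3
             }' "$dir/$svc")
        queue=$(echo $queue $inc)
    done
}

# Constructed sample modelled on an Ubuntu layout; not the poster's real files.
demo() {
    d=$(mktemp -d)
    printf '%s\n' '@include common-auth' '@include common-account' > "$d/sudo"
    printf '%s\n' \
        'auth [success=2 default=ignore] pam_unix.so nullok_secure' \
        '#auth sufficient pam_ldap.so' \
        'auth [success=1 default=ignore] pam_ldap.so use_first_pass' \
        'auth requisite pam_deny.so' \
        'auth required pam_permit.so' > "$d/common-auth"
    printf '%s\n' \
        'account [success=1 default=ignore] pam_unix.so' \
        'account [success=1 default=ignore] pam_ldap.so' \
        'account requisite pam_deny.so' > "$d/common-account"
    pam_ldap_lines "$d" sudo
    rm -rf "$d"
}
demo
```

On a real host, `pam_ldap_lines /etc/pam.d sudo` shows which shared files still carry the LDAP module, so it is clear what pam-auth-update or a manual edit has to change.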
  

