LinuxQuestions.org
Support LQ: Use code LQ3 and save $3 on Domain Registration
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Server
User Name
Password
Linux - Server This forum is for the discussion of Linux Software used in a server related context.

Notices

Reply
 
Search this Thread
Old 03-13-2013, 08:29 AM   #1
YankeePride13
Member
 
Registered: Aug 2012
Distribution: Ubuntu 10.04, CentOS 6.3, Windows 7
Posts: 209

Rep: Reputation: 48
How To Disable PAM Authentication for SUDO


Hello again,

So I've just upgraded one of my systems and want to keep the old system around for a little bit in case of some unforseen disaster (missing/corrupt file, program not working, missing config file, etc.). My systems use PAM ldap authentication for logging in via ssh and using sudo.

One thing to note: I didn't set this up, I was handed the upgrade half way through and do not have much experience configuring PAM.

On the old system, it is no longer necessary to use PAM as the only person logging in would be me with my local account. Also, since I changed it's IP address, it can't actually even get to the ldap server to authenticate due to a firewall rule. I was able to disable SSH PAM ldap authentication (setting 'UsePAM no' in sshd_config), but I can't find out where to stop sudo from using it.

This is what it looks like when I try to sudo:

Code:
[user@host ~]$ sudo -s
Password:
Sorry, try again.
Password:
Sorry, try again.
Password:
sudo: 2 incorrect password attempt
In between each password attempt, it hangs for 30 seconds (trying to contact the ldap server and can't).

I tried commenting out the lines in /etc/pam.d/sudo but that didn't work in a slightly different way:

Code:
[user@host ~]$ sudo -s
Sorry, try again.
Sorry, try again.
Sorry, try again.
sudo: 3 incorrect password attempts
As you can see, this time it didn't even prompt me for a password. As soon as I hit enter on the sudo -s command the output came to the screen without delay.

So, sure, I could just run su - to get to root on the old system if needed but now it's bothering me that I can't get it to stop trying to authorize over PAM when I run the sudo -s command. I would like to know how to fix it for my own knowledge.

Anyone do this before? Thanks in advance.
 
Old 03-13-2013, 08:34 AM   #2
TenTenths
Senior Member
 
Registered: Aug 2011
Location: Dublin
Distribution: Centos 5 / 6
Posts: 1,449

Rep: Reputation: 438Reputation: 438Reputation: 438Reputation: 438Reputation: 438
You don't say what distro you are using, but you might find the relevant configuration in /etc/pam.d/sudo
 
Old 03-13-2013, 08:45 AM   #3
linosaurusroot
Member
 
Registered: Oct 2012
Distribution: OpenSuSE,RHEL,Fedora,OpenBSD
Posts: 761
Blog Entries: 2

Rep: Reputation: 197Reputation: 197
If this server isn't supposed to use PAM at all wouldn't the usual starting point be /etc/nsswitch.conf ?
 
Old 03-13-2013, 08:49 AM   #4
YankeePride13
Member
 
Registered: Aug 2012
Distribution: Ubuntu 10.04, CentOS 6.3, Windows 7
Posts: 209

Original Poster
Rep: Reputation: 48
The distro is Ubuntu. I've tried to add the following line in /etc/nsswitch.conf :

Code:
sudo : files
But that too did not have an effect.
 
Old 03-13-2013, 08:50 AM   #5
TenTenths
Senior Member
 
Registered: Aug 2011
Location: Dublin
Distribution: Centos 5 / 6
Posts: 1,449

Rep: Reputation: 438Reputation: 438Reputation: 438Reputation: 438Reputation: 438
Quote:
Originally Posted by linosaurusroot View Post
If this server isn't supposed to use PAM at all wouldn't the usual starting point be /etc/nsswitch.conf ?
From what I read, I took it that the OP has only turned PAM off in the sshd config, hence pointing them in the direction of /etc/pam.d
 
Old 03-13-2013, 08:52 AM   #6
YankeePride13
Member
 
Registered: Aug 2012
Distribution: Ubuntu 10.04, CentOS 6.3, Windows 7
Posts: 209

Original Poster
Rep: Reputation: 48
@#5

I tried commenting out the line in the /etc/pam.d/sudo file. But that didn't work either, as described above.
 
Old 03-13-2013, 09:41 PM   #7
btmiller
Senior Member
 
Registered: May 2004
Location: In the DC 'burbs
Distribution: Arch, Scientific Linux, Debian, Ubuntu
Posts: 4,082

Rep: Reputation: 299Reputation: 299Reputation: 299
AFAIK, if sudo is built with PAM support, it will always use PAM for authentication. The only way I know to turn off the use of PAM is to recompile sudo with the --without-pam option. Changing the nsswitch options won't do anything, they simple determine how user names are looked up.

Your best bet here is to fix your PAM configuration so that it does not try to use LDAP for authentication. This can be done via pam-auth-update(8) on Ubuntu if you don't feel like mucking with the PAM config files directly. But, honestly, you should not be afraid to learn a little something about how PAM works. It's something a lot of admins don't know, but it can come in very, very handy when trying to configure how your box authenticates users. Like you, I avoided learning it for some time, but I've been digging into it a fair bit and it's surprisingly easy to use once you get the hang of it.
 
Old 03-14-2013, 12:35 AM   #8
chrism01
Guru
 
Registered: Aug 2004
Location: Sydney
Distribution: Centos 6.5, Centos 5.10
Posts: 16,261

Rep: Reputation: 2028Reputation: 2028Reputation: 2028Reputation: 2028Reputation: 2028Reputation: 2028Reputation: 2028Reputation: 2028Reputation: 2028Reputation: 2028Reputation: 2028
Indeed its important to know that PAM is always used; its the ldap bit that needs removing from the PAM setup.
http://www.enterprisenetworkingplane...-Linux-PAM.htm
http://debian.securedservers.com/ker...x-PAM_SAG.html
http://aplawrence.com/Basics/understandingpam.html
 
1 members found this post helpful.
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Question about pam.d and sudo authentication SebbJ Linux - Software 3 07-09-2012 08:14 PM
PAM SU SUDO again Linux_Kidd Linux - Security 12 05-09-2012 09:32 AM
Authentication Issue su/sudo/pam Debian AusFreak Linux - Newbie 3 03-22-2010 08:21 AM
Running sudo with pam.d vwvr9 Linux - Security 2 05-05-2008 10:19 PM
Strange PAM/sudo problem (SLES9) chort Suse/Novell 3 01-05-2006 04:45 PM


All times are GMT -5. The time now is 10:34 AM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration