LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Newbie (https://www.linuxquestions.org/questions/linux-newbie-8/)
-   -   pam_sss reporting false positives to /var/log/secure - PLEASE HELP!!! (https://www.linuxquestions.org/questions/linux-newbie-8/pam_sss-reporting-false-positives-to-var-log-secure-please-help-4175635507/)

r34per 08-02-2018 05:28 AM

pam_sss reporting false positives to /var/log/secure - PLEASE HELP!!!
 
Hi All,

I am wondering if anyone can help...well i'm hoping someone can :)

I currently have an issue where the pam_sss file is reporting false positives to /var/log/secure. The user1 account is a local account and as such is able to log in fine however the pam_sss tries to authenticate the account even though I have set the 'quiet', 'ignore_unknown_user' and told pam_succeed_if.so to ignore users with uid's over 500.

So far I have tried to following:

changing the flags to quiet and ignore_unknown_user
changing the stacking order

Nothing I have tried has stopped pam_sss from reporting false positives to the secure log. What am i doing wrong? Can anyone help???

I am currently on RHEL 7

The alert from the secure log:
Code:

server1 oninit: pam_sss(pam_informix:auth): authentication failure; logname= uid=12000 euid=0 tty= ruser=user1 rhost=hostserver1 user=user1
My pam_informix file:
Code:

auth        sufficient    pam_rhosts.so silent
auth        sufficient    pam_sss.so quiet
auth        required      pam_unix.so
account    required      pam_oddjob_mkhomedir.so
account    sufficient    pam_permit.so

My system-auth-ac file:
Code:

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_fprintd.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite    pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_sss.so use_first_pass
auth        required      pam_deny.so

account    required      pam_unix.so broken_shadow
account    sufficient    pam_localuser.so
account    sufficient    pam_succeed_if.so uid < 500 quiet
account    [default=bad success=ok user_unknown=ignore] pam_sss.so
account    required      pam_permit.so

password    requisite    pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so

session    optional      pam_keyinit.so revoke
session    required      pam_limits.so
session    optional      pam_oddjob_mkhomedir.so umask=0077
session    [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session    required      pam_unix.so
session    optional      pam_sss.so

My password-auth-ac file:
Code:

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite    pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_sss.so use_first_pass
auth        required      pam_deny.so

account    required      pam_unix.so broken_shadow
account    sufficient    pam_localuser.so
account    sufficient    pam_succeed_if.so uid < 500 quiet
account    [default=bad success=ok user_unknown=ignore] pam_sss.so
account    required      pam_permit.so

password    requisite    pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so

session    optional      pam_keyinit.so revoke
session    required      pam_limits.so
session    optional      pam_oddjob_mkhomedir.so umask=0077
session    [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session    required      pam_unix.so
session    optional      pam_sss.so

Any help will be greatly appreciated!!!

scasey 08-02-2018 10:05 PM

Open a ticket with RedHat support?

X-LFS-2010 08-07-2018 01:14 AM

server1 oninit: pam_sss(pam_informix:auth): authentication failure; logname= uid=12000 euid=0 tty= ruser=user1 rhost=hostserver1 user=user1

-------------------------------

i'm rusty on pam and haven't used rehat in a while (though i like it). pam is modular. you can disable security altogether if you use the right settings, login with no password

my best guess: if you want, just create a new user (guest user) and use passwd(1) to set that no password is required (instead of having a user where password is required and trying to disable reporting on it)


did you get logged in? you didn't say but indicated "yes". if your logged in your issue might be "logging level" or "debug level". that is: pam might be reporting it all the time even though it allowed it as a security precaution, and that if you reduce the "logging level" you won't see the message.


also (in old pam anyway) there is more than one config directory to worry about (/etc/login.defs /etc/pam/, /etc/securetty /etc/security) the second is for pam settings of device permissions, and perhaps a few more in /etc somewhere related to older unix file (like /etc/login.defs login is edited to support pam login - possibly "exclusively").

you have to identify the "entry point" of pam config files (1st read file), modules (very first module read), exit point (when pam believes no more modules need be tried). you have to make sure you know what each modules does. the pam .conf files are read for this kind of login: meaning the entry point depends on how pam is started (ie, for cron auth or sessoin? for what?). if you can't, you have to disable passwords/auth in all of pam by using only the dummy module: which you don't want to do.

i'd have to run man(1) pages on your system to see what pam file is read first, and manpage upon what modules are for/do.

i have no idea if your trying to log in as root or a normal user, remotely or locally, on a console or terminal.

i don't even know if your trying to disable password for an account or some other objective.

i do re-suggest you consider creating a user for each purpose if not for each app you run (that is not supposed to share memory). and remind that it's simple as pie when creating a user to choose that the user doesn't need a password

(you then want to go in /etc/securetty and limit this user to console so you don't get remote logins)

X-LFS-2010 08-07-2018 11:46 PM

that's all "the old way to do it"

i'm unsure with your linux if you want to be editing your pam files that way. you may want to use your desktop tools. i have no idea if you have an active directory (NIS, LDAP) enabled and should be using it.

if i want to change the world on how passwords work on an apple: i'm going into settings->sharing->properties and using a property sheet editor to edit NIS settings - and pam is in there somewheres, and there's more settings than i can shake a stick at. apple releases directions on how to do about anything users usually want.

here's the rundown i just described:

https://support.apple.com/en-us/HT204012


All times are GMT -5. The time now is 04:19 AM.