LinuxQuestions.org
Old 08-02-2018, 05:28 AM   #1
r34per
LQ Newbie
Registered: Nov 2017
Posts: 6

pam_sss reporting false positives to /var/log/secure - PLEASE HELP!!!


Hi All,

I am wondering if anyone can help... well, I'm hoping someone can.

I currently have an issue where the pam_sss file is reporting false positives to /var/log/secure. The user1 account is a local account and as such is able to log in fine; however, pam_sss tries to authenticate the account even though I have set the 'quiet' and 'ignore_unknown_user' options and told pam_succeed_if.so to ignore users with UIDs over 500.

So far I have tried the following:

changing the flags to quiet and ignore_unknown_user
changing the stacking order

Nothing I have tried has stopped pam_sss from reporting false positives to the secure log. What am I doing wrong? Can anyone help???

I am currently on RHEL 7

The alert from the secure log:
Code:
server1 oninit: pam_sss(pam_informix:auth): authentication failure; logname= uid=12000 euid=0 tty= ruser=user1 rhost=hostserver1 user=user1
My pam_informix file:
Code:
auth        sufficient    pam_rhosts.so silent
auth        sufficient    pam_sss.so quiet
auth        required      pam_unix.so
account     required      pam_oddjob_mkhomedir.so
account     sufficient    pam_permit.so
My system-auth-ac file:
Code:
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_fprintd.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_sss.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     optional      pam_oddjob_mkhomedir.so umask=0077
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so
My password-auth-ac file:
Code:
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_sss.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     optional      pam_oddjob_mkhomedir.so umask=0077
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so
Any help will be greatly appreciated!!!
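The following is an added example and is not a configuration from the original post, from Red Hat or from Informix. The log line is tagged pam_sss(pam_informix:auth), so for this login only /etc/pam.d/pam_informix is consulted; the posted file does not include system-auth, so the uid >= 500 test in system-auth-ac and password-auth-ac never runs for it. (The uid=12000 euid=0 in that line describe the calling oninit process, not user1.) In the posted auth stack pam_sss.so is tried before pam_unix.so, so every local login is first rejected by pam_sss, and logged, before pam_unix accepts it. The rewrite below puts pam_unix first and then skips pam_sss for any account present in /etc/passwd, using pam_localuser.so with a [success=1 default=ignore] jump, so a local user's wrong password is also logged by pam_unix rather than pam_sss. pam_oddjob_mkhomedir.so implements only the session interface, so it is moved out of the account stack, which otherwise follows the RHEL 7 default pattern. Keeping pam_rhosts follows the post; whether it should stay is a separate question.

```text
#%PAM-1.0
# /etc/pam.d/pam_informix (corrected example, not the original post's file)
auth        sufficient    pam_rhosts.so silent
# Local accounts authenticate here and never reach pam_sss.
auth        sufficient    pam_unix.so try_first_pass
# Account is in /etc/passwd: jump over pam_sss so a bad local password is
# logged by pam_unix above, not by pam_sss.
auth        [success=1 default=ignore] pam_localuser.so
auth        sufficient    pam_sss.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so

# pam_oddjob_mkhomedir only provides a session interface.
session     required      pam_unix.so
session     optional      pam_oddjob_mkhomedir.so umask=0077
session     optional      pam_sss.so
```

With pam_unix first, an sssd-only account may instead produce a "user unknown" line from pam_unix; that is the order the posted system-auth-ac already uses for every other service, so it is the accepted trade-off. Verify by logging in once as user1 and once as an sssd account while running tail -f /var/log/secure: the pam_sss line for user1 should be gone, and the sssd account should still authenticate.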
 
Old 08-02-2018, 10:05 PM   #2
scasey
Senior Member
Registered: Feb 2013
Location: Tucson, AZ, USA
Distribution: CentOS 7.6
Posts: 3,629

Open a ticket with RedHat support?
 
Old 08-07-2018, 01:14 AM   #3
X-LFS-2010
Member
Registered: Apr 2016
Posts: 423

server1 oninit: pam_sss(pam_informix:auth): authentication failure; logname= uid=12000 euid=0 tty= ruser=user1 rhost=hostserver1 user=user1

-------------------------------

I'm rusty on PAM and haven't used Red Hat in a while (though I like it). PAM is modular. You can disable security altogether if you use the right settings, and log in with no password.

My best guess: if you want, just create a new user (a guest user) and use passwd(1) to set that no password is required (instead of having a user where a password is required and trying to disable reporting on it).


Did you get logged in? You didn't say, but indicated "yes". If you're logged in, your issue might be "logging level" or "debug level". That is: PAM might be reporting it all the time even though it allowed it, as a security precaution, and if you reduce the "logging level" you won't see the message.


Also (in old PAM anyway) there is more than one config directory to worry about (/etc/login.defs, /etc/pam/, /etc/securetty, /etc/security); the second is for PAM settings of device permissions, and perhaps a few more in /etc somewhere related to older Unix files (like /etc/login.defs: login is edited to support PAM login, possibly "exclusively").

You have to identify the "entry point" of the PAM config files (the first file read), modules (the very first module read), and the exit point (when PAM believes no more modules need be tried). You have to make sure you know what each module does. The PAM .conf files are read for this kind of login, meaning the entry point depends on how PAM is started (i.e., for cron, auth or session? For what?). If you can't, you have to disable passwords/auth in all of PAM by using only the dummy module, which you don't want to do.

I'd have to run the man(1) pages on your system to see which PAM file is read first, and the man pages on what the modules are for/do.

I have no idea if you're trying to log in as root or a normal user, remotely or locally, on a console or terminal.

I don't even know if you're trying to disable the password for an account or have some other objective.

I do re-suggest you consider creating a user for each purpose, if not for each app you run (that is not supposed to share memory), and remind you that it's simple as pie, when creating a user, to choose that the user doesn't need a password.

(You then want to go into /etc/securetty and limit this user to the console so you don't get remote logins.)

Last edited by X-LFS-2010; 08-07-2018 at 11:38 PM.
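The reply above asks which PAM file is the "entry point" for this login. The answer is already in the log line: the service name inside pam_sss(<service>:auth) is the file under /etc/pam.d that was consulted. Below is an added example, not code from the thread, that parses /var/log/secure text with POSIX sh and awk, names that file for every pam_sss auth failure, and flags failures for accounts that exist in /etc/passwd as local-user noise rather than real failures. The three log lines and the two passwd entries are constructed for the example (the first log line is the one from the post); it reads /etc/passwd as a file rather than calling getent, because getent passwd itself resolves through sssd and would report every account as known.

```shell
#!/bin/sh
# Added example (not from the thread): triage pam_sss auth failures in
# /var/log/secure text. Both inputs below are constructed for this demo;
# the first log line is the one quoted in the post.
SAMPLE_LOG='Aug  2 05:20:01 server1 oninit: pam_sss(pam_informix:auth): authentication failure; logname= uid=12000 euid=0 tty= ruser=user1 rhost=hostserver1 user=user1
Aug  2 05:21:13 server1 sshd[4321]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.5 user=jdoe
Aug  2 05:22:40 server1 sshd[4355]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.9 user=root'

# Constructed /etc/passwd excerpt. Read the file, not "getent passwd":
# getent resolves through sssd too and would call every account local.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
user1:x:12000:12000:Informix local user:/home/user1:/bin/bash'

# triage_pam_sss LOGTEXT PASSWDTEXT
# For each pam_sss auth failure, print one line:
#   <LOCAL-USER-NOISE|REMOTE-USER-FAILURE> service=<svc> user=<u> file=/etc/pam.d/<svc>
# The service inside "pam_sss(<svc>:auth)" names the PAM file that was
# actually consulted; edits to system-auth-ac do nothing for a service
# file that does not include it.
triage_pam_sss() {
    printf '%s\n' "$1" | awk -v passwd="$2" '
    BEGIN {
        n = split(passwd, lines, "\n")
        for (i = 1; i <= n; i++) { split(lines[i], f, ":"); if (f[1] != "") local[f[1]] = 1 }
    }
    /pam_sss\([^)]*:auth\): authentication failure/ {
        # service name sits between "pam_sss(" and the ":" before "auth)"
        match($0, /pam_sss\([^:)]*:/)
        svc = substr($0, RSTART + 8, RLENGTH - 9)
        user = ""
        for (i = 1; i <= NF; i++) if ($i ~ /^user=/) user = substr($i, 6)
        kind = (user in local) ? "LOCAL-USER-NOISE" : "REMOTE-USER-FAILURE"
        printf "%s service=%s user=%s file=/etc/pam.d/%s\n", kind, svc, user, svc
    }'
}

# Stand-alone run on the constructed data; on a real host use
#   triage_pam_sss "$(cat /var/log/secure)" "$(cat /etc/passwd)"
triage_pam_sss "$SAMPLE_LOG" "$SAMPLE_PASSWD"
```

On the constructed input this prints two lines: the informix failure for user1 is tagged LOCAL-USER-NOISE and points at /etc/pam.d/pam_informix, the sshd failure for jdoe is tagged REMOTE-USER-FAILURE, and the pam_unix line is ignored. The local/remote split is only as good as the passwd file you feed it; on a host where local accounts also exist in the directory it is a hint, not a verdict.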
 
Old 08-07-2018, 11:46 PM   #4
X-LFS-2010
Member
Registered: Apr 2016
Posts: 423

That's all "the old way to do it".

I'm unsure, with your Linux, if you want to be editing your PAM files that way. You may want to use your desktop tools. I have no idea if you have an Active Directory (NIS, LDAP) enabled and should be using it.

If I want to change the world on how passwords work on an Apple, I'm going into Settings -> Sharing -> Properties and using a property sheet editor to edit NIS settings; PAM is in there somewhere, and there are more settings than I can shake a stick at. Apple releases directions on how to do about anything users usually want.

Here's the rundown I just described:

https://support.apple.com/en-us/HT204012