Able to Locally Login as Root with ANY password??

ECRocker · 01-26-2010, 11:02 AM

From logs:

Code:

Jan 26 12:04:51 JokerFish login: pam_unix(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=tty3 ruser= rhost=  user=root
Jan 26 12:04:51 JokerFish login: pam_krb5[2528]: configured realm 'CHESAPEAKEBAY.NET'
Jan 26 12:04:51 JokerFish login: pam_krb5[2528]: flags: forwardable
Jan 26 12:04:51 JokerFish login: pam_krb5[2528]: flag: no ignore_afs
Jan 26 12:04:51 JokerFish login: pam_krb5[2528]: flag: user_check
Jan 26 12:04:51 JokerFish login: pam_krb5[2528]: flag: no krb4_convert
Jan 26 12:04:51 JokerFish login: pam_krb5[2528]: flag: krb4_convert_524
Jan 26 12:04:51 JokerFish login: pam_krb5[2528]: flag: krb4_use_as_req
Jan 26 12:04:51 JokerFish login: pam_krb5[2528]: will try previously set password first
Jan 26 12:04:51 JokerFish login: pam_krb5[2528]: will let libkrb5 ask questions
Jan 26 12:04:51 JokerFish login: pam_krb5[2528]: flag: no use_shmem
Jan 26 12:04:51 JokerFish login: pam_krb5[2528]: flag: no external
Jan 26 12:04:51 JokerFish login: pam_krb5[2528]: flag: warn
Jan 26 12:04:51 JokerFish login: pam_krb5[2528]: ticket lifetime: 36000
Jan 26 12:04:51 JokerFish login: pam_krb5[2528]: renewable lifetime: 36000
Jan 26 12:04:51 JokerFish login: pam_krb5[2528]: minimum uid: 600
Jan 26 12:04:51 JokerFish login: pam_krb5[2528]: banner: Kerberos 5
Jan 26 12:04:51 JokerFish login: pam_krb5[2528]: ccache dir: /tmp
Jan 26 12:04:51 JokerFish login: pam_krb5[2528]: keytab: FILE:/etc/krb5.keytab
Jan 26 12:04:51 JokerFish login: pam_krb5[2528]: called to authenticate 'root', realm 'CHESAPEAKEBAY.NET'
Jan 26 12:04:51 JokerFish login: pam_krb5[2528]: authenticating 'root@CHESAPEAKEBAY.NET'
Jan 26 12:04:51 JokerFish login: pam_krb5[2528]: ignoring 'root' -- uid below minimum = 600
Jan 26 12:04:51 JokerFish login: pam_unix(login:session): session opened for user root by LOGIN(uid=0)
Jan 26 12:04:51 JokerFish login: pam_krb5[2528]: configured realm 'CHESAPEAKEBAY.NET'
Jan 26 12:04:51 JokerFish login: pam_krb5[2528]: flags: forwardable
Jan 26 12:04:51 JokerFish login: pam_krb5[2528]: flag: no ignore_afs
Jan 26 12:04:51 JokerFish login: pam_krb5[2528]: flag: user_check
Jan 26 12:04:51 JokerFish login: pam_krb5[2528]: flag: no krb4_convert
Jan 26 12:04:51 JokerFish login: pam_krb5[2528]: flag: krb4_convert_524
Jan 26 12:04:51 JokerFish login: pam_krb5[2528]: flag: krb4_use_as_req
Jan 26 12:04:51 JokerFish login: pam_krb5[2528]: will try previously set password first
Jan 26 12:04:51 JokerFish login: pam_krb5[2528]: will let libkrb5 ask questions
Jan 26 12:04:51 JokerFish login: pam_krb5[2528]: flag: no use_shmem
Jan 26 12:04:51 JokerFish login: pam_krb5[2528]: flag: no external
Jan 26 12:04:51 JokerFish login: pam_krb5[2528]: flag: warn
Jan 26 12:04:51 JokerFish login: pam_krb5[2528]: ticket lifetime: 36000
Jan 26 12:04:51 JokerFish login: pam_krb5[2528]: renewable lifetime: 36000
Jan 26 12:04:51 JokerFish login: pam_krb5[2528]: minimum uid: 600
Jan 26 12:04:51 JokerFish login: pam_krb5[2528]: banner: Kerberos 5
Jan 26 12:04:51 JokerFish login: pam_krb5[2528]: ccache dir: /tmp
Jan 26 12:04:51 JokerFish login: pam_krb5[2528]: keytab: FILE:/etc/krb5.keytab
Jan 26 12:04:51 JokerFish login: pam_krb5[2528]: ignoring 'root' -- uid below minimum = 600
Jan 26 12:04:51 JokerFish login: pam_krb5[2528]: pam_open_session returning 25 (The return value should be ignored by PAM dispatch)
Jan 26 12:04:51 JokerFish login: ROOT LOGIN ON tty3

ECRocker · 01-27-2010, 04:45 PM

Found it.

Code:

auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so

at the top of my /etc/pam.d/login file. This line caused all local users logging in at the console to be allowed access regardless what was in the system-auth file.

I ran into some issues after I commented that line out, but they aren't of any concern to this discussion.

Not too sure what those options mean, but it appears that it checks the securetty file, which lists the console, thus returns a "success" and fulfills the authentication requirements. I'm assuming (and will try to research it more tomorrow) that the "user_unknown=ignore" argument is why non-local users had to have a valid password because their Active Directory account was not known to the stack at this stage.