.

I'm not concerned about my privacy as much as showing the world how to do something they may not know how to do. Its not exactly easy to find. Before I found it, I googled and googled 'terminal not requesting password' and the like to no avail.

The offending file was /etc/pam.d/system-auth which contained the line:

auth sufficient pam_permit.so

As follows:

auth required pam_env.so
auth sufficient pam_permit.so
auth sufficient pam_unix.so try_first_pass likeauth nullok
auth required pam_deny.so

account sufficient pam_unix.so
account required pam_deny.so

password required pam_cracklib.so try_first_pass retry=3 minlen=0 dcre
password sufficient pam_unix.so try_first_pass use_authtok nullok md5 sha
password required pam_deny.so

session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet
session required pam_unix.so


I wasn't in the office at the time to check but did later and it was okay.

Never heard of those programs and didn't know rpm could do that. Thanks for the tips. Will do.


Absolutely. I may be an ignorant administrator but I'm not so dumb that I don't realize it! I check my logs daily in case I messed up.

Understood, I'm changing to 0400.

I just can't get my head wrapped arount this. I'm running 3 services which would allow a public user access to my system; webmin, sshd and postfix. So they got in to smtpd and they could do what? Relay mail? What else could they possibly do with smtpd access? All my mail users have smtpd access and I dare say in a large system many of those with smtpd access can't be trusted anymore than a stranger to wander around a server. Sshd is running without password access so without an rsa key, all you get is a failed login. With fail2ban, all you get is 3 tries. The webmin log was intact. If I can believe the log, no one got in except me.

Anyway, I'm replacing server2 as we speak because its old and has some hardware issues developing. The new server, server4, will have Mandriva 2010 installed and I will carefully and selectively migrate configurations over one at a time after checking them. Server3, the one with the smtpd break-in, will be next, and I'll do the same.

ROTFL! Nice trick. (BTW, seems pam_succeed_if could be used that way too.) A GNU/Tiger patch for checking this (as these modules shouldn't precede pam_unix or be in the auth section anyway) would be cool.


Over the years I've learned that speculation certainly is an entertaining pastime but most of the time it doesn't lead anywhere practically speaking. I'd rather deal with cold hard evidence and data correlation. Do your any of your MTA users have local accounts? Which users accessed the system itself (checking from the time before the first symptoms appeared)? Have you checked their and root shell history files?


Congrats on your good choice!
* If you would like hardening advice I'd suggest opening a new thread.


Until you're done, if any accounts are shared between systems you might want to give those a wee bit extra TLC?..

look for "nullok" string in any file /etc/pam.d