How To Disable PAM Authentication for SUDO
Hello again,
So I've just upgraded one of my systems and want to keep the old system around for a little bit in case of some unforeseen disaster (missing/corrupt file, program not working, missing config file, etc.). My systems use PAM ldap authentication for logging in via ssh and using sudo. One thing to note: I didn't set this up, I was handed the upgrade halfway through and do not have much experience configuring PAM. On the old system, it is no longer necessary to use PAM as the only person logging in would be me with my local account. Also, since I changed its IP address, it can't actually even get to the ldap server to authenticate due to a firewall rule. I was able to disable SSH PAM ldap authentication (setting 'UsePAM no' in sshd_config), but I can't find out where to stop sudo from using it. This is what it looks like when I try to sudo:
Code:
[user@host ~]$ sudo -s
I tried commenting out the lines in /etc/pam.d/sudo but that didn't work in a slightly different way:
Code:
[user@host ~]$ sudo -s
So, sure, I could just run su - to get to root on the old system if needed, but now it's bothering me that I can't get it to stop trying to authorize over PAM when I run the sudo -s command. I would like to know how to fix it for my own knowledge. Anyone do this before? Thanks in advance. |
You don't say what distro you are using, but you might find the relevant configuration in /etc/pam.d/sudo |
If this server isn't supposed to use PAM at all, wouldn't the usual starting point be /etc/nsswitch.conf? |
The distro is Ubuntu. I've tried to add the following line in /etc/nsswitch.conf:
Code:
sudo : files |
@#5
I tried commenting out the line in the /etc/pam.d/sudo file. But that didn't work either, as described above. |
AFAIK, if sudo is built with PAM support, it will always use PAM for authentication. The only way I know to turn off the use of PAM is to recompile sudo with the --without-pam option. Changing the nsswitch options won't do anything; they simply determine how user names are looked up.
Your best bet here is to fix your PAM configuration so that it does not try to use LDAP for authentication. This can be done via pam-auth-update(8) on Ubuntu if you don't feel like mucking with the PAM config files directly. But, honestly, you should not be afraid to learn a little something about how PAM works. It's something a lot of admins don't know, but it can come in very, very handy when trying to configure how your box authenticates users. Like you, I avoided learning it for some time, but I've been digging into it a fair bit and it's surprisingly easy to use once you get the hang of it. |
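To see why editing /etc/pam.d/sudo alone did nothing for the original poster, it helps to resolve the stack sudo really loads: on Ubuntu that file mostly consists of "@include common-auth" style lines, and pam_ldap.so lives in the included file that pam-auth-update manages. The script below is an added example, not code from this thread or from Ubuntu; it follows "@include" lines, lists every module in the resulting stack, and reports whether pam_ldap.so is among them. The PAM files it reads are constructed samples written to a temporary directory (the LDAP-enabled layout and the local-only layout), so nothing under /etc is touched.

```shell
#!/bin/sh
# Added example, not from the thread. Resolves the PAM stack a service such
# as "sudo" loads by following "@include" lines, then reports whether
# pam_ldap.so appears anywhere in it. All PAM files below are constructed
# samples written to a temporary directory; nothing under /etc is read.

# pam_modules SERVICE PAMDIR
# Prints one module name (the word ending in .so) per stack line, recursing
# into "@include" files. The body runs in a subshell so variables and the
# positional parameters stay local on each recursive call.
pam_modules() (
    svc=$1; dir=$2
    set -f                                   # no globbing of words like "[success=1"
    [ -f "$dir/$svc" ] || { printf 'missing PAM file: %s\n' "$dir/$svc" >&2; exit 1; }
    while IFS= read -r line || [ -n "$line" ]; do
        set -- $line                         # split the line into words
        case "${1:-}" in
            ''|'#'*)  continue ;;            # blank line or comment
            @include) pam_modules "$2" "$dir" ;;
            *) for word in "$@"; do          # first field ending in .so is the module
                   case "$word" in *.so) printf '%s\n' "$word"; break ;; esac
               done ;;
        esac
    done < "$dir/$svc"
)

# pam_uses_ldap SERVICE PAMDIR -> exit status 0 if pam_ldap.so is in the stack
pam_uses_ldap() {
    pam_modules "$1" "$2" | grep -q '^pam_ldap\.so$'
}

# Constructed sample of the LDAP-enabled layout: the sudo file itself carries
# no LDAP line, the module arrives through the included common-auth.
write_ldap_sample() {
    cat > "$1/sudo" <<'EOF'
#%PAM-1.0
@include common-auth
@include common-account
session required pam_permit.so
EOF
    cat > "$1/common-auth" <<'EOF'
auth [success=2 default=ignore] pam_unix.so nullok_secure
auth [success=1 default=ignore] pam_ldap.so use_first_pass
auth requisite pam_deny.so
auth required pam_permit.so
EOF
    cat > "$1/common-account" <<'EOF'
account required pam_unix.so
account required pam_permit.so
EOF
}

# Local-only common-auth, the shape pam-auth-update writes once the LDAP
# profile is deselected. Note success=2 became success=1: the jump has to
# skip exactly the pam_deny.so line, so deleting the pam_ldap line by hand
# without adjusting the count would send a correct password into pam_deny.
write_local_sample() {
    write_ldap_sample "$1"
    cat > "$1/common-auth" <<'EOF'
auth [success=1 default=ignore] pam_unix.so nullok_secure
auth requisite pam_deny.so
auth required pam_permit.so
EOF
}

demo() {
    d=$(mktemp -d)
    write_ldap_sample "$d"
    printf 'resolved stack for sudo (LDAP sample):\n'; pam_modules sudo "$d"
    pam_uses_ldap sudo "$d" && printf 'sudo would consult pam_ldap.so\n'
    write_local_sample "$d"
    pam_uses_ldap sudo "$d" || printf 'after the fix: sudo is local-only\n'
    rm -rf "$d"
}
demo
```

Pointing pam_modules at a real directory (pam_modules sudo /etc/pam.d) shows the same thing for a live Ubuntu box: if pam_ldap.so is listed, it is being pulled in from common-auth or common-account, which is what pam-auth-update edits, not from the sudo file itself.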
Indeed, it's important to know that PAM is always used; it's the ldap bit that needs removing from the PAM setup.
http://www.enterprisenetworkingplane...-Linux-PAM.htm http://debian.securedservers.com/ker...x-PAM_SAG.html http://aplawrence.com/Basics/understandingpam.html |