Strange PAM/sudo problem (SLES9)

chort · 04-20-2005, 12:54 PM

I installed SuSE Linux Enterprise Server 9 (RC5) and during the install I choose Blowfish for password hashing. I've had no problem authenticating to "login" or "sshd", but no matter what I do with sudo (yes, my user is in /etc/sudoers) it keeps saying "Sorry, try again".

Contents of /etc/pam.d/sudo (doesn't work) is simply:

Code:

#%PAM-1.0
auth     required       pam_unix2.so

Contents of /etc/pam.d/login (works):

Code:

#%PAM-1.0
auth requisite  pam_unix2.so    nullok     #set_secrpc
auth required   pam_securetty.so
auth required   pam_nologin.so
#auth    required       pam_homecheck.so
auth required   pam_env.so
auth required   pam_mail.so
account required        pam_unix2.so
password required       pam_pwcheck.so  nullok
password required       pam_unix2.so    nullok use_first_pass use_authtok
session required        pam_unix2.so    none     # debug or trace
session required        pam_limits.so

Conents of /etc/pam.d/sshd (works):

Code:

#%PAM-1.0
auth required   pam_unix2.so # set_secrpc
auth required   pam_nologin.so
auth required   pam_env.so
account required        pam_unix2.so
account required        pam_nologin.so
password required       pam_pwcheck.so
password required       pam_unix2.so    use_first_pass use_authtok
session required        pam_unix2.so    none     # trace or debug
session required        pam_limits.so
# Enable the following line to get resmgr support for
# ssh sessions (see /usr/share/doc/packages/resmgr/README.SuSE)
#session  optional      pam_resmgr.so fake_ttyname

And just for good measure, /etc/security/pam_pwcheck.conf:

Code:

password:       cracklib blowfish nullok use_cracklib

/etc/security/pam_unix2.conf:

Code:

auth:
account:
password:       blowfish
session:        none

So why this would work for login & sshd, but not sudo... I have no idea.

chort · 04-20-2005, 02:14 PM

The plot thickens... by using strace I was able to discover that it was looking for the root password, not the user's password. Next I'm going to try using the sudo parameter to change this back to using user password...

chort · 04-20-2005, 02:36 PM

Well I feel like a complete idiot. I had been scrolling down too far in the /etc/sudoers file and completely missed the fact that SuSE adds this by default:

Code:

# Defaults specification
Defaults targetpw    # ask for the password of the target user i.e. root
%users ALL=(ALL) ALL # WARNING! Only use this together with 'Defaults targetpw'!

Duuuuuh!

Commenting those two lines out (prefixing each with a '#') fixed the problem. Sigh.

robthky · 01-05-2006, 04:45 PM

mabboud123 · 02-01-2023, 07:20 PM

Thank you for posting this -- bitten by this default behaviour on a SLES 12-SP1 system.

To be honest, had never seen this default on other distros.

Again, thanks!

Michael