PAM super no stick....

Support for security such as Firewalls and securing linux
Post Reply
Boyd.ako
Posts: 46
Joined: 2016/06/22 08:49:07
Location: Honolulu, HI
Contact:

PAM super no stick....

Post by Boyd.ako » 2019/07/18 08:52:55

So I'm having an issue with a RHEL thing at work that's going to be a big issue....

In the process of troubleshooting a RHEL IDM/FreeIPA client issue, something apparently happened to what I think is a PAM thing. Apparently, using the console TTY (not the GDM GUI) I can log into the root account and other accounts without getting prompted for a password or anything. If I use the GDM GUI TTY to login I do get prompted for the passwords and what not. The only thing I can imagine is that it has something to do with using `authconfig` because the IPA advise script to enable smartcard login has `authconfig --enablesssd --enablesssdauth --enablesmartcard --smartcardmodule=sssd --smartcardaction=1 --updateall`. The only other things is editing the sssd.conf file to change the SSSD certificicate policy to not check OCSP and adding kerberos and p11_child timeouts.

I'm no PAM file guru... But I'm pretty sure I'm missing an "auth require" something or other. I just don't know what.

Below is my PAM files...

Code: Select all

===== /etc/pam.d/config-util =====
#%PAM-1.0
auth		sufficient	pam_rootok.so
auth		sufficient	pam_timestamp.so
auth		include		system-auth
account		required	pam_permit.so
session		required	pam_permit.so
session		optional	pam_xauth.so
session		optional	pam_timestamp.so


===== /etc/pam.d/postlogin-ac =====
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.


session     [success=1 default=ignore] pam_succeed_if.so service !~ gdm* service !~ su* quiet
session     [default=1]   pam_lastlog.so nowtmp showfailed
session     optional      pam_lastlog.so silent noupdate showfailed


===== /etc/pam.d/other =====
#%PAM-1.0
auth     required       pam_deny.so
account  required       pam_deny.so
password required       pam_deny.so
session  required       pam_deny.so


===== /etc/pam.d/smartcard-auth-ac =====
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        required      pam_faillock.so preauth silent deny=3  fail_interval=900 even_deny_root
auth        sufficient    pam_sss.so allow_missing_name
auth        optional      pam_krb5.so use_first_pass no_subsequent_prompt
auth        sufficient    pam_permit.so
auth        required      pam_faillock.so authfail deny=3  fail_interval=900 even_deny_root
auth        required      pam_deny.so

account     required      pam_faillock.so
account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     [default=bad success=ok auth_err=ignore user_unknown=ignore ignore=ignore] pam_krb5.so
account     required      pam_permit.so


session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session     optional      pam_systemd.so
session     optional      pam_oddjob_mkhomedir.so umask=0077
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so
session     optional      pam_krb5.so


===== /etc/pam.d/sudo =====
#%PAM-1.0
auth sufficient pam_pkcs11.so

auth       include      system-auth
account    include      system-auth
password   include      system-auth
session    optional     pam_keyinit.so revoke
session    required     pam_limits.so


===== /etc/pam.d/kcheckpass =====
#%PAM-1.0
auth       include	system-auth
account    include	system-auth
password   include	system-auth
session    include	system-auth


===== /etc/pam.d/kscreensaver =====
#%PAM-1.0
auth       include	system-auth
account    include	system-auth
password   include	system-auth
session    include	system-auth


===== /etc/pam.d/ksu =====
#%PAM-1.0
auth    include  su
account include  su
session include  su


===== /etc/pam.d/passwd =====
#%PAM-1.0
auth       include	system-auth
account    include	system-auth
password   substack	system-auth
-password   optional	pam_gnome_keyring.so use_authtok
password   substack	postlogin

password	required	pam_pwquality.so retry=3


===== /etc/pam.d/chfn =====
#%PAM-1.0
auth       sufficient   pam_rootok.so
auth       include      system-auth
account    include      system-auth
password   include      system-auth
session    include      system-auth


===== /etc/pam.d/chsh =====
#%PAM-1.0
auth       sufficient   pam_rootok.so
auth       include      system-auth
account    include      system-auth
password   include      system-auth
session    include      system-auth


===== /etc/pam.d/login =====
#%PAM-1.0
auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
auth       substack     system-auth
auth       include      postlogin
account    required     pam_nologin.so
account    include      system-auth
password   include      system-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
session    optional     pam_console.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open
session    required     pam_namespace.so
session    optional     pam_keyinit.so force revoke
session    include      system-auth
session    include      postlogin
-session   optional     pam_ck_connector.so


===== /etc/pam.d/remote =====
#%PAM-1.0
auth       required     pam_securetty.so
auth       substack     password-auth
auth       include      postlogin
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open
session    required     pam_namespace.so
session    optional     pam_keyinit.so force revoke
session    include      password-auth
session    include      postlogin


===== /etc/pam.d/runuser =====
#%PAM-1.0
auth		sufficient	pam_rootok.so
session		optional	pam_keyinit.so revoke
session		required	pam_limits.so
session		required	pam_unix.so


===== /etc/pam.d/runuser-l =====
#%PAM-1.0
auth		include		runuser
session		optional	pam_keyinit.so force revoke
-session	optional	pam_systemd.so
session		include		runuser


===== /etc/pam.d/su =====
#%PAM-1.0
auth		sufficient	pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth		sufficient	pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
#auth		required	pam_wheel.so use_uid
auth		substack	system-auth
auth		include		postlogin
account		sufficient	pam_succeed_if.so uid = 0 use_uid quiet
account		include		system-auth
password	include		system-auth
session		include		system-auth
session		include		postlogin
session		optional	pam_xauth.so


===== /etc/pam.d/su-l =====
#%PAM-1.0
auth		include		su
account		include		su
password	include		su
session		optional	pam_keyinit.so force revoke
session		include		su


===== /etc/pam.d/newrole =====
#%PAM-1.0
auth       include	system-auth
account    include	system-auth
password   include	system-auth
session    required	pam_namespace.so unmnt_remnt no_unmount_on_close


===== /etc/pam.d/systemd-user =====
# This file is part of systemd.
#
# Used by systemd --user instances.

account  include system-auth
session  include system-auth


===== /etc/pam.d/polkit-1 =====
#%PAM-1.0

auth       include      system-auth
account    include      system-auth
password   include      system-auth
session    include      system-auth


===== /etc/pam.d/xserver =====
#%PAM-1.0
auth       sufficient	pam_rootok.so
auth       required	pam_console.so
account    required	pam_permit.so
session    optional	pam_keyinit.so force revoke


===== /etc/pam.d/crond =====
#
# The PAM configuration file for the cron daemon
#
#
# No PAM authentication called, auth modules not needed
account    required   pam_access.so
account    include    password-auth
session    required   pam_loginuid.so
session    include    password-auth
auth       include    password-auth


===== /etc/pam.d/ppp =====
#%PAM-1.0
auth       include	password-auth
account    required	pam_nologin.so
account    include	password-auth
session    include	password-auth


===== /etc/pam.d/cups =====
#%PAM-1.0
# Use password-auth common PAM configuration for the daemon
auth        include     password-auth
account     include     password-auth


===== /etc/pam.d/rhn_register =====
#%PAM-1.0
auth		include		config-util
account		include		config-util
session		include		config-util


===== /etc/pam.d/subscription-manager =====
#%PAM-1.0
auth		include		config-util
account		include		config-util
session		include		config-util


===== /etc/pam.d/pluto =====
#%PAM-1.0
# Regular System auth
auth include system-auth
#
# Google Authenticator with Regular System auth in combined prompt mode
# (OTP is added to the password at the password prompt without separator)
# auth required pam_google_authenticator.so forward_pass
# auth include system-auth use_first_pass
#
# Common
account required pam_nologin.so
account include system-auth
password include system-auth
session optional pam_keyinit.so force revoke
session include system-auth
session required pam_loginuid.so


===== /etc/pam.d/vmtoolsd =====
#%PAM-1.0
auth       required         pam_shells.so
auth       sufficient       pam_unix.so shadow
auth       required         pam_unix_auth.so shadow
account    required         pam_shells.so
account    sufficient       pam_unix.so
account    required         pam_unix_acct.so


===== /etc/pam.d/sssd-shadowutils =====
#%PAM-1.0
auth        [success=done ignore=ignore default=die] pam_unix.so nullok try_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so
account     required      pam_permit.so


===== /etc/pam.d/gdm-autologin =====
#%PAM-1.0
auth       required    pam_env.so
auth       required    pam_permit.so
auth       include     postlogin
account    required    pam_nologin.so
account    include     system-auth
password   include     system-auth
session    required    pam_selinux.so close
session    required    pam_loginuid.so
session    optional    pam_console.so
session    required    pam_selinux.so open
session    optional    pam_keyinit.so force revoke
session    required    pam_namespace.so
session    include     system-auth
session    include     postlogin


===== /etc/pam.d/gdm-fingerprint =====
auth        substack      fingerprint-auth
auth        include       postlogin

account     required      pam_nologin.so
account     include       fingerprint-auth

password    include       fingerprint-auth

session     required      pam_selinux.so close
session     required      pam_loginuid.so
session     optional      pam_console.so
session     required      pam_selinux.so open
session     optional      pam_keyinit.so force revoke
session     required      pam_namespace.so
session     include       fingerprint-auth
session     include       postlogin


===== /etc/pam.d/gdm-launch-environment =====
#%PAM-1.0
auth       required    pam_env.so
auth       required    pam_permit.so
auth       include     postlogin
account    required    pam_permit.so
password   required    pam_permit.so
session    optional    pam_keyinit.so force revoke
session    include     system-auth
session    include     postlogin


===== /etc/pam.d/gdm-password =====
auth     [success=done ignore=ignore default=bad] pam_selinux_permit.so
auth        substack      password-auth
auth        optional      pam_gnome_keyring.so
auth        include       postlogin

account     required      pam_nologin.so
account     include       password-auth

password    substack       password-auth
-password   optional       pam_gnome_keyring.so use_authtok

session     required      pam_selinux.so close
session     required      pam_loginuid.so
session     optional      pam_console.so
session     required      pam_selinux.so open
session     optional      pam_keyinit.so force revoke
session     required      pam_namespace.so
session     include       password-auth
session     optional      pam_gnome_keyring.so auto_start
session     include       postlogin


===== /etc/pam.d/gdm-pin =====
auth     [success=done ignore=ignore default=bad] pam_selinux_permit.so
auth        requisite     pam_pin.so
auth        substack      password-auth
auth        optional      pam_gnome_keyring.so
auth        include       postlogin

account     required      pam_nologin.so
account     include       password-auth

password    include       password-auth
password    optional      pam_pin.so

session     required      pam_selinux.so close
session     required      pam_loginuid.so
session     optional      pam_console.so
session     required      pam_selinux.so open
session     optional      pam_keyinit.so force revoke
session     required      pam_namespace.so
session     include       password-auth
session     optional      pam_gnome_keyring.so auto_start
session     include       postlogin


===== /etc/pam.d/gdm-smartcard =====
auth        substack      smartcard-auth
auth        include       postlogin

account     required      pam_nologin.so
account     include       smartcard-auth

password    include       smartcard-auth

session     required      pam_selinux.so close
session     required      pam_loginuid.so
session     optional      pam_console.so
session     required      pam_selinux.so open
session     optional      pam_keyinit.so force revoke
session     required      pam_namespace.so
session     include       smartcard-auth
session     include       postlogin


===== /etc/pam.d/subscription-manager-gui =====
#%PAM-1.0
auth		include		config-util
account		include		config-util
session		include		config-util


===== /etc/pam.d/vlock =====
#%PAM-1.0
auth       include      system-auth
account    required     pam_permit.so


===== /etc/pam.d/liveinst =====
#%PAM-1.0
auth		include		config-util
account		include		config-util
session		include		config-util


===== /etc/pam.d/authconfig =====
#%PAM-1.0
auth		include		config-util
account		include		config-util
session		include		config-util


===== /etc/pam.d/authconfig-gtk =====
#%PAM-1.0
auth		include		config-util
account		include		config-util
session		include		config-util


===== /etc/pam.d/authconfig-tui =====
#%PAM-1.0
auth		include		config-util
account		include		config-util
session		include		config-util


===== /etc/pam.d/system-config-authentication =====
#%PAM-1.0
auth		include		config-util
account		include		config-util
session		include		config-util


===== /etc/pam.d/smtp.postfix =====
#%PAM-1.0
auth       include	password-auth
account    include	password-auth


===== /etc/pam.d/sshd =====
#%PAM-1.0
auth	   required	pam_sepermit.so
auth       substack     password-auth
auth       include      postlogin
# Used with polkit to reauthorize users in remote sessions
-auth      optional     pam_reauthorize.so prepare
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open env_params
session    required     pam_namespace.so
session    optional     pam_keyinit.so force revoke
session    include      password-auth
session    include      postlogin
# Used with polkit to reauthorize users in remote sessions
-session   optional     pam_reauthorize.so prepare


===== /etc/pam.d/atd =====
# The PAM configuration file for the at daemon
#
#
auth       required    pam_env.so
auth       include     password-auth
account    required    pam_access.so
account    include     password-auth
session    required    pam_loginuid.so
session    include     password-auth


===== /etc/pam.d/setup =====
#%PAM-1.0
auth       sufficient	pam_rootok.so
auth       include	system-auth
account    required	pam_permit.so
session	   required	pam_permit.so


===== /etc/pam.d/screen =====
#%PAM-1.0
auth	include		system-auth


===== /etc/pam.d/sudo-i =====
#%PAM-1.0
auth       include      sudo
account    include      sudo
password   include      sudo
session    optional     pam_keyinit.so force revoke
session    required     pam_limits.so
session    include      sudo


===== /etc/pam.d/system-auth-ac =====
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        required      pam_faildelay.so delay=2000000
auth        required      pam_faillock.so preauth silent deny=3  fail_interval=900 even_deny_root
auth        optional      pam_krb5.so use_first_pass no_subsequent_prompt
auth        sufficient    pam_permit.so
auth        [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet
auth        [default=1 ignore=ignore success=ok] pam_localuser.so
auth        sufficient    pam_unix.so try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        sufficient    pam_sss.so forward_pass
auth        sufficient    pam_krb5.so use_first_pass
auth        required      pam_faillock.so authfail deny=3  fail_interval=900 even_deny_root
auth        required      pam_deny.so

account     required      pam_faillock.so
account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     [default=bad success=ok auth_err=ignore user_unknown=ignore ignore=ignore] pam_krb5.so
account     required      pam_permit.so

password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password    sufficient    pam_unix.so sha512 shadow try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    sufficient    pam_krb5.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session     optional      pam_systemd.so
session     optional      pam_oddjob_mkhomedir.so umask=0077
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so
session     optional      pam_krb5.so


===== /etc/pam.d/password-auth-ac =====
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        required      pam_faildelay.so delay=2000000
auth        required      pam_faillock.so preauth silent deny=3  fail_interval=900 even_deny_root
auth        [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet
auth        [default=1 ignore=ignore success=ok] pam_localuser.so
auth        sufficient    pam_unix.so try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        sufficient    pam_sss.so forward_pass
auth        sufficient    pam_krb5.so use_first_pass
auth        required      pam_deny.so

account     required      pam_faillock.so
account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     [default=bad success=ok auth_err=ignore user_unknown=ignore ignore=ignore] pam_krb5.so
account     required      pam_permit.so

password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password    sufficient    pam_unix.so sha512 shadow try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    sufficient    pam_krb5.so use_authtok

auth        required      pam_faillock.so authfail deny=3  fail_interval=900 even_deny_root

password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session     optional      pam_systemd.so
session     optional      pam_oddjob_mkhomedir.so umask=0077
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so
session     optional      pam_krb5.so


===== /etc/pam.d/fingerprint-auth-ac =====
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        required      pam_faillock.so preauth silent deny=3  fail_interval=900 even_deny_root
auth        sufficient    pam_fprintd.so
auth        required      pam_faillock.so authfail deny=3  fail_interval=900 even_deny_root
auth        required      pam_deny.so

account     required      pam_faillock.so
account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     [default=bad success=ok auth_err=ignore user_unknown=ignore ignore=ignore] pam_krb5.so
account     required      pam_permit.so

password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session     optional      pam_systemd.so
session     optional      pam_oddjob_mkhomedir.so umask=0077
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so
session     optional      pam_krb5.so


===== /etc/pam.d/scc_root =====
# PAM configuration to run SCAP Compliance Checker as 'root'

auth            include         config-util
account         include         config-util
session         include         config-util


===== /etc/pam.d/nails =====
#%PAM-1.0
auth       substack     system-auth
auth       include      postlogin


===== /etc/pam.d/sudo.rpmnew =====
#%PAM-1.0
auth       include      system-auth
account    include      system-auth
password   include      system-auth
session    optional     pam_keyinit.so revoke
session    required     pam_limits.so
session    include      system-auth

My noob level: LPIC-2, Sec+ CE, Linux+
https://boydhanaleiako.me

Post Reply