In the process of troubleshooting a RHEL IDM/FreeIPA client issue, something apparently happened to what I think is a PAM thing. Apparently, using the console TTY (not the GDM GUI) I can log into the root account and other accounts without getting prompted for a password or anything. If I use the GDM GUI TTY to login I do get prompted for the passwords and what not. The only thing I can imagine is that it has something to do with using `authconfig` because the IPA advise script to enable smartcard login has `authconfig --enablesssd --enablesssdauth --enablesmartcard --smartcardmodule=sssd --smartcardaction=1 --updateall`. The only other things is editing the sssd.conf file to change the SSSD certificicate policy to not check OCSP and adding kerberos and p11_child timeouts.
I'm no PAM file guru... But I'm pretty sure I'm missing an "auth require" something or other. I just don't know what.
Below is my PAM files...
Code: Select all
===== /etc/pam.d/config-util =====
#%PAM-1.0
auth sufficient pam_rootok.so
auth sufficient pam_timestamp.so
auth include system-auth
account required pam_permit.so
session required pam_permit.so
session optional pam_xauth.so
session optional pam_timestamp.so
===== /etc/pam.d/postlogin-ac =====
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
session [success=1 default=ignore] pam_succeed_if.so service !~ gdm* service !~ su* quiet
session [default=1] pam_lastlog.so nowtmp showfailed
session optional pam_lastlog.so silent noupdate showfailed
===== /etc/pam.d/other =====
#%PAM-1.0
auth required pam_deny.so
account required pam_deny.so
password required pam_deny.so
session required pam_deny.so
===== /etc/pam.d/smartcard-auth-ac =====
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth required pam_faillock.so preauth silent deny=3 fail_interval=900 even_deny_root
auth sufficient pam_sss.so allow_missing_name
auth optional pam_krb5.so use_first_pass no_subsequent_prompt
auth sufficient pam_permit.so
auth required pam_faillock.so authfail deny=3 fail_interval=900 even_deny_root
auth required pam_deny.so
account required pam_faillock.so
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 1000 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account [default=bad success=ok auth_err=ignore user_unknown=ignore ignore=ignore] pam_krb5.so
account required pam_permit.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session optional pam_oddjob_mkhomedir.so umask=0077
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_sss.so
session optional pam_krb5.so
===== /etc/pam.d/sudo =====
#%PAM-1.0
auth sufficient pam_pkcs11.so
auth include system-auth
account include system-auth
password include system-auth
session optional pam_keyinit.so revoke
session required pam_limits.so
===== /etc/pam.d/kcheckpass =====
#%PAM-1.0
auth include system-auth
account include system-auth
password include system-auth
session include system-auth
===== /etc/pam.d/kscreensaver =====
#%PAM-1.0
auth include system-auth
account include system-auth
password include system-auth
session include system-auth
===== /etc/pam.d/ksu =====
#%PAM-1.0
auth include su
account include su
session include su
===== /etc/pam.d/passwd =====
#%PAM-1.0
auth include system-auth
account include system-auth
password substack system-auth
-password optional pam_gnome_keyring.so use_authtok
password substack postlogin
password required pam_pwquality.so retry=3
===== /etc/pam.d/chfn =====
#%PAM-1.0
auth sufficient pam_rootok.so
auth include system-auth
account include system-auth
password include system-auth
session include system-auth
===== /etc/pam.d/chsh =====
#%PAM-1.0
auth sufficient pam_rootok.so
auth include system-auth
account include system-auth
password include system-auth
session include system-auth
===== /etc/pam.d/login =====
#%PAM-1.0
auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
auth substack system-auth
auth include postlogin
account required pam_nologin.so
account include system-auth
password include system-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so
session optional pam_console.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open
session required pam_namespace.so
session optional pam_keyinit.so force revoke
session include system-auth
session include postlogin
-session optional pam_ck_connector.so
===== /etc/pam.d/remote =====
#%PAM-1.0
auth required pam_securetty.so
auth substack password-auth
auth include postlogin
account required pam_nologin.so
account include password-auth
password include password-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open
session required pam_namespace.so
session optional pam_keyinit.so force revoke
session include password-auth
session include postlogin
===== /etc/pam.d/runuser =====
#%PAM-1.0
auth sufficient pam_rootok.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session required pam_unix.so
===== /etc/pam.d/runuser-l =====
#%PAM-1.0
auth include runuser
session optional pam_keyinit.so force revoke
-session optional pam_systemd.so
session include runuser
===== /etc/pam.d/su =====
#%PAM-1.0
auth sufficient pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth sufficient pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
#auth required pam_wheel.so use_uid
auth substack system-auth
auth include postlogin
account sufficient pam_succeed_if.so uid = 0 use_uid quiet
account include system-auth
password include system-auth
session include system-auth
session include postlogin
session optional pam_xauth.so
===== /etc/pam.d/su-l =====
#%PAM-1.0
auth include su
account include su
password include su
session optional pam_keyinit.so force revoke
session include su
===== /etc/pam.d/newrole =====
#%PAM-1.0
auth include system-auth
account include system-auth
password include system-auth
session required pam_namespace.so unmnt_remnt no_unmount_on_close
===== /etc/pam.d/systemd-user =====
# This file is part of systemd.
#
# Used by systemd --user instances.
account include system-auth
session include system-auth
===== /etc/pam.d/polkit-1 =====
#%PAM-1.0
auth include system-auth
account include system-auth
password include system-auth
session include system-auth
===== /etc/pam.d/xserver =====
#%PAM-1.0
auth sufficient pam_rootok.so
auth required pam_console.so
account required pam_permit.so
session optional pam_keyinit.so force revoke
===== /etc/pam.d/crond =====
#
# The PAM configuration file for the cron daemon
#
#
# No PAM authentication called, auth modules not needed
account required pam_access.so
account include password-auth
session required pam_loginuid.so
session include password-auth
auth include password-auth
===== /etc/pam.d/ppp =====
#%PAM-1.0
auth include password-auth
account required pam_nologin.so
account include password-auth
session include password-auth
===== /etc/pam.d/cups =====
#%PAM-1.0
# Use password-auth common PAM configuration for the daemon
auth include password-auth
account include password-auth
===== /etc/pam.d/rhn_register =====
#%PAM-1.0
auth include config-util
account include config-util
session include config-util
===== /etc/pam.d/subscription-manager =====
#%PAM-1.0
auth include config-util
account include config-util
session include config-util
===== /etc/pam.d/pluto =====
#%PAM-1.0
# Regular System auth
auth include system-auth
#
# Google Authenticator with Regular System auth in combined prompt mode
# (OTP is added to the password at the password prompt without separator)
# auth required pam_google_authenticator.so forward_pass
# auth include system-auth use_first_pass
#
# Common
account required pam_nologin.so
account include system-auth
password include system-auth
session optional pam_keyinit.so force revoke
session include system-auth
session required pam_loginuid.so
===== /etc/pam.d/vmtoolsd =====
#%PAM-1.0
auth required pam_shells.so
auth sufficient pam_unix.so shadow
auth required pam_unix_auth.so shadow
account required pam_shells.so
account sufficient pam_unix.so
account required pam_unix_acct.so
===== /etc/pam.d/sssd-shadowutils =====
#%PAM-1.0
auth [success=done ignore=ignore default=die] pam_unix.so nullok try_first_pass
auth required pam_deny.so
account required pam_unix.so
account required pam_permit.so
===== /etc/pam.d/gdm-autologin =====
#%PAM-1.0
auth required pam_env.so
auth required pam_permit.so
auth include postlogin
account required pam_nologin.so
account include system-auth
password include system-auth
session required pam_selinux.so close
session required pam_loginuid.so
session optional pam_console.so
session required pam_selinux.so open
session optional pam_keyinit.so force revoke
session required pam_namespace.so
session include system-auth
session include postlogin
===== /etc/pam.d/gdm-fingerprint =====
auth substack fingerprint-auth
auth include postlogin
account required pam_nologin.so
account include fingerprint-auth
password include fingerprint-auth
session required pam_selinux.so close
session required pam_loginuid.so
session optional pam_console.so
session required pam_selinux.so open
session optional pam_keyinit.so force revoke
session required pam_namespace.so
session include fingerprint-auth
session include postlogin
===== /etc/pam.d/gdm-launch-environment =====
#%PAM-1.0
auth required pam_env.so
auth required pam_permit.so
auth include postlogin
account required pam_permit.so
password required pam_permit.so
session optional pam_keyinit.so force revoke
session include system-auth
session include postlogin
===== /etc/pam.d/gdm-password =====
auth [success=done ignore=ignore default=bad] pam_selinux_permit.so
auth substack password-auth
auth optional pam_gnome_keyring.so
auth include postlogin
account required pam_nologin.so
account include password-auth
password substack password-auth
-password optional pam_gnome_keyring.so use_authtok
session required pam_selinux.so close
session required pam_loginuid.so
session optional pam_console.so
session required pam_selinux.so open
session optional pam_keyinit.so force revoke
session required pam_namespace.so
session include password-auth
session optional pam_gnome_keyring.so auto_start
session include postlogin
===== /etc/pam.d/gdm-pin =====
auth [success=done ignore=ignore default=bad] pam_selinux_permit.so
auth requisite pam_pin.so
auth substack password-auth
auth optional pam_gnome_keyring.so
auth include postlogin
account required pam_nologin.so
account include password-auth
password include password-auth
password optional pam_pin.so
session required pam_selinux.so close
session required pam_loginuid.so
session optional pam_console.so
session required pam_selinux.so open
session optional pam_keyinit.so force revoke
session required pam_namespace.so
session include password-auth
session optional pam_gnome_keyring.so auto_start
session include postlogin
===== /etc/pam.d/gdm-smartcard =====
auth substack smartcard-auth
auth include postlogin
account required pam_nologin.so
account include smartcard-auth
password include smartcard-auth
session required pam_selinux.so close
session required pam_loginuid.so
session optional pam_console.so
session required pam_selinux.so open
session optional pam_keyinit.so force revoke
session required pam_namespace.so
session include smartcard-auth
session include postlogin
===== /etc/pam.d/subscription-manager-gui =====
#%PAM-1.0
auth include config-util
account include config-util
session include config-util
===== /etc/pam.d/vlock =====
#%PAM-1.0
auth include system-auth
account required pam_permit.so
===== /etc/pam.d/liveinst =====
#%PAM-1.0
auth include config-util
account include config-util
session include config-util
===== /etc/pam.d/authconfig =====
#%PAM-1.0
auth include config-util
account include config-util
session include config-util
===== /etc/pam.d/authconfig-gtk =====
#%PAM-1.0
auth include config-util
account include config-util
session include config-util
===== /etc/pam.d/authconfig-tui =====
#%PAM-1.0
auth include config-util
account include config-util
session include config-util
===== /etc/pam.d/system-config-authentication =====
#%PAM-1.0
auth include config-util
account include config-util
session include config-util
===== /etc/pam.d/smtp.postfix =====
#%PAM-1.0
auth include password-auth
account include password-auth
===== /etc/pam.d/sshd =====
#%PAM-1.0
auth required pam_sepermit.so
auth substack password-auth
auth include postlogin
# Used with polkit to reauthorize users in remote sessions
-auth optional pam_reauthorize.so prepare
account required pam_nologin.so
account include password-auth
password include password-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open env_params
session required pam_namespace.so
session optional pam_keyinit.so force revoke
session include password-auth
session include postlogin
# Used with polkit to reauthorize users in remote sessions
-session optional pam_reauthorize.so prepare
===== /etc/pam.d/atd =====
# The PAM configuration file for the at daemon
#
#
auth required pam_env.so
auth include password-auth
account required pam_access.so
account include password-auth
session required pam_loginuid.so
session include password-auth
===== /etc/pam.d/setup =====
#%PAM-1.0
auth sufficient pam_rootok.so
auth include system-auth
account required pam_permit.so
session required pam_permit.so
===== /etc/pam.d/screen =====
#%PAM-1.0
auth include system-auth
===== /etc/pam.d/sudo-i =====
#%PAM-1.0
auth include sudo
account include sudo
password include sudo
session optional pam_keyinit.so force revoke
session required pam_limits.so
session include sudo
===== /etc/pam.d/system-auth-ac =====
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth required pam_faildelay.so delay=2000000
auth required pam_faillock.so preauth silent deny=3 fail_interval=900 even_deny_root
auth optional pam_krb5.so use_first_pass no_subsequent_prompt
auth sufficient pam_permit.so
auth [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet
auth [default=1 ignore=ignore success=ok] pam_localuser.so
auth sufficient pam_unix.so try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth sufficient pam_sss.so forward_pass
auth sufficient pam_krb5.so use_first_pass
auth required pam_faillock.so authfail deny=3 fail_interval=900 even_deny_root
auth required pam_deny.so
account required pam_faillock.so
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 1000 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account [default=bad success=ok auth_err=ignore user_unknown=ignore ignore=ignore] pam_krb5.so
account required pam_permit.so
password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok
password sufficient pam_sss.so use_authtok
password sufficient pam_krb5.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session optional pam_oddjob_mkhomedir.so umask=0077
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_sss.so
session optional pam_krb5.so
===== /etc/pam.d/password-auth-ac =====
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth required pam_faildelay.so delay=2000000
auth required pam_faillock.so preauth silent deny=3 fail_interval=900 even_deny_root
auth [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet
auth [default=1 ignore=ignore success=ok] pam_localuser.so
auth sufficient pam_unix.so try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth sufficient pam_sss.so forward_pass
auth sufficient pam_krb5.so use_first_pass
auth required pam_deny.so
account required pam_faillock.so
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 1000 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account [default=bad success=ok auth_err=ignore user_unknown=ignore ignore=ignore] pam_krb5.so
account required pam_permit.so
password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok
password sufficient pam_sss.so use_authtok
password sufficient pam_krb5.so use_authtok
auth required pam_faillock.so authfail deny=3 fail_interval=900 even_deny_root
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session optional pam_oddjob_mkhomedir.so umask=0077
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_sss.so
session optional pam_krb5.so
===== /etc/pam.d/fingerprint-auth-ac =====
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth required pam_faillock.so preauth silent deny=3 fail_interval=900 even_deny_root
auth sufficient pam_fprintd.so
auth required pam_faillock.so authfail deny=3 fail_interval=900 even_deny_root
auth required pam_deny.so
account required pam_faillock.so
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 1000 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account [default=bad success=ok auth_err=ignore user_unknown=ignore ignore=ignore] pam_krb5.so
account required pam_permit.so
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session optional pam_oddjob_mkhomedir.so umask=0077
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_sss.so
session optional pam_krb5.so
===== /etc/pam.d/scc_root =====
# PAM configuration to run SCAP Compliance Checker as 'root'
auth include config-util
account include config-util
session include config-util
===== /etc/pam.d/nails =====
#%PAM-1.0
auth substack system-auth
auth include postlogin
===== /etc/pam.d/sudo.rpmnew =====
#%PAM-1.0
auth include system-auth
account include system-auth
password include system-auth
session optional pam_keyinit.so revoke
session required pam_limits.so
session include system-auth