Hi all,
I am trying to ssh into my fc18 server as root and have the following message in syslog:
Mar 18 18:29:20 bwipropnew sshd[12473]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
I see this is defined in /etc/login.defs as well as various files in /etc/pam.d/. I know I'm not supposed to ssh as root, but I've configured sshd_config to only allow it from specific IPs and only with a key.
I'm just more curious why this error message is being produced? How does the system discern a system user from a regular user, other than by its UID being greater than 1000? It appears to only be a warning according to the pam.d files:
# grep 1000 password*
password-auth:auth        requisite   pam_succeed_if.so uid >= 1000 quiet_success
password-auth:account     sufficient  pam_succeed_if.so uid < 1000 quiet
password-auth-ac:auth     requisite   pam_succeed_if.so uid >= 1000 quiet_success
password-auth-ac:account  sufficient  pam_succeed_if.so uid < 1000 quiet
It seems sometimes I receive this error/warning while other times I don't, so I'm really not sure what effect this is having.
Is this part of the sssd security system? Where can I find more information about how this all works? Is this indeed only a warning at this point?
Thanks, Alex
On 03/18/2013 07:02 PM, Alex wrote:
I am trying to ssh into my fc18 server as root and have the following message in syslog:
Mar 18 18:29:20 bwipropnew sshd[12473]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
You'll see that after an auth failure for any account with uid < 1000:
Mar 18 23:11:47 vagabond unix_chkpwd[6076]: password check failed for user (root)
Mar 18 23:11:47 vagabond sshd[6073]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost user=root
Mar 18 23:11:47 vagabond sshd[6073]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
Mar 18 23:11:50 vagabond sshd[6073]: Failed password for root from ::1 port 51784 ssh2
The standard config looks like this:
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        required      pam_deny.so
pam_env sets or unsets environment variables and succeeds.
pam_unix will process the password provided. If the password is correct, this list will stop processing. If not...
pam_succeed_if will succeed for user accounts and then pass to pam_deny, which causes the authentication attempt to fail.
pam_succeed_if will fail immediately for system accounts, without using pam_deny.
If you're using LDAP or KRB5 authentication, it will appear in between those two lines. That authentication module (pam_sss normally) will be usable by users with uid >= 1000, but not by system user accounts.
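The log excerpt above shows the pattern the reply describes: the pam_succeed_if line is one of several messages sshd logs for a single failed password attempt, and it sits directly after the pam_unix failure for the same sshd pid. The following script is an added example, not code from the list or from any of the posters; it parses syslog-style sshd lines, groups them by pid and reports, per connection, whether a pam_succeed_if denial was preceded by a pam_unix failure and how sshd finally reported the attempt. The first four sample lines are the ones quoted above; the "Accepted publickey" line is constructed for the example so that a connection with no PAM auth messages at all is visible in the output.

```python
import re
from collections import OrderedDict

# Sample log: four lines quoted from the reply above plus one constructed
# "Accepted publickey" line (pid 6090, host 192.0.2.10 are made up).
SAMPLE_LOG = """\
Mar 18 23:11:47 vagabond unix_chkpwd[6076]: password check failed for user (root)
Mar 18 23:11:47 vagabond sshd[6073]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost user=root
Mar 18 23:11:47 vagabond sshd[6073]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
Mar 18 23:11:50 vagabond sshd[6073]: Failed password for root from ::1 port 51784 ssh2
Mar 18 23:12:02 vagabond sshd[6090]: Accepted publickey for root from 192.0.2.10 port 40112 ssh2
"""

# Classic syslog line: "<timestamp> <host> <prog>[<pid>]: <message>"
SYSLOG_RE = re.compile(r'^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) '
                       r'(?P<prog>[^\[\s]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$')
# pam_unix failure; "\buser=" skips the "ruser=" field and picks "user=<name>".
UNIX_FAIL_RE = re.compile(r'^pam_unix\(sshd:auth\): authentication failure;.*\buser=(?P<user>\S+)')
SUCCEED_IF_RE = re.compile(r'^pam_succeed_if\(sshd:auth\): requirement "(?P<req>[^"]+)" '
                           r'not met by user "(?P<user>[^"]+)"')
OUTCOME_RE = re.compile(r'^(?P<outcome>Failed password|Accepted (?:publickey|password)) '
                        r'for (?P<user>\S+) from (?P<rhost>\S+)')


def parse(log_text):
    """Yield (pid, message) for every sshd line; other programs (unix_chkpwd) are skipped."""
    for line in log_text.splitlines():
        m = SYSLOG_RE.match(line)
        if m and m.group("prog") == "sshd":
            yield m.group("pid"), m.group("msg")


def correlate(log_text):
    """Group sshd messages by pid and summarise each connection.

    succeed_if_after_unix_failure: the pam_succeed_if denial immediately followed
    a pam_unix failure in the same sshd process (the normal case from the thread).
    stray_succeed_if: a pam_succeed_if line with no pam_unix failure right before it,
    which would be worth a closer look.
    """
    sessions = OrderedDict()
    for pid, msg in parse(log_text):
        s = sessions.setdefault(pid, {"user": None, "pam_unix_failed": False,
                                      "succeed_if_after_unix_failure": False,
                                      "stray_succeed_if": False,
                                      "outcome": None, "last": None})
        if (m := UNIX_FAIL_RE.match(msg)):
            s["user"] = m.group("user")
            s["pam_unix_failed"] = True
        elif (m := SUCCEED_IF_RE.match(msg)):
            s["user"] = m.group("user")
            if s["last"] is not None and UNIX_FAIL_RE.match(s["last"]):
                s["succeed_if_after_unix_failure"] = True
            else:
                s["stray_succeed_if"] = True
        elif (m := OUTCOME_RE.match(msg)):
            s["user"] = m.group("user")
            s["outcome"] = m.group("outcome")
        s["last"] = msg
    return sessions


def report(sessions):
    """One human-readable line per sshd pid."""
    lines = []
    for pid, s in sessions.items():
        note = ("pam_succeed_if denial after pam_unix failure"
                if s["succeed_if_after_unix_failure"]
                else "pam_succeed_if without preceding pam_unix failure"
                if s["stray_succeed_if"]
                else "no PAM auth messages")
        lines.append(f"sshd[{pid}] user={s['user']} outcome={s['outcome']} ({note})")
    return lines


if __name__ == "__main__":
    for line in report(correlate(SAMPLE_LOG)):
        print(line)
```

Run it against a copy of /var/log/secure and the pid 6073 style entries will all show the denial paired with a pam_unix failure; a connection that authenticated with a key shows no pam_unix or pam_succeed_if messages at all, because the auth stack was never reached for it.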
Hi,
It appears that you're saying ssh as root would fail because of the UID >=1000 and pam_deny, but it works on my system, yet still gives that error (sometimes). Can I ask you to clarify how it relates to remote root access?
Somehow remote ssh root access works on my system, so I don't understand which pam module would be denying access?
Also, why are the UIDs hardcoded in pam.d files when there is /etc/login.defs? How does that file apply to this?
Thanks, Alex
On 03/19/2013 08:55 AM, Alex wrote:
It appears that you're saying ssh as root would fail because of the UID >=1000 and pam_deny
PAM is complex.
If the password is successful against pam_unix, processing stops. For any user that successfully authenticates with pam_unix, none of the remaining items are processed.
The system's behavior is different for users with uid < 1000 and users with uid >= 1000. For uids < 1000, it is pam_succeed_if which stops the processing of PAM and causes the authentication to fail. Again, that only applies when authentication to pam_unix has already failed.
For users with uid >= 1000, pam_unix can fail, and processing will continue. If sss is configured for LDAP or KRB5 authentication, for instance, pam_unix can fail because passwords aren't in the unix password files. Processing continues past pam_unix, past pam_succeed_if, and on to pam_sss. If authentication to pam_sss succeeds, then processing stops. If pam_sss also fails, then pam_deny is used to stop processing and indicate an authentication failure.
, but it works on my system, yet still gives that error (sometimes). Can I ask you to clarify how it relates to remote root access?
If you see a message from pam_succeed_if in your logs, you'll find that it directly follows an error indicating that pam_unix authentication failed. That message appears as one of several messages that are logged when "root" fails password authentication.
Somehow remote ssh root access works on my system, so I don't understand which pam module would be denying access?
pam_succeed_if denies access IF password authentication failed.
Also, why are the UIDs hardcoded in pam.d files when there is /etc/login.defs? How does that file apply to this?
Also complex: https://fedoraproject.org/wiki/Features/1000SystemAccounts
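The walk through the auth stack in this reply and in the earlier one (pam_env, pam_unix as sufficient, pam_succeed_if as requisite, optional pam_sss, pam_deny) is easier to see with the control flags evaluated mechanically. The script below is an added example, not code from the list or from PAM itself: it implements the required / requisite / sufficient / optional semantics from pam.conf(5) for a stack of toy modules and runs the Fedora password-auth stack, with and without a pam_sss line, for several constructed accounts. The accounts, passwords and the "svc" system user are made up for the example; nothing here reads /etc/shadow or talks to sssd.

```python
from dataclasses import dataclass, field

# Constructed sample accounts: name -> (uid, local password or None, sssd password or None).
USERS = {
    "root":  (0,    "rootpw", None),
    "svc":   (999,  None,     "svcpw"),    # system account whose password lives only in LDAP/KRB5
    "alex":  (1000, "alexpw", None),
    "ldapu": (1001, None,     "ldappw"),   # regular user whose password lives only in LDAP/KRB5
}


@dataclass
class Trace:
    steps: list = field(default_factory=list)  # (module name, "ok" / "fail"), in call order
    result: str = "undecided"                   # "success" or "denied"
    decided_by: str = ""                        # module that settled the outcome


# Toy modules with the behaviour the thread describes.
def pam_env(user, pw):                      # sets/unsets environment variables, always succeeds
    return True

def pam_unix(user, pw):                     # local password check
    return USERS[user][1] is not None and USERS[user][1] == pw

def pam_succeed_if_uid_ge_1000(user, pw):   # "uid >= 1000"
    return USERS[user][0] >= 1000

def pam_sss(user, pw):                      # LDAP/KRB5 via sssd
    return USERS[user][2] is not None and USERS[user][2] == pw

def pam_deny(user, pw):                     # always fails
    return False


# The stack quoted in the thread, and the same stack with the pam_sss line
# that authconfig inserts between pam_succeed_if and pam_deny.
STACK_LOCAL = [
    ("required",   pam_env),
    ("sufficient", pam_unix),
    ("requisite",  pam_succeed_if_uid_ge_1000),
    ("required",   pam_deny),
]
STACK_SSS = STACK_LOCAL[:3] + [("sufficient", pam_sss)] + STACK_LOCAL[3:]


def run_auth(stack, user, pw):
    """Evaluate an auth stack with pam.conf(5) semantics for the simple keywords.

    required:   failure is remembered; remaining modules still run, final result is failure.
    requisite:  failure returns to the application immediately.
    sufficient: success returns immediately unless an earlier required module failed;
                failure is ignored.
    optional:   result ignored (never the sole module in the stacks above).
    """
    t = Trace()
    required_failed = None
    for flag, module in stack:
        ok = module(user, pw)
        t.steps.append((module.__name__, "ok" if ok else "fail"))
        if flag == "requisite" and not ok:
            t.result, t.decided_by = "denied", module.__name__
            return t
        if flag == "required" and not ok and required_failed is None:
            required_failed = module.__name__
        if flag == "sufficient" and ok and required_failed is None:
            t.result, t.decided_by = "success", module.__name__
            return t
    if required_failed:
        t.result, t.decided_by = "denied", required_failed
    else:
        t.result, t.decided_by = "success", "end of stack"
    return t


def called(trace):
    """Names of the modules that actually ran, in order."""
    return [name for name, _ in trace.steps]


if __name__ == "__main__":
    cases = [
        (STACK_LOCAL, "root", "wrong"),   # denied by pam_succeed_if; pam_deny never runs
        (STACK_LOCAL, "root", "rootpw"),  # success at pam_unix; nothing after it runs
        (STACK_LOCAL, "alex", "wrong"),   # passes pam_succeed_if, denied by pam_deny
        (STACK_SSS,   "ldapu", "ldappw"), # pam_unix fails, pam_sss succeeds
        (STACK_SSS,   "svc", "svcpw"),    # uid < 1000: stopped before pam_sss is consulted
    ]
    for stack, user, pw in cases:
        t = run_auth(stack, user, pw)
        print(f"{user:6} {t.result:8} by {t.decided_by:28} ran: {' -> '.join(called(t))}")
```

The "svc" case is the point made at the end of the first reply: a system account with a password only in LDAP or Kerberos never reaches pam_sss, because the requisite pam_succeed_if line ends the stack first. It also shows why the message is harmless for a root login that succeeds: pam_unix is sufficient, so on a correct password the stack stops there and pam_succeed_if is never called.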
Hi,
It appears that you're saying ssh as root would fail because of the UID >=1000 and pam_deny
PAM is complex.
It sure is. How did you become so proficient with it? It's been around forever, but has never been very well documented. Do you use it regularly?
Thanks for the great explanation. Alex
On 03/19/2013 01:46 PM, Alex wrote:
It sure is. How did you become so proficient with it?
I've been using LDAP and to some lesser extent KRB5 for a long-ish time. I've done my share of troubleshooting authentication issues during that time.
It's been around forever, but has never been very well documented. Do you use it regularly?
The man page for pam.conf actually has a good explanation of exactly what the first column in the pam.conf files mean. It can take a little bit of time to understand. On a certain level, it's similar to iptables. Once you can think about a stack of sequences, both of those should make sense. :)
Thanks for the great explanation.
You're welcome. I'm glad it helped.