Auth failure with uid >= 1000 on fc18
Gordon Messmer
yinyang at eburg.com
Tue Mar 19 18:15:16 UTC 2013
On 03/19/2013 08:55 AM, Alex wrote:
> It appears that you're saying ssh as root would fail because of the
> UID >=1000 and pam_deny
PAM is complex.
If the password is successful against pam_unix, processing stops. For
any user that successfully authenticates with pam_unix, none of the
remaining items are processed.
The system's behavior is different for users with uid < 1000 and users
with uid >= 1000. For uids < 1000, it is pam_succeed_if which stops the
processing of PAM and causes the authentication to fail. Again, that
only applies when authentication to pam_unix has already failed.
For users with uid >= 1000, pam_unix can fail, and processing will
continue. If sss is configured for LDAP or KRB5 authentication, for
instance, pam_unix can fail because passwords aren't in the unix
password files. Processing continues past pam_unix, past
pam_succeed_if, and on to pam_sss. If authentication to pam_sss
succeeds, then processing stops. If pam_sss also fails, then pam_deny
is used to stop processing and indicate an authentication failure.
> , but it works on my system, yet still gives
> that error (sometimes). Can I ask you to clarify how it relates to
> remote root access?
If you see a message from pam_succeed_if in your logs, you'll find that
it directly follows an error indicating that pam_unix authentication
failed. That message appears as one of several messages that are logged
when "root" fails password authentication.
> Somehow remote ssh root access works on my system, so I don't
> understand which pam module would be denying access?
pam_succeeed_if denies access IF password authentication failed.
> Also, why are the UIDs hardcoded in pam.d files when there is
> /etc/login.defs? How does that file apply to this?
Also complex:
https://fedoraproject.org/wiki/Features/1000SystemAccounts
More information about the users
mailing list