Auth failure with uid >= 1000 on fc18

[Gordon Messmer]

On 03/19/2013 08:55 AM, Alex wrote:
> It appears that you're saying ssh as root would fail because of the
> UID >=1000 and pam_deny

PAM is complex.

If the password is successful against pam_unix, processing stops.  For 
any user that successfully authenticates with pam_unix, none of the 
remaining items are processed.

The system's behavior is different for users with uid < 1000 and users 
with uid >= 1000.  For uids < 1000, it is pam_succeed_if which stops the 
processing of PAM and causes the authentication to fail.  Again, that 
only applies when authentication to pam_unix has already failed.

For users with uid >= 1000, pam_unix can fail, and processing will 
continue.  If sss is configured for LDAP or KRB5 authentication, for 
instance, pam_unix can fail because passwords aren't in the unix 
password files.  Processing continues past pam_unix, past 
pam_succeed_if, and on to pam_sss.  If authentication to pam_sss 
succeeds, then processing stops.  If pam_sss also fails, then pam_deny 
is used to stop processing and indicate an authentication failure.

> , but it works on my system, yet still gives
> that error (sometimes). Can I ask you to clarify how it relates to
> remote root access?

If you see a message from pam_succeed_if in your logs, you'll find that 
it directly follows an error indicating that pam_unix authentication 
failed.  That message appears as one of several messages that are logged 
when "root" fails password authentication.

> Somehow remote ssh root access works on my system, so I don't
> understand which pam module would be denying access?

pam_succeeed_if denies access IF password authentication failed.

> Also, why are the UIDs hardcoded in pam.d files when there is
> /etc/login.defs? How does that file apply to this?

Also complex:
https://fedoraproject.org/wiki/Features/1000SystemAccounts