pam_rootok(8) + pam.d/sudo symlink to pam.d/su

Brian A. Seklecki lavalamp at spiritual-machines.org
Fri Oct 7 11:05:56 PDT 2005


On Fri, 7 Oct 2005, Dag-Erling Smørgrav wrote:

> No, unless sudo is broken.  What sudo implementation are you using?

PAM doesn't cache authentication information, does it?  This 
"use_first_pass" argument to the modules couldn't be getting in the way?

You know, this would be solved by including pam.d/* templates in the 
pam_ldap/nss_ldap package or maintaining a web repository.

Anyway, aside from ranting, here's the deal:

root at server:/root# rm -rf /var/run/sudo/*

...then:

client$ ssh seklecki at server
Password:
Welcome to FreeBSD!
seklecki at client:~$
seklecki at client:~$ su -
Password:
root at client:~# ^D
seklecki at client:~$ sudo bash
root at client:~# ^D

...not good.

Now, /usr/local/etc/pam.d/sudo is a symlink to /etc/pam.d/su

/etc/pam.d/su is stock, which "includes" /etc/pam.d/system, which 
basically mirrors /etc/pam.d/sshd (which is ideal, because SUDO isn't 
going to check the root password, it's going to check the user's 
password):

# auth
#auth           sufficient      pam_opie.so             no_warn no_fake_prompts
#auth           requisite       pam_opieaccess.so       no_warn allow_local
#auth           sufficient      pam_krb5.so             no_warn try_first_pass
#auth           sufficient      pam_ssh.so              no_warn try_first_pass
auth            sufficient      pam_ldap.so             try_first_pass
auth            required        pam_unix.so             no_warn try_first_pass nullok

# account
#account        required        pam_krb5.so
account         required        pam_login_access.so
account         sufficient      pam_ldap.so             ignore_authinfo_unavail ignore_unknown_user
account         required        pam_unix.so

# session
#session        optional        pam_ssh.so
session         required        pam_lastlog.so          no_fail
session         sufficient      pam_ldap.so

# password
#password       sufficient      pam_krb5.so             no_warn try_first_pass
password        required        pam_unix.so             no_warn try_first_pass


~BAS

>
> DES
> -- 
> Dag-Erling Smørgrav - des at des.no
>
>

l8*
 	-lava

x.25 - minix - bitnet - plan9 - 110 bps - ASR 33 - base8
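The behaviour in the post (sudo handing out a root shell without ever asking for a password) is decided by which modules in the pam.d/sudo -> pam.d/su stack are actually consulted. The following is an added illustration, not code from the post, from FreeBSD or from OpenPAM: a small evaluator for pam.conf-style auth stacks that expands "include" and applies the classic sufficient/required/requisite/optional rules. The "system" file is the auth section exactly as quoted in the post. The "su" file is an assumption: the post only says su "includes" system, and FreeBSD's stock su file stacks pam_rootok before that include, which is what the thread's subject refers to. Whether sudo reaches PAM with a real uid of 0 (so that pam_rootok succeeds) depends on the sudo build, which is exactly the question DES is asking; the evaluator just shows what follows from either answer.

```python
"""
Added illustration (not from the post or from PAM/OpenPAM): a miniature
evaluator for pam.conf-style auth stacks, used to show which modules are
consulted and therefore whether anything can ever ask for a password.
"""

# Constructed pam.d files. "system" carries the auth section quoted in the
# post. "su" is an ASSUMPTION: the post only says /etc/pam.d/su "includes"
# system; FreeBSD's stock su file stacks pam_rootok before that include.
PAM_FILES = {
    "su": """
auth            sufficient      pam_rootok.so           no_warn
auth            include         system
""",
    "system": """
# auth
#auth           sufficient      pam_opie.so             no_warn no_fake_prompts
#auth           requisite       pam_opieaccess.so       no_warn allow_local
#auth           sufficient      pam_krb5.so             no_warn try_first_pass
#auth           sufficient      pam_ssh.so              no_warn try_first_pass
auth            sufficient      pam_ldap.so             try_first_pass
auth            required        pam_unix.so             no_warn try_first_pass nullok
""",
}

# Modules that talk to the user; if none of these runs, no prompt appears.
PROMPTING_MODULES = {"pam_ldap.so", "pam_unix.so"}


def parse_stack(name, facility="auth", files=PAM_FILES):
    """Return [(control, module, options)] for one facility, expanding 'include'."""
    entries = []
    for raw in files[name].splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if fields[0] != facility or len(fields) < 3:
            continue
        control, module, options = fields[1], fields[2], fields[3:]
        if control == "include":
            entries.extend(parse_stack(module, facility, files))
        else:
            entries.append((control, module, options))
    return entries


def evaluate(stack, results):
    """
    Walk a stack with the four classic control flags.
    results maps module name -> True (PAM_SUCCESS) / False (any failure);
    a module absent from results is treated as failing.
    Returns (chain_succeeded, modules_consulted_in_order).
    """
    consulted = []
    required_failed = False
    for control, module, _options in stack:
        consulted.append(module)
        ok = results.get(module, False)
        if control == "sufficient":
            # success ends the chain unless an earlier required module failed
            if ok and not required_failed:
                return True, consulted
        elif control == "required":
            if not ok:
                required_failed = True      # keep walking, hide which one failed
        elif control == "requisite":
            if not ok:
                return False, consulted     # fail immediately
        elif control != "optional":
            raise ValueError(f"unknown control flag {control!r}")
    return not required_failed, consulted


def would_prompt(service, results):
    """True if any password-asking module is reached for this service."""
    _ok, consulted = evaluate(parse_stack(service), results)
    return bool(PROMPTING_MODULES & set(consulted))


if __name__ == "__main__":
    # Caller reaches PAM with real uid 0: pam_rootok succeeds, chain ends, no prompt.
    print(evaluate(parse_stack("su"), {"pam_rootok.so": True}))
    # Ordinary uid: pam_rootok fails, LDAP accepts, pam_unix is never consulted.
    print(evaluate(parse_stack("su"), {"pam_ldap.so": True}))
    # LDAP rejects; try_first_pass hands the same token to pam_unix, which accepts.
    print(evaluate(parse_stack("su"), {"pam_unix.so": True}))
    print(would_prompt("su", {"pam_rootok.so": True}))
```

The point the evaluator makes is that a leading "sufficient" module decides everything below it: if pam_rootok succeeds, neither pam_ldap nor pam_unix is ever run, so no password is requested regardless of what /var/run/sudo holds. It also shows why try_first_pass is not a cache: the token is reused only within one walk of the stack, from pam_ldap to pam_unix in the same sudo invocation, never across processes. Giving sudo its own pam.d/sudo file without the rootok line, rather than a symlink to su, keeps the su-specific shortcuts out of sudo's stack.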


More information about the freebsd-questions mailing list