pam_rootok(8) + pam.d/sudo symlink to pam.d/su
Brian A. Seklecki
lavalamp at spiritual-machines.org
Fri Oct 7 11:05:56 PDT 2005
On Fri, 7 Oct 2005, Dag-Erling Smørgrav wrote:
> No, unless sudo is broken. What sudo implementation are you using?
PAM doesn't cache authentication information, does it? This
"use_first_pass" argument to modules couldn't be getting in the way?
You know, this would be solved by including pam.d/* templates in the
pam_ldap/nss_ldap package or maintaining a web repository.
Anyway, aside from ranting, here's the deal:
root at server:/root# rm -rf /var/run/sudo/*
...then:
client$ ssh seklecki at server
Password:
Welcome to FreeBSD!
seklecki at client:~$
seklecki at client:~$ su -
Password:
root at client:~# ^D
seklecki at client:~$ sudo bash
root at client:~# ^D
...not good.
Now, /usr/local/etc/pam.d/sudo is a symlink to /etc/pam.d/su
/etc/pam.d/su is stock, which "includes" /etc/pam.d/system, which
basically mirrors /etc/pam.d/sshd (which is ideal, because SUDO isn't
going to check the root password, it's going to check the user's
password):
# auth
#auth sufficient pam_opie.so no_warn no_fake_prompts
#auth requisite pam_opieaccess.so no_warn allow_local
#auth sufficient pam_krb5.so no_warn try_first_pass
#auth sufficient pam_ssh.so no_warn try_first_pass
auth sufficient pam_ldap.so try_first_pass
auth required pam_unix.so no_warn try_first_pass nullok
# account
#account required pam_krb5.so
account required pam_login_access.so
account sufficient pam_ldap.so ignore_authinfo_unavail ignore_unknown_user
account required pam_unix.so
# session
#session optional pam_ssh.so
session required pam_lastlog.so no_fail
session sufficient pam_ldap.so
# password
#password sufficient pam_krb5.so no_warn try_first_pass
password required pam_unix.so no_warn try_first_pass
~BAS
> DES
> --
> Dag-Erling Smørgrav - des at des.no
l8*
-lava
x.25 - minix - bitnet - plan9 - 110 bps - ASR 33 - base8
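Added example, not part of the post above or of any FreeBSD tool: a small Python audit script that resolves a pam.d policy chain the way the post describes it (sudo symlinked to su, su including system), expanding per-facility include lines and listing the sufficient rules that short-circuit the stack. The su rules below are an assumed minimal stock-style policy (the post only says "stock"); the system rules are the post's own uncommented lines.

```python
# Constructed stand-in for the pam.d directories in the post: "sudo" is the
# symlink to "su"; the su rules are an ASSUMED minimal stock-style policy
# (the post only says "stock"); the "system" rules are the post's own lines.
POLICIES = {
    "su": """
auth    sufficient pam_rootok.so no_warn
auth    include    system
account include    system
""",
    "system": """
auth    sufficient pam_ldap.so try_first_pass
auth    required   pam_unix.so no_warn try_first_pass nullok
account required   pam_login_access.so
account sufficient pam_ldap.so ignore_authinfo_unavail ignore_unknown_user
account required   pam_unix.so
""",
}
LINKS = {"sudo": "su"}  # symlink targets, as the filesystem would resolve them

def parse_rules(text):
    """Split a pam.d policy into [type, control, module-or-service, args...]."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if line:
            rules.append(line.split())
    return rules

def effective_stack(policies, links, service, facility, depth=0):
    """Rules OpenPAM actually runs for one facility (auth/account/...),
    following symlinks and expanding per-facility `include` lines."""
    if depth > 8:
        raise ValueError("include loop in pam.d chain")
    service = links.get(service, service)
    stack = []
    for ftype, control, target, *args in parse_rules(policies[service]):
        if ftype != facility:
            continue
        if control == "include":
            stack.extend(effective_stack(policies, links, target, facility, depth + 1))
        else:
            stack.append((service, control, target, tuple(args)))
    return stack

def sufficient_rules(stack):
    """Each `sufficient` rule short-circuits the rules below it on success,
    so these are the lines a reviewer of a symlinked policy must justify."""
    return [f"{mod} (from {svc}) is sufficient; success skips {len(stack) - i - 1} later rule(s)"
            for i, (svc, ctl, mod, _) in enumerate(stack) if ctl == "sufficient"]
```

Running `sufficient_rules(effective_stack(POLICIES, LINKS, "sudo", "auth"))` shows that, through the symlink, sudo's auth stack is whatever su and system say it is, which is the chain the post is debugging.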