Re: [nottingham] Redhat PAM issue suggestion

From: Nathan (na7h@barrysworld.com)
Date: Fri 05 Apr 2002 - 18:35:46 BST

Previous message: Jon Masters: "[nottingham] Waterstones"
In reply to: Jon Masters: "[nottingham] Redhat PAM issue suggestion"
Next in thread: Lee: "Re: [nottingham] Redhat PAM issue suggestion"
Reply: Lee: "Re: [nottingham] Redhat PAM issue suggestion"
Reply: Matthew Sackman: "Re: [nottingham] Redhat PAM issue suggestion"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Jon Masters wrote:

>Hi,
>
>The problem is with the PAM authentication system but is likely to be with
>your configuration of shadow passwords - please send me the following:
>
>1). A full (ls -l) directory listing showing:
>
> * /etc/passwd
> * /etc/group
> * /etc/shadow
>
[root@celia etc]# ls -l|grep -e passwd -e shadow -e group
-rw-r--r-- 1 root root 532 Apr 4 23:42 group
-rw------- 1 root root 520 Apr 4 23:20 group-
-r-------- 1 root root 436 Apr 4 23:42 gshadow
-rw------- 1 root root 427 Apr 4 23:20 gshadow-
-rw-r--r-- 1 root root 1323 Apr 4 23:43 passwd
-rw------- 1 root root 1286 Jan 10 14:52 passwd-
-r-------- 1 root root 944 Apr 4 23:43 shadow
-rw------- 1 root root 885 Jan 10 14:52 shadow-

>2). A full listing of the above files using "lsattr" (this is likely to
> be completely useless - I just want to make sure I have every
> conceivable thing which could affect things).
>
lsattr is to do with ext2 isn't it? I'm using ext3, so i think this
might be even more useless than you thought :)
[root@celia etc]# lsattr -v|grep -e passwd -e shadow -e group
    4 ------------- ./group
    9 ------------- ./passwd
63303 ------------- ./group-
141946 ------------- ./passwd-
611543 ------------- ./shadow-
611664 ------------- ./gshadow-
    3 ------------- ./shadow
    5 ------------- ./gshadow

>
>3). A perhaps snipped copy of /etc/passwd (contains "no" private data).
>
This doesn't look paticurly useful... Okus there's loads of default
accounts there.
[root@celia etc]# cat passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
news:x:9:13:news:/var/spool/news:
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
mailnull:x:47:47::/var/spool/mqueue:/dev/null
rpm:x:37:37::/var/lib/rpm:/bin/bash
xfs:x:43:43:X Font Server:/etc/X11/fs:/bin/false
ntp:x:38:38::/etc/ntp:/sbin/nologin
rpc:x:32:32:Portmapper RPC user:/:/bin/false
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
nscd:x:28:28:NSCD Daemon:/:/bin/false
ident:x:98:98:pident user:/:/sbin/nologin
radvd:x:75:75:radvd user:/:/bin/false
apache:x:48:48:Apache:/var/www:/bin/false
squid:x:23:23::/var/spool/squid:/dev/null
mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash
nathan:x:500:500:Nathan:/home/nathan:/bin/bash
tmp:x:501:501::/home/tmp:/bin/bash

>
>4). A doctored copy of /etc/shadow (though it would help to leave some
> silly user account in there like "foo" with password "bar" added
> using adduser and checked that it has the same problems).
>
[root@celia etc]# cat shadow
root:$1$MñÃÊ6PàA$UtZNn3L3LNKPfBp4HI5SY1:11697:0:99999:7:::
bin:*:11697:0:99999:7:::
daemon:*:11697:0:99999:7:::
adm:*:11697:0:99999:7:::
lp:*:11697:0:99999:7:::
sync:*:11697:0:99999:7:::
shutdown:*:11697:0:99999:7:::
halt:*:11697:0:99999:7:::
mail:*:11697:0:99999:7:::
news:*:11697:0:99999:7:::
uucp:*:11697:0:99999:7:::
operator:*:11697:0:99999:7:::
games:*:11697:0:99999:7:::
gopher:*:11697:0:99999:7:::
ftp:*:11697:0:99999:7:::
nobody:*:11697:0:99999:7:::
mailnull:!!:11697:0:99999:7:::
rpm:!!:11697:0:99999:7:::
xfs:!!:11697:0:99999:7:::
ntp:!!:11697:0:99999:7:::
rpc:!!:11697:0:99999:7:::
rpcuser:!!:11697:0:99999:7:::
nfsnobody:!!:11697:0:99999:7:::
nscd:!!:11697:0:99999:7:::
ident:!!:11697:0:99999:7:::
radvd:!!:11697:0:99999:7:::
apache:!!:11697:0:99999:7:::
squid:!!:11697:0:99999:7:::
mysql:!!:11697:0:99999:7:::
nathan:$1$öJÿãQ3pë$J.23PAVC0W7Dkq84Bwdgo0:11697:0:99999:7:::
tmp:$1$pl0TosCG$CDTvWf5SShG8aiNGoCmn6.:11782:0:99999:7:::

I've not edited it, as it's my desktop machine, with no services
running(no sshd).

>
>5). "tar cvfz jcm-pamd /etc/pam.d" - and I will then duplicate your
> environment if I cannot spot an obvious problem, in which case I
> can't do that until the weekend but will try to get around to it!
>
I've attached it.

>
>
>HTH,
>
>Jon.
>

>
>That does look a bit like pam problems. Do you not have any logs? Try
>/var/log/auth.log or /var/log/secure or something similar.
>Failing that, fail to login then run ls -ltr to show the last updated
>log file (it'll be the one at the bottom) and read it, see if it says
>anything related.
>
All i get in /var/log/secure is:
Apr 5 18:25:43 celia login: Authentication service cannot retrieve
authentication info.

>
>Does your login have the correct parameters? On my Debian system, login
>is SUID root.
>
[root@celia bin]# stat login
File: "login"
Size: 17740 Blocks: 40 IO Block: 4096 Regular File
Device: 302h/770d Inode: 635552 Links: 1
Access: (0755/-rwxr-xr-x) Uid: ( 0/ root) Gid: ( 0/ root)
Access: Fri Apr 5 18:25:42 2002
Modify: Sun Aug 26 23:51:37 2001
Change: Thu Jan 10 14:39:31 200

>
>
>Do you have a /etc/pam.d/login? What's in it (minus the comments)?
>Does it look sane?
>
[root@celia pam.d]# cat login
#%PAM-1.0
auth required /lib/security/pam_securetty.so
auth required /lib/security/pam_stack.so service=system-auth
auth required /lib/security/pam_nologin.so
account required /lib/security/pam_stack.so service=system-auth
password required /lib/security/pam_stack.so service=system-auth
session required /lib/security/pam_stack.so service=system-auth
session optional /lib/security/pam_console.so

That's what was there when i started having the problem - I undid any
changes i made after they made no differance.

>What else did you change recently?
>
I've been up just under 3days - I had a logged in terminal when i
noticed this(i exited, then tried to login), so something's happened
during this time. I haven't installed or removed anything during this
time, besides a few WM applets.

application/x-gzip attachment: jcm-pamd.tar.gz

--------------------------------------------------------------------
http://www.lug.org.uk http://www.linuxportal.co.uk
http://www.linuxjob.co.uk http://www.linuxshop.co.uk
--------------------------------------------------------------------

Previous message: Jon Masters: "[nottingham] Waterstones"
In reply to: Jon Masters: "[nottingham] Redhat PAM issue suggestion"
Next in thread: Lee: "Re: [nottingham] Redhat PAM issue suggestion"
Reply: Lee: "Re: [nottingham] Redhat PAM issue suggestion"
Reply: Matthew Sackman: "Re: [nottingham] Redhat PAM issue suggestion"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.3 : Fri 05 Apr 2002 - 18:37:17 BST