Linux user problems with PAM?

2

I had set up a user to use instead of root. It was working fine and dandy until I started playing with the user settings. Now all users (apart from root) have stopped working. I can't log in (ssh) with other users, even after adding them to the admin/root group. I can't ftp with those users either (using vsftpd).

I removed the user and cleaned up the entry in the /etc/shadow file that was stopping me from changing the user's password. I added the user again using the following command:

useradd -d /path/to/home -s /path/to/shell -g admin username

I changed the password, which worked. Since then I have tried switching to the user (su - username) and found the following entry in /var/log/auth.log

Feb 15 09:37:55 myserve su[26682]: Successful su for username by root
Feb 15 09:37:55 myserve su[26682]: + /dev/pts/0 root:username
Feb 15 09:37:55 myserve su[26682]: pam_unix(su:session): session opened for user username by root(uid=0)
Feb 15 09:37:55 myserve su[26682]: pam_unix(su:session): session closed for user username

I can see that the problem seems to be a PAM issue, but I don't know how to administer PAM. I think it may have blocked this username. I really want to use this username (I don't have to create a new name), but if that's what it takes, I'll do it.

I have another username that I also can't su to. The same error appears in auth.log

Actually, on review, I'm finding that none of my users other than root can log in to the system.

UPDATE: including PAM details

ls -l of /etc/pam.d

-rw-r--r-- 1 root root  197 2009-11-23 15:11 atd
-rw-r--r-- 1 root root  384 2011-02-21 00:10 chfn
-rw-r--r-- 1 root root   92 2011-02-21 00:10 chpasswd
-rw-r--r-- 1 root root  581 2011-02-21 00:10 chsh
-rw-r--r-- 1 root root 1208 2011-05-10 07:17 common-account
-rw-r--r-- 1 root root 1221 2011-05-10 07:17 common-auth
-rw-r--r-- 1 root root 1440 2011-05-10 07:17 common-password
-rw-r--r-- 1 root root 1156 2011-05-10 07:17 common-session
-rw-r--r-- 1 root root 1154 2011-05-10 07:17 common-session-noninteractive
-rw-r--r-- 1 root root  531 2011-01-05 10:23 cron
-rw-r--r-- 1 root root   81 2010-11-17 17:58 dovecot
-rw-r--r-- 1 root root 4585 2011-02-21 00:10 login
-rw-r--r-- 1 root root   92 2011-02-21 00:10 newusers
-rw-r--r-- 1 root root  520 2011-04-14 16:40 other
-rw-r--r-- 1 root root   92 2011-02-21 00:10 passwd
-rw-r--r-- 1 root root  145 2010-12-14 17:08 pop3
-rw-r--r-- 1 root root  168 2011-02-04 08:41 ppp
-rw-r--r-- 1 root root 1272 2010-04-07 02:50 sshd
-rw-r--r-- 1 root root 2305 2011-02-21 00:10 su
-rw-r--r-- 1 root root  119 2011-04-15 16:02 sudo
-rw-r--r-- 1 root root   92 2013-01-19 22:51 vsftpd
-rw-r--r-- 1 root root  139 2013-01-19 22:33 vsftpd.bak

I also added the user to the sshd and root groups, but I still can't log in as that user. The error has changed:

Feb 15 14:11:51 myserve sshd[5433]: Accepted password for username from 81.56.236.66 port 56851 ssh2
Feb 15 14:11:51 myserve sshd[5433]: pam_unix(sshd:session): session opened for user username by (uid=0)
Feb 15 14:11:52 myserve sshd[5447]: Received disconnect from 81.56.236.66: 11: disconnected by user
Feb 15 14:11:52 myserve sshd[5433]: pam_unix(sshd:session): session closed for user username

Full contents of all files in pam.d

File: /etc/pam.d/atd
#
# The PAM configuration file for the at daemon
#

auth    required    pam_env.so
@include common-auth
@include common-account
@include common-session-noninteractive
session    required   pam_limits.so
File: /etc/pam.d/chfn
#
# The PAM configuration file for the Shadow 'chfn' service
#

# This allows root to change user information without being
# prompted for a password
auth        sufficient  pam_rootok.so

# The standard Unix authentication modules, used with
# NIS (man nsswitch) as well as normal /etc/passwd and
# /etc/shadow entries.
@include common-auth
@include common-account
@include common-session


File: /etc/pam.d/chpasswd
# The PAM configuration file for the Shadow 'chpasswd' service
#

@include common-password

File: /etc/pam.d/chsh
#
# The PAM configuration file for the Shadow 'chsh' service
#

# This will not allow a user to change their shell unless
# their current one is listed in /etc/shells. This keeps
# accounts with special shells from changing them.
auth       required   pam_shells.so

# This allows root to change user shell without being
# prompted for a password
auth        sufficient  pam_rootok.so

# The standard Unix authentication modules, used with
# NIS (man nsswitch) as well as normal /etc/passwd and
# /etc/shadow entries.
@include common-auth
@include common-account
@include common-session

File: /etc/pam.d/common-account
#
# /etc/pam.d/common-account - authorization settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authorization modules that define
# the central access policy for use on the system.  The default is to
# only deny service to users whose accounts are expired in /etc/shadow.
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules.  See
# pam-auth-update(8) for details.
#

# here are the per-package modules (the "Primary" block)
account [success=1 new_authtok_reqd=done default=ignore]    pam_unix.so 
# here's the fallback if no module succeeds
account requisite           pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
account required            pam_permit.so
# and here are more per-package modules (the "Additional" block)
# end of pam-auth-update config
File: /etc/pam.d/common-auth
#
# /etc/pam.d/common-auth - authentication settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authentication modules that define
# the central authentication scheme for use on the system
# (e.g., /etc/shadow, LDAP, Kerberos, etc.).  The default is to use the
# traditional Unix authentication mechanisms.
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules.  See
# pam-auth-update(8) for details.

# here are the per-package modules (the "Primary" block)
auth    [success=1 default=ignore]  pam_unix.so nullok_secure
# here's the fallback if no module succeeds
auth    requisite           pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth    required            pam_permit.so
# and here are more per-package modules (the "Additional" block)
# end of pam-auth-update config
File: /etc/pam.d/common-password
#
# /etc/pam.d/common-password - password-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define the services to be
# used to change user passwords.  The default is pam_unix.

# Explanation of pam_unix options:
#
# The "sha512" option enables salted SHA512 passwords.  Without this option,
# the default is Unix crypt.  Prior releases used the option "md5".
#
# The "obscure" option replaces the old 'OBSCURE_CHECKS_ENAB' option in
# login.defs.
#
# See the pam_unix manpage for other options.

# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules.  See
# pam-auth-update(8) for details.

# here are the per-package modules (the "Primary" block)
password    [success=1 default=ignore]  pam_unix.so obscure sha512
# here's the fallback if no module succeeds
password    requisite           pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
password    required            pam_permit.so
# and here are more per-package modules (the "Additional" block)
# end of pam-auth-update config
File: /etc/pam.d/common-session
#
# /etc/pam.d/common-session - session-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define tasks to be performed
# at the start and end of sessions of *any* kind (both interactive and
# non-interactive).
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules.  See
# pam-auth-update(8) for details.

# here are the per-package modules (the "Primary" block)
session [default=1]         pam_permit.so
# here's the fallback if no module succeeds
session requisite           pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
session required            pam_permit.so
# and here are more per-package modules (the "Additional" block)
session required    pam_unix.so 
# end of pam-auth-update config
File: /etc/pam.d/common-session-noninteractive
#
# /etc/pam.d/common-session-noninteractive - session-related modules
# common to all non-interactive services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define tasks to be performed
# at the start and end of all non-interactive sessions.
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules.  See
# pam-auth-update(8) for details.

# here are the per-package modules (the "Primary" block)
session [default=1]         pam_permit.so
# here's the fallback if no module succeeds
session requisite           pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
session required            pam_permit.so
# and here are more per-package modules (the "Additional" block)
session required    pam_unix.so 
# end of pam-auth-update config
File: /etc/pam.d/cron
#
# The PAM configuration file for the cron daemon
#

@include common-auth

# Read environment variables from pam_env's default files, /etc/environment
# and /etc/security/pam_env.conf.
session       required   pam_env.so

# In addition, read system locale information
session       required   pam_env.so envfile=/etc/default/locale

@include common-account
@include common-session-noninteractive 
# Sets up user limits, please define limits for cron tasks
# through /etc/security/limits.conf
session    required   pam_limits.so


File: /etc/pam.d/dovecot
#%PAM-1.0

@include common-auth
@include common-account
@include common-session

File: /etc/pam.d/login
#
# The PAM configuration file for the Shadow 'login' service
#

# Enforce a minimal delay in case of failure (in microseconds).
# (Replaces the 'FAIL_DELAY' setting from login.defs)
# Note that other modules may require another minimal delay. (for example,
# to disable any delay, you should add the nodelay option to pam_unix)
auth       optional   pam_faildelay.so  delay=3000000

# Outputs an issue file prior to each login prompt (Replaces the
# ISSUE_FILE option from login.defs). Uncomment for use
# auth       required   pam_issue.so issue=/etc/issue

# Disallows root logins except on tty's listed in /etc/securetty
# (Replaces the 'CONSOLE' setting from login.defs)
#
# With the default control of this module:
#   [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die]
# root will not be prompted for a password on insecure lines.
# if an invalid username is entered, a password is prompted (but login
# will eventually be rejected)
#
# You can change it to a "requisite" module if you think root may mis-type
# her login and should not be prompted for a password in that case. But
# this will leave the system as vulnerable to user enumeration attacks.
#
# You can change it to a "required" module if you think it permits to
# guess valid user names of your system (invalid user names are considered
# as possibly being root on insecure lines), but root passwords may be
# communicated over insecure lines.
auth [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die] pam_securetty.so

# Disallows other than root logins when /etc/nologin exists
# (Replaces the 'NOLOGINS_FILE' option from login.defs)
auth       requisite  pam_nologin.so

# SELinux needs to be the first session rule. This ensures that any 
# lingering context has been cleared. Without this it is possible 
# that a module could execute code in the wrong domain.
# When the module is present, "required" would be sufficient (When SELinux
# is disabled, this returns success.)
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close

# This module parses environment configuration file(s)
# and also allows you to use an extended config
# file /etc/security/pam_env.conf.
# 
# parsing /etc/environment needs "readenv=1"
session       required   pam_env.so readenv=1
# locale variables are also kept into /etc/default/locale in etch
# reading this file *in addition to /etc/environment* does not hurt
session       required   pam_env.so readenv=1 envfile=/etc/default/locale

# Standard Un*x authentication.
@include common-auth

# This allows certain extra groups to be granted to a user
# based on things like time of day, tty, service, and user.
# Please edit /etc/security/group.conf to fit your needs
# (Replaces the 'CONSOLE_GROUPS' option in login.defs)
auth       optional   pam_group.so

# Uncomment and edit /etc/security/time.conf if you need to set
# time restraints on logins.
# (Replaces the 'PORTTIME_CHECKS_ENAB' option from login.defs
# as well as /etc/porttime)
# account    requisite  pam_time.so

# Uncomment and edit /etc/security/access.conf if you need to
# set access limits.
# (Replaces /etc/login.access file)
# account  required       pam_access.so

# Sets up user limits according to /etc/security/limits.conf
# (Replaces the use of /etc/limits in old login)
session    required   pam_limits.so

# Prints the last login info upon successful login
# (Replaces the 'LASTLOG_ENAB' option from login.defs)
session    optional   pam_lastlog.so

# Prints the motd upon successful login
# (Replaces the 'MOTD_FILE' option in login.defs)
session    optional   pam_motd.so

# Prints the status of the user's mailbox upon successful login
# (Replaces the 'MAIL_CHECK_ENAB' option from login.defs). 
#
# This also defines the MAIL environment variable
# However, userdel also needs MAIL_DIR and MAIL_FILE variables
# in /etc/login.defs to make sure that removing a user 
# also removes the user's mail spool file.
# See comments in /etc/login.defs
session    optional   pam_mail.so standard

# Standard Un*x account and session
@include common-account
@include common-session
@include common-password

# SELinux needs to intervene at login time to ensure that the process
# starts in the proper default security context. Only sessions which are
# intended to run in the user's context should be run after this.
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
# When the module is present, "required" would be sufficient (When SELinux
# is disabled, this returns success.)
File: /etc/pam.d/newusers
# The PAM configuration file for the Shadow 'newusers' service
#

@include common-password

File: /etc/pam.d/other
#
# /etc/pam.d/other - specify the PAM fallback behaviour
#
# Note that this file is used for any unspecified service; for example
#if /etc/pam.d/cron  specifies no session modules but cron calls
#pam_open_session, the session module out of /etc/pam.d/other is
#used.  If you really want nothing to happen then use pam_permit.so or
#pam_deny.so as appropriate.

# We fall back to the system default in /etc/pam.d/common-*
# 

@include common-auth
@include common-account
@include common-password
@include common-session
File: /etc/pam.d/passwd
#
# The PAM configuration file for the Shadow 'passwd' service
#

@include common-password

File: /etc/pam.d/pop3
# PAM configuration file for Courier POP3 daemon

@include common-auth
@include common-account
@include common-password
@include common-session

File: /etc/pam.d/ppp
#%PAM-1.0
# Information for the PPPD process with the 'login' option.
auth    required    pam_nologin.so
@include common-auth
@include common-account
@include common-session
File: /etc/pam.d/sshd
# PAM configuration for the Secure Shell service

# Read environment variables from /etc/environment and
# /etc/security/pam_env.conf.
auth       required     pam_env.so # [1]
# In Debian 4.0 (etch), locale-related environment variables were moved to
# /etc/default/locale, so read that as well.
auth       required     pam_env.so envfile=/etc/default/locale

# Standard Un*x authentication.
@include common-auth

# Disallow non-root logins when /etc/nologin exists.
account    required     pam_nologin.so

# Uncomment and edit /etc/security/access.conf if you need to set complex
# access limits that are hard to express in sshd_config.
# account  required     pam_access.so

# Standard Un*x authorization.
@include common-account

# Standard Un*x session setup and teardown.
@include common-session

# Print the message of the day upon successful login.
session    optional     pam_motd.so # [1]

# Print the status of the user's mailbox upon successful login.
session    optional     pam_mail.so standard noenv # [1]

# Set up user limits from /etc/security/limits.conf.
session    required     pam_limits.so

# Set up SELinux capabilities (need modified pam)
# session  required     pam_selinux.so multiple

# Standard Un*x password updating.
@include common-password
File: /etc/pam.d/su
#
# The PAM configuration file for the Shadow 'su' service
#

# This allows root to su without passwords (normal operation)
auth       sufficient pam_rootok.so

# Uncomment this to force users to be a member of group root
# before they can use 'su'. You can also add "group=foo"
# to the end of this line if you want to use a group other
# than the default "root" (but this may have side effect of
# denying "root" user, unless she's a member of "foo" or explicitly
# permitted earlier by e.g. "sufficient pam_rootok.so").
# (Replaces the 'SU_WHEEL_ONLY' option from login.defs)
# auth       required   pam_wheel.so

# Uncomment this if you want wheel members to be able to
# su without a password.
# auth       sufficient pam_wheel.so trust

# Uncomment this if you want members of a specific group to not
# be allowed to use su at all.
# auth       required   pam_wheel.so deny group=nosu

# Uncomment and edit /etc/security/time.conf if you need to set
# time restraints on su usage.
# (Replaces the 'PORTTIME_CHECKS_ENAB' option from login.defs
# as well as /etc/porttime)
# account    requisite  pam_time.so

# This module parses environment configuration file(s)
# and also allows you to use an extended config
# file /etc/security/pam_env.conf.
# 
# parsing /etc/environment needs "readenv=1"
session       required   pam_env.so readenv=1
# locale variables are also kept into /etc/default/locale in etch
# reading this file *in addition to /etc/environment* does not hurt
session       required   pam_env.so readenv=1 envfile=/etc/default/locale

# Defines the MAIL environment variable
# However, userdel also needs MAIL_DIR and MAIL_FILE variables
# in /etc/login.defs to make sure that removing a user 
# also removes the user's mail spool file.
# See comments in /etc/login.defs
#
# "nopen" stands to avoid reporting new mail when su'ing to another user
session    optional   pam_mail.so nopen

# Sets up user limits, please uncomment and read /etc/security/limits.conf
# to enable this functionality.
# (Replaces the use of /etc/limits in old login)
# session    required   pam_limits.so

# The standard Unix authentication modules, used with
# NIS (man nsswitch) as well as normal /etc/passwd and
# /etc/shadow entries.
@include common-auth
@include common-account
@include common-session


File: /etc/pam.d/sudo
#%PAM-1.0

@include common-auth
@include common-account

session required pam_permit.so
session required pam_limits.so
File: /etc/pam.d/vsftpd
auth required pam_pwdfile.so pwdfile /etc/vsftpd/ftpd.passwd
account required pam_permit.so
File: /etc/pam.d/vsftpd.bak
auth required pam_userdb.so db=/etc/vsftpd/vsftpd_login crypt=hash 
account required pam_userdb.so db=/etc/vsftpd/vsftpd_login crypt=hash 
    
by tadywankenobi 15.02.2013 / 13:42

1 answer

2

Short answer:

Your command was incorrect:

useradd -d /path/to/home -s /path/to/shell -g admin username

Use

useradd -d /home/username -s /bin/sh -g admin username

to create a normal user.

Tady posted some information in chat:

tady:$:15750:0:99999:7:::

squarepeg:$:15751:0:99999:7::: that's the /etc/shadow

and the /etc/passwd

tady:x:5001:5001::/var/www:/bin/false

squarepeg:x:5003:109:square peg design:/var/www:/bin/false

The /bin/false home directory exists, I created it so users had somewhere to go even though they never use it (though looking at it, its owner and group are root:root. would this matter?) The /var/www shell is where I want them to go when they login

"The format of the passwd file is pretty normal."

Yes, that's true. And the format is informally described here: Wikipedia: Passwd (file); or, more normatively, man 5 passwd (from Ubuntu)

See an example:

 jsmith:.......:/home/jsmith:/bin/sh

The wiki decodes it as:

The sixth field is the path to the user's home directory. The seventh field is the program that is started every time the user logs into the system. ... this is usually one of the system's command line interpreters (shells).

So jsmith has the home directory /home/jsmith and the shell program /bin/sh, which is a legal shell (all legal shells are listed in the /etc/shells file). Check man shells, it says:

/etc/shells is a text file which contains the full pathnames of valid login shells...

Be aware that there are programs which consult this file to find out if a user is a normal user. E.g.: ftp daemons traditionally disallow access to users with shells not included in this file.

On my Linux, /bin/false is not listed there as a valid shell.

According to the quote from your passwd, tady and squarepeg have the home directory /var/www and /bin/false as their shell program. When they log in, the shell is started; after the shell terminates, the session is closed. /bin/false is a simple unix program that ... exits in no time (see Wikipedia: False (Unix) or just think of it as main(){return 1;}).

A normal shell is the interactive program that reads user input and executes it in an infinite loop. The shell is started when you ssh into the computer. And you can't use ftp for users that have /bin/false as their shell.

PS: If you want to forbid someone from using ssh but allow them to use vsftpd, there are hacks

  • hack the /etc/pam.d/vsftpd file: link
  • hack by adding /bin/false to the list of valid shells: link
  • or ask here.
by 16.02.2013 / 03:59
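As an added example (not code from the question or the answer), here is a small Python checker that applies the two rules the answer relies on: an account's seventh passwd(5) field must name a program listed in /etc/shells to count as a normal login shell (the condition ftp daemons check, and the reason a /bin/false account's session closes the moment it opens, as in the auth.log above), and the sixth field must be a home directory, not a program. It goes slightly beyond the answer by also flagging a home field that is itself a shell path, which is what a swapped useradd -d/-s pair produces. The passwd and shells contents are constructed, modelled on the tady/squarepeg lines quoted in the answer; the real-file paths in audit_files are assumptions for the example.

```python
"""Audit passwd(5) entries against shells(5).

Added example; not code from the original question or answer.  SAMPLE_PASSWD
and SAMPLE_SHELLS are constructed sample data, modelled on the lines quoted in
the answer, not copies of any real system's files.
"""
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed sample: the answer's tady/squarepeg entries, a healthy account,
# and an account whose -d and -s arguments were given in the wrong order.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
tady:x:5001:5001::/var/www:/bin/false
squarepeg:x:5003:109:square peg design:/var/www:/bin/false
jsmith:x:5002:5002::/home/jsmith:/bin/sh
swapped:x:5004:5004::/bin/sh:/home/swapped
"""

SAMPLE_SHELLS = """\
# /etc/shells: valid login shells (constructed sample)
/bin/sh
/bin/bash
/bin/dash
"""


@dataclass
class PasswdEntry:
    """One /etc/passwd line; the password field is dropped (it lives in shadow)."""
    name: str
    uid: int
    gid: int
    gecos: str
    home: str
    shell: str


def parse_passwd(text: str) -> List[PasswdEntry]:
    """Split each non-empty line into the seven colon-separated passwd(5) fields."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"passwd line {lineno}: expected 7 fields, got {len(fields)}")
        name, _password, uid, gid, gecos, home, shell = fields
        entries.append(PasswdEntry(name, int(uid), int(gid), gecos, home, shell))
    return entries


def parse_shells(text: str) -> Set[str]:
    """shells(5): one absolute path per line; '#' starts a comment."""
    shells = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("/"):
            shells.add(line)
    return shells


def audit(entries: List[PasswdEntry], valid_shells: Set[str]) -> Dict[str, List[str]]:
    """Return {username: [problems]} for accounts that cannot get a normal login."""
    findings: Dict[str, List[str]] = {}
    for e in entries:
        problems = []
        if e.shell not in valid_shells:
            # ftp daemons refuse such users; if the shell is /bin/false the
            # interactive session ends as soon as PAM opens it.
            problems.append(f"shell {e.shell!r} is not listed in /etc/shells")
        if e.home in valid_shells:
            # A home field naming a shell almost always means the useradd
            # -d and -s arguments were swapped.
            problems.append(f"home {e.home!r} is a shell path; check useradd -d/-s order")
        if problems:
            findings[e.name] = problems
    return findings


def audit_files(passwd_path: str = "/etc/passwd",
                shells_path: str = "/etc/shells") -> Dict[str, List[str]]:
    """Run the same audit on real files (the default paths are assumptions)."""
    with open(passwd_path) as pw, open(shells_path) as sh:
        return audit(parse_passwd(pw.read()), parse_shells(sh.read()))


if __name__ == "__main__":
    report = audit(parse_passwd(SAMPLE_PASSWD), parse_shells(SAMPLE_SHELLS))
    for user, problems in report.items():
        for problem in problems:
            print(f"{user}: {problem}")
```

Run as-is it reports tady and squarepeg (shell /bin/false not in /etc/shells) and swapped (shell /home/swapped not a listed shell, home /bin/sh is a shell path), and nothing for root or jsmith; calling audit_files() with no arguments runs the same checks against the live /etc/passwd and /etc/shells.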