Uploaded image for project: 'RHEL'
  1. RHEL
  2. RHEL-16727

PAM can't identify the user when running from external host

    • Icon: Bug Bug
    • Resolution: Done-Errata
    • Icon: Normal Normal
    • rhel-9.4
    • rhel-9.3.0.z
    • pam
    • pam-1.5.1-18.el9
    • None
    • Impediment
    • None
    • sst_idm_sssd
    • ssg_idm
    • 23
    • 24
    • 0
    • True
    • Hide

      Moving this Jira to Planning state since the discussion was moved to upstream and discussions will happen there. This ticket is blocked until further notice (waiting for a resolution).

      Show
      Moving this Jira to  Planning  state since the discussion was moved to upstream and discussions will happen there. This ticket is blocked until further notice (waiting for a resolution).
    • No
    • Red Hat Enterprise Linux
    • None
    • Unspecified Release Note Type - Unknown
    • x86_64
    • None

      What were you trying to do that didn't work?

      Bug related to the issue. Errata came on RHEL 8.4
       - [1866866 - PAM can't identify the user when running via gnome-terminal in an X session](https://bugzilla.redhat.com/show_bug.cgi?id=1866866)

      However, something changed and the behavior are still present.

      Please provide the package NVR for which bug is seen:
      RHEL8.5: pam 1.3.1-15.el8 - correct behaviour
      RHEL9.1: 1.5.1-12.el9 and 1.5.1-15.el9 (9.3) exhibit the same problem

      Steps to Reproduce:
      1. Create "testuser" user and set password
      2. Configure "testuser" user in sudoers to be able to sudo without password: 
      ---
      testuser        ALL=(ALL)    NOPASSWD: ALL
      ---

      3. Congiure pam.d/sudo to verify the account based on group membership, for example
         Comment out : "#account    include      system-auth" and replace with:
      ---
      account    sufficient   pam_wheel.so trust group=users debug
      ---

      4. Added the below line on /etc/pam.d/su
      ---
      account    sufficient   pam_wheel.so trust group=users debug
      ---

      4. Add user to users group: usermod -G users testuser

      5. Ssh into the machine as "testuser" and issue "sudo su" or any "sudo <command>" and verify you can elevate successfully

      Evidences:

      RHEL 8.8
      ~~~
      PAM Config

      [testuser@winbind ~]$ cat /etc/pam.d/sudo
      #%PAM-1.0
      #auth       include      system-auth
      account    sufficient   pam_wheel.so trust group=users debug
      account    include      system-auth
      password   include      system-auth
      session    include      system-auth

      [testuser@winbind ~]$ cat /etc/pam.d/su
      #%PAM-1.0
      auth        required    pam_env.so
      auth        sufficient    pam_rootok.so
      account    sufficient   pam_wheel.so trust group=users debug

      1. Uncomment the following line to implicitly trust users in the "wheel" group.
        #auth        sufficient    pam_wheel.so trust use_uid
      2. Uncomment the following line to require a user to be in the "wheel" group.
        #auth        required    pam_wheel.so use_uid
        auth        substack    system-auth
        auth        include        postlogin
        account        sufficient    pam_succeed_if.so uid = 0 use_uid quiet
        account        include        system-auth
        password    include        system-auth
        session        include        system-auth
        session        include        postlogin
        session        optional    pam_xauth.so

      Secure logs

      Nov 14 13:37:44 winbind sshd[12902]: Accepted password for testuser from 192.168.122.1 port 37124 ssh2
      Nov 14 13:37:44 winbind sshd[12902]: pam_unix(sshd:session): session opened for user testuser by (uid=0)
      Nov 14 13:38:01 winbind sudo[12957]: pam_wheel(sudo:account): Access granted to 'testuser' for 'testuser'
      Nov 14 13:38:01 winbind sudo[12957]: testuser : TTY=pts/1 ; PWD=/home/testuser ; USER=root ; COMMAND=/bin/su
      Nov 14 13:38:01 winbind sudo[12957]: pam_unix(sudo:session): session opened for user root by testuser(uid=0)
      Nov 14 13:38:01 winbind su[12958]: pam_wheel(su:account): Access granted to 'testuser' for 'root'
      Nov 14 13:38:01 winbind su[12958]: pam_unix(su:session): session opened for user root by testuser(uid=0)

      ssh from an external terminal

      Nov 14 13:42:46 winbind sshd[13443]: Accepted password for testuser from 192.168.122.1 port 52170 ssh2
      Nov 14 13:42:46 winbind systemd[13449]: pam_unix(systemd-user:session): session opened for user testuser by (uid=0)
      Nov 14 13:42:46 winbind sshd[13443]: pam_unix(sshd:session): session opened for user testuser by (uid=0)
      Nov 14 13:42:46 winbind sudo[13482]: pam_wheel(sudo:account): Access granted to 'testuser' for 'testuser'
      Nov 14 13:42:46 winbind sudo[13482]: testuser : TTY=unknown ; PWD=/home/testuser ; USER=root ; COMMAND=/bin/su
      Nov 14 13:42:46 winbind sudo[13482]: pam_unix(sudo:session): session opened for user root by (uid=0)
      Nov 14 13:42:46 winbind su[13513]: pam_wheel(su:account): Access granted to 'testuser' for 'root'
      Nov 14 13:42:46 winbind su[13513]: pam_unix(su:session): session opened for user root by (uid=0)
      ~~~

      RHEL 9.3
      ~~~
      PAM Config

      [testuser@rhel91 ~]$ cat /etc/pam.d/sudo
      #%PAM-1.0
      #auth       include      system-auth
      account    sufficient   pam_wheel.so trust group=users debug
      account    include      system-auth
      password   include      system-auth
      session    include      system-auth
      [testuser@rhel91 ~]$ cat /etc/pam.d/su
      #%PAM-1.0
      auth        required    pam_env.so
      auth        sufficient    pam_rootok.so
      account    sufficient   pam_wheel.so trust group=users debug

      1. Uncomment the following line to implicitly trust users in the "wheel" group.
        #auth        sufficient    pam_wheel.so trust use_uid
      2. Uncomment the following line to require a user to be in the "wheel" group.
        #auth        required    pam_wheel.so use_uid
        auth        substack    system-auth
        auth        include        postlogin
        account        sufficient    pam_succeed_if.so uid = 0 use_uid quiet
        account        include        system-auth
        password    include        system-auth
        session        include        system-auth
        session        include        postlogin
        session        optional    pam_xauth.so

      Secure logs

      Nov 14 13:37:44 rhel91 sshd[9950]: Accepted password for testuser from 192.168.122.1 port 48546 ssh2
      Nov 14 13:37:44 rhel91 sshd[9950]: pam_unix(sshd:session): session opened for user testuser(uid=1001) by (uid=0)
      Nov 14 13:38:01 rhel91 sudo[9998]: pam_wheel(sudo:account): Access granted to 'testuser' for 'testuser'
      Nov 14 13:38:01 rhel91 sudo[9998]: testuser : TTY=pts/1 ; PWD=/home/testuser ; USER=root ; COMMAND=/bin/su
      Nov 14 13:38:01 rhel91 sudo[9998]: pam_unix(sudo:session): session opened for user root(uid=0) by testuser(uid=1001)
      Nov 14 13:38:01 rhel91 su[9999]: pam_wheel(su:account): Access granted to 'testuser' for 'root'
      Nov 14 13:38:01 rhel91 su[9999]: pam_unix(su:session): session opened for user root(uid=0) by testuser(uid=0)

      ssh from an external terminal

      Nov 14 13:42:46 rhel91 sshd[10340]: Accepted password for testuser from 192.168.122.1 port 53194 ssh2
      Nov 14 13:42:46 rhel91 systemd[10346]: pam_unix(systemd-user:session): session opened for user testuser(uid=1001) by (uid=0)
      Nov 14 13:42:46 rhel91 sshd[10340]: pam_unix(sshd:session): session opened for user testuser(uid=1001) by (uid=0)
      Nov 14 13:42:46 rhel91 sudo[10381]: pam_wheel(sudo:account): Access granted to 'testuser' for 'testuser'
      Nov 14 13:42:46 rhel91 sudo[10381]: testuser : PWD=/home/testuser ; USER=root ; COMMAND=/bin/su
      Nov 14 13:42:46 rhel91 sudo[10381]: pam_unix(sudo:session): session opened for user root(uid=0) by (uid=1001)
      Nov 14 13:42:46 rhel91 su[10406]: pam_wheel(su:account): Access denied to 'root' for 'root' ----> pam_wheel is not picking up the original UID like in RHEL8.8 and it's recognising the user as root, it is then denying access.
      Nov 14 13:42:46 rhel91 su[10406]: pam_unix(su:session): session opened for user root(uid=0) by (uid=0)
      ~~~

        • The issue is reproduced only when we ssh from an external machine, even when the message said it is denied, the sudo su worked.

      i.e: external host: ssh testuser@machine "sudo su"

      Customer words:

      Ultimately, the situation is that rules that use pam_wheel and are supposed to authorise and deny the user based on the original UID are not working. This is arguably worse than what was happening before 1.3.1-14.el8 where at least it was failing and denying access while now it's wrongly assigning root identity as the original UID, granting access to users who should be denied.

            ipedrosa@redhat.com Iker Pedrosa
            rhn-support-dcamilof Daniel Camilo Filho
            RHEL Jira bot, Watson Automation
            Iker Pedrosa Iker Pedrosa
            SSSD QE SSSD QE
            Votes:
            0 Vote for this issue
            Watchers:
            9 Start watching this issue

              Created:
              Updated:
              Resolved: