RHEL-16727

PAM can't identify the user when running from external host

Details

    • Bug
    • Resolution: Unresolved
    • Normal
    • rhel-9.4.0
    • rhel-9.3.0.z
    • pam
    • pam-1.5.1-18.el9
    • Impediment
    • sst_idm_sssd
    • ssg_idm
    • 23
    • 24
    • True
    • Moving this Jira to Planning state since the discussion was moved to upstream and discussions will happen there. This ticket is blocked until further notice (waiting for a resolution).
    • No
    • Red Hat Enterprise Linux
    • x86_64

    Description

      What were you trying to do that didn't work?

      Bug related to the issue. Errata came on RHEL 8.4
       - [1866866 - PAM can't identify the user when running via gnome-terminal in an X session](https://bugzilla.redhat.com/show_bug.cgi?id=1866866)

      However, something changed and the behavior is still present.

      Please provide the package NVR for which bug is seen:
      RHEL8.5: pam 1.3.1-15.el8 - correct behaviour
      RHEL9.1: 1.5.1-12.el9 and 1.5.1-15.el9 (9.3) exhibit the same problem

      Steps to Reproduce:
      1. Create "testuser" user and set password
      2. Configure "testuser" user in sudoers to be able to sudo without password: 
      ---
      testuser        ALL=(ALL)    NOPASSWD: ALL
      ---

      3. Configure pam.d/sudo to verify the account based on group membership, for example
         Comment out : "#account    include      system-auth" and replace with:
      ---
      account    sufficient   pam_wheel.so trust group=users debug
      ---

      4. Add the line below to /etc/pam.d/su
      ---
      account    sufficient   pam_wheel.so trust group=users debug
      ---

      5. Add user to users group: usermod -G users testuser

      6. SSH into the machine as "testuser" and issue "sudo su" or any "sudo <command>" and verify you can elevate successfully

      Evidence:

      RHEL 8.8
      ~~~
      PAM Config

      [testuser@winbind ~]$ cat /etc/pam.d/sudo
      #%PAM-1.0
      #auth       include      system-auth
      account    sufficient   pam_wheel.so trust group=users debug
      account    include      system-auth
      password   include      system-auth
      session    include      system-auth

      [testuser@winbind ~]$ cat /etc/pam.d/su
      #%PAM-1.0
      auth        required    pam_env.so
      auth        sufficient    pam_rootok.so
      account    sufficient   pam_wheel.so trust group=users debug

      # Uncomment the following line to implicitly trust users in the "wheel" group.
      #auth        sufficient    pam_wheel.so trust use_uid
      # Uncomment the following line to require a user to be in the "wheel" group.
      #auth        required    pam_wheel.so use_uid
      auth        substack    system-auth
      auth        include        postlogin
      account        sufficient    pam_succeed_if.so uid = 0 use_uid quiet
      account        include        system-auth
      password    include        system-auth
      session        include        system-auth
      session        include        postlogin
      session        optional    pam_xauth.so

      Secure logs

      Nov 14 13:37:44 winbind sshd[12902]: Accepted password for testuser from 192.168.122.1 port 37124 ssh2
      Nov 14 13:37:44 winbind sshd[12902]: pam_unix(sshd:session): session opened for user testuser by (uid=0)
      Nov 14 13:38:01 winbind sudo[12957]: pam_wheel(sudo:account): Access granted to 'testuser' for 'testuser'
      Nov 14 13:38:01 winbind sudo[12957]: testuser : TTY=pts/1 ; PWD=/home/testuser ; USER=root ; COMMAND=/bin/su
      Nov 14 13:38:01 winbind sudo[12957]: pam_unix(sudo:session): session opened for user root by testuser(uid=0)
      Nov 14 13:38:01 winbind su[12958]: pam_wheel(su:account): Access granted to 'testuser' for 'root'
      Nov 14 13:38:01 winbind su[12958]: pam_unix(su:session): session opened for user root by testuser(uid=0)

      ssh from an external terminal

      Nov 14 13:42:46 winbind sshd[13443]: Accepted password for testuser from 192.168.122.1 port 52170 ssh2
      Nov 14 13:42:46 winbind systemd[13449]: pam_unix(systemd-user:session): session opened for user testuser by (uid=0)
      Nov 14 13:42:46 winbind sshd[13443]: pam_unix(sshd:session): session opened for user testuser by (uid=0)
      Nov 14 13:42:46 winbind sudo[13482]: pam_wheel(sudo:account): Access granted to 'testuser' for 'testuser'
      Nov 14 13:42:46 winbind sudo[13482]: testuser : TTY=unknown ; PWD=/home/testuser ; USER=root ; COMMAND=/bin/su
      Nov 14 13:42:46 winbind sudo[13482]: pam_unix(sudo:session): session opened for user root by (uid=0)
      Nov 14 13:42:46 winbind su[13513]: pam_wheel(su:account): Access granted to 'testuser' for 'root'
      Nov 14 13:42:46 winbind su[13513]: pam_unix(su:session): session opened for user root by (uid=0)
      ~~~

      RHEL 9.3
      ~~~
      PAM Config

      [testuser@rhel91 ~]$ cat /etc/pam.d/sudo
      #%PAM-1.0
      #auth       include      system-auth
      account    sufficient   pam_wheel.so trust group=users debug
      account    include      system-auth
      password   include      system-auth
      session    include      system-auth
      [testuser@rhel91 ~]$ cat /etc/pam.d/su
      #%PAM-1.0
      auth        required    pam_env.so
      auth        sufficient    pam_rootok.so
      account    sufficient   pam_wheel.so trust group=users debug

      # Uncomment the following line to implicitly trust users in the "wheel" group.
      #auth        sufficient    pam_wheel.so trust use_uid
      # Uncomment the following line to require a user to be in the "wheel" group.
      #auth        required    pam_wheel.so use_uid
      auth        substack    system-auth
      auth        include        postlogin
      account        sufficient    pam_succeed_if.so uid = 0 use_uid quiet
      account        include        system-auth
      password    include        system-auth
      session        include        system-auth
      session        include        postlogin
      session        optional    pam_xauth.so

      Secure logs

      Nov 14 13:37:44 rhel91 sshd[9950]: Accepted password for testuser from 192.168.122.1 port 48546 ssh2
      Nov 14 13:37:44 rhel91 sshd[9950]: pam_unix(sshd:session): session opened for user testuser(uid=1001) by (uid=0)
      Nov 14 13:38:01 rhel91 sudo[9998]: pam_wheel(sudo:account): Access granted to 'testuser' for 'testuser'
      Nov 14 13:38:01 rhel91 sudo[9998]: testuser : TTY=pts/1 ; PWD=/home/testuser ; USER=root ; COMMAND=/bin/su
      Nov 14 13:38:01 rhel91 sudo[9998]: pam_unix(sudo:session): session opened for user root(uid=0) by testuser(uid=1001)
      Nov 14 13:38:01 rhel91 su[9999]: pam_wheel(su:account): Access granted to 'testuser' for 'root'
      Nov 14 13:38:01 rhel91 su[9999]: pam_unix(su:session): session opened for user root(uid=0) by testuser(uid=0)

      ssh from an external terminal

      Nov 14 13:42:46 rhel91 sshd[10340]: Accepted password for testuser from 192.168.122.1 port 53194 ssh2
      Nov 14 13:42:46 rhel91 systemd[10346]: pam_unix(systemd-user:session): session opened for user testuser(uid=1001) by (uid=0)
      Nov 14 13:42:46 rhel91 sshd[10340]: pam_unix(sshd:session): session opened for user testuser(uid=1001) by (uid=0)
      Nov 14 13:42:46 rhel91 sudo[10381]: pam_wheel(sudo:account): Access granted to 'testuser' for 'testuser'
      Nov 14 13:42:46 rhel91 sudo[10381]: testuser : PWD=/home/testuser ; USER=root ; COMMAND=/bin/su
      Nov 14 13:42:46 rhel91 sudo[10381]: pam_unix(sudo:session): session opened for user root(uid=0) by (uid=1001)
      Nov 14 13:42:46 rhel91 su[10406]: pam_wheel(su:account): Access denied to 'root' for 'root' ----> pam_wheel is not picking up the original UID like in RHEL8.8 and it's recognising the user as root, it is then denying access.
      Nov 14 13:42:46 rhel91 su[10406]: pam_unix(su:session): session opened for user root(uid=0) by (uid=0)
      ~~~

        • The issue is reproduced only when we ssh from an external machine. Even though the message said it is denied, the sudo su worked.

      i.e., from the external host: ssh testuser@machine "sudo su"

      Customer words:

      Ultimately, the situation is that rules that use pam_wheel and are supposed to authorise and deny the user based on the original UID are not working. This is arguably worse than what was happening before 1.3.1-14.el8 where at least it was failing and denying access while now it's wrongly assigning root identity as the original UID, granting access to users who should be denied.


            People

              ipedrosa@redhat.com Iker Pedrosa
              rhn-support-dcamilof Daniel Camilo Filho
              RHEL Jira bot, Watson Automation
              Iker Pedrosa Iker Pedrosa
              SSSD QE SSSD QE