From: "Kamil Kisiel"
To: "Christopher Cowart", freebsd-questions@freebsd.org
Date: Fri, 23 Nov 2007 20:01:23 -0800
Subject: Re: sudo never asks me for a password
Message-ID: <66d392400711232001g53121aaeu6287612e8910be7f@mail.gmail.com>
In-Reply-To: <66d392400711231931o498343cah71b61717546dc39c@mail.gmail.com>

On Nov 23, 2007 7:31 PM, Kamil Kisiel wrote:
> On Nov 23, 2007 7:16 PM, Christopher Cowart wrote:
> > On Fri, Nov 23, 2007 at 07:09:36PM -0800, Kamil Kisiel wrote:
> > > On 11/23/07, Christopher Cowart wrote:
> > > > On Fri, Nov 23, 2007 at 03:43:39PM -0800, Kamil Kisiel wrote:
> > > > > For some reason, on this particular FreeBSD machine, sudo never asks
> > > > > me for a password, even if I haven't logged in for days.
> > > > >
> > > > > I've been struggling with this problem for some time but still haven't
> > > > > been able to find a solution. Any ideas?
> > > >
> > > > Maybe something is misconfigured in your pam stack? Check
> > > > /etc/pam.d/sudo.
> > >
> > > /etc/pam.d/sudo looks like this:
> > >
> > > #
> > > # $FreeBSD: src/etc/pam.d/su,v 1.16 2003/07/09 18:40:49 des Exp $
> > > #
> > > # PAM configuration for the "su" service
> > > #
> > >
> > > # auth
> > > auth sufficient pam_rootok.so no_warn
> > > auth sufficient pam_self.so no_warn
> > > auth requisite pam_group.so no_warn group=wheel root_only fail_safe
> > > auth include system
> > >
> > > # account
> > > account include system
> > >
> > > # session
> > > session required pam_permit.so
> >
> > This looks like it was copied verbatim from su.
> >
> > I suspect the pam_self.so is causing problems. Sudo authenticates the
> > user for their current account, not the target account. That line will
> > cause authentication to short-circuit on a UID match w/o any need to
> > provide a password. Try commenting it out.
> >
> > --
> > Chris Cowart
> > Lead Systems Administrator
> > Network & Infrastructure Services, RSSP-IT
> > UC Berkeley
> >
>
> Thanks Christopher,
>
> That's exactly the problem. Seems the previous administrator of this
> machine made /etc/pam.d/sudo a link to /etc/pam.d/su and left it
> configured as is. Somehow I never caught on to that.
>
> --
> Kamil
>

Alright, maybe my impression of success was slightly premature. It
seems that the problem now is that sudo doesn't like the pam_unix.so
module for whatever reason. If I use the default sudo pam file, which
simply includes all settings from /etc/pam.d/system it gives me an
error like the following:

sudo: pam_authenticate: conversation failure

--
Kamil
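
Added example (not part of the thread): a shell check for the misconfiguration diagnosed above. It flags a PAM policy file that is a link to another service's file, and any auth rule marked sufficient whose module does not check the invoking user's credentials. The function names, the module list in NOAUTH_RE and the sample files are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the thread: audit the auth chain of a PAM policy
# file such as /etc/pam.d/sudo.

# Assumption: modules that, stacked as "sufficient" for sudo, succeed without
# checking any credential of the invoking user.
NOAUTH_RE='^(.*/)?pam_(self|permit)([.]so)?$'

audit_pam_auth() {
    policy=$1
    # A policy that is a link to another service's file inherits that
    # service's assumptions (su authenticates the target user, sudo the caller).
    if [ -L "$policy" ]; then
        echo "LINK: $policy -> $(readlink "$policy")"
    fi
    # Commented-out rules never match because their first field is not "auth".
    awk -v re="$NOAUTH_RE" '
        $1 == "auth" && $2 == "sufficient" && $3 ~ re {
            printf "BYPASS: line %d: %s\n", NR, $0
        }
    ' "$policy"
}

# Constructed sample reproducing the layout described in the thread:
# the sudo policy is a link to the su policy quoted above.
make_sample() {
    dir=$1
    cat > "$dir/su" <<'EOF'
# auth
auth sufficient pam_rootok.so no_warn
auth sufficient pam_self.so no_warn
auth requisite pam_group.so no_warn group=wheel root_only fail_safe
auth include system
# account
account include system
# session
session required pam_permit.so
EOF
    ln -s su "$dir/sudo"
}

demo_dir=$(mktemp -d)
make_sample "$demo_dir"
audit_pam_auth "$demo_dir/sudo"
rm -rf "$demo_dir"
```

On a live system the function would be pointed at /etc/pam.d/sudo; rules pulled in through "include" lines are not followed and need the same check on the included file.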