From: "Brian A. Seklecki"
To: Dag-Erling Smørgrav
Cc: freebsd-questions@freebsd.org
Date: Fri, 7 Oct 2005 14:05:54 -0400 (EDT)
Subject: Re: pam_rootok(8) + pam.d/sudo symlink to pam.d/su
Message-ID: <20051007134804.F95280@arbitor.digitalfreaks.org>
In-Reply-To: <86k6gp8fsf.fsf@xps.des.no>
References: <20051007114027.Y95280@arbitor.digitalfreaks.org> <86k6gp8fsf.fsf@xps.des.no>

On Fri, 7 Oct 2005, Dag-Erling Smørgrav wrote:

> No, unless sudo is broken.
What sudo implementation are you using?  PAM doesn't cache authentication
information, does it?  This "use_first_pass" argument to modules couldn't be
getting in the way?

You know, this would be solved by including pam.d/* templates in the
pam_ldap/nss_ldap package or maintaining a web repository.

Anyway, aside from ranting, here's the deal:

root@server:/root# rm -rf /var/run/sudo/*

...then:

client$ ssh seklecki@server
Password:
Welcome to FreeBSD!
seklecki@client:~$
seklecki@client:~$ su -
Password:
root@client:~# ^D
seklecki@client:~$ sudo bash
root@client:~# ^D

...not good.

Now, /usr/local/etc/pam.d/sudo is a symlink to /etc/pam.d/su

/etc/pam.d/su is stock, which "includes" /etc/pam.d/system, which basically
mirrors /etc/pam.d/sshd (which is ideal, because SUDO isn't going to check
the root password, it's going to check the user's password):

# auth
#auth		sufficient	pam_opie.so		no_warn no_fake_prompts
#auth		requisite	pam_opieaccess.so	no_warn allow_local
#auth		sufficient	pam_krb5.so		no_warn try_first_pass
#auth		sufficient	pam_ssh.so		no_warn try_first_pass
auth		sufficient	pam_ldap.so		try_first_pass
auth		required	pam_unix.so		no_warn try_first_pass nullok

# account
#account	required	pam_krb5.so
account		required	pam_login_access.so
account		sufficient	pam_ldap.so		ignore_authinfo_unavail ignore_unknown_user
account		required	pam_unix.so

# session
#session	optional	pam_ssh.so
session		required	pam_lastlog.so		no_fail
session		sufficient	pam_ldap.so

# password
#password	sufficient	pam_krb5.so		no_warn try_first_pass
password	required	pam_unix.so		no_warn try_first_pass

~BAS

> DES
> --
> Dag-Erling Smørgrav - des@des.no
>

l8*
-lava

x.25 - minix - bitnet - plan9 - 110 bps - ASR 33 - base8
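The message above only shows the auth lines of /etc/pam.d/system; what sudo actually gets is whatever /etc/pam.d/su puts in front of its "include system" line, because the pam.d/sudo symlink points at su. Any module marked "sufficient" ahead of pam_ldap/pam_unix ends the auth stack with success as soon as that module succeeds, so the password modules are never consulted. The script below is an added example, not code from the mail or from the FreeBSD project: it builds a throwaway pam.d tree with the same layout (sudo -> su, su includes system), flattens the effective auth stack by expanding "include" lines, and reports every "sufficient" module reached before the first password-checking module. The fixture contents are constructed; in particular, the pam_rootok.so and pam_self.so lines in the fake su file are my assumption about what a stock su stack looks like, not a quote from the poster's system.

```sh
#!/bin/sh
# Added example: audit the effective PAM auth stack behind a pam.d symlink.
# Not from the mail; the pam.d files below are a constructed fixture.
set -eu

# make_fixture DIR: constructed pam.d tree with the layout from the mail.
make_fixture() {
    dir=$1
    mkdir -p "$dir"
    cat > "$dir/system" <<'EOF'
# constructed: mirrors the auth/account lines quoted in the mail
auth		sufficient	pam_ldap.so		try_first_pass
auth		required	pam_unix.so		no_warn try_first_pass nullok
account		sufficient	pam_ldap.so		ignore_authinfo_unavail ignore_unknown_user
account		required	pam_unix.so
EOF
    cat > "$dir/su" <<'EOF'
# constructed: ASSUMED shape of a stock su stack (short-circuit modules first)
auth		sufficient	pam_rootok.so		no_warn
auth		sufficient	pam_self.so		no_warn
auth		include		system
account		include		system
EOF
    ln -sf su "$dir/sudo"    # the symlink the mail describes
}

# resolve_auth DIR SERVICE: print "<control> <module>" for every auth line
# SERVICE ends up with, following symlinks and expanding "include" recursively.
resolve_auth() {
    awk -v dir="$1" -v svc="$2" '
    function expand(file,   path, line, n, a) {
        path = dir "/" file
        while ((getline line < path) > 0) {
            sub(/^[ \t]+/, "", line)
            if (line == "" || line ~ /^#/) continue   # comments and blanks
            n = split(line, a, /[ \t]+/)
            if (a[1] != "auth") continue              # auth facility only
            if (a[2] == "include") expand(a[3])
            else print a[2], a[3]
        }
        close(path)
    }
    BEGIN { expand(svc) }'
}

# short_circuits DIR SERVICE: print the "sufficient" modules that sit before
# the first module that would verify a password (pam_unix/pam_ldap/pam_krb5).
# Exit status 0 when at least one exists, 1 otherwise, so it reads well in "if".
short_circuits() {
    resolve_auth "$1" "$2" | awk '
        $2 ~ /^pam_(unix|ldap|krb5)\.so$/ { exit }
        $1 == "sufficient" { print $2; found = 1 }
        END { exit found ? 0 : 1 }'
}

main() {
    tmp=$(mktemp -d)
    trap 'rm -rf "$tmp"' EXIT
    make_fixture "$tmp"
    printf 'pam.d/sudo -> %s\n' "$(readlink "$tmp/sudo")"
    for svc in sudo system; do
        printf '%s effective auth stack:\n' "$svc"
        resolve_auth "$tmp" "$svc" | sed 's/^/    /'
        if short_circuits "$tmp" "$svc" >/dev/null; then
            printf 'WARNING: %s can succeed without a password check via: %s\n' \
                "$svc" "$(short_circuits "$tmp" "$svc" | tr '\n' ' ')"
        else
            printf 'OK: %s always reaches a password-checking module\n' "$svc"
        fi
    done
}
main
```

Pointed at a real tree (replace the fixture with /etc/pam.d and /usr/local/etc/pam.d), the same two functions show whether the stack sudo inherits through the symlink starts with something other than the password modules; a dedicated pam.d/sudo that only includes system is the obvious way to keep su's own short-circuit entries out of sudo's stack.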