Date: Mon, 03 Dec 2007 20:04:23 -0500
From: Tom McLaughlin <tmclaugh@sdf.lonestar.org>
To: Kamil Kisiel <kamil@kamilkisiel.net>
Cc: freebsd-questions@freebsd.org, Christopher Cowart <ccowart@rescomp.berkeley.edu>
Subject: Re: sudo never asks me for a password
Message-ID: <1196730263.3332.33.camel@tomcat.straycat.dhs.org>
In-Reply-To: <66d392400711232001g53121aaeu6287612e8910be7f@mail.gmail.com>
References: <66d392400711231543x42aea684l3752bbbdcb65d2c5@mail.gmail.com>
    <20071124030410.GH43532@hal.rescomp.berkeley.edu>
    <66d392400711231909h42ca826la5d8818864a78a4e@mail.gmail.com>
    <20071124031628.GI43532@hal.rescomp.berkeley.edu>
    <66d392400711231931o498343cah71b61717546dc39c@mail.gmail.com>
    <66d392400711232001g53121aaeu6287612e8910be7f@mail.gmail.com>

On Fri, 2007-11-23 at 20:01 -0800, Kamil Kisiel wrote:
> On Nov 23, 2007 7:31 PM, Kamil Kisiel <kamil@kamilkisiel.net> wrote:
> > On Nov 23, 2007 7:16 PM, Christopher Cowart <ccowart@rescomp.berkeley.edu> wrote:
> > > On Fri, Nov 23, 2007 at 07:09:36PM -0800, Kamil Kisiel wrote:
> > > > On 11/23/07, Christopher Cowart <ccowart@rescomp.berkeley.edu> wrote:
> > > > > On Fri, Nov 23, 2007 at 03:43:39PM -0800, Kamil Kisiel wrote:
> > > > > > For some reason, on this particular FreeBSD machine, sudo never asks
> > > > > > me for a password, even if I haven't logged in for days.
> > > > > >
> > > > > > I've been struggling with this problem for some time but still haven't
> > > > > > been able to find a solution. Any ideas?
> > > > >
> > > > > Maybe something is misconfigured in your pam stack? Check
> > > > > /etc/pam.d/sudo.
> > > >
> > > > /etc/pam.d/sudo looks like this:
> > > >
> > > > #
> > > > # $FreeBSD: src/etc/pam.d/su,v 1.16 2003/07/09 18:40:49 des Exp $
> > > > #
> > > > # PAM configuration for the "su" service
> > > > #
> > > >
> > > > # auth
> > > > auth sufficient pam_rootok.so no_warn
> > > > auth sufficient pam_self.so no_warn
> > > > auth requisite pam_group.so no_warn
> > > > group=wheel root_only fail_safe
> > > > auth include system
> > > >
> > > > # account
> > > > account include system
> > > >
> > > > # session
> > > > session required pam_permit.so
> > >
> > > This looks like it was copied verbatim from su.
> > >
> > > I suspect the pam_self.so is causing problems. Sudo authenticates the
> > > user for their current account, not the target account. That line will
> > > cause authentication to short-circuit on a UID match w/o any need to
> > > provide a password. Try commenting it out.
> > >
> > > --
> > >
> > > Chris Cowart
> > > Lead Systems Administrator
> > > Network & Infrastructure Services, RSSP-IT
> > > UC Berkeley
> > >
> >
> > Thanks Christopher,
> >
> > That's exactly the problem. Seems the previous administrator of this
> > machine made /etc/pam.d/sudo a link to /etc/pam.d/su and left it
> > configured as is. Somehow I never caught on to that.
> >
> > --
> > Kamil
> >
>
> Alright, maybe my impression of success was slightly premature. It
> seems that the problem now is that sudo doesn't like the pam_unix.so
> module for whatever reason. If I use the default sudo pam file, which
> simply includes all settings from /etc/pam.d/system it gives me an
> error like the following:
>
> sudo: pam_authenticate: conversation failure

What version of sudo are you using? This is the pam file from the
latest version of the port:

#
# $Id$
#
# PAM configuration for the "sudo" service
#

# auth
auth            include         system

# account
account         include         system

# session
# XXX: pam_lastlog (used in system) causes users to appear as though
# they are no longer logged in in system logs.
session         required        pam_permit.so

# password
password        include         system

> --

| tmclaugh at sdf.lonestar.org tmclaugh at FreeBSD.org |
| FreeBSD http://www.FreeBSD.org |
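
A check for the two findings in this thread (a sudo policy that is really su's file, and a "sufficient" pam_self.so rule in the auth stack), as an added example that is not part of the original messages. The function names, the PAM_DIR variable and the sample files are constructed for illustration; pam_permit.so and the "binding" control flag are covered as assumptions beyond what the thread names.

```shell
#!/bin/sh
# Added example, not from the thread. Reports PAM "auth" rules that can let a
# service succeed without a password prompt, following "include" lines.
PAM_DIR=${PAM_DIR:-/etc/pam.d}          # policy directory (assumed default)
NOPROMPT='pam_self.so pam_permit.so'    # pam_self.so is the module from the thread

# pam_auth_findings SERVICE [DEPTH] -> one "service: rule" line per finding
pam_auth_findings() {
    [ "${2:-0}" -lt 8 ] && [ -r "$PAM_DIR/$1" ] || return 0   # depth guard
    awk -v svc="$1" -v mods="$NOPROMPT" '
        BEGIN { n = split(mods, m, " "); for (i = 1; i <= n; i++) bad[m[i]] = 1 }
        /^[ \t]*#/ || $1 != "auth" || NF < 3 { next }
        $2 == "sufficient" || $2 == "binding" {
            mod = $3; sub(/^.*\//, "", mod)      # strip any module path
            if (mod in bad) print svc ": " $1 " " $2 " " mod
        }' "$PAM_DIR/$1"
    # Recurse into every policy pulled in by "auth include <name>".
    for inc in $(awk '!/^[ \t]*#/ && $1 == "auth" && $2 == "include" { print $3 }' "$PAM_DIR/$1")
    do
        pam_auth_findings "$inc" $(( ${2:-0} + 1 ))
    done
}

# pam_shares_policy A B -> true if both services are the same file (a symlink
# or hard link), which is how sudo inherited su's rules in the thread.
pam_shares_policy() { [ "$PAM_DIR/$1" -ef "$PAM_DIR/$2" ]; }

# make_sample_policies DIR -> constructed sample files modelled on the thread
make_sample_policies() {
    printf '%s\n' '# auth' 'auth sufficient pam_rootok.so no_warn' \
        'auth sufficient pam_self.so no_warn' 'auth include system' \
        'session required pam_permit.so' > "$1/su"
    printf '%s\n' 'auth required pam_unix.so no_warn try_first_pass' > "$1/system"
    printf '%s\n' 'auth include system' 'session required pam_permit.so' > "$1/sudo_port"
    ln -s su "$1/sudo"                   # the misconfiguration described above
}

if [ "${1:-}" = demo ]; then
    PAM_DIR=$(mktemp -d) && make_sample_policies "$PAM_DIR"
    pam_auth_findings sudo               # sudo: auth sufficient pam_self.so
    pam_shares_policy sudo su && echo "sudo and su share one policy file"
    rm -rf "$PAM_DIR"
fi
```

Run it with the argument "demo" to exercise the constructed files; without arguments it only defines the functions. Only the auth facility is inspected, so the "session required pam_permit.so" line from the port's file is not reported.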