Date: Fri, 7 Oct 2005 14:05:54 -0400 (EDT)
From: "Brian A. Seklecki" <lavalamp@spiritual-machines.org>
To: Dag-Erling Smørgrav <des@des.no>
Cc: freebsd-questions@freebsd.org
Subject: Re: pam_rootok(8) + pam.d/sudo symlink to pam.d/su
Message-ID: <20051007134804.F95280@arbitor.digitalfreaks.org>
In-Reply-To: <86k6gp8fsf.fsf@xps.des.no>
References: <20051007114027.Y95280@arbitor.digitalfreaks.org> <86k6gp8fsf.fsf@xps.des.no>
On Fri, 7 Oct 2005, Dag-Erling Smørgrav wrote:

> No, unless sudo is broken. What sudo implementation are you using?

PAM doesn't cache authentication information, does it? This "use_first_pass" argument to the modules couldn't be getting in the way?

You know, this would be solved by including pam.d/* templates in the pam_ldap/nss_ldap package or maintaining a web repository.

Anyway, aside from ranting, here's the deal:

root@server:/root# rm -rf /var/run/sudo/*

...then:

client$ ssh seklecki@server
Password:
Welcome to FreeBSD!
seklecki@client:~$
seklecki@client:~$ su -
Password:
root@client:~# ^D
seklecki@client:~$ sudo bash
root@client:~# ^D

...not good.

Now, /usr/local/etc/pam.d/sudo is a symlink to /etc/pam.d/su. /etc/pam.d/su is stock, which "includes" /etc/pam.d/system, which basically mirrors /etc/pam.d/sshd (which is ideal, because SUDO isn't going to check the root password, it's going to check the user's password):

# auth
#auth		sufficient	pam_opie.so		no_warn no_fake_prompts
#auth		requisite	pam_opieaccess.so	no_warn allow_local
#auth		sufficient	pam_krb5.so		no_warn try_first_pass
#auth		sufficient	pam_ssh.so		no_warn try_first_pass
auth		sufficient	pam_ldap.so		try_first_pass
auth		required	pam_unix.so		no_warn try_first_pass nullok

# account
#account	required	pam_krb5.so
account		required	pam_login_access.so
account		sufficient	pam_ldap.so		ignore_authinfo_unavail ignore_unknown_user
account		required	pam_unix.so

# session
#session	optional	pam_ssh.so
session		required	pam_lastlog.so		no_fail
session		sufficient	pam_ldap.so

# password
#password	sufficient	pam_krb5.so		no_warn try_first_pass
password	required	pam_unix.so		no_warn try_first_pass

~BAS

>
> DES
> --
> Dag-Erling Smørgrav - des@des.no
>
>

l8*

-lava

x.25 - minix - bitnet - plan9 - 110 bps - ASR 33 - base8
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20051007134804.F95280>
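Added example, not part of the thread and not FreeBSD's, OpenPAM's or sudo's own code: a small Python audit that resolves PAM `include` directives and symlinked service names, then lists the auth modules that are `sufficient` and succeed on identity alone (pam_rootok.so succeeds when the real uid is 0, pam_self.so when the target user is the invoking user), i.e. the modules that end the stack before any password module runs. The `system` policy text is the one posted above; the `su` policy and the sudo-to-su symlink are constructed for the example, modelled on the shape of a stock FreeBSD su policy, and are assumptions to be checked against the real files.

```python
"""Audit PAM policies: expand `include` lines, follow symlinked service
names, and report which auth modules can end the stack without ever
asking for a password.  All policy text below is constructed."""

# Modules that succeed on identity alone; they never prompt for a password.
NO_PROMPT_MODULES = {"pam_rootok.so", "pam_self.so"}

# Constructed policies.  "system" is the stack posted in the message;
# "su" is an assumption shaped like a stock FreeBSD su policy.
POLICIES = {
    "system": """\
# auth
#auth   sufficient  pam_opie.so     no_warn no_fake_prompts
auth    sufficient  pam_ldap.so     try_first_pass
auth    required    pam_unix.so     no_warn try_first_pass nullok
# account
account required    pam_login_access.so
account sufficient  pam_ldap.so     ignore_authinfo_unavail ignore_unknown_user
account required    pam_unix.so
""",
    "su": """\
auth    sufficient  pam_rootok.so   no_warn
auth    sufficient  pam_self.so     no_warn
auth    include     system
account include     system
""",
}

# Assumed symlink: /usr/local/etc/pam.d/sudo -> /etc/pam.d/su
SYMLINKS = {"sudo": "su"}


def parse_policy(name, policies=POLICIES, symlinks=SYMLINKS, _depth=0):
    """Return a flat list of (facility, control, module, args) tuples with
    `include` directives expanded and symlinked service names resolved."""
    if _depth > 8:
        raise ValueError("include loop detected for %r" % name)
    name = symlinks.get(name, name)
    entries = []
    for raw in policies[name].splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        facility, control, module, args = fields[0], fields[1], fields[2], fields[3:]
        if control == "include":
            # Only pull in the included policy's lines for this facility.
            entries.extend(
                e for e in parse_policy(module, policies, symlinks, _depth + 1)
                if e[0] == facility
            )
        else:
            entries.append((facility, control, module, args))
    return entries


def passwordless_auth_paths(name):
    """Auth-stack modules that are `sufficient` and never prompt: if one of
    them succeeds, OpenPAM stops there and later password modules never run."""
    return [
        module
        for facility, control, module, _args in parse_policy(name)
        if facility == "auth" and control == "sufficient"
        and module in NO_PROMPT_MODULES
    ]


if __name__ == "__main__":
    for service in ("system", "su", "sudo"):
        found = passwordless_auth_paths(service)
        print("%-7s passwordless auth paths: %s" % (service, found or "none"))
```

Run against real files by replacing `POLICIES` with the contents of /etc/pam.d/* and /usr/local/etc/pam.d/*; a service whose report is anything other than "none" inherits an auth path that the policy it was symlinked from may have intended for a different program.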