[K12OSN] Huge security issue

Daniel Kuecker kueckerd at shenandoah.k12.ia.us
Fri Feb 9 16:57:09 UTC 2007


gdm:

#%PAM-1.0
auth            required                pam_mount.so # use_first_pass

auth       required    pam_env.so
#auth       include     system-auth

account    required    pam_nologin.so
account    include     system-auth
password   include     system-auth
session    optional    pam_keyinit.so force revoke
session    include     system-auth
session    required    pam_loginuid.so
session    optional    pam_console.so
session    optional     pam_mount.so
#session required pam_mount.so



system-auth:

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        optional      pam_mount.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
#auth        sufficient    pam_krb5.so use_first_pass

auth        sufficient    pam_winbind.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
#account     sufficient    pam_krb5.so
account     sufficient    pam_winbind.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_winbind.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
#password    sufficient    pam_krb5.so use_authok
password    sufficient    pam_winbind.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session        optional      pam_mount.so
session         required  pam_mkhomedir.so skel=/etc/skel umask=0077
#session     optional      pam_krb5.so
>>> Dan Young <dyoung at mesd.k12.or.us> 02/09/07 10:49 AM >>> 
Daniel Kuecker wrote:
> Just when I thought I had everything going well. I have a huge security
> issue. I just noticed that I can log into my thin clients with user root
> and any password.
> Actually, I can log in as any valid user with any password from GDM. If
> I try to do the same with ssh, it will only allow the correct password.
> I have it set up to auth against ADS. I have two thin clients set up, and
> both are allowing this. Does anyone have any suggestions? I need to
> resolve this before any students figure it out and have root
> access.....

Can you show us the contents of /etc/pam.d/gdm and
/etc/pam.d/system-auth?

-- 
Dan Young <dyoung at mesd.k12.or.us>
Multnomah ESD - Technology Services
503-257-1562

_______________________________________________
K12OSN mailing list
K12OSN at redhat.com
https://www.redhat.com/mailman/listinfo/k12osn
For more info see <http://www.k12os.org>