[K12OSN] Huge security issue
Daniel Kuecker
kueckerd at shenandoah.k12.ia.us
Fri Feb 9 16:57:09 UTC 2007
gdm:
#%PAM-1.0
auth required pam_mount.so # use_first_pass
auth required pam_env.so
#auth include system-auth
account required pam_nologin.so
account include system-auth
password include system-auth
session optional pam_keyinit.so force revoke
session include system-auth
session required pam_loginuid.so
session optional pam_console.so
session optional pam_mount.so
#session required pam_mount.so
system-auth:
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth optional pam_mount.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
#auth sufficient pam_krb5.so use_first_pass
auth sufficient pam_winbind.so use_first_pass
auth required pam_deny.so
account required pam_unix.so broken_shadow
#account sufficient pam_krb5.so
account sufficient pam_winbind.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_winbind.so
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
#password sufficient pam_krb5.so use_authtok
password sufficient pam_winbind.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_mount.so
session required pam_mkhomedir.so skel=/etc/skel umask=0077
#session optional pam_krb5.so
>>> Dan Young <dyoung at mesd.k12.or.us> 02/09/07 10:49 AM >>>
Daniel Kuecker wrote:
> Just when I thought I had everything going well, I have a huge security
> issue. I just noticed that I can log into my thin clients with user root
> and any password.
> Actually, I can log in as any valid user with any password from GDM. If
> I try to do the same with ssh, it will only allow the correct password.
> I have it set up to auth against ADS. I have two thin clients set up, and
> both are allowing this. Does anyone have any suggestions? I need to
> resolve this before any students figure it out and have root
> access.....
Can you show us the contents of /etc/pam.d/gdm and
/etc/pam.d/system-auth?
--
Dan Young <dyoung at mesd.k12.or.us>
Multnomah ESD - Technology Services
503-257-1562
_______________________________________________
K12OSN mailing list
K12OSN at redhat.com
https://www.redhat.com/mailman/listinfo/k12osn
For more info see <http://www.k12os.org>
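What the posted files show: in the gdm file above the line "auth include system-auth" is commented out, so gdm's auth phase consists of pam_mount.so and pam_env.so and nothing else. Neither module verifies a password (pam_mount only collects it for mounting volumes later, pam_env only sets environment variables), so the auth phase succeeds for any password on any account, root included. A service whose PAM file still includes system-auth (ssh, in the poster's case) goes through pam_unix / pam_winbind and keeps rejecting wrong passwords. Restoring the include line in /etc/pam.d/gdm closes the hole. The script below is an added example, not code from this thread: it audits PAM service files for an auth stack that never reaches a credential-checking module, following include/substack lines the way PAM does, and runs that check against constructed copies of the posted gdm file before and after the fix. The list of modules it treats as real authenticators is an assumption for illustration.

```shell
#!/bin/sh
# Added example (not part of the original post): flag PAM service files whose
# "auth" stack never reaches a module that verifies a credential, which is
# exactly the shape of the gdm file quoted above.

# Modules whose auth phase checks a password or ticket. This list is an
# assumption for illustration; add your site's modules as needed.
AUTHENTICATORS='pam_unix.so pam_winbind.so pam_krb5.so pam_ldap.so pam_sss.so'

# Print "control module" for every live auth line of a PAM file. Comment
# lines are dropped; the "[value=action ...]" control form is collapsed to
# the word "bracket" so the module name still lands in field two.
auth_lines() {
    awk '$1 ~ /^#/ { next }
         $1 == "auth" {
             if ($2 ~ /^\[/) {
                 i = 2
                 while (i <= NF && $i !~ /\]$/) i++
                 print "bracket", $(i + 1)
             } else {
                 print $2, $3
             }
         }' "$1"
}

# pam_auth_ok FILE: exit 0 if the auth stack can reject a wrong password,
# 1 if it cannot (or the file is unreadable). "include"/"substack" lines are
# resolved relative to FILE's directory and checked recursively, as PAM does.
pam_auth_ok() {
    [ -r "$1" ] || return 1
    auth_lines "$1" | while read -r control module; do
        case $control in
            include|substack)
                pam_auth_ok "$(dirname "$1")/$module" && echo ok ;;
            *)
                for m in $AUTHENTICATORS; do
                    [ "${module##*/}" = "$m" ] && echo ok
                done ;;
        esac
    done | grep -q ok
}

# Constructed sample files built from the configuration quoted above
# (only the auth lines of system-auth matter for this check).
write_samples() {
    cat >"$1/system-auth" <<'EOF'
#%PAM-1.0
auth        required      pam_env.so
auth        optional      pam_mount.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_winbind.so use_first_pass
auth        required      pam_deny.so
EOF
    # gdm as posted: the include is commented out, so only pam_mount and
    # pam_env run and every password is accepted.
    cat >"$1/gdm.broken" <<'EOF'
#%PAM-1.0
auth       required    pam_mount.so # use_first_pass
auth       required    pam_env.so
#auth      include     system-auth
EOF
    # gdm with the include restored: pam_unix / pam_winbind check the password.
    cat >"$1/gdm.fixed" <<'EOF'
#%PAM-1.0
auth       required    pam_mount.so # use_first_pass
auth       required    pam_env.so
auth       include     system-auth
EOF
}

# Demo: audit the constructed files.
demo_dir=$(mktemp -d)
write_samples "$demo_dir"
for f in "$demo_dir/gdm.broken" "$demo_dir/gdm.fixed"; do
    if pam_auth_ok "$f"; then
        echo "OK    ${f##*/}"
    else
        echo "WEAK  ${f##*/}: auth stack never verifies a password"
    fi
done
rm -rf "$demo_dir"
```

On a real box, run the check over every service file with something like: for f in /etc/pam.d/*; do pam_auth_ok "$f" || echo "WEAK $f"; done. Treat hits as leads rather than findings: helper files such as /etc/pam.d/other or config-util legitimately carry no authenticator of their own, and a module not in AUTHENTICATORS will be reported as missing until you add it.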