PAM touching shadow?
Jason Gerfen
jason.gerfen at scl.utah.edu
Mon Jul 19 13:49:37 UTC 2004
The applications which use PAM (depending on what distro you're using, they are
configured in /etc/pam.conf or /etc/pam.d/<name of application>) will
always verify credentials using the /etc/passwd and /etc/shadow files.
You may be able to configure your X display to use various options for
allowing the user to keep their screensaver lock by adding something
like the following to your X display subsystem,
XDM or GDM (files which use PAM in /etc/pam.d):
auth required pam_unix.so use_authtok no_warn use_first_pass
auth required pam_unix2.so use_authtok no_warn use_first_pass
session required pam_unix.so use_authtok no_warn use_first_pass
account required pam_unix.so use_authtok no_warn use_first_pass
password required pam_unix.so use_authtok no_warn use_first_pass
# Since I am not sure which section (auth, session, account or password)
is actually being called once the user logs back in after unlocking the
screensaver, I would try the listed options to prevent unnecessary events
to the auditor.
The four options I listed for each section of the pam_unix.so module
might prevent your issue:
no_warn
use_first_pass
use_mapped_pass
use_authtok
Hope this helps...
Eric Reischer wrote:
>Precisely; however it is trying to open /etc/shadow *as the logged-in
>user*, not root. This is what's throwing the errors in the audit log.
>
>Eric
>
>*********************************************************************
>Eric Reischer emr at engr.de.psu.edu
>"The most beautiful thing we can experience
>is the mysterious." -- Albert Einstein
>*********************************************************************
>
>
>On Mon, 19 Jul 2004, Igmar Palsenberg wrote:
>
>>>Unfortunately,
>>>however, our workstations running xscreensaver have SNARE reporting that
>>>the (non-root) logged-in user unsuccessfully attempts to touch the
>>>/etc/shadow file, with timestamps that correspond to the exact times that
>>>the user unlocks the window via xscreensaver.
>>>
>>Sounds logical to me: xscreensaver needs to verify the user's password,
>>let PAM handle that, and PAM needs to open /etc/shadow to verify the
>>actual hashes.
>>
>>>I have narrowed it down to PAM (I think), as I've recompiled xscreensaver
>>>with absolutely no passwd references; only the PAM libraries compiled in,
>>>and the problem still presents itself. Does anyone know if PAM is making
>>>this call at some point, and if so, what is the reason behind it? Is PAM
>>>just doing a sanity permission check on the shadow file?
>>>
>>It's probably opening it.
>>
>> Igmar
>>
>>
>>_______________________________________________
>>Pam-list mailing list
>>Pam-list at redhat.com
>>https://www.redhat.com/mailman/listinfo/pam-list
>>
>
--
Jason Gerfen
Student Computing Group
Marriott Library
University of Utah
(801) 585-9810
jason.Gerfen at scl.utah.edu
"...Sometimes I just yell at myself. And it
makes me sad, sometimes I make myself cry..."
~ My nephew Dawsyn
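An added triage script, not from this thread or from the PAM project: it pairs denied /etc/shadow opens in an audit log with xscreensaver unlock events for the same user, so the expected denials the thread describes can be separated from ones that deserve a closer look. The log layout and the sample lines are constructed for this example, not real SNARE or auditd output.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines (not real SNARE/auditd output); the
# "<date> <time> <host> <source>: <message>" layout is an assumption of this example.
SAMPLE_LOG = """\
2004-07-19 13:40:02 ws01 audit: user=emr uid=1001 syscall=open path=/etc/shadow result=EACCES
2004-07-19 13:40:02 ws01 xscreensaver: unlock ok user=emr
2004-07-19 14:05:11 ws01 audit: user=emr uid=1001 syscall=open path=/etc/shadow result=EACCES
2004-07-19 14:05:12 ws01 xscreensaver: unlock ok user=emr
2004-07-19 14:30:00 ws01 audit: user=bob uid=1002 syscall=open path=/etc/shadow result=EACCES
"""

LINE_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) \S+ (\w+): (.*)$")
SHADOW_RE = re.compile(r"user=(\S+) .*path=/etc/shadow result=EACCES")
UNLOCK_RE = re.compile(r"unlock ok user=(\S+)")


def parse_events(text):
    """Return (shadow_failures, unlocks), each a list of (datetime, user)."""
    failures, unlocks = [], []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        src, msg = m.group(2), m.group(3)
        if src == "audit" and (s := SHADOW_RE.search(msg)):
            failures.append((ts, s.group(1)))
        elif src == "xscreensaver" and (u := UNLOCK_RE.search(msg)):
            unlocks.append((ts, u.group(1)))
    return failures, unlocks


def triage(text, window_seconds=2):
    """Label each denied /etc/shadow open 'unlock' if the same user unlocked
    xscreensaver within the window, otherwise 'unexplained' (worth a look)."""
    failures, unlocks = parse_events(text)
    window = timedelta(seconds=window_seconds)
    report = []
    for ts, user in failures:
        matched = any(u == user and abs(uts - ts) <= window for uts, u in unlocks)
        report.append((ts.strftime("%H:%M:%S"), user, "unlock" if matched else "unexplained"))
    return report

if __name__ == "__main__":
    for row in triage(SAMPLE_LOG):
        print(*row)
```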