RHEL 6.1 - Root Logs Into GDM
Mr. Paul M. Whitney
paul.whitney at me.com
Fri Aug 26 23:29:01 UTC 2011
I am confused. I was under the impression that by "DEFAULT" root was not permitted to log in to GDM/GNOME. And yet I am able to do so on a "vanilla" build.
My /etc/pam.d/gdm:
<SNIP>
#%PAM-1.0
auth required pam_env.so
auth [success=done ignore=ignore default=bad] pam_selinux_permit.so
auth required pam_succeed_if.so user != root quiet
auth substack system-auth
auth optional pam_gnome_keyring.so
account required pam_nologin.so
account include system-auth
password include system-auth
session required pam_selinux.so close
session required pam_loginuid.so
session optional pam_console.so
session required pam_selinux.so open
session optional pam_keyinit.so force revoke
session required pam_namespace.so
session optional pam_gnome_keyring.so auto_start
session include system-auth
</SNIP>
My /etc/pam.d/gdm-password:
<SNIP>
auth [success=done ignore=ignore default=bad] pam_selinux_permit.so
auth include password-auth
auth optional pam_gnome_keyring.so
account required pam_nologin.so
account include password-auth
password substack password-auth
password optional pam_gnome_keyring.so
session required pam_selinux.so close
session required pam_loginuid.so
session optional pam_console.so
session required pam_selinux.so open
session optional pam_keyinit.so force revoke
session required pam_namespace.so
session optional pam_gnome_keyring.so auto_start
session include password-auth
</SNIP>
Is there something overriding these settings?
My /etc/pam.d/system-auth-ac:
<SNIP>
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_tally2.so deny=3 onerr=fail unlock_time=600
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so
account required pam_tally2.so
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account required pam_permit.so
password required pam_passwdqc.so enforce=users
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok remember=5
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
</SNIP>
My /etc/pam.d/password-auth-ac:
<SNIP>
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth required pam_tally2.so deny=3 onerr=fail unlock_time=600
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so
account required pam_unix.so
account required pam_tally2.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account required pam_permit.so
password required pam_passwdqc.so enforce=users
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
</SNIP>
I have looked all around and am not getting anything "solid" on the Internet. The SNAC guide provides little detail on configuring PAM. Red Hat and CentOS even less.
Thanks in advance for your time,
Paul W.
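An added example, not part of the original post: a short Python check that flattens a service file's auth stack (following include and substack lines) and reports whether a pam_succeed_if.so "user != root" rule is reached before pam_unix.so. The sample text is excerpted from the files posted above; mapping system-auth and password-auth to the posted *-ac files and using "before pam_unix.so" as the test are simplifying assumptions.

```python
import re

# Constructed sample: auth lines excerpted from the files posted above.
# Assumption: system-auth / password-auth resolve to the posted *-ac files.
AC_AUTH = """\
auth sufficient pam_unix.so nullok try_first_pass
auth required pam_deny.so
"""
SAMPLE = {
    "gdm": """\
auth [success=done ignore=ignore default=bad] pam_selinux_permit.so
auth required pam_succeed_if.so user != root quiet
auth substack system-auth
""",
    "gdm-password": """\
auth [success=done ignore=ignore default=bad] pam_selinux_permit.so
auth include password-auth
""",
    "system-auth": AC_AUTH,
    "password-auth": AC_AUTH,
}
# type, control (bracketed or single word), module, remaining arguments
RULE = re.compile(r"^-?(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def auth_stack(service, files, seen=()):
    """Flatten a service's auth stack, following include/substack lines."""
    if service in seen or service not in files:
        return []  # include loop, or file not supplied
    out = []
    for line in files[service].splitlines():
        m = RULE.match(line.split("#", 1)[0].strip())
        if m and m.group(1) == "auth":
            control, module, args = m.groups()[1:]
            if control in ("include", "substack"):
                out += auth_stack(module, files, seen + (service,))
            else:
                out.append((module, args))
    return out

def blocks_root(service, files):
    """True if a 'user != root' pam_succeed_if rule precedes pam_unix.so."""
    for module, args in auth_stack(service, files):
        if module == "pam_succeed_if.so" and re.search(r"user\s*!=\s*root\b", args):
            return True
        if module == "pam_unix.so":
            break
    return False

if __name__ == "__main__":
    print({s: blocks_root(s, SAMPLE) for s in ("gdm", "gdm-password")})
```

To check a live system, build the mapping from the files under /etc/pam.d instead of SAMPLE.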