# [solved]: su gives me root with wrong or empty password

## jgruen

I typed su today, then CTRL+C, because I did not mean to.  It dropped me to a root prompt.  I exited, typed su, then typed some random garbage and it gave me the root prompt.  I Google'd, but I cannot formulate this in a way that produces anything relevant. I assume I must have something messed up in PAM.  I have LDAP authentication for all logins and Google Authenticator on SSH sessions.  root should not be an LDAP account, but it does hit me that I did not ensure that no root object was in LDAP.  Maybe one made it and it has no password or something is messed up there and giving the OK to every login.

I just tried to test that last thought.  I su'd to another account, typed garbage and it let me right in.  An account with wheel access still cannot get elevated to root, but I can log in to a console without typing my correct password.  Thankfully I have 2FA on SSH, but I am at a loss what I am missing here.  I will go digging in PAM, but if you have any thoughts, I would really appreciate them.

Thank you in advance.

Last edited by jgruen on Mon Oct 14, 2013 1:05 pm; edited 1 time in total

----------

## Hu

Since you suspect PAM, please post the output of cat -n pam-configuration-file for all relevant PAM files.  We can review them against a machine which does not exhibit this behaviour.  You may also find it useful to use equery check to identify any PAM files that are different from what Gentoo installs by default.

----------

## jgruen

Thank you for the response and sorry for the delay in getting back. (Fixed my attempts at pasting.  I might have been tired enough to paste the same thing 3 times.)

system-auth:

```
auth            required        pam_env.so
auth            sufficient      pam_ldap.so use_first_pass
auth            sufficient      pam_unix.so try_first_pass likeauth nullok
auth            optional        pam_permit.so

account         sufficient      pam_ldap.so
account         required        pam_unix.so
account         optional        pam_permit.so

password        required        pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
password        sufficient      pam_ldap.so use_authtok use_first_pass
password        sufficient      pam_unix.so try_first_pass use_authtok nullok sha512 shadow
password        optional        pam_permit.so

session         required        pam_limits.so
session         required        pam_env.so
session         required        pam_unix.so
session         optional        pam_permit.so
session         optional        pam_ldap.so
```

system-login:

```
auth            required        pam_tally2.so onerr=succeed
auth            required        pam_shells.so
auth            required        pam_nologin.so
auth            include         system-auth

account         required        pam_access.so
account         required        pam_nologin.so
account         include         system-auth
account         required        pam_tally2.so onerr=succeed

password        include         system-auth

session         optional        pam_loginuid.so
session         required        pam_env.so
session         optional        pam_lastlog.so
session         include         system-auth
session         optional        pam_ck_connector.so nox11
session         optional        pam_motd.so motd=/etc/motd
session         optional        pam_mail.so
```

sshd:

```
auth       required     pam_google_authenticator.so

auth       include      system-remote-login
account    include      system-remote-login
password   include      system-remote-login
session    include      system-remote-login
```

I am guessing there may be an issue in the system-auth, as everything ends up there.  Though I cannot rule out system-login.  Those files have not changed for over a year and I do not think this was an issue a month ago.  I added radiusd at the beginning of September, but it was for a firewall and not being used for authentication on the server, so it did not change the system pam files:

```
-rw-r--r--   1 root root   328 Sep  2 12:08 radiusd
-rw-r--r--   1 root root   160 Apr 30 23:21 saslauthd
-rw-r--r--   1 root root    77 Aug  8  2012 screen
-rw-r--r--   1 root root   152 May 12 21:17 shadow
-rw-r--r--   1 root root   109 May  9 08:46 sieve
-rw-r--r--   1 root root   106 May  9 08:45 smtp
-rw-r--r--   1 root root   203 Jun 26 11:14 sshd
-rw-r--r--   1 root root    63 Mar 23  2013 start-stop-daemon
-rw-r--r--   1 root root  1059 May 12 21:17 su
-rw-r--r--   1 root root   671 Aug 12  2012 system-auth
-rw-r--r--   1 root root   121 Aug  7  2012 system-local-login
-rw-r--r--   1 root root   579 Aug  7  2012 system-login
-rw-r--r--   1 root root   121 Aug  7  2012 system-remote-login
-rw-r--r--   1 root root   235 Aug  7  2012 system-services
```

equery check sys-libs/*:

```
* Checking sys-libs/cracklib-2.8.19 ...
   36 out of 36 files passed
* Checking sys-libs/db-4.8.30 ...
   43 out of 43 files passed
* Checking sys-libs/e2fsprogs-libs-1.42.7 ...
   35 out of 35 files passed
* Checking sys-libs/gdbm-1.8.3-r4 ...
   28 out of 28 files passed
* Checking sys-libs/glibc-2.15-r3 ...
!!! /etc/locale.gen has incorrect MD5sum
!!! /etc/nsswitch.conf has incorrect MD5sum
   1799 out of 1801 files passed
* Checking sys-libs/gpm-1.20.6 ...
!!! /etc/conf.d/gpm has wrong mtime (is 1367854406, should be 1340325382)
   54 out of 55 files passed
* Checking sys-libs/libavc1394-0.5.4 ...
   32 out of 32 files passed
* Checking sys-libs/libcap-2.22 ...
   60 out of 60 files passed
* Checking sys-libs/libcap-ng-0.6.6 ...
   56 out of 56 files passed
* Checking sys-libs/libieee1284-0.2.11-r2 ...
   68 out of 68 files passed
* Checking sys-libs/libraw1394-2.0.8 ...
   30 out of 30 files passed
* Checking sys-libs/libseccomp-1.0.1 ...
   33 out of 33 files passed
* Checking sys-libs/libutempter-1.1.5 ...
   17 out of 17 files passed
* Checking sys-libs/mtdev-1.1.3 ...
   18 out of 18 files passed
* Checking sys-libs/ncurses-5.9-r2 ...
   3675 out of 3675 files passed
* Checking sys-libs/pam-1.1.6-r2 ...
   355 out of 355 files passed
* Checking sys-libs/readline-6.2_p1 ...
   61 out of 61 files passed
* Checking sys-libs/timezone-data-2013b ...
   1845 out of 1845 files passed
* Checking sys-libs/zlib-1.2.7 ...
   38 out of 38 files passed
```

Since it brought up nsswitch.conf:

```
#ident $Id: nsswitch.ldap,v 2.4 2003/10/02 02:36:25 lukeh Exp $
#
# An example file that could be copied over to /etc/nsswitch.conf; it
# uses LDAP conjunction with files.
#
# "hosts:" and "services:" in this file are used only if the
# /etc/netconfig file has a "-" for nametoaddr_libs of "inet" transports.

# the following two lines obviate the "+" entry in /etc/passwd and /etc/group.
passwd:         files ldap
group:          files ldap

# consult files/dns first, we will need it to resolve the LDAP host. (If we
# can't resolve it, we're in infinite recursion, because libldap calls
# gethostbyname(). Careful!)
hosts:          files dns #ldap

# LDAP is nominally authoritative for the following maps.
services:   files
networks:   files
protocols:  files
rpc:        files
ethers:     files

# no support for netmasks, bootparams, publickey yet.
netmasks:   files
bootparams: files
publickey:  files
automount:  files

# I'm pretty sure nsswitch.conf is consulted directly by sendmail,
# here, so we can't do much here. Instead, use bbense's LDAP
# rules ofr sendmail.
aliases:    files
sendmailvars:   files

# Note: there is no support for netgroups on Solaris (yet)
netgroup:   files
```

Hopefully someone spots something.  Despite my delay in getting back, this is bothering me a lot and if not for a mountain of other issues, I would be on it.

Thank you again and I much appreciate any thought on this issue.

----------

## jgruen

I do not know if this helps, but here are the messages I get when I do an su and press enter:

```
Oct 10 23:21:49 [su] pam_unix(su:auth): authentication failure; logname=xxmy_userxx uid=1001 euid=0 tty=/dev/pts/1 ruser=xxmy_userxx rhost=  user=root
Oct 10 23:21:49 [su] Successful su for root by xxmy_userxx
Oct 10 23:21:49 [su] + /dev/pts/1 xxmy_userxx:root
Oct 10 23:21:49 [su] pam_unix(su:session): session opened for user root by xxmy_userxx(uid=1001)
```

I do not think it is an su problem, as I can log in to a bash console, Display Manager and SSH (providing my correct Auth Token) without using any password.

Here is a login at tty2:

```
Oct 10 23:26:43 [login] pam_unix(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=/dev/tty2 ruser= rhost=  user=xxmy_userxx
Oct 10 23:26:43 [login] pam_unix(login:session): session opened for user xxmy_userxx by LOGIN(uid=0)
```
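
The two excerpts above share one signature: pam_unix records an authentication failure and, in the same second, a session is opened for the same target user by the same service. That pattern is something a log monitor can look for. The following detector is an added example (not code from the thread, and not part of any Gentoo or Linux-PAM tool); the log lines it runs over are constructed to mirror the syslog format quoted in this post, with user names and some timestamps changed.

```python
import re
from datetime import datetime, timedelta

# Constructed sample, modelled on the syslog excerpts quoted in this thread
# (user names and some minutes changed; not the poster's real log).
SAMPLE_LOG = """\
Oct 10 23:21:49 [su] pam_unix(su:auth): authentication failure; logname=alice uid=1001 euid=0 tty=/dev/pts/1 ruser=alice rhost=  user=root
Oct 10 23:21:49 [su] Successful su for root by alice
Oct 10 23:21:49 [su] pam_unix(su:session): session opened for user root by alice(uid=1001)
Oct 10 23:26:43 [login] pam_unix(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=/dev/tty2 ruser= rhost=  user=alice
Oct 10 23:26:43 [login] pam_unix(login:session): session opened for user alice by LOGIN(uid=0)
Oct 10 23:40:02 [su] pam_unix(su:auth): authentication failure; logname=bob uid=1002 euid=0 tty=/dev/pts/2 ruser=bob rhost=  user=root
Oct 10 23:45:10 [su] pam_unix(su:session): session opened for user root by bob(uid=1002)
Oct 10 23:50:00 [sshd] pam_unix(sshd:session): session opened for user carol by (uid=0)
"""

# syslog-style timestamp without a year, e.g. "Oct 10 23:21:49"
TS = r"(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2})"
# \buser= deliberately does not match the "ruser=" field that precedes it
FAILURE_RE = re.compile(
    TS + r" \[(?P<svc>[^\]]+)\] pam_unix\(\w+:auth\): authentication failure;.*\buser=(?P<user>\S+)"
)
OPENED_RE = re.compile(
    TS + r" \[(?P<svc>[^\]]+)\] pam_unix\(\w+:session\): session opened for user (?P<user>\S+)"
)


def _parse_ts(ts):
    # No year in the timestamp: every line gets the same (1900) year, which is
    # fine for computing differences inside one log that does not cross a year.
    return datetime.strptime(ts, "%b %d %H:%M:%S")


def find_failure_then_session(log_text, window_seconds=1):
    """Return (service, target_user, failure_timestamp) for every pam_unix auth
    failure that is followed, within window_seconds, by pam_unix opening a
    session for the same service and target user."""
    pending = {}   # (service, user) -> timestamp string of the latest failure
    hits = []
    for line in log_text.splitlines():
        m = FAILURE_RE.match(line)
        if m:
            pending[(m["svc"], m["user"])] = m["ts"]
            continue
        m = OPENED_RE.match(line)
        if not m:
            continue
        fail_ts = pending.pop((m["svc"], m["user"]), None)
        if fail_ts is None:
            continue            # session without a preceding failure: normal
        if _parse_ts(m["ts"]) - _parse_ts(fail_ts) <= timedelta(seconds=window_seconds):
            hits.append((m["svc"], m["user"], fail_ts))
    return hits


if __name__ == "__main__":
    for svc, user, ts in find_failure_then_session(SAMPLE_LOG):
        print(f"{ts} {svc}: pam_unix failed for {user} but a session was opened anyway")
```

The default one-second window is tight on purpose: login(1) lets a user retry after a typo, so a failure followed by a session a few seconds later is ordinary there, whereas su(1) exits after a rejected password, so for su the pair is worth a look at any interval (widen `window_seconds` per service when tuning). Because pam_unix only logs failures, a stack where some other module granted access after pam_unix said no leaves exactly this trace and nothing else, which is why pairing the two lines is more useful than alerting on either one alone.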

----------

## PaulBredbury

You should have a /etc/pam.d/su file - here's an example:

```
#%PAM-1.0
auth        sufficient  pam_rootok.so
# http://forums.gentoo.org/viewtopic-p-7112394.html#7112394
# Uncomment the following line to implicitly trust users in the "wheel" group
auth        sufficient  pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group
auth        required    pam_wheel.so use_uid
auth        include     system-auth
account     sufficient  pam_succeed_if.so uid = 0 use_uid quiet
account     include     system-auth
password    include     system-auth
session     include     system-auth
session     optional    pam_xauth.so
```

----------

## jgruen

It is not limited to su, though that is where I first discovered the issue and therefore named this post.

Here is my /etc/pam.d/su:

```
#%PAM-1.0

auth       sufficient   pam_rootok.so

# If you want to restrict users begin allowed to su even more,
# create /etc/security/suauth.allow (or to that matter) that is only
# writable by root, and add users that are allowed to su to that
# file, one per line.
#auth       required     pam_listfile.so item=ruser sense=allow onerr=fail file=/etc/security/suauth.allow

# Uncomment this to allow users in the wheel group to su without
# entering a passwd.
#auth       sufficient   pam_wheel.so use_uid trust

# Alternatively to above, you can implement a list of users that do
# not need to supply a passwd with a list.
#auth       sufficient   pam_listfile.so item=ruser sense=allow onerr=fail file=/etc/security/suauth.nopass

# Comment this to allow any user, even those not in the 'wheel'
# group to su
auth       required     pam_wheel.so use_uid

auth       include              system-auth

account    include              system-auth

password   include              system-auth

session    include              system-auth
session    required     pam_env.so
session    optional             pam_xauth.so
```

Here is me logging in via SSH.  It did not like my 2FA token the first time and rejected me; on the 2nd attempt, it let me in.  Both times my password was incorrect.

```
Oct 11 08:23:08 [sshd] SSH: Server;Ltype: Version;Remote: 192.168.xx.xx-65469;Protocol: 2.0;Client: PuTTY_Release_0.60
Oct 11 08:23:08 [sshd] SSH: Server;Ltype: Kex;Remote: 192.168.xx.xx-65469;Enc: aes256-ctr;MAC: hmac-sha1;Comp: none [preauth]
Oct 11 08:23:14 [sshd] SSH: Server;Ltype: Authname;Remote: 192.168.xx.xx-65469;Name: xxmy_userxx [preauth]
Oct 11 08:23:22 [sshd(pam_google_authenticator)] Invalid verification code
Oct 11 08:23:24 [sshd] pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.xx.xx  user=xxmy_userxx
Oct 11 08:23:26 [sshd] error: PAM: Cannot make/remove an entry for the specified session for xxmy_userxx from 192.168.xx.xx
Oct 11 08:23:48 [sshd] pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.xx.xx  user=xxmy_userxx
Oct 11 08:23:48 [sshd] Accepted keyboard-interactive/pam for xxmy_userxx from 192.168.xx.xx port 65469 ssh2
Oct 11 08:23:48 [sshd] pam_unix(sshd:session): session opened for user xxmy_userxx by (uid=0)
```

Is there some more debugging I can turn on? I am going to research that, as I have time.  Not sure I have a good direction to go here, but that might turn up something. Thank you.

----------

## jgruen

In trying to troubleshoot this further, even SASL authenticating against the LDAP tree authenticates successfully with the wrong password.  I did, since my last post, upgrade OpenLDAP, as it is segfaulting whenever I try to delete or change information.  At least with the latest PHPLDAPAdmin or ldapdelete.  It still segfaults after the update.

```
[577421.967659] slapd[20590]: segfault at 7fb42aee25a7 ip 00007fb32a414362 sp 00007fb30ee94520 error 6 in libdb-4.8.so[7fb32a2c5000+190000]
```

That is probably a different issue and different ticket. But it does seem that at the LDAP layer, authentication is working properly.  If I type in the wrong password, it gives me "Invalid Credentials (49)".  So despite the OpenLDAP issues, it seems to be an issue with SASL and PAM.  Seems unlikely to be both. I am just not sure what is the common piece, other than they both authenticate against LDAP.

I am learning a lot about PAM in the process. I never really paid it much attention, but it now strikes me that it is one more place I can really lock down the authentication on my box... Once I get it so it does not authenticate every password.

----------

## jgruen

I upgraded sys-libs/pambase and replaced most, but not all, of my pam scripts.  I also remerged sys-libs/pam and upgraded sys-apps/shadow.  The issue seems to be resolved.  All the authentication that I have tested so far seems to be working.  I am going to leave this out for a day and try and thoroughly test all scenarios and then I will mark it solved.  In case it was the system-auth file, here is the new one:

```
auth            required        pam_env.so
auth            required        pam_unix.so try_first_pass likeauth nullok
auth            optional        pam_permit.so
account         required        pam_unix.so
account         optional        pam_permit.so
password        required        pam_cracklib.so difok=2 minlen=8 dcredit=2 ocre$
password        required        pam_unix.so try_first_pass use_authtok nullok s$
password        optional        pam_permit.so
session         required        pam_limits.so
session         required        pam_env.so
session         required        pam_unix.so
session         optional        pam_permit.so
```

----------

## Hu

Your working configuration is missing pam_ldap.so.  Given your other comments about OpenLDAP problems, perhaps it was improperly returning success in some error case.
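
To see how the control flags in the two posted system-auth files combine, here is a small evaluator of Linux-PAM's control-flag semantics. It is an added example, not code from the thread or from Linux-PAM itself; it follows the `[...]` action-table equivalences that pam.conf(5) documents for required, requisite, sufficient and optional, reduced to the auth phase. The per-module return codes are constructed scenarios: pam_ldap answering PAM_SUCCESS on error models the hypothesis above, pam_env contributing nothing (PAM_IGNORE) in the auth phase and pam_permit always succeeding are assumptions to verify against the real modules, and `HARDENED_LDAP_AUTH` with a trailing pam_deny.so is a comparison variant that nobody in the thread posted.

```python
# Action each control keyword maps to for a module return code, per pam.conf(5):
#   required   = [success=ok   new_authtok_reqd=ok   ignore=ignore default=bad]
#   requisite  = [success=ok   new_authtok_reqd=ok   ignore=ignore default=die]
#   sufficient = [success=done new_authtok_reqd=done default=ignore]
#   optional   = [success=ok   new_authtok_reqd=ok   default=ignore]
CONTROLS = {
    "required":   {"success": "ok",   "new_authtok_reqd": "ok",   "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok",   "new_authtok_reqd": "ok",   "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok",   "new_authtok_reqd": "ok",   "default": "ignore"},
}

NO_RESULT = "perm_denied"   # modelled result when no module contributes a status


def evaluate_stack(stack, returns):
    """Walk a PAM stack ([(control, module), ...]) given the return code each
    module produces ({module: code}) and return the code the application sees.
    A module with no entry in `returns` is treated as returning PAM_IGNORE."""
    impression = None          # None = undefined, "positive" or "negative"
    status = NO_RESULT
    for control, module in stack:
        code = returns.get(module, "ignore")
        table = CONTROLS[control]
        action = table.get(code, table["default"])
        if action == "ignore":
            continue                       # contributes nothing to the result
        if action in ("ok", "done"):
            # a success only counts while nothing before it has failed
            if impression is None or (impression == "positive" and status == "success"):
                impression, status = "positive", code
            if action == "done" and impression == "positive":
                break                      # sufficient: stop here and grant
        else:                              # "bad" or "die"
            if impression != "negative":
                impression, status = "negative", code   # first failure wins
            if action == "die":
                break                      # requisite: stop immediately
    return status


# auth phase of the system-auth the thread started with
LDAP_AUTH = [
    ("required",   "pam_env.so"),
    ("sufficient", "pam_ldap.so"),
    ("sufficient", "pam_unix.so"),
    ("optional",   "pam_permit.so"),
]
# auth phase of the regenerated pambase file that resolved the problem
FIXED_AUTH = [
    ("required", "pam_env.so"),
    ("required", "pam_unix.so"),
    ("optional", "pam_permit.so"),
]
# comparison variant (not from the thread): the LDAP stack closed with pam_deny
HARDENED_LDAP_AUTH = LDAP_AUTH + [("required", "pam_deny.so")]


def wrong_password(ldap_code):
    """Per-module return codes for a wrong password, with pam_ldap's answer as
    the parameter.  Assumptions: pam_env returns PAM_IGNORE in the auth phase,
    pam_permit always succeeds, pam_deny always fails."""
    return {"pam_env.so": "ignore", "pam_ldap.so": ldap_code,
            "pam_unix.so": "auth_err", "pam_permit.so": "success",
            "pam_deny.so": "auth_err"}


if __name__ == "__main__":
    scenarios = [
        ("LDAP stack, pam_ldap wrongly reports success", LDAP_AUTH, wrong_password("success")),
        ("LDAP stack, pam_ldap honestly fails",          LDAP_AUTH, wrong_password("auth_err")),
        ("LDAP stack + pam_deny, pam_ldap honestly fails", HARDENED_LDAP_AUTH, wrong_password("auth_err")),
        ("fixed stack, wrong password",                  FIXED_AUTH, wrong_password("auth_err")),
    ]
    for name, stack, returns in scenarios:
        print(f"{name}: {evaluate_stack(stack, returns)}")
```

Two things fall out of running it. A pam_ldap that returns success on an error short-circuits the stack at the `sufficient` line, so pam_unix's failure is never consulted, which matches the diagnosis above. Under the stated assumptions, the second scenario also returns success: when both `sufficient` modules fail their results are ignored, pam_env has recorded nothing, and the trailing `optional pam_permit.so` becomes the only module that contributes a status. The regenerated file avoids that shape by keeping pam_unix.so `required`, so its failure is recorded before pam_permit runs; a stack that must stay all-`sufficient` is conventionally closed with `auth required pam_deny.so` instead, as the comparison variant shows. Whether pam_env really returns PAM_IGNORE in the auth phase on a given Linux-PAM version is the assumption to check before drawing conclusions about a real box.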

----------

## jgruen

I learned in my research that, with NSS set up for LDAP and 'getent shadow' returning all of the LDAP users, I really do not need to tie PAM to LDAP.  I do wonder if there is a version mismatch and that something might be generating an error, but on error, it is giving a success message.  I am going to rebuild sys-auth/pam_ldap, as it has not been reinstalled since 8/11/2012, and test it, just because I am curious.  I am not sure when I will get to it.  I had hoped today, but the day is already too packed.

Everything does seem to be working as it should.  Thank you for all of your thoughts on the matter.

----------

