Re: sudo never asks me for a password
On Fri, 2007-11-23 at 20:01 -0800, Kamil Kisiel wrote:
> On Nov 23, 2007 7:31 PM, Kamil Kisiel [EMAIL PROTECTED] wrote:
>> On Nov 23, 2007 7:16 PM, Christopher Cowart [EMAIL PROTECTED] wrote:
>>> On Fri, Nov 23, 2007 at 07:09:36PM -0800, Kamil Kisiel wrote:
>>>> On 11/23/07, Christopher Cowart [EMAIL PROTECTED] wrote:
>>>>> On Fri, Nov 23, 2007 at 03:43:39PM -0800, Kamil Kisiel wrote:
>>>>>> For some reason, on this particular FreeBSD machine, sudo never
>>>>>> asks me for a password, even if I haven't logged in for days.
>>>>>> I've been struggling with this problem for some time but still
>>>>>> haven't been able to find a solution. Any ideas?
>>>>>
>>>>> Maybe something is misconfigured in your pam stack? Check
>>>>> /etc/pam.d/sudo.
>>>>
>>>> /etc/pam.d/sudo looks like this:
>>>>
>>>> #
>>>> # $FreeBSD: src/etc/pam.d/su,v 1.16 2003/07/09 18:40:49 des Exp $
>>>> #
>>>> # PAM configuration for the su service
>>>> #
>>>>
>>>> # auth
>>>> auth        sufficient  pam_rootok.so   no_warn
>>>> auth        sufficient  pam_self.so     no_warn
>>>> auth        requisite   pam_group.so    no_warn group=wheel root_only fail_safe
>>>> auth        include     system
>>>>
>>>> # account
>>>> account     include     system
>>>>
>>>> # session
>>>> session     required    pam_permit.so
>>>
>>> This looks like it was copied verbatim from su. I suspect the
>>> pam_self.so is causing problems. Sudo authenticates the user for
>>> their current account, not the target account. That line will cause
>>> authentication to short-circuit on a UID match w/o any need to
>>> provide a password. Try commenting it out.
>>>
>>> --
>>> Chris Cowart
>>> Lead Systems Administrator
>>> Network Infrastructure Services, RSSP-IT
>>> UC Berkeley
>>
>> Thanks Christopher,
>>
>> That's exactly the problem. Seems the previous administrator of this
>> machine made /etc/pam.d/sudo a link to /etc/pam.d/su and left it
>> configured as is. Somehow I never caught on to that.
>>
>> --
>> Kamil
>
> Alright, maybe my impression of success was slightly premature. It
> seems that the problem now is that sudo doesn't like the pam_unix.so
> module for whatever reason.
>
> If I use the default sudo pam file, which simply includes all settings
> from /etc/pam.d/system it gives me an error like the following:
>
> sudo: pam_authenticate: conversation failure

what version of sudo are you using? This is the pam file from the
latest version of the port:

#
# $Id$
#
# PAM configuration for the sudo service
#

# auth
auth        include     system

# account
account     include     system

# session
# XXX: pam_lastlog (used in system) causes users to appear as though
# they are no longer logged in in system logs.
session     required    pam_permit.so

# password
password    include     system

--
| tmclaugh at sdf.lonestar.org                 tmclaugh at FreeBSD.org |
| FreeBSD                                       http://www.FreeBSD.org |

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: sudo never asks me for a password
On 11/23/07, Kamil Kisiel wrote:
> For some reason, on this particular FreeBSD machine, sudo never asks
> me for a password, even if I haven't logged in for days. I tried
> running sudo -k, sudo -K before trying it. I've even tried manually
> removing /var/run/sudo.

I would check out the compile time options... 'sudo sudo -V' if you
aren't already root.

--
Andy Harrison
public key: 0x67518262
Re: sudo never asks me for a password
On Fri, Nov 23, 2007 at 03:43:39PM -0800, Kamil Kisiel wrote:
> For some reason, on this particular FreeBSD machine, sudo never asks
> me for a password, even if I haven't logged in for days. I've been
> struggling with this problem for some time but still haven't been able
> to find a solution. Any ideas?

Maybe something is misconfigured in your pam stack? Check
/etc/pam.d/sudo.

--
Chris Cowart
Lead Systems Administrator
Network Infrastructure Services, RSSP-IT
UC Berkeley
Re: sudo never asks me for a password
On Fri, Nov 23, 2007 at 07:09:36PM -0800, Kamil Kisiel wrote:
> On 11/23/07, Christopher Cowart [EMAIL PROTECTED] wrote:
>> On Fri, Nov 23, 2007 at 03:43:39PM -0800, Kamil Kisiel wrote:
>>> For some reason, on this particular FreeBSD machine, sudo never
>>> asks me for a password, even if I haven't logged in for days. I've
>>> been struggling with this problem for some time but still haven't
>>> been able to find a solution. Any ideas?
>>
>> Maybe something is misconfigured in your pam stack? Check
>> /etc/pam.d/sudo.
>
> /etc/pam.d/sudo looks like this:
>
> #
> # $FreeBSD: src/etc/pam.d/su,v 1.16 2003/07/09 18:40:49 des Exp $
> #
> # PAM configuration for the su service
> #
>
> # auth
> auth        sufficient  pam_rootok.so   no_warn
> auth        sufficient  pam_self.so     no_warn
> auth        requisite   pam_group.so    no_warn group=wheel root_only fail_safe
> auth        include     system
>
> # account
> account     include     system
>
> # session
> session     required    pam_permit.so

This looks like it was copied verbatim from su. I suspect the
pam_self.so is causing problems. Sudo authenticates the user for their
current account, not the target account. That line will cause
authentication to short-circuit on a UID match w/o any need to provide
a password. Try commenting it out.

--
Chris Cowart
Lead Systems Administrator
Network Infrastructure Services, RSSP-IT
UC Berkeley
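
Added example (not part of the original thread or of any poster's message): a POSIX sh check for the condition diagnosed above, an auth rule in the sudo service file that can succeed without a credential prompt, together with a check for a symlinked service file like the /etc/pam.d/sudo link to /etc/pam.d/su found on this machine. The function names, the flagged-module list (pam_self.so from the thread, pam_permit.so because it always returns success) and the sample files are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the thread. Function names and the flagged-module
# list are assumptions made for this illustration.

# audit_pam_auth FILE
# Prints each "auth ... sufficient" rule whose module can succeed without a
# credential check when sudo calls PAM; returns 1 if any rule was flagged.
audit_pam_auth() {
    awk '
        /^[ \t]*#/ || NF < 3 { next }   # skip comments, blanks, malformed lines
        $1 != "auth"         { next }   # only the auth facility decides the prompt
        {
            n = split($3, part, "/")    # tolerate a full path to the module
            mod = part[n]
            if ($2 == "sufficient" && mod ~ /^pam_(self|permit)\.so$/) {
                printf "line %d: %s (%s)\n", NR, mod, $2
                bad = 1
            }
        }
        END { exit (bad ? 1 : 0) }
    ' "$1"
}

# link_target FILE
# Prints the symlink target when FILE is a symlink, nothing otherwise.
link_target() {
    [ -L "$1" ] && readlink "$1"
    return 0
}

# Constructed sample: the su-derived auth stack quoted in the thread, reached
# through a symlink named "sudo" as on the affected machine.
demo=$(mktemp -d)
cat > "$demo/su" <<'EOF'
# auth
auth        sufficient  pam_rootok.so   no_warn
auth        sufficient  pam_self.so     no_warn
auth        requisite   pam_group.so    no_warn group=wheel root_only fail_safe
auth        include     system
EOF
ln -s "$demo/su" "$demo/sudo"

echo "sudo service file links to: $(link_target "$demo/sudo")"
audit_pam_auth "$demo/sudo" || echo "auth stack can succeed without a password"
rm -rf "$demo"
```

On a real host, point both functions at /etc/pam.d/sudo and at any file it pulls in with an include line.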
Re: sudo never asks me for a password
On Nov 23, 2007 7:31 PM, Kamil Kisiel [EMAIL PROTECTED] wrote:
> On Nov 23, 2007 7:16 PM, Christopher Cowart [EMAIL PROTECTED] wrote:
>> On Fri, Nov 23, 2007 at 07:09:36PM -0800, Kamil Kisiel wrote:
>>> On 11/23/07, Christopher Cowart [EMAIL PROTECTED] wrote:
>>>> On Fri, Nov 23, 2007 at 03:43:39PM -0800, Kamil Kisiel wrote:
>>>>> For some reason, on this particular FreeBSD machine, sudo never
>>>>> asks me for a password, even if I haven't logged in for days.
>>>>> I've been struggling with this problem for some time but still
>>>>> haven't been able to find a solution. Any ideas?
>>>>
>>>> Maybe something is misconfigured in your pam stack? Check
>>>> /etc/pam.d/sudo.
>>>
>>> /etc/pam.d/sudo looks like this:
>>>
>>> #
>>> # $FreeBSD: src/etc/pam.d/su,v 1.16 2003/07/09 18:40:49 des Exp $
>>> #
>>> # PAM configuration for the su service
>>> #
>>>
>>> # auth
>>> auth        sufficient  pam_rootok.so   no_warn
>>> auth        sufficient  pam_self.so     no_warn
>>> auth        requisite   pam_group.so    no_warn group=wheel root_only fail_safe
>>> auth        include     system
>>>
>>> # account
>>> account     include     system
>>>
>>> # session
>>> session     required    pam_permit.so
>>
>> This looks like it was copied verbatim from su. I suspect the
>> pam_self.so is causing problems. Sudo authenticates the user for
>> their current account, not the target account. That line will cause
>> authentication to short-circuit on a UID match w/o any need to
>> provide a password. Try commenting it out.
>>
>> --
>> Chris Cowart
>> Lead Systems Administrator
>> Network Infrastructure Services, RSSP-IT
>> UC Berkeley
>
> Thanks Christopher,
>
> That's exactly the problem. Seems the previous administrator of this
> machine made /etc/pam.d/sudo a link to /etc/pam.d/su and left it
> configured as is. Somehow I never caught on to that.
>
> --
> Kamil

Alright, maybe my impression of success was slightly premature. It
seems that the problem now is that sudo doesn't like the pam_unix.so
module for whatever reason.

If I use the default sudo pam file, which simply includes all settings
from /etc/pam.d/system it gives me an error like the following:

sudo: pam_authenticate: conversation failure

--
Kamil
Re: sudo never asks me for a password
On Fri, Nov 23, 2007 at 08:01:23PM -0800, Kamil Kisiel wrote:
> Alright, maybe my impression of success was slightly premature. It
> seems that the problem now is that sudo doesn't like the pam_unix.so
> module for whatever reason.
>
> If I use the default sudo pam file, which simply includes all settings
> from /etc/pam.d/system it gives me an error like the following:
>
> sudo: pam_authenticate: conversation failure

My /etc/pam.d/sudo file looks like:

auth        include     system
account     include     system
session     include     system

I recommend you add the debug option to modules and watch the log files
for more specific error messages.

--
Chris Cowart
Lead Systems Administrator
Network Infrastructure Services, RSSP-IT
UC Berkeley
Re: sudo never asks me for a password
On Nov 23, 2007 7:16 PM, Christopher Cowart [EMAIL PROTECTED] wrote:
> On Fri, Nov 23, 2007 at 07:09:36PM -0800, Kamil Kisiel wrote:
>> On 11/23/07, Christopher Cowart [EMAIL PROTECTED] wrote:
>>> On Fri, Nov 23, 2007 at 03:43:39PM -0800, Kamil Kisiel wrote:
>>>> For some reason, on this particular FreeBSD machine, sudo never
>>>> asks me for a password, even if I haven't logged in for days. I've
>>>> been struggling with this problem for some time but still haven't
>>>> been able to find a solution. Any ideas?
>>>
>>> Maybe something is misconfigured in your pam stack? Check
>>> /etc/pam.d/sudo.
>>
>> /etc/pam.d/sudo looks like this:
>>
>> #
>> # $FreeBSD: src/etc/pam.d/su,v 1.16 2003/07/09 18:40:49 des Exp $
>> #
>> # PAM configuration for the su service
>> #
>>
>> # auth
>> auth        sufficient  pam_rootok.so   no_warn
>> auth        sufficient  pam_self.so     no_warn
>> auth        requisite   pam_group.so    no_warn group=wheel root_only fail_safe
>> auth        include     system
>>
>> # account
>> account     include     system
>>
>> # session
>> session     required    pam_permit.so
>
> This looks like it was copied verbatim from su. I suspect the
> pam_self.so is causing problems. Sudo authenticates the user for their
> current account, not the target account. That line will cause
> authentication to short-circuit on a UID match w/o any need to provide
> a password. Try commenting it out.
>
> --
> Chris Cowart
> Lead Systems Administrator
> Network Infrastructure Services, RSSP-IT
> UC Berkeley

Thanks Christopher,

That's exactly the problem. Seems the previous administrator of this
machine made /etc/pam.d/sudo a link to /etc/pam.d/su and left it
configured as is. Somehow I never caught on to that.

--
Kamil
Re: sudo never asks me for a password
On 11/23/07, Christopher Cowart [EMAIL PROTECTED] wrote:
> On Fri, Nov 23, 2007 at 03:43:39PM -0800, Kamil Kisiel wrote:
>> For some reason, on this particular FreeBSD machine, sudo never asks
>> me for a password, even if I haven't logged in for days. I've been
>> struggling with this problem for some time but still haven't been
>> able to find a solution. Any ideas?
>
> Maybe something is misconfigured in your pam stack? Check
> /etc/pam.d/sudo.
>
> --
> Chris Cowart
> Lead Systems Administrator
> Network Infrastructure Services, RSSP-IT
> UC Berkeley

Hi Christopher,

/etc/pam.d/sudo looks like this:

#
# $FreeBSD: src/etc/pam.d/su,v 1.16 2003/07/09 18:40:49 des Exp $
#
# PAM configuration for the su service
#

# auth
auth        sufficient  pam_rootok.so   no_warn
auth        sufficient  pam_self.so     no_warn
auth        requisite   pam_group.so    no_warn group=wheel root_only fail_safe
auth        include     system

# account
account     include     system

# session
session     required    pam_permit.so

--
Kamil