Enabling UID 0 logins via LDAP or other external authentication source
Scope
This article is targeted at advanced users migrating from other Linux platforms to SUSE Linux who require UID 0 logins.
Skill Level
The methods described in this article are advanced. If you fail to follow the precautions, you will be booting into the rescue system to recover.
Security Note
There is a reason why SUSE Linux disables UID 0 logins via LDAP or any other authentication source: quite plainly, it is considered a security risk. Why? Simply put, letting an ordinary account from an external authentication source log in as root moves the risk of a security exploit outside the system in question. If the external authentication source is compromised, then EVERY system that trusts it is potentially compromised. Also, the users will be logging in with root privileges out of the gate. Since the *nix community in general discourages root login, enabling UID 0 logins from an external authentication source would violate this principle.
Please fully consider the implications before proceeding. Potential issues which may arise from implementing this include, but are by no means limited to:
- Legal issues
- Regulatory compliance
- Violation of most best practices and industry guidelines
However, with all this said, there are some very valid reasons why one would want to implement UID 0 external authentication. It is up to you to decide and accept whether the benefits outweigh the risks.
Changes Explained
SUSE Linux uses PAM authentication for local users, and then nsswitch for LDAP users. When an LDAP user attempts to authenticate, information is passed through the PAM stack. Since the LDAP-provided UID doesn't match the name for UID 0 found in /etc/passwd.
Fortunately, there are LDAP, Winbind and eDirectory PAM modules that can handle what is needed. This guide is aimed at the LDAP module, but you can substitute the module name that you need.
Valid Modules
- pam_winbind.so: Active Directory authentication
- pam_nam.so: eDirectory authentication, installed as part of Linux User Management
- pam_ldap.so: Generic LDAP authentication module
These modules are documented in /usr/share/doc/packages/pam/modules which is installed as part of the PAM stack.
Preparation and Precautions
Please make sure to follow appropriate precautions. If you mess up the procedure and don't test before rebooting, you will have to boot into the rescue system (since you are going to be editing the authentication stack, errors can and will prevent users, even root, from authenticating remotely or at the console).
Suggested implementation environment:
- One root terminal for implementing the changes
- One root terminal to watch /var/log/messages (tail -f /var/log/messages)
- One terminal logged in as a non-root user
- Back up the contents of /etc/pam.d and the file /etc/nsswitch.conf
The following is a recommended test procedure to validate the changes:
- In the non-root terminal window, type "su - USER" (replace USER with the user you are testing)
- If it is unsuccessful, errors will be logged to the terminal window watching /var/log/messages
- If it is successful, type "id USER" (replace USER with the correct name); the UID should show as 0
- Type "su -" and see if you are logged in as root
- If any of the steps fail, go back and evaluate whether you mistyped somewhere.
Changes to be made
- /etc/nsswitch.conf
passwd: files ldap
shadow: files ldap
group: files ldap
Comment out the compat entries.
- /etc/pam.d/common-auth
Change:
auth required pam_unix2.so
To:
auth sufficient pam_unix2.so likeauth nullok
Add under the pam_unix2.so declaration:
auth sufficient pam_ldap.so use_first_pass
- /etc/pam.d/common-account
Change:
account required pam_unix2.so
To:
account sufficient pam_unix2.so likeauth nullok
Add under the pam_unix2.so declaration:
account sufficient pam_ldap.so use_first_pass
- /etc/pam.d/common-password
Change:
password required pam_unix2.so
To:
password sufficient pam_unix2.so likeauth nullok
Add under the pam_unix2.so declaration:
password sufficient pam_ldap.so use_first_pass
- /etc/pam.d/common-session
Change:
session required pam_unix2.so
To:
session sufficient pam_unix2.so likeauth nullok
Add under the pam_unix2.so declaration:
session sufficient pam_ldap.so use_first_pass
- /etc/ldap.conf (only for LDAP configurations)
Make sure that the minimum UID is set to 0 and the maximum is commented out:
pam_min_uid 0
#pam_max_uid 0
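A pre-reboot sanity check for the edits listed above, added here as an example and not part of the original article: it runs against copies of the files under a directory of your choice (ROOT/etc/nsswitch.conf, ROOT/etc/ldap.conf, ROOT/etc/pam.d/common-*, or the live files with ROOT=/) and catches a leftover required line, a wrong module order, an uncommented compat entry or an uncommented pam_max_uid while a working root shell is still open. The function names and the make_sample dry-run tree are my own constructions, not anything shipped with SUSE.

```shell
# Added example, not from the original article. Checks copies of the edited
# files under ROOT (ROOT/etc/nsswitch.conf, ROOT/etc/ldap.conf and
# ROOT/etc/pam.d/common-*) for the edits listed above; all function names
# and the sample tree below are constructed for this example.

check_pam_stack() {  # $1 = common-<type> file, $2 = auth|account|password|session
    # a remaining 'required pam_unix2' line makes the pam_ldap result irrelevant
    grep -Eq "^$2[[:space:]]+required[[:space:]]+pam_unix2\.so" "$1" && return 1
    u=$(grep -En "^$2[[:space:]]+sufficient[[:space:]]+pam_unix2\.so" "$1" | head -n 1 | cut -d: -f1)
    l=$(grep -En "^$2[[:space:]]+sufficient[[:space:]]+pam_ldap\.so.*use_first_pass" "$1" | head -n 1 | cut -d: -f1)
    # both lines must exist and pam_ldap must come after pam_unix2
    [ -n "$u" ] && [ -n "$l" ] && [ "$u" -lt "$l" ]
}

check_nsswitch() {  # $1 = nsswitch.conf
    for db in passwd shadow group; do
        grep -Eq "^$db:[[:space:]]+files[[:space:]]+ldap([[:space:]]|$)" "$1" || return 1
        grep -Eq "^$db:.*compat" "$1" && return 1   # compat entry not commented out
    done
    return 0
}

check_ldap_conf() {  # $1 = ldap.conf
    grep -Eq "^pam_min_uid[[:space:]]+0([[:space:]]|$)" "$1" || return 1
    grep -Eq "^pam_max_uid" "$1" && return 1          # must stay commented out
    return 0
}

check_all() {  # $1 = ROOT; prints each failing file, returns the failure count
    n=0
    for t in auth account password session; do
        check_pam_stack "$1/etc/pam.d/common-$t" "$t" || { echo "FAIL: common-$t"; n=$((n+1)); }
    done
    check_nsswitch "$1/etc/nsswitch.conf" || { echo "FAIL: nsswitch.conf"; n=$((n+1)); }
    check_ldap_conf "$1/etc/ldap.conf" || { echo "FAIL: ldap.conf"; n=$((n+1)); }
    return $n
}

make_sample() {  # $1 = dir, $2 = good|bad: constructed copies for a dry run
    mkdir -p "$1/etc/pam.d"
    printf 'passwd: files ldap\nshadow: files ldap\ngroup:  files ldap\n' > "$1/etc/nsswitch.conf"
    if [ "$2" = good ]; then printf 'pam_min_uid 0\n#pam_max_uid 0\n'
    else printf 'pam_min_uid 0\npam_max_uid 0\n'; fi > "$1/etc/ldap.conf"
    for t in auth account password session; do
        { [ "$2" = bad ] && printf '%s required pam_unix2.so\n' "$t"   # line that should have been changed
          printf '%s sufficient pam_unix2.so likeauth nullok\n' "$t"
          printf '%s sufficient pam_ldap.so use_first_pass\n' "$t"; } > "$1/etc/pam.d/common-$t"
    done
}
```

It checks file contents only and does not confirm that the directory actually answers, so still run the su test from the procedure above before rebooting.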
Concluding Thoughts
As explained, this guide shows the LDAP implementation. Other authentication sources can be used.
Comments
PAM docs are in /usr/share/doc/packages/pam/modules. The document listed the min /etc…
At least that is where I found them on SLES 10.
This is good; even if you don't want to do this, it helps to understand the PAM system.