Scope

This article is targeted at advanced users migrating from other Linux platforms to SUSE Linux who require UID 0 logins.

Skill Level

The methods described in this article are advanced. If you fail to follow the precautions, you will be booting into the rescue system to recover.

Security Note

There is a reason why SUSE Linux disables UID 0 logins via LDAP or any other authentication source. Quite plainly, it is considered a security risk. Why? Simply put, allowing an ordinary user from an external authentication source to log in as root moves the risk of a security exploit outside the system in question. If the external authentication source is compromised, then EVERY system is potentially compromised. Also, the users will be logging in with root privileges out of the gate. Since the *nix community in general discourages root login, enabling UID 0 logins from an external authentication source would violate this principle.

Please fully consider the implications before proceeding. Potential issues which may arise from implementing this include, but are by no means limited to:

  • Legal issues
  • Regulatory compliance
  • Violation of most best practices and industry guidelines

However, with all this said, there are some very valid reasons why one would want to implement UID 0 external authentication. It is up to you to decide and accept whether the benefits outweigh the risks.

Changes Explained

SUSE Linux uses PAM authentication for local users, and then nsswitch for LDAP users. When an LDAP user attempts to authenticate, information is passed through the PAM stack. The LDAP-provided UID doesn't match the name for UID 0 found in /etc/passwd.

Fortunately, there are LDAP, Winbind, and eDirectory PAM modules that can handle what is needed. This guide is aimed at the LDAP module, but you can substitute the module name that you need.

Valid Modules

  • pam_winbind.so: Active Directory authentication
  • pam_nam.so: eDirectory authentication, installed as part of Linux User Management
  • pam_ldap.so: Generic LDAP authentication module

These modules are documented in /usr/share/doc/packages/pam/modules which is installed as part of the PAM stack.

Preparation and Precautions

Please make sure to follow appropriate precautions. If you mess up the procedure and don't test before rebooting, you will have to boot into the rescue system. Since you are going to be editing the authentication stack, errors can and will prevent users, even root, from authenticating remotely or at the console.

Suggested implementation environment:

  • One root terminal for implementing the changes
  • One root terminal to watch /var/log/messages (tail -f /var/log/messages)
  • One terminal logged in as a non-root user
  • Back up the contents of /etc/pam.d and the file /etc/nsswitch.conf

The following is a recommended test procedure to validate the changes:

  1. In the non-root terminal window, type "su - USER" (replace USER with the user you are testing)
  2. If it is unsuccessful, errors will be logged to the terminal window watching /var/log/messages
  3. If it is successful, type "id USER" (replace USER with the correct name); the UID should show as 0
  4. Type "su -" and see if you are logged in as root
  5. If any of the steps fail, go back and evaluate whether you mistyped somewhere

Changes to be made

MAKE SURE THAT PAM_UNIX.SO IS ALWAYS FIRST, OTHERWISE ROOT COULD AUTHENTICATE AGAINST A USER NAMED ROOT IN LDAP. THIS WOULD BE BAD.

  1. /etc/nsswitch.conf

       passwd: files ldap
       shadow: files ldap
       group: files ldap

     Comment out the compat sections.

  2. /etc/pam.d/common-auth

     Change:

       auth    required    pam_unix2.so

     To:

       auth    sufficient    pam_unix2.so    likeauth    nullok

     Add under the pam_unix2.so declaration:

       auth    sufficient    pam_ldap.so    use_first_pass

  3. /etc/pam.d/common-account

     Change:

       account    required    pam_unix2.so

     To:

       account    sufficient    pam_unix2.so    likeauth    nullok

     Add under the pam_unix2.so declaration:

       account    sufficient    pam_ldap.so    use_first_pass

  4. /etc/pam.d/common-password

     Change:

       password    required    pam_unix2.so

     To:

       password    sufficient    pam_unix2.so    likeauth    nullok

     Add under the pam_unix2.so declaration:

       password    sufficient    pam_ldap.so    use_first_pass

  5. /etc/pam.d/common-session

     Change:

       session    required    pam_unix2.so

     To:

       session    sufficient    pam_unix2.so    likeauth    nullok

     Add under the pam_unix2.so declaration:

       session    sufficient    pam_ldap.so    use_first_pass

  6. /etc/ldap.conf (only for LDAP configurations)

     Make sure that the minimum UID is set to 0 and the maximum is commented out:

       pam_min_uid 0
       #pam_max_uid 0
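Before rebooting, the ordering invariant from the warning above (pam_unix2.so before pam_ldap.so in every common-* stack, "files" before "ldap" with "compat" gone in nsswitch.conf) and step 3 of the test procedure can be checked mechanically. The script below is an added example, not part of the original article; the pam_unix_first, nss_files_first and uid_is_zero function names are my own, and the sample files are constructed so the checks run offline rather than against a real system.

```shell
#!/bin/sh
# Added example, not from the original article. Pre-reboot sanity checks for
# the invariant the guide relies on: pam_unix2.so must come before pam_ldap.so
# in every /etc/pam.d/common-* stack, and "files" must precede "ldap" (with
# "compat" commented out) in /etc/nsswitch.conf, so the local root entry
# always wins over an LDAP entry that happens to be named root.

# Line number of the first uncommented line in file $1 matching module $2.
first_module_line() {
    grep -n -v '^[[:space:]]*#' "$1" | grep "$2" | head -n1 | cut -d: -f1
}

# 0 if pam_unix2.so is listed before pam_ldap.so in PAM stack file $1.
pam_unix_first() {
    unix_line=$(first_module_line "$1" 'pam_unix2\.so')
    ldap_line=$(first_module_line "$1" 'pam_ldap\.so')
    [ -n "$unix_line" ] || return 1       # no pam_unix2.so at all: unsafe
    [ -z "$ldap_line" ] && return 0       # no LDAP module: nothing to order
    [ "$unix_line" -lt "$ldap_line" ]
}

# 0 if passwd, shadow and group in nsswitch file $1 start with "files"
# and no longer reference "compat".
nss_files_first() {
    nss=$1
    for db in passwd shadow group; do
        srcs=$(grep -v '^[[:space:]]*#' "$nss" | grep "^$db:" | head -n1 | cut -d: -f2-)
        set -- $srcs
        [ "$1" = "files" ] || return 1
        for s in "$@"; do [ "$s" != "compat" ] || return 1; done
    done
    return 0
}

# Step 3 of the guide's test procedure: does the resolved UID for user $1 equal 0?
uid_is_zero() { [ "$(id -u "$1" 2>/dev/null)" = "0" ]; }

# Constructed sample files (not real system config) so the checks run offline;
# prints the directory holding them.
make_samples() {
    d=$(mktemp -d)
    printf '# comment\nauth sufficient pam_unix2.so likeauth nullok\nauth sufficient pam_ldap.so use_first_pass\n' > "$d/auth-good"
    printf 'auth sufficient pam_ldap.so use_first_pass\nauth sufficient pam_unix2.so nullok\n' > "$d/auth-bad"
    printf 'passwd: files ldap\nshadow: files ldap\ngroup: files ldap\n' > "$d/nss-good"
    printf 'passwd: compat\nshadow: files ldap\ngroup: ldap files\n' > "$d/nss-bad"
    echo "$d"
}
```

On a live system, run pam_unix_first against each /etc/pam.d/common-* file and nss_files_first against /etc/nsswitch.conf from the root terminal before you leave the session.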

Concluding Thoughts

As explained, this guide shows the LDAP implementation. Other authentication sources can be used.

Category: SUSE Linux Enterprise Server, Technical Solutions
This entry was posted Wednesday, 25 June, 2008 at 12:46 pm

Comments

  • tse7147 says:

    PAM docs are in /usr/share/doc/packages/pam/modules. The document listed the min /etc…

    At least that is where I found them on SLES 10.

    This is good, even if you don’t want to do this, it helps to understand the PAM system.
