Root Authentication Bypass Caused by Missing PAM Configuration
This document (000021833) is provided subject to the disclaimer at the end of this document.
Environment
SUSE Linux Enterprise Server 15 SP5
SUSE Linux Enterprise Server 15 SP4
SUSE Linux Enterprise Server 15 SP3
SUSE Linux Enterprise Server 15 SP2
SUSE Linux Enterprise Server 15 SP1
SUSE Linux Enterprise Server 15 GA
SUSE Linux Enterprise Server 12 SP5
Situation
A system was experiencing an issue where it could be accessed using any password.
Regardless of the input, authentication was bypassed, allowing login as the root user.
For example, random passwords such as "test", "run", and "cool" still granted access to the system as root, even though the correct password was not entered.
Resolution
To fix this issue, the following steps were performed:
- Modify the /etc/pam.d/common-auth file and add the missing authentication rule:
  auth required pam_unix.so try_first_pass
- The corrected file now contained:
  Original file:
    # /etc/pam.d/common-auth
    auth required pam_env.so
    auth optional pam_gnome_keyring.so
  Modified to:
    # /etc/pam.d/common-auth
    auth required pam_env.so
    auth optional pam_gnome_keyring.so
    auth required pam_unix.so try_first_pass
- After applying the change, login tests confirmed that password authentication was functioning correctly again.
Notes:
- If you cannot check the customer's PAM configuration, follow step 2.
- In SUSE Linux Enterprise Server 12 SP5 and SUSE Linux Enterprise Server 15 SP2, SP3, SP4, SP5, SP6, the /etc/pam.d/common-auth file already includes the default setting: auth required pam_unix.so try_first_pass.
- To ensure that PAM uses UNIX-based authentication for login and other authentication processes, run the following command:
  pam-config -a --unix
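As an added example (not part of this TID and not a SUSE tool), the following POSIX shell script checks whether a PAM "common-auth" stack contains an active auth rule for pam_unix.so, which is the rule whose absence caused this issue. The function names (has_pam_unix_auth, audit_common_auth, write_sample) are assumptions; the two sample files it writes are constructed copies of the "original" and "modified" file contents shown above, so the script runs offline without touching /etc/pam.d.

```shell
#!/bin/sh
# Added example (not SUSE's own tooling): audit a PAM common-auth stack for
# the "auth ... pam_unix.so" rule whose absence is described in this TID.

# Return 0 when FILE contains an active (uncommented) auth line that loads
# pam_unix.so, 1 otherwise. A leading "-" (PAM's "ignore if the module is
# missing" marker) and a bracketed control field such as [success=1 default=ignore]
# are both accepted; commented-out lines are not.
has_pam_unix_auth() {
    grep -Eq '^[[:space:]]*-?auth[[:space:]]+(required|requisite|sufficient|optional|\[[^]]*\])[[:space:]]+pam_unix\.so' "$1"
}

# Report on FILE (defaults to /etc/pam.d/common-auth) and return 0 when the
# rule is present, 1 when it is missing, 2 when the file cannot be read.
audit_common_auth() {
    file=${1:-/etc/pam.d/common-auth}
    if [ ! -r "$file" ]; then
        echo "audit: cannot read $file" >&2
        return 2
    fi
    if has_pam_unix_auth "$file"; then
        echo "OK: $file contains an auth rule for pam_unix.so"
        return 0
    fi
    echo "MISSING: $file has no auth rule for pam_unix.so; passwords are not validated by pam_unix" >&2
    return 1
}

# Write constructed copies of the two files shown in this TID into DIR
# (DIR/original and DIR/corrected). These are samples, not real system files.
write_sample() {
    cat > "$1/original" <<'EOF'
# /etc/pam.d/common-auth
auth required pam_env.so
auth optional pam_gnome_keyring.so
EOF
    cat > "$1/corrected" <<'EOF'
# /etc/pam.d/common-auth
auth required pam_env.so
auth optional pam_gnome_keyring.so
auth required pam_unix.so try_first_pass
EOF
}

# Stand-alone demo: audit both constructed samples.
demo_dir=$(mktemp -d)
write_sample "$demo_dir"
audit_common_auth "$demo_dir/original" || true    # reports MISSING
audit_common_auth "$demo_dir/corrected"           # reports OK
rm -rf "$demo_dir"
```

To audit a live system, call audit_common_auth with no argument (or pass another PAM service file); a non-zero status makes it usable from a configuration-compliance check. The pattern only confirms that pam_unix.so is present in the auth stack; it does not evaluate the full control-flag logic of the stack, so a positive result is a sanity check, not a proof that the stack is sound.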
Cause
The issue was caused by the absence of the auth required pam_unix.so try_first_pass rule in the PAM authentication settings.
Without this rule, the system failed to validate passwords properly, allowing access to the root account without requiring the correct password.
Additional Information
Applicability to SUSE Linux Enterprise Server 15 SP6.
This issue does not apply to SUSE Linux Enterprise Server 15 SP6, as the authentication configuration in this version is designed to prevent unauthorized access by default. PAM settings in SUSE Linux Enterprise Server 15 SP6 ensure proper password validation, even without manually adding auth required pam_unix.so try_first_pass in /etc/pam.d/common-auth. This security enhancement prevents the root account from being accessible using arbitrary passwords.
Disclaimer
This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.
- Document ID: 000021833
- Creation Date: 08-May-2025
- Modified Date: 11-Jun-2025
- SUSE Linux Enterprise Server
- SUSE Manager Server
For questions or concerns with the SUSE Knowledgebase please contact: tidfeedback[at]suse.com