On 03/18/2013 07:02 PM, Alex wrote:
I am trying to ssh into my fc18 server as root and have the following
message in syslog:
Mar 18 18:29:20 bwipropnew sshd[12473]: pam_succeed_if(sshd:auth):
requirement "uid >= 1000" not met by user "root"
You'll see that after an auth failure for any account with uid < 1000:
Mar 18 23:11:47 vagabond unix_chkpwd[6076]: password check failed for
user (root)
Mar 18 23:11:47 vagabond sshd[6073]: pam_unix(sshd:auth): authentication
failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost user=root
Mar 18 23:11:47 vagabond sshd[6073]: pam_succeed_if(sshd:auth):
requirement "uid >= 1000" not met by user "root"
Mar 18 23:11:50 vagabond sshd[6073]: Failed password for root from ::1
port 51784 ssh2
The standard config looks like this:
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth required pam_deny.so
pam_env sets or unsets environment variables and succeeds.
pam_unix will process the password provided. If the password is
correct, this list will stop processing. If not...
pam_succeed_if will succeed for user accounts and then pass to pam_deny,
which causes the authentication attempt to fail.
pam_succeed_if will fail immediately for system accounts, without using
pam_deny.
If you're using LDAP or KRB5 authentication, it will appear in between
those two lines. That authentication module (pam_sss normally) will be
usable by users with uid >= 1000, but not by system user accounts.
--
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org
