0

I have my CentOS 6 system configured to use sssd with ldap provider. I am able to login and use sudo, however /var/log/secure always reports authentication failure:

Sep 18 07:09:52 serverA sudo: pam_unix(sudo:auth): authentication failure; logname=exampleuser uid=10000 euid=0 tty=/dev/pts/1 ruser=exampleuser rhost=  user=exampleuser
Sep 18 07:09:52 serverA sudo: pam_sss(sudo:auth): authentication success; logname=exampleuser uid=10000 euid=0 tty=/dev/pts/1 ruser=exampleuser rhost=  user=exampleuser

This is causing false positives in my SIEM. I think the issue is with pam. I configured it using authconfig. Is there a way to configure pam to not check /etc/passwd for ldap users (say users above X uid) or another solution to this problem?

Python Novice
  • 351
  • 1
  • 5
  • 13

2 Answers2

3

Try to put this row at the beginning of your /etc/pam.d/sshd file.

auth       sufficient   pam_sss.so
Izzy
  • 795
  • 2
  • 8
  • 31
  • On RHEL/CentOS 6, includes are used in /etc/pam.d/sshd to pull in settings /etc/pam.d/system-auth-ac, so the change should not be made there. Furthermore, this file handles sshd, but if you look at my log its sudo where the problem lies. – Python Novice Sep 19 '15 at 01:25
1

Gabriele and mkzero were on the right track.

Did some research and was able to find a solution. /etc/pam.d/sudo (shown above) and /etc/pam.d/sshd are the two sources which will generate double log messages like this. By default, pam tries to authenticate first using pam_unix.so, and if it fails it tries pam_sss.so. They both use includes to pull in settings from two other pam files. To get rid of this error, the order has to be changed in two files:

  • /etc/pam.d/password-auth-ac
  • /etc/pam.d/system-auth-ac

Replaced auth section with:

auth        required      pam_env.so
auth        sufficient    pam_sss.so
auth        requisite     pam_succeed_if.so uid < 20000 quiet
auth        sufficient    pam_unix.so nullok try_first_pass
auth        required      pam_deny.so`

pam_succeed_if.so is set to not use pam_unix for users with uids above 20000 which my ldap users are. If you leave this out, you will still see two authentication log messages from both pam_sss and pam_unix.

Python Novice
  • 351
  • 1
  • 5
  • 13