[CentOS] PAM_shield locking me out?

Tue Aug 24 19:53:33 UTC 2010
S.Tindall <tindall.satwth at brandxmail.com>

On Tue, 2010-08-24 at 14:56 -0400, Rob Kampen wrote:
> No, my server is 32 bit and I think there were no seg faults in
> actuality - the pam_shield module was causing a ?? response to su and
> sudo auth requests and they reported segmentation error - nothing in
> the logs -
> I assume that it had somehow locked my account and thus all auth
> requests to pam were being dumped. It also appeared to do the same to
> the login prompt on the console - any user entered just went back to
> the login prompt no request for the password,
> I have thus commented out the auth line I added yesterday until I work
> out what went wrong.
> I am wondering if I entered the auth line in the wrong place??
> Anyone know where it should go?
> The instructions from the INSTALL file in the tar.gz that I used was
> not CentOS / RH specific.
> HTH Rob

A pam_shield-related login failure happened to me once and fixing
system-auth cured it.

It happened too long ago to remember the details, but I think the
failure was on CentOS 4. The thing that sticks in my mind was the
inability of any user to log in from a console.

Here are the examples you requested.


CentOS 4 example (64-bit):

# cat /etc/pam.d/system-auth
...
auth  required    /lib/security/$ISA/pam_env.so
auth  sufficient  /lib/security/$ISA/pam_unix.so likeauth nullok
#
auth  optional    /lib64/security/pam_shield.so
#
auth  required    /lib/security/$ISA/pam_deny.so
...


CentOS 5 example:

# cat /etc/pam.d/system-auth
...
auth  required    pam_env.so
auth  sufficient  pam_unix.so nullok try_first_pass
#
auth  optional    pam_shield.so
#
auth  requisite   pam_succeed_if.so uid >= 500 quiet
auth  required    pam_deny.so
...


rhel6-beta2 example:
...
# cat /etc/pam.d/system-auth
...
auth        required      pam_env.so
auth        sufficient    pam_fprintd.so
auth        sufficient    pam_unix.so nullok try_first_pass
#
auth        optional      pam_shield.so
#
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so
...


Steve
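
Added example, not part of the original message: a small Python check that an auth stack places pam_shield the way the three system-auth examples above do (control `optional`, below `pam_unix.so`, above `pam_deny.so`). The function names and the `BAD` sample are constructed for illustration; `GOOD` is the CentOS 5 stack from the message.

```python
import re
import sys

# Matches an auth line; the control may be a word or a bracketed [value=action ...] list.
LINE = re.compile(r"^-?auth\s+(\[[^\]]*\]|\S+)\s+(\S+)")

# GOOD: CentOS 5 stack from the message. BAD: constructed misplacement.
GOOD = """\
auth  required    pam_env.so
auth  sufficient  pam_unix.so nullok try_first_pass
auth  optional    pam_shield.so
auth  requisite   pam_succeed_if.so uid >= 500 quiet
auth  required    pam_deny.so
"""
BAD = """\
auth  required    pam_env.so
auth  required    pam_shield.so
auth  sufficient  pam_unix.so nullok try_first_pass
auth  required    pam_deny.so
"""

def parse_auth_stack(text):
    """Return [(control, module_basename)] for the auth lines, in file order."""
    stack = []
    for raw in text.splitlines():
        m = LINE.match(raw.split("#", 1)[0].strip())  # drop comments
        if m:
            # Strip any directory such as /lib/security/$ISA/ from the module.
            stack.append((m.group(1), m.group(2).rsplit("/", 1)[-1]))
    return stack

def check_shield(text):
    """Return a list of problems; an empty list means placement matches the examples."""
    stack = parse_auth_stack(text)
    mods = [mod for _, mod in stack]
    if "pam_shield.so" not in mods:
        return ["pam_shield.so not present in auth stack"]
    i = mods.index("pam_shield.so")
    problems = []
    if stack[i][0] != "optional":
        problems.append(f"control is '{stack[i][0]}', examples use 'optional'")
    if "pam_unix.so" not in mods[:i]:
        problems.append("pam_shield.so is not below pam_unix.so")
    if "pam_deny.so" not in mods[i + 1:]:
        problems.append("pam_shield.so is not above pam_deny.so")
    return problems

if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/pam.d/system-auth"
    print(check_shield(open(path).read()) or "placement matches the examples")
```

Run it against a copy of the edited file before closing the root shell used for the edit, so a misplaced line is caught while a working session is still open.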