Lost ability to sudo after modifying pam module

pamrhelsudo

On one of our RHEL6 servers I made a change to /etc/pam/d/system-auth and password-auth then after rebooting lost the ability to sudo and su. Specifically I changed this line:

auth        sufficient      pam_unix.so  try_first_pass

to this:

auth        optional      pam_unix.so  try_first_pass

I can still ssh to the server and get in with a standard user account however I have no rights to make any changes to any files so I can reverse this. This server is also a VM. Is there anything I can do? Any PAM tricks out there?

Best Answer

If you've locked yourself out of the root account, you'll need to use physical access. There are two approaches:

Reboot the system. At the prompt from the bootloader (e.g. Grub), request a root shell. You may need to press a key to make the bootloader prompt appear; with Grub, you typically need to press and hold Shift. Edit the kernel command line, i.e. the line that starts with linux, to add init=/bin/sh at the end. Boot, and you'll get a root shell. Use this to fix whatever configuration file needs fixing. This method requires access to the console and a bootloader that isn't locked up.
Power off the system. Take out the hard disk, plug it into another machine, and mount the system partition. Edit whatever configuration file needs fixing. This method requires access to the machine's storage.

Since your system is running in a virtual machine, the “physical” access is in fact access to the account on the host system that's running the virtual machine. Rebooting and accessing the console is a straightforward analog of the physical case. Accessing the disk can be done with virtual machine software. Here are some methods:

Use guestfs tools, specifically guestmount. Something like this should work:
```
guestmount -a /path/to/vm.img -m /dev/sda1 ~/mnt
```

Expose the VM image as a network boot device:

qemu-nbd -c /dev/nbd0 /path/to/vm.img
mount /dev/nbd0p1 /mnt

Related Solutions

Custom PAM modules and security considerations

When you call into Linux-PAM for some authentication procedure, there is always one and only one stack that is run.

The stack definition is looked up in these places; the first successful attempt determines which file is read:

the file in /etc/pam.d named after the application "service name" (e.g., sshd or gdm), or
the file /etc/pam.d/other if no service-specific file exists, or
the file /etc/pam.conf if directory /etc/pam.d does not exist.

See the documentation for function pam_start for details.

The common-* files are a convention followed by many Linux distributions but are not mandated by the PAM software itself. They are usually included by other PAM files by means of @include statements; for instance the /etc/pam.d/other file on Debian has the following content:

# We fall back to the system default in /etc/pam.d/common-*
@include common-auth
@include common-account
@include common-password
@include common-session

The same @include statements may be used by service-specific file as well, and -indeed- they are in the default configuration on Debian. Note that this is a matter of configuration: a sysadmin is free to change the file in /etc/pam.d not to include any common-* files at all!

Therefore: if your PAM module is specific to your application, create an application-specific service file and call the module from there. Do not automatically add a module to other services' PAM file nor to the fall-back others file, as this may break other applications installed on the system. Management of the PAM software stack is a task for the system administrator, not for the application developers.

Ssh – Piping tcpdump traffic via SSH – but no root ssh access

You can run this command via sudo on the server to capture the data first, and then send the resulting file back to your workstation to review the data

sudo tcpdump -i eth0 -s 65535 -w /tmp/wireshark

Best Answer

Related Solutions

Custom PAM modules and security considerations

Ssh – Piping tcpdump traffic via SSH – but no root ssh access

Related Question