PAM tweaks to enable login with blank password from console on CentOS 7.6.1810
I am writing an application that forces the user to change his password after the first login. I set a blank password for this admin user with
passwd -d admin
and verified that no password was set in /etc/shadow
# grep admin /etc/shadow
admin::17834:0:99999:7:::
However, my attempts to log in from the console (not ssh) all fail. Can one or more rules in /etc/pam.d/* be tweaked to allow this login? I had once built a debug version of pam and replaced the default library with it (in a custom ISO) to understand which rules were being invoked, but it generated a humongous amount of log messages.
UPDATE:
I (force-)installed a PAM RPM built with debugging enabled and captured all logs pertinent to a login attempt from the console:
[pam_item.c:pam_set_item(31)] called
[pam_delay.c:_pam_start_timer(42)] starting timer...
[pam_handlers.c:_pam_init_handlers(342)] _pam_init_handlers called
[pam_dispatch.c:_pam_dispatch_aux(106)] passing control to module...
[pam_item.c:pam_get_item(179)] called.
[pam_item.c:pam_get_item(201)] returning userprompt=(null)
[pam_item.c:pam_get_user(281)] called.
[misc_conv.c:misc_conv(279)] allocating empty response structure array.
[misc_conv.c:misc_conv(288)] entering conversation function.
[misc_conv.c:read_string(136)] called with echo='ON', prompt='lnxserver login: '.
[misc_conv.c:read_string(203)] we got some user input
[pam_item.c:pam_set_item(31)] called
[pam_item.c:pam_get_user(380)] completed
[pam_data.c:pam_get_data(123)] called
[pam_data.c:_pam_locate_data(46)] called
[pam_data.c:pam_set_data(70)] called
[pam_data.c:_pam_locate_data(46)] called
[pam_modutil_getpwnam.c:pam_modutil_getpwnam(92)] success
[pam_dispatch.c:_pam_dispatch_aux(114)] module returned: Error in service module
[pam_dispatch.c:_pam_dispatch_aux(198)] use_cached_chain=0 action=0 cached_retval=3 retval=3
[pam_dispatch.c:_pam_dispatch_aux(106)] passing control to module...
[pam_item.c:pam_get_user(281)] called.
[pam_data.c:pam_get_data(123)] called
[pam_data.c:_pam_locate_data(46)] called
[pam_data.c:pam_get_data(123)] called
[pam_data.c:_pam_locate_data(46)] called
[pam_data.c:pam_set_data(70)] called
[pam_data.c:_pam_locate_data(46)] called
[pam_modutil_getpwnam.c:pam_modutil_getpwnam(92)] success
[pam_dispatch.c:_pam_dispatch_aux(114)] module returned: Success
[pam_dispatch.c:_pam_dispatch_aux(198)] use_cached_chain=0 action=-1 cached_retval=0 retval=0
[pam_dispatch.c:_pam_dispatch_aux(100)] skipping substack handler
[pam_dispatch.c:_pam_dispatch_aux(106)] passing control to module...
[pam_dispatch.c:_pam_dispatch_aux(114)] module returned: The return value should be ignored by PAM dispatch
[pam_dispatch.c:_pam_dispatch_aux(198)] use_cached_chain=0 action=0 cached_retval=25 retval=25
[pam_dispatch.c:_pam_dispatch_aux(106)] passing control to module...
[pam_delay.c:pam_fail_delay(141)] setting delay to 2000000
[pam_delay.c:pam_fail_delay(150)] largest = 0
[pam_delay.c:pam_fail_delay(153)] resetting largest delay
[pam_item.c:pam_get_user(281)] called.
[pam_data.c:pam_get_data(123)] called
[pam_data.c:_pam_locate_data(46)] called
[pam_data.c:pam_get_data(123)] called
[pam_data.c:_pam_locate_data(46)] called
[pam_data.c:pam_get_data(123)] called
[pam_data.c:_pam_locate_data(46)] called
[pam_data.c:pam_set_data(70)] called
[pam_data.c:_pam_locate_data(46)] called
[pam_modutil_getpwnam.c:pam_modutil_getpwnam(92)] success
[pam_dispatch.c:_pam_dispatch_aux(114)] module returned: Success
[pam_dispatch.c:_pam_dispatch_aux(198)] use_cached_chain=0 action=-1 cached_retval=0 retval=0
[pam_dispatch.c:_pam_dispatch_aux(106)] passing control to module...
[pam_unix_auth.c:pam_sm_authenticate(112)] called.
[support.c:_set_ctrl(139)] called.
[support.c:_set_ctrl(146)] IAMROOT
[support.c:_set_ctrl(279)] done.
[pam_item.c:pam_get_user(281)] called.
[support.c:_unix_blankpasswd(680)] called
[support.c:_unix_read_password(888)] called
[pam_item.c:pam_get_item(179)] called.
[misc_conv.c:misc_conv(279)] allocating empty response structure array.
[misc_conv.c:misc_conv(288)] entering conversation function.
[misc_conv.c:read_string(136)] called with echo='OFF', prompt='Password: '.
[misc_conv.c:read_string(203)] we got some user input
[pam_item.c:pam_set_item(31)] called
[pam_item.c:pam_get_item(179)] called.
[pam_unix_auth.c:pam_sm_authenticate(175)] user=admin, password=[]
[support.c:_unix_verify_password(730)] called
[support.c:_unix_verify_password(734)] setting delay
[pam_delay.c:pam_fail_delay(141)] setting delay to 2000000
[pam_delay.c:pam_fail_delay(150)] largest = 2000000
[support.c:_unix_verify_password(741)] locating user's record
[pam_data.c:pam_get_data(123)] called
[pam_data.c:_pam_locate_data(46)] called
[pam_data.c:pam_get_data(123)] called
[pam_data.c:_pam_locate_data(46)] called
[pam_data.c:pam_get_data(123)] called
[pam_data.c:_pam_locate_data(46)] called
[pam_data.c:pam_get_data(123)] called
[pam_data.c:_pam_locate_data(46)] called
[pam_data.c:pam_set_data(70)] called
[pam_data.c:_pam_locate_data(46)] called
[pam_modutil_getpwnam.c:pam_modutil_getpwnam(92)] success
[support.c:_unix_verify_password(755)] running helper binary
[support.c:_unix_run_helper_binary(544)] called.
[passverify.c:verify_pwd_hash(74)] called
[passverify.c:verify_pwd_hash(84)] user has empty password - access denied
[passverify.c:verify_pwd_hash(133)] done [7].
[support.c:_unix_run_helper_binary(662)] returning 7
[pam_data.c:pam_get_data(123)] called
[pam_data.c:_pam_locate_data(46)] called
[pam_data.c:pam_get_data(123)] called
[pam_data.c:_pam_locate_data(46)] called
[pam_item.c:pam_get_item(179)] called.
[pam_item.c:pam_get_item(179)] called.
[pam_item.c:pam_get_item(179)] called.
[pam_item.c:pam_get_item(179)] called.
[pam_item.c:pam_get_item(206)] returning tty=tty1
[pam_data.c:pam_set_data(70)] called
[pam_data.c:_pam_locate_data(46)] called
[support.c:_unix_verify_password(867)] done [7].
[pam_unix_auth.c:pam_sm_authenticate(181)] recording return code for next time [7]
[pam_data.c:pam_set_data(70)] called
[pam_data.c:_pam_locate_data(46)] called
[pam_unix_auth.c:pam_sm_authenticate(181)] done. [Authentication failure]
[pam_dispatch.c:_pam_dispatch_aux(114)] module returned: Authentication failure
[pam_dispatch.c:_pam_dispatch_aux(198)] use_cached_chain=0 action=-3 cached_retval=7 retval=7
[pam_dispatch.c:_pam_dispatch_aux(106)] passing control to module...
[pam_delay.c:pam_fail_delay(141)] setting delay to 2000000
[pam_delay.c:pam_fail_delay(150)] largest = 2000000
[pam_item.c:pam_get_user(281)] called.
[pam_data.c:pam_get_data(123)] called
[pam_data.c:_pam_locate_data(46)] called
[pam_data.c:pam_get_data(123)] called
[pam_data.c:_pam_locate_data(46)] called
[pam_data.c:pam_get_data(123)] called
[pam_data.c:_pam_locate_data(46)] called
[pam_data.c:pam_get_data(123)] called
[pam_data.c:_pam_locate_data(46)] called
[pam_data.c:pam_get_data(123)] called
[pam_data.c:_pam_locate_data(46)] called
[pam_data.c:pam_set_data(70)] called
[pam_data.c:_pam_locate_data(46)] called
[pam_modutil_getpwnam.c:pam_modutil_getpwnam(92)] success
[pam_item.c:pam_get_item(179)] called.
[pam_item.c:pam_get_item(179)] called.
[pam_item.c:pam_get_item(206)] returning tty=tty1
[pam_dispatch.c:_pam_dispatch_aux(114)] module returned: The return value should be ignored by PAM dispatch
[pam_dispatch.c:_pam_dispatch_aux(198)] use_cached_chain=0 action=-4 cached_retval=25 retval=25
[pam_item.c:pam_set_item(31)] called
[pam_item.c:pam_set_item(31)] called
[pam_delay.c:_pam_await_timer(90)] waiting?...
[pam_delay.c:_pam_compute_delay(76)] random number: base=2000000 -> ans=1674256
[pam_delay.c:_pam_await_timer(114)] will wait 1674256 usec
[pam_delay.c:_pam_reset_timer(27)] setting pamh->fail_delay.set to FALSE
[pam_delay.c:_pam_await_timer(126)] waiting done
[pam_auth.c:pam_authenticate(39)] pam_authenticate exit
[pam_item.c:pam_get_item(179)] called.
[pam_item.c:pam_get_item(196)] returning user=admin
[pam_item.c:pam_set_item(31)] called
[pam_auth.c:pam_authenticate(18)] pam_authenticate called
[pam_item.c:pam_set_item(31)] called
[pam_item.c:pam_set_item(31)] called
[pam_delay.c:_pam_start_timer(42)] starting timer...
[pam_handlers.c:_pam_init_handlers(342)] _pam_init_handlers called
[pam_dispatch.c:_pam_dispatch_aux(106)] passing control to module...
[pam_item.c:pam_get_item(179)] called.
[pam_item.c:pam_get_item(201)] returning userprompt=(null)
[pam_item.c:pam_get_user(281)] called.
[misc_conv.c:misc_conv(279)] allocating empty response structure array.
[misc_conv.c:misc_conv(288)] entering conversation function.
[misc_conv.c:read_string(136)] called with echo='ON', prompt='lnxserver login: '.
Looking at the source, a check in modules/pam_unix/passverify.c (must be pam_unix.so) is tripping
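Added example, not part of the original post: a small Python filter that collapses a libpam debug trace like the one above into one record per module dispatch, so the module that actually blocks the login stands out from the volume of output. The function names and the `SAMPLE_TRACE` excerpt (lines taken from the posted log, with repetitive ones dropped) are choices made for this example; the action names follow the numbering in Linux-PAM's `pam_private.h`.

```python
import re

# One debug line looks like: "[file.c:function(lineno)] message"
LINE_RE = re.compile(r"^\[([\w.]+):(\w+)\((\d+)\)\]\s*(.*)$")
RESULT_RE = re.compile(r"action=(-?\d+) cached_retval=(\d+) retval=(\d+)")
# Messages that carry no information on their own.
NOISE_RE = re.compile(r"^(called\.?|success|completed|done\.?( \[\d+\]\.?)?)$")

# libpam framework sources; anything else logged during a dispatch is module code.
FRAMEWORK = {
    "pam_dispatch.c", "pam_item.c", "pam_data.c", "pam_delay.c",
    "pam_handlers.c", "pam_auth.c", "pam_modutil_getpwnam.c", "misc_conv.c",
}
# Control actions as numbered in libpam's pam_private.h (positive = jump count).
ACTIONS = {0: "ignore", -1: "ok", -2: "done", -3: "bad", -4: "die", -5: "reset"}


def summarize(trace):
    """Collapse a libpam debug trace into one record per module dispatch."""
    dispatches, current = [], None
    for raw in trace.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        src, func, _lineno, msg = m.groups()
        if src == "pam_dispatch.c":
            if msg.startswith("passing control to module"):
                current = {"sources": [], "notes": [], "result": None,
                           "retval": None, "action": None}
            elif msg.startswith("module returned:") and current is not None:
                current["result"] = msg.split(":", 1)[1].strip()
            elif current is not None and current["result"] is not None:
                r = RESULT_RE.search(msg)
                if r:
                    action = int(r.group(1))
                    current["action"] = ACTIONS.get(
                        action, "jump" if action > 0 else str(action))
                    current["retval"] = int(r.group(3))
                    dispatches.append(current)
                    current = None
            continue
        if current is None or src in FRAMEWORK:
            continue
        if src not in current["sources"]:
            current["sources"].append(src)
        if not NOISE_RE.match(msg):
            current["notes"].append(f"{func}: {msg}")
    return dispatches  # a dispatch cut off before its result line is dropped


def first_blocking(dispatches):
    """Return the first dispatch whose failure counts against the stack."""
    for d in dispatches:
        if d["action"] in ("bad", "die") and d["retval"] != 0:
            return d
    return None


# Excerpt of the trace posted above (repetitive lines dropped for this example).
SAMPLE_TRACE = """\
[pam_dispatch.c:_pam_dispatch_aux(106)] passing control to module...
[pam_item.c:pam_get_user(281)] called.
[pam_modutil_getpwnam.c:pam_modutil_getpwnam(92)] success
[pam_dispatch.c:_pam_dispatch_aux(114)] module returned: Error in service module
[pam_dispatch.c:_pam_dispatch_aux(198)] use_cached_chain=0 action=0 cached_retval=3 retval=3
[pam_dispatch.c:_pam_dispatch_aux(106)] passing control to module...
[pam_modutil_getpwnam.c:pam_modutil_getpwnam(92)] success
[pam_dispatch.c:_pam_dispatch_aux(114)] module returned: Success
[pam_dispatch.c:_pam_dispatch_aux(198)] use_cached_chain=0 action=-1 cached_retval=0 retval=0
[pam_dispatch.c:_pam_dispatch_aux(100)] skipping substack handler
[pam_dispatch.c:_pam_dispatch_aux(106)] passing control to module...
[pam_unix_auth.c:pam_sm_authenticate(112)] called.
[support.c:_set_ctrl(146)] IAMROOT
[support.c:_unix_blankpasswd(680)] called
[misc_conv.c:read_string(136)] called with echo='OFF', prompt='Password: '.
[pam_unix_auth.c:pam_sm_authenticate(175)] user=admin, password=[]
[support.c:_unix_verify_password(755)] running helper binary
[passverify.c:verify_pwd_hash(74)] called
[passverify.c:verify_pwd_hash(84)] user has empty password - access denied
[passverify.c:verify_pwd_hash(133)] done [7].
[support.c:_unix_run_helper_binary(662)] returning 7
[pam_unix_auth.c:pam_sm_authenticate(181)] done. [Authentication failure]
[pam_dispatch.c:_pam_dispatch_aux(114)] module returned: Authentication failure
[pam_dispatch.c:_pam_dispatch_aux(198)] use_cached_chain=0 action=-3 cached_retval=7 retval=7
[pam_dispatch.c:_pam_dispatch_aux(106)] passing control to module...
[pam_item.c:pam_get_item(206)] returning tty=tty1
[pam_dispatch.c:_pam_dispatch_aux(114)] module returned: The return value should be ignored by PAM dispatch
[pam_dispatch.c:_pam_dispatch_aux(198)] use_cached_chain=0 action=-4 cached_retval=25 retval=25
"""

if __name__ == "__main__":
    for i, d in enumerate(summarize(SAMPLE_TRACE), 1):
        src = ",".join(d["sources"]) or "(no module-side debug output)"
        print(f"{i}. retval={d['retval']:<2} action={d['action']:<6} {src}: {d['result']}")
    hit = first_blocking(summarize(SAMPLE_TRACE))
    if hit:
        print("first blocking dispatch:", *hit["notes"], sep="\n  ")
```

The source file names logged inside a dispatch only hint at which module ran; map them to the module line in the relevant `/etc/pam.d/` stack by hand.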
[pam_data.c:_pam_locate_data(46)] called
[pam_data.c:pam_get_data(123)] called
[pam_data.c:_pam_locate_data(46)] called
[pam_data.c:pam_get_data(123)] called
[pam_data.c:_pam_locate_data(46)] called
[pam_data.c:pam_get_data(123)] called
[pam_data.c:_pam_locate_data(46)] called
[pam_data.c:pam_set_data(70)] called
[pam_data.c:_pam_locate_data(46)] called
[pam_modutil_getpwnam.c:pam_modutil_getpwnam(92)] success
[support.c:_unix_verify_password(755)] running helper binary
[support.c:_unix_run_helper_binary(544)] called.
[passverify.c:verify_pwd_hash(74)] called
[passverify.c:verify_pwd_hash(84)] user has empty password - access denied
[passverify.c:verify_pwd_hash(133)] done [7].
[support.c:_unix_run_helper_binary(662)] returning 7
[pam_data.c:pam_get_data(123)] called
[pam_data.c:_pam_locate_data(46)] called
[pam_data.c:pam_get_data(123)] called
[pam_data.c:_pam_locate_data(46)] called
[pam_item.c:pam_get_item(179)] called.
[pam_item.c:pam_get_item(179)] called.
[pam_item.c:pam_get_item(179)] called.
[pam_item.c:pam_get_item(179)] called.
[pam_item.c:pam_get_item(206)] returning tty=tty1
[pam_data.c:pam_set_data(70)] called
[pam_data.c:_pam_locate_data(46)] called
[support.c:_unix_verify_password(867)] done [7].
[pam_unix_auth.c:pam_sm_authenticate(181)] recording return code for next time [7]
[pam_data.c:pam_set_data(70)] called
[pam_data.c:_pam_locate_data(46)] called
[pam_unix_auth.c:pam_sm_authenticate(181)] done. [Authentication failure]
[pam_dispatch.c:_pam_dispatch_aux(114)] module returned: Authentication failure
[pam_dispatch.c:_pam_dispatch_aux(198)] use_cached_chain=0 action=-3 cached_retval=7 retval=7
[pam_dispatch.c:_pam_dispatch_aux(106)] passing control to module...
[pam_delay.c:pam_fail_delay(141)] setting delay to 2000000
[pam_delay.c:pam_fail_delay(150)] largest = 2000000
[pam_item.c:pam_get_user(281)] called.
[pam_data.c:pam_get_data(123)] called
[pam_data.c:_pam_locate_data(46)] called
[pam_data.c:pam_get_data(123)] called
[pam_data.c:_pam_locate_data(46)] called
[pam_data.c:pam_get_data(123)] called
[pam_data.c:_pam_locate_data(46)] called
[pam_data.c:pam_get_data(123)] called
[pam_data.c:_pam_locate_data(46)] called
[pam_data.c:pam_get_data(123)] called
[pam_data.c:_pam_locate_data(46)] called
[pam_data.c:pam_set_data(70)] called
[pam_data.c:_pam_locate_data(46)] called
[pam_modutil_getpwnam.c:pam_modutil_getpwnam(92)] success
[pam_item.c:pam_get_item(179)] called.
[pam_item.c:pam_get_item(179)] called.
[pam_item.c:pam_get_item(206)] returning tty=tty1
[pam_dispatch.c:_pam_dispatch_aux(114)] module returned: The return value should be ignored by PAM dispatch
[pam_dispatch.c:_pam_dispatch_aux(198)] use_cached_chain=0 action=-4 cached_retval=25 retval=25
[pam_item.c:pam_set_item(31)] called
[pam_item.c:pam_set_item(31)] called
[pam_delay.c:_pam_await_timer(90)] waiting?...
[pam_delay.c:_pam_compute_delay(76)] random number: base=2000000 -> ans=1674256
[pam_delay.c:_pam_await_timer(114)] will wait 1674256 usec
[pam_delay.c:_pam_reset_timer(27)] setting pamh->fail_delay.set to FALSE
[pam_delay.c:_pam_await_timer(126)] waiting done
[pam_auth.c:pam_authenticate(39)] pam_authenticate exit
[pam_item.c:pam_get_item(179)] called.
[pam_item.c:pam_get_item(196)] returning user=admin
[pam_item.c:pam_set_item(31)] called
[pam_auth.c:pam_authenticate(18)] pam_authenticate called
[pam_item.c:pam_set_item(31)] called
[pam_item.c:pam_set_item(31)] called
[pam_delay.c:_pam_start_timer(42)] starting timer...
[pam_handlers.c:_pam_init_handlers(342)] _pam_init_handlers called
[pam_dispatch.c:_pam_dispatch_aux(106)] passing control to module...
[pam_item.c:pam_get_item(179)] called.
[pam_item.c:pam_get_item(201)] returning userprompt=(null)
[pam_item.c:pam_get_user(281)] called.
[misc_conv.c:misc_conv(279)] allocating empty response structure array.
[misc_conv.c:misc_conv(288)] entering conversation function.
[misc_conv.c:read_string(136)] called with echo='ON', prompt='lnxserver login: '.
Looking at the source, a check in modules/pam_unix/passverify.c (must be pam_unix.so) is tripping
authentication pam
edited 5 hours ago
linuxfan
asked 11 hours ago
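An added example, not part of the original post: a small Python parser for the libpam debug trace format shown above. It groups lines per module invocation and reports the first module whose control action is `bad` or `die`. The sample trace is a constructed excerpt in the same format; the action-code names and the list of libpam-internal source files are assumptions based on libpam's dispatcher and the files visible in the trace.

```python
import re

# Constructed excerpt in the "[file:function(line)] message" format of the trace above.
SAMPLE = """\
[pam_dispatch.c:_pam_dispatch_aux(106)] passing control to module...
[pam_dispatch.c:_pam_dispatch_aux(114)] module returned: Success
[pam_dispatch.c:_pam_dispatch_aux(198)] use_cached_chain=0 action=-1 cached_retval=0 retval=0
[pam_dispatch.c:_pam_dispatch_aux(106)] passing control to module...
[pam_unix_auth.c:pam_sm_authenticate(112)] called.
[passverify.c:verify_pwd_hash(84)] user has empty password - access denied
[pam_dispatch.c:_pam_dispatch_aux(114)] module returned: Authentication failure
[pam_dispatch.c:_pam_dispatch_aux(198)] use_cached_chain=0 action=-3 cached_retval=7 retval=7
"""

LINE = re.compile(r"^\[([^:\]]+):(\w+)\((\d+)\)\]\s*(.*)$")
# Assumption: dispatcher action codes as named in PAM control syntax.
ACTIONS = {0: "ignore", -1: "ok", -2: "done", -3: "bad", -4: "die"}
# Assumption: framework files seen in the trace; any other file is module code.
LIBPAM = {"pam_dispatch.c", "pam_item.c", "pam_data.c", "pam_delay.c",
          "pam_handlers.c", "pam_auth.c", "misc_conv.c", "pam_modutil_getpwnam.c"}

def summarize(trace):
    """Return one dict per module invocation found in a libpam debug trace."""
    calls, cur = [], None
    for raw in trace.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        src, func, _, msg = m.groups()
        if src == "pam_dispatch.c" and msg.startswith("passing control"):
            cur = {"sources": [], "notes": [], "result": None, "retval": None, "action": None}
            calls.append(cur)
        elif cur is None:
            continue
        elif msg.startswith("module returned: "):
            cur["result"] = msg[len("module returned: "):]
        elif src == "pam_dispatch.c" and "action=" in msg:
            kv = dict(p.split("=") for p in msg.split())
            cur["retval"] = int(kv["retval"])
            cur["action"] = ACTIONS.get(int(kv["action"]), kv["action"])
            cur = None  # this invocation is complete
        elif src not in LIBPAM:
            if src not in cur["sources"]:
                cur["sources"].append(src)
            cur["notes"].append(f"{func}: {msg}")
    return calls

def first_failure(calls):
    """First invocation whose control action is 'bad' or 'die', or None."""
    return next((c for c in calls if c["action"] in ("bad", "die")), None)
```

Passing the full captured trace to `summarize()` and then `first_failure()` gives the module source files and the diagnostic lines logged just before the failing return.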