Linux user issues with PAM?
Short answer:
Your command was incorrect:
useradd -d /path/to/home -s /path/to/shell -g admin username
Use
useradd -d /home/username -s /bin/sh -g admin username
to create a normal user.
Tady posted some info in the chat:
tady:$:15750:0:99999:7:::
squarepeg:$:15751:0:99999:7:::
that's the /etc/shadow, and the /etc/passwd:
tady:x:5001:5001::/var/www:/bin/false
squarepeg:x:5003:109:square peg design:/var/www:/bin/false
The /bin/false home directory exists, I created it so users had somewhere to go even though they never use it (though looking at it, its owner and group are root:root. Would this matter?) The /var/www shell is where I want them to go when they log in.
"The format of the passwd file is pretty standard."
Yes, it is true. And the format is informally described here: Wikipedia: Passwd (file); or, more normatively, man 5 passwd (from Ubuntu).
Check an example:
jsmith:.......:/home/jsmith:/bin/sh
Wiki decodes it as:
The sixth field is the path to the user's home directory. The seventh field is the program that is started every time the user logs into the system. ... this is usually one of the system's command line interpreters (shells).
So, jsmith has home directory /home/jsmith and shell program /bin/sh, which is a legal shell (all legal shells are listed in the file /etc/shells). Check man shells; it says:
/etc/shells is a text file which contains the full pathnames of valid login shells...
Be aware that there are programs which consult this file to find out if a user is a normal user. E.g.: ftp daemons traditionally disallow access to users with shells not included in this file.
In my Linux, /bin/false is not listed there as a valid shell.
According to the citation of your passwd, tady and squarepeg have the home dir /var/www and /bin/false is their shell program. When they log in, the shell is started; after the shell terminates, the session is closed. /bin/false is a simple unix program which ... exits in a short time (check Wikipedia: False (Unix) or just think about it as main(){return 1;}).
A normal shell is an interactive program which reads user input and executes it in an endless loop. The shell is started when you ssh to the computer. And you can't use ftp for users who have /bin/false as their shell.
PS: If you want to prohibit somebody from using ssh but allow them to use vsftpd, there are hacks:
- a hack of the /etc/pam.d/vsftpd file: http://linux-tips.org/article/70/users-with-bin-false-shell-to-login-on-vsftpd
- a hack with adding /bin/false to the list of valid shells: http://www.linuxexpert.ro/Linux-Tutorials/setup-vsftp-with-no-shell-access.html
- or ask here.
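As an added example (mine, not the answer's or any participant's code), here is a small Python audit that applies the passwd(5) and shells(5) points made above: it parses a constructed /etc/passwd excerpt modelled on the quoted entries and reports every account whose seventh field is not listed in a constructed /etc/shells. The function names and sample data are my own assumptions, not taken from the system discussed here.

```python
# Added example (not from the answer): audit which accounts have a login shell
# that is not listed in /etc/shells, the situation the answer describes for
# tady and squarepeg. All sample data below is constructed for the demo.

# Constructed /etc/passwd excerpt modelled on the entries quoted in the answer.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
jsmith:x:1000:1000:John Smith:/home/jsmith:/bin/sh
tady:x:5001:5001::/var/www:/bin/false
squarepeg:x:5003:109:square peg design:/var/www:/bin/false
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
"""

# Constructed /etc/shells; shells(5) allows blank lines and '#' comments.
SAMPLE_SHELLS = """\
# /etc/shells: valid login shells
/bin/sh
/bin/dash
/bin/bash
/bin/rbash
"""


def parse_shells(text):
    """Return the set of full pathnames listed in an /etc/shells file."""
    return {
        line.strip()
        for line in text.splitlines()
        if line.strip() and not line.lstrip().startswith("#")
    }


def parse_passwd(text):
    """Return (name, home, shell) for each passwd(5) entry.

    passwd(5) entries have exactly seven colon-separated fields; field 6 is
    the home directory and field 7 the login shell. A line with a different
    field count is rejected rather than silently misread.
    """
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"passwd line {lineno}: expected 7 fields, got {len(fields)}")
        name, _pw, _uid, _gid, _gecos, home, shell = fields
        entries.append((name, home, shell))
    return entries


def check_login_shells(passwd_text, shells_text):
    """Map account name -> (shell, listed_in_etc_shells).

    An unlisted shell such as /bin/false still passes PAM authentication, but
    the program exits at once, so the session is closed immediately (the
    'session opened ... session closed' pair seen in auth.log), and services
    that consult /etc/shells (pam_shells, many ftp daemons) refuse the user.
    """
    valid = parse_shells(shells_text)
    return {name: (shell, shell in valid) for name, _home, shell in parse_passwd(passwd_text)}


def accounts_without_login_shell(passwd_text, shells_text):
    """Sorted names of accounts whose shell is not a valid login shell."""
    report = check_login_shells(passwd_text, shells_text)
    return sorted(name for name, (_shell, ok) in report.items() if not ok)


if __name__ == "__main__":
    for name, (shell, ok) in check_login_shells(SAMPLE_PASSWD, SAMPLE_SHELLS).items():
        verdict = "ok" if ok else "not in /etc/shells: login session will close immediately"
        print(f"{name:<10} {shell:<18} {verdict}")
```

On a real host, feed the script the contents of /etc/passwd and /etc/shells instead of the constructed strings; the accounts it lists are exactly the ones that will authenticate and then be disconnected at once.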
Updated on September 18, 2022
Comments
- tadywankenobi over 1 year:
Had set up a user to use instead of root. Was working fine and dandy till I started playing with user settings. Now all users (apart from root) are borked. Can't log in (ssh) with other users, even after adding them to the admin/root group. Can't ftp with these users (using vsftpd).
I have removed the user and cleared out the entry in the /etc/shadow file which was preventing me from changing the user's password. I added the user again using the following command:
useradd -d /path/to/home -s /path/to/shell -g admin username
I then changed the password, which worked. I have since tried switching user (su - username) and found the following entry in /var/log/auth.log:
Feb 15 09:37:55 myserve su[26682]: Successful su for username by root
Feb 15 09:37:55 myserve su[26682]: + /dev/pts/0 root:username
Feb 15 09:37:55 myserve su[26682]: pam_unix(su:session): session opened for user username by root(uid=0)
Feb 15 09:37:55 myserve su[26682]: pam_unix(su:session): session closed for user username
I can see that the issue appears to be a PAM issue but I don't know how to administer PAM. I think it may have locked that username out. I really want to use that username (not have to create a new one) but, if that is what it comes down to, I will do that.
I have another username which I also cannot su to. The same error appears in the auth.log
Actually on review, I am finding that none of my users, apart from root, can login to the system.
UPDATE: Include PAM details
ls -l of /etc/pam.d
-rw-r--r-- 1 root root  197 2009-11-23 15:11 atd
-rw-r--r-- 1 root root  384 2011-02-21 00:10 chfn
-rw-r--r-- 1 root root   92 2011-02-21 00:10 chpasswd
-rw-r--r-- 1 root root  581 2011-02-21 00:10 chsh
-rw-r--r-- 1 root root 1208 2011-05-10 07:17 common-account
-rw-r--r-- 1 root root 1221 2011-05-10 07:17 common-auth
-rw-r--r-- 1 root root 1440 2011-05-10 07:17 common-password
-rw-r--r-- 1 root root 1156 2011-05-10 07:17 common-session
-rw-r--r-- 1 root root 1154 2011-05-10 07:17 common-session-noninteractive
-rw-r--r-- 1 root root  531 2011-01-05 10:23 cron
-rw-r--r-- 1 root root   81 2010-11-17 17:58 dovecot
-rw-r--r-- 1 root root 4585 2011-02-21 00:10 login
-rw-r--r-- 1 root root   92 2011-02-21 00:10 newusers
-rw-r--r-- 1 root root  520 2011-04-14 16:40 other
-rw-r--r-- 1 root root   92 2011-02-21 00:10 passwd
-rw-r--r-- 1 root root  145 2010-12-14 17:08 pop3
-rw-r--r-- 1 root root  168 2011-02-04 08:41 ppp
-rw-r--r-- 1 root root 1272 2010-04-07 02:50 sshd
-rw-r--r-- 1 root root 2305 2011-02-21 00:10 su
-rw-r--r-- 1 root root  119 2011-04-15 16:02 sudo
-rw-r--r-- 1 root root   92 2013-01-19 22:51 vsftpd
-rw-r--r-- 1 root root  139 2013-01-19 22:33 vsftpd.bak
I have also added the user to the sshd and root group, but still cannot login as that user. The error has changed though:
Feb 15 14:11:51 myserve sshd[5433]: Accepted password for username from 81.56.236.66 port 56851 ssh2
Feb 15 14:11:51 myserve sshd[5433]: pam_unix(sshd:session): session opened for user username by (uid=0)
Feb 15 14:11:52 myserve sshd[5447]: Received disconnect from 81.56.236.66: 11: disconnected by user
Feb 15 14:11:52 myserve sshd[5433]: pam_unix(sshd:session): session closed for user username
Full content of all files in pam.d
File: /etc/pam.d/atd
#
# The PAM configuration file for the at daemon
#
auth required pam_env.so
@include common-auth
@include common-account
@include common-session-noninteractive
session required pam_limits.so

File: /etc/pam.d/chfn
#
# The PAM configuration file for the Shadow `chfn' service
#
# This allows root to change user infomation without being
# prompted for a password
auth sufficient pam_rootok.so
# The standard Unix authentication modules, used with
# NIS (man nsswitch) as well as normal /etc/passwd and
# /etc/shadow entries.
@include common-auth
@include common-account
@include common-session

File: /etc/pam.d/chpasswd
# The PAM configuration file for the Shadow 'chpasswd' service
#
@include common-password

File: /etc/pam.d/chsh
#
# The PAM configuration file for the Shadow `chsh' service
#
# This will not allow a user to change their shell unless
# their current one is listed in /etc/shells. This keeps
# accounts with special shells from changing them.
auth required pam_shells.so
# This allows root to change user shell without being
# prompted for a password
auth sufficient pam_rootok.so
# The standard Unix authentication modules, used with
# NIS (man nsswitch) as well as normal /etc/passwd and
# /etc/shadow entries.
@include common-auth
@include common-account
@include common-session

File: /etc/pam.d/common-account
#
# /etc/pam.d/common-account - authorization settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authorization modules that define
# the central access policy for use on the system. The default is to
# only deny service to users whose accounts are expired in /etc/shadow.
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules. See
# pam-auth-update(8) for details.
#
# here are the per-package modules (the "Primary" block)
account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so
# here's the fallback if no module succeeds
account requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
account required pam_permit.so
# and here are more per-package modules (the "Additional" block)
# end of pam-auth-update config

File: /etc/pam.d/common-auth
#
# /etc/pam.d/common-auth - authentication settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authentication modules that define
# the central authentication scheme for use on the system
# (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the
# traditional Unix authentication mechanisms.
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules. See
# pam-auth-update(8) for details.
# here are the per-package modules (the "Primary" block)
auth [success=1 default=ignore] pam_unix.so nullok_secure
# here's the fallback if no module succeeds
auth requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth required pam_permit.so
# and here are more per-package modules (the "Additional" block)
# end of pam-auth-update config

File: /etc/pam.d/common-password
#
# /etc/pam.d/common-password - password-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define the services to be
# used to change user passwords. The default is pam_unix.
# Explanation of pam_unix options:
#
# The "sha512" option enables salted SHA512 passwords. Without this option,
# the default is Unix crypt. Prior releases used the option "md5".
#
# The "obscure" option replaces the old `OBSCURE_CHECKS_ENAB' option in
# login.defs.
#
# See the pam_unix manpage for other options.
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules. See
# pam-auth-update(8) for details.
# here are the per-package modules (the "Primary" block)
password [success=1 default=ignore] pam_unix.so obscure sha512
# here's the fallback if no module succeeds
password requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
password required pam_permit.so
# and here are more per-package modules (the "Additional" block)
# end of pam-auth-update config

File: /etc/pam.d/common-session
#
# /etc/pam.d/common-session - session-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define tasks to be performed
# at the start and end of sessions of *any* kind (both interactive and
# non-interactive).
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules. See
# pam-auth-update(8) for details.
# here are the per-package modules (the "Primary" block)
session [default=1] pam_permit.so
# here's the fallback if no module succeeds
session requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
session required pam_permit.so
# and here are more per-package modules (the "Additional" block)
session required pam_unix.so
# end of pam-auth-update config

File: /etc/pam.d/common-session-noninteractive
#
# /etc/pam.d/common-session-noninteractive - session-related modules
# common to all non-interactive services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define tasks to be performed
# at the start and end of all non-interactive sessions.
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules. See
# pam-auth-update(8) for details.
# here are the per-package modules (the "Primary" block)
session [default=1] pam_permit.so
# here's the fallback if no module succeeds
session requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
session required pam_permit.so
# and here are more per-package modules (the "Additional" block)
session required pam_unix.so
# end of pam-auth-update config

File: /etc/pam.d/cron
#
# The PAM configuration file for the cron daemon
#
@include common-auth
# Read environment variables from pam_env's default files, /etc/environment
# and /etc/security/pam_env.conf.
session required pam_env.so
# In addition, read system locale information
session required pam_env.so envfile=/etc/default/locale
@include common-account
@include common-session-noninteractive
# Sets up user limits, please define limits for cron tasks
# through /etc/security/limits.conf
session required pam_limits.so

File: /etc/pam.d/dovecot
#%PAM-1.0
@include common-auth
@include common-account
@include common-session

File: /etc/pam.d/login
#
# The PAM configuration file for the Shadow `login' service
#
# Enforce a minimal delay in case of failure (in microseconds).
# (Replaces the `FAIL_DELAY' setting from login.defs)
# Note that other modules may require another minimal delay. (for example,
# to disable any delay, you should add the nodelay option to pam_unix)
auth optional pam_faildelay.so delay=3000000
# Outputs an issue file prior to each login prompt (Replaces the
# ISSUE_FILE option from login.defs). Uncomment for use
# auth required pam_issue.so issue=/etc/issue
# Disallows root logins except on tty's listed in /etc/securetty
# (Replaces the `CONSOLE' setting from login.defs)
#
# With the default control of this module:
# [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die]
# root will not be prompted for a password on insecure lines.
# if an invalid username is entered, a password is prompted (but login
# will eventually be rejected)
#
# You can change it to a "requisite" module if you think root may mis-type
# her login and should not be prompted for a password in that case. But
# this will leave the system as vulnerable to user enumeration attacks.
#
# You can change it to a "required" module if you think it permits to
# guess valid user names of your system (invalid user names are considered
# as possibly being root on insecure lines), but root passwords may be
# communicated over insecure lines.
auth [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die] pam_securetty.so
# Disallows other than root logins when /etc/nologin exists
# (Replaces the `NOLOGINS_FILE' option from login.defs)
auth requisite pam_nologin.so
# SELinux needs to be the first session rule. This ensures that any
# lingering context has been cleared. Without out this it is possible
# that a module could execute code in the wrong domain.
# When the module is present, "required" would be sufficient (When SELinux
# is disabled, this returns success.)
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
# This module parses environment configuration file(s)
# and also allows you to use an extended config
# file /etc/security/pam_env.conf.
#
# parsing /etc/environment needs "readenv=1"
session required pam_env.so readenv=1
# locale variables are also kept into /etc/default/locale in etch
# reading this file *in addition to /etc/environment* does not hurt
session required pam_env.so readenv=1 envfile=/etc/default/locale
# Standard Un*x authentication.
@include common-auth
# This allows certain extra groups to be granted to a user
# based on things like time of day, tty, service, and user.
# Please edit /etc/security/group.conf to fit your needs
# (Replaces the `CONSOLE_GROUPS' option in login.defs)
auth optional pam_group.so
# Uncomment and edit /etc/security/time.conf if you need to set
# time restrainst on logins.
# (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs
# as well as /etc/porttime)
# account requisite pam_time.so
# Uncomment and edit /etc/security/access.conf if you need to
# set access limits.
# (Replaces /etc/login.access file)
# account required pam_access.so
# Sets up user limits according to /etc/security/limits.conf
# (Replaces the use of /etc/limits in old login)
session required pam_limits.so
# Prints the last login info upon succesful login
# (Replaces the `LASTLOG_ENAB' option from login.defs)
session optional pam_lastlog.so
# Prints the motd upon succesful login
# (Replaces the `MOTD_FILE' option in login.defs)
session optional pam_motd.so
# Prints the status of the user's mailbox upon succesful login
# (Replaces the `MAIL_CHECK_ENAB' option from login.defs).
#
# This also defines the MAIL environment variable
# However, userdel also needs MAIL_DIR and MAIL_FILE variables
# in /etc/login.defs to make sure that removing a user
# also removes the user's mail spool file.
# See comments in /etc/login.defs
session optional pam_mail.so standard
# Standard Un*x account and session
@include common-account
@include common-session
@include common-password
# SELinux needs to intervene at login time to ensure that the process
# starts in the proper default security context. Only sessions which are
# intended to run in the user's context should be run after this.
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
# When the module is present, "required" would be sufficient (When SELinux
# is disabled, this returns success.)

File: /etc/pam.d/newusers
# The PAM configuration file for the Shadow 'newusers' service
#
@include common-password

File: /etc/pam.d/other
#
# /etc/pam.d/other - specify the PAM fallback behaviour
#
# Note that this file is used for any unspecified service; for example
#if /etc/pam.d/cron specifies no session modules but cron calls
#pam_open_session, the session module out of /etc/pam.d/other is
#used. If you really want nothing to happen then use pam_permit.so or
#pam_deny.so as appropriate.
# We fall back to the system default in /etc/pam.d/common-*
#
@include common-auth
@include common-account
@include common-password
@include common-session

File: /etc/pam.d/passwd
#
# The PAM configuration file for the Shadow `passwd' service
#
@include common-password

File: /etc/pam.d/pop3
# PAM configuration file for Courier POP3 daemon
@include common-auth
@include common-account
@include common-password
@include common-session

File: /etc/pam.d/ppp
#%PAM-1.0
# Information for the PPPD process with the 'login' option.
auth required pam_nologin.so
@include common-auth
@include common-account
@include common-session

File: /etc/pam.d/sshd
# PAM configuration for the Secure Shell service
# Read environment variables from /etc/environment and
# /etc/security/pam_env.conf.
auth required pam_env.so # [1]
# In Debian 4.0 (etch), locale-related environment variables were moved to
# /etc/default/locale, so read that as well.
auth required pam_env.so envfile=/etc/default/locale
# Standard Un*x authentication.
@include common-auth
# Disallow non-root logins when /etc/nologin exists.
account required pam_nologin.so
# Uncomment and edit /etc/security/access.conf if you need to set complex
# access limits that are hard to express in sshd_config.
# account required pam_access.so
# Standard Un*x authorization.
@include common-account
# Standard Un*x session setup and teardown.
@include common-session
# Print the message of the day upon successful login.
session optional pam_motd.so # [1]
# Print the status of the user's mailbox upon successful login.
session optional pam_mail.so standard noenv # [1]
# Set up user limits from /etc/security/limits.conf.
session required pam_limits.so
# Set up SELinux capabilities (need modified pam)
# session required pam_selinux.so multiple
# Standard Un*x password updating.
@include common-password

File: /etc/pam.d/su
#
# The PAM configuration file for the Shadow `su' service
#
# This allows root to su without passwords (normal operation)
auth sufficient pam_rootok.so
# Uncomment this to force users to be a member of group root
# before they can use `su'. You can also add "group=foo"
# to the end of this line if you want to use a group other
# than the default "root" (but this may have side effect of
# denying "root" user, unless she's a member of "foo" or explicitly
# permitted earlier by e.g. "sufficient pam_rootok.so").
# (Replaces the `SU_WHEEL_ONLY' option from login.defs)
# auth required pam_wheel.so
# Uncomment this if you want wheel members to be able to
# su without a password.
# auth sufficient pam_wheel.so trust
# Uncomment this if you want members of a specific group to not
# be allowed to use su at all.
# auth required pam_wheel.so deny group=nosu
# Uncomment and edit /etc/security/time.conf if you need to set
# time restrainst on su usage.
# (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs
# as well as /etc/porttime)
# account requisite pam_time.so
# This module parses environment configuration file(s)
# and also allows you to use an extended config
# file /etc/security/pam_env.conf.
#
# parsing /etc/environment needs "readenv=1"
session required pam_env.so readenv=1
# locale variables are also kept into /etc/default/locale in etch
# reading this file *in addition to /etc/environment* does not hurt
session required pam_env.so readenv=1 envfile=/etc/default/locale
# Defines the MAIL environment variable
# However, userdel also needs MAIL_DIR and MAIL_FILE variables
# in /etc/login.defs to make sure that removing a user
# also removes the user's mail spool file.
# See comments in /etc/login.defs
#
# "nopen" stands to avoid reporting new mail when su'ing to another user
session optional pam_mail.so nopen
# Sets up user limits, please uncomment and read /etc/security/limits.conf
# to enable this functionality.
# (Replaces the use of /etc/limits in old login)
# session required pam_limits.so
# The standard Unix authentication modules, used with
# NIS (man nsswitch) as well as normal /etc/passwd and
# /etc/shadow entries.
@include common-auth
@include common-account
@include common-session

File: /etc/pam.d/sudo
#%PAM-1.0
@include common-auth
@include common-account
session required pam_permit.so
session required pam_limits.so

File: /etc/pam.d/vsftpd
auth required pam_pwdfile.so pwdfile /etc/vsftpd/ftpd.passwd
account required pam_permit.so

File: /etc/pam.d/vsftpd.bak
auth required pam_userdb.so db=/etc/vsftpd/vsftpd_login crypt=hash
account required pam_userdb.so db=/etc/vsftpd/vsftpd_login crypt=hash
- osgx about 11 years: Please, show us all files from /etc/pam.d, both their list (ls -l) and content. What is your linux?
- tadywankenobi about 11 years: Hi @osgx, the system is a cloud-hosted VPS (Ubuntu 11.04 LAMP x64). I'll append the content of pam.d to the original post. What do you mean by "and content" in your request?
- osgx about 11 years:
for a in /etc/pam.d/*; do echo "File: $a"; cat "$a"; done
- tadywankenobi about 11 years: Added that there now @osgx. Thanks a mill for your help and for looking at this.
- osgx about 11 years: Or maybe enable debugging of PAM and check debug.log for pam errors?
- tadywankenobi about 11 years: Do you think it makes a difference that there is no "system-auth" file in the pam.d directory?
- osgx about 11 years: No, there are no links to a "system-auth" file in your config. I think it was used in older setups of PAM. I just want to see more detailed logs from PAM, and to get them you need to enable debugging by creating the /etc/pam_debug file and ensuring that syslog will save debug messages.
- tadywankenobi about 11 years: Question on stackoverflow deleted.
- osgx about 11 years: Ok, thanks. I still want you to enable debug of PAM and check logs.
- osgx about 11 years: Your settings look good, just compared with my Ubuntu. And a new idea: check the files with ls -l /etc/nologin /etc/passwd /etc/shadow.
- tadywankenobi about 11 years: There is no /etc/nologin. The files /etc/passwd and /etc/shadow look fine I think. Nothing out of the ordinary there. How secure is it for me to be posting those files here?
- tadywankenobi about 11 years: Many many thanks to @osgx for taking time with me to work this out. This has worked with regard to the user being able to ssh in now. I have other permissions issues with the ftp, but I've asked that now in a separate question. I had followed a guide to set up users, suggesting /bin/false as their empty shell. As osgx has pointed out, this is not a shell file. I didn't know any better. Thanks all for the help.