Re: [opensuse] 13.1 pam obstacle (was: missing services)
Samba (nmb and smb) I got working following reinstallation of samba and systemd, then enabling with systemctl. Joe Zappa composed on 2015-01-19 10:38 (UTC-0500):
Don't run telnet server on any host that can be accessed by telnet connection initiated from any host outside of your control.
We've been through security preaching ad nauseam before, something like 30-40 posts in just one thread: http://lists.opensuse.org/opensuse-factory/2014-06/msg00234.html Admonitions are precisely why this has been taking me so long, as searches produce preaching abundantly supplied by Google, instead of answers to questions asked. IIRC that thread includes somewhere the why of my wish to use telnet rather than sshd, and a consequent response stream that sshd supposedly isn't that "hard" even when dealing with 12+ installations per HD. On my LAN, all installations are under my control. Windows is rarely used. This is on a test box. It gets little use. I want telnet server to work on it. Telnet server is installed, but my attempts to get it enabled, via xinetd as that's apparently how it's supposed to work on systemd systems, were producing no fruit, unlike on Fedora on the same box. It was so late and I was so tired last night when I gave up that I can't remember how I finally enabled xinetd and got past connection refused starting a telnet client. Looking at bash history it may have been systemctl enable telnetd.socket and/or systemctl enable xinetd.socket, after reinstalling telnet-server. At this point I can bring up a session prompt with telnet client, but pam has apparently become the obstacle I'm not getting figured out. It accepts non-root login, but not root. As on most of my test installations I don't even create non-root users, and sometimes need some things to work without /home mounted, I want to know how to enable root to login. Until https://bugzilla.opensuse.org/show_bug.cgi?id=833253 I never even knew pam existed, much less how to customize it, while pam's man page isn't even 2 screens long. The man page refers to /etc/pam.conf, but this file does not exist. /etc/pam.d/ exists, but has over 50 files in it that the man page says nothing about. :-( -- "The wise are known for their understanding, and pleasant words are persuasive." 
Proverbs 16:21 (New Living Translation) Team OS/2 ** Reg. Linux User #211409 ** a11y rocks! Felix Miata *** http://fm.no-ip.com/ -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
On 2015-01-19 20:23, Felix Miata wrote:
Until https://bugzilla.opensuse.org/show_bug.cgi?id=833253 I never even knew pam existed, much less how to customize it, while pam's man page isn't even 2 screens long. The man page refers to /etc/pam.conf, but this file does not exist. /etc/pam.d/ exists, but has over 50 files in it that the man page says nothing about. :-(
There is "man pam.d" Possibly there is a file in there that mentions telnet. And another in xinet.d. Of course that not allowing root login is intentional. You are fighting against the design. Maybe configurable, dunno. -- Cheers / Saludos, Carlos E. R. (from 13.1 x86_64 "Bottle" at Telcontar)
Carlos E. R. composed on 2015-01-19 21:03 (UTC+0100):
Felix Miata wrote:
Until https://bugzilla.opensuse.org/show_bug.cgi?id=833253 I never even knew pam existed, much less how to customize it, while pam's man page isn't even 2 screens long. The man page refers to /etc/pam.conf, but this file does not exist. /etc/pam.d/ exists, but has over 50 files in it that the man page says nothing about. :-(
There is "man pam.d"
It's longer, but if it has an answer, I'm not seeing it.
Possibly there is a file in there that mentions telnet. And another in xinet.d.
There is a telnet file there that defaulted to 'disable = yes'. I doubt xinetd has anything to do with the remaining prohibition of root login, since as another user I can log in.
Of course that not allowing root login is intentional. You are fighting against the design. Maybe configurable, dunno.
Even the telnetd man page implores to use sshd instead.
On 2015-01-19 23:40, Felix Miata wrote:
Carlos E. R. composed on 2015-01-19 21:03 (UTC+0100):
There is "man pam.d"
It's longer, but if it has an answer, I'm not seeing it.
Well, I know what pam is, but not how to configure it. It is complex, and I have avoided it. I just tried a search for a page at the opensuse wiki, but I get a time out error.
Possibly there is a file in there that mentions telnet. And another in xinet.d.
There is a telnet file there that defaulted to 'disable = yes'. I doubt xinetd has anything to do with the remaining prohibition of root login, since as another user I can log in.
It can pass configuration options to the services it starts. The valid options depend on the particular service.
On 01/19/2015 05:40 PM, Felix Miata wrote:
Carlos E. R. composed on 2015-01-19 21:03 (UTC+0100):
Felix Miata wrote:
Until https://bugzilla.opensuse.org/show_bug.cgi?id=833253 I never even knew pam existed, much less how to customize it, while pam's man page isn't even 2 screens long. The man page refers to /etc/pam.conf, but this file does not exist. /etc/pam.d/ exists, but has over 50 files in it that the man page says nothing about. :-(
There is "man pam.d"
It's longer, but if it has an answer, I'm not seeing it.
Possibly there is a file in there that mentions telnet. And another in xinet.d.
There is a telnet file there that defaulted to 'disable = yes'. I doubt xinetd has anything to do with the remaining prohibition of root login, since as another user I can log in.
Of course that not allowing root login is intentional. You are fighting against the design. Maybe configurable, dunno.
Even the telnetd man page implores to use sshd instead.
Then why fight it, Felix, you will be assimilated. :-) -- Ken Schneider SuSe since Version 5.2, June 1998
On Mon, 19 Jan 2015 14:23:04 -0500 Felix Miata <mrmazda@earthlink.net> writes:
At this point I can bring up a session prompt with telnet client, but pam has apparently become the obstacle I'm not getting figured out. It accepts non-root login, but not root. As on most of my test installations I don't even create non-root users, and sometimes need some things to work without /home mounted, I want to know how to enable root to login.
man pam_securetty
Andrei Borzenkov composed on 2015-01-20 06:21 (UTC+0300):
Mon, 19 Jan 2015 14:23:04 -0500 Felix Miata composed:
At this point I can bring up a session prompt with telnet client, but pam has apparently become the obstacle I'm not getting figured out. It accepts non-root login, but not root. As on most of my test installations I don't even create non-root users, and sometimes need some things to work without /home mounted, I want to know how to enable root to login.
man pam_securetty
Thank you. Unfortunately, that is yet another blatantly terse and short man page. All I know so far from it is that the list of secure devices in /etc/securetty for Fedora is vastly longer than for openSUSE, 28 vs 6.
On Tue, Jan 20, 2015 at 8:02 AM, Felix Miata <mrmazda@earthlink.net> wrote:
Andrei Borzenkov composed on 2015-01-20 06:21 (UTC+0300):
Mon, 19 Jan 2015 14:23:04 -0500 Felix Miata composed:
At this point I can bring up a session prompt with telnet client, but pam has apparently become the obstacle I'm not getting figured out. It accepts non-root login, but not root. As on most of my test installations I don't even create non-root users, and sometimes need some things to work without /home mounted, I want to know how to enable root to login.
man pam_securetty
Thank you.
Unfortunately, that is yet another blatantly terse and short man page. All I know so far from it is that the list of secure devices in /etc/securetty for Fedora is vastly longer than for openSUSE, 28 vs 6.
If you want to allow root login over the network, simply remove pam_securetty from the stack. There was recently a discussion on factory about making it the default. Or use ssh :)
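As an added illustration (not code from this thread), a small Python audit that models the pam_securetty rule Andrei points to: only root is subject to the check, and the login tty, with any leading /dev/ stripped, must appear in /etc/securetty. The PAM service file and securetty contents below are constructed samples in openSUSE style, not real dumps; the audit shows why a network login on pts/0 is refused for root but not for other users, and what changes once the module is dropped from the stack.

```python
"""Audit a PAM service stack for pam_securetty and predict its verdict for a login.

Models the documented pam_securetty rule: only root is subject to the check;
the tty name (leading "/dev/" stripped) must match a line of /etc/securetty,
otherwise the module fails. Network logins arrive on pts/N, which a short
console-only securetty does not list, so root is refused while other users pass.
"""
from typing import Optional

# Constructed openSUSE-style /etc/pam.d/login (sample for this example, not a real dump).
SAMPLE_PAM_LOGIN = """\
#%PAM-1.0
auth     requisite  pam_nologin.so
auth     required   pam_securetty.so
auth     include    common-auth
account  include    common-account
session  include    common-session
"""

# Constructed /etc/securetty: physical consoles only, no pts/* lines.
SAMPLE_SECURETTY = "# root may log in from these terminals\nconsole\ntty1\ntty2\nttyS0\n"


def parse_pam_stack(text: str):
    """Return (type, control, module-and-args) triples, skipping comments and blank lines."""
    rows = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            fields = line.split(None, 2)
            if len(fields) == 3:
                rows.append(tuple(fields))
    return rows


def securetty_allows(user: str, tty: str, securetty: Optional[str]) -> bool:
    """Emulate pam_securetty: non-root users always pass; root only on a listed tty."""
    if user != "root":
        return True
    if securetty is None:      # Linux-PAM treats a missing /etc/securetty as success (logged)
        return True
    if tty.startswith("/dev/"):
        tty = tty[5:]
    listed = {l.strip() for l in securetty.splitlines() if l.strip() and not l.startswith("#")}
    return tty in listed


def audit_login(pam_text: str, securetty: Optional[str], user: str, tty: str) -> dict:
    """Report whether pam_securetty is on the auth stack and its verdict for user/tty."""
    mods = [(ctl, mod) for typ, ctl, mod in parse_pam_stack(pam_text)
            if typ == "auth" and mod.startswith("pam_securetty")]
    present = bool(mods)
    verdict = securetty_allows(user, tty, securetty) if present else True
    return {"securetty_present": present,
            "control": mods[0][0] if present else None,
            "securetty_verdict": verdict}
```

The verdict covers only pam_securetty; the other auth modules on the stack (pam_nologin, common-auth) still decide the rest of the login.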