Configuring PAM common files manually
This document (7019016) is provided subject to the disclaimer at the end of this document.
Environment
SUSE Linux Enterprise Server 12 Service Pack 2 (SLES 12 SP2)
Situation
Manual changes were made to the /etc/pam.d/common-account, /etc/pam.d/common-auth, /etc/pam.d/common-password and /etc/pam.d/common-session files per the "Manually Configuring PAM" section of the Security Guide.
sles12sp2:/etc/pam.d # ls -al common-*
lrwxrwxrwx 1 root root 17 Apr 4 16:49 common-account -> common-account-pc
-rw-r--r-- 1 root root 451 May 1 11:22 common-account-pc
lrwxrwxrwx 1 root root 14 Apr 4 16:49 common-auth -> common-auth-pc
-rw-r--r-- 1 root root 536 May 1 11:22 common-auth-pc
lrwxrwxrwx 1 root root 18 Apr 4 16:49 common-password -> common-password-pc
-rw-r--r-- 1 root root 429 May 1 11:22 common-password-pc
lrwxrwxrwx 1 root root 17 Apr 4 16:49 common-session -> common-session-pc
-rw-r--r-- 1 root root 547 May 1 11:22 common-session-pc
After the update, all the manual changes in the /etc/pam.d/common-{account,auth,password,session} files were overwritten.
Resolution
sles12sp2:/etc/pam.d # rm common-{account,auth,password,session}
sles12sp2:/etc/pam.d # ls -al common-*
-rw-r--r-- 1 root root 451 May 1 11:22 common-account-pc
-rw-r--r-- 1 root root 536 May 1 11:22 common-auth-pc
-rw-r--r-- 1 root root 429 May 1 11:22 common-password-pc
-rw-r--r-- 1 root root 547 May 1 11:22 common-session-pc
sles12sp2:/etc/pam.d # cp common-account-pc common-account
sles12sp2:/etc/pam.d # cp common-auth-pc common-auth
sles12sp2:/etc/pam.d # cp common-password-pc common-password
sles12sp2:/etc/pam.d # cp common-session-pc common-session
sles12sp2:/etc/pam.d # ls -al common-*
-rw-r--r-- 1 root root 451 May 1 11:22 common-account
-rw-r--r-- 1 root root 451 May 1 11:22 common-account-pc
-rw-r--r-- 1 root root 536 May 1 11:22 common-auth
-rw-r--r-- 1 root root 536 May 1 11:22 common-auth-pc
-rw-r--r-- 1 root root 429 May 1 11:22 common-password
-rw-r--r-- 1 root root 429 May 1 11:22 common-password-pc
-rw-r--r-- 1 root root 547 May 1 11:22 common-session
-rw-r--r-- 1 root root 547 May 1 11:22 common-session-pc
Now reapply all your manual changes to the /etc/pam.d/common-{account,auth,password,session} files instead of the /etc/pam.d/common-{account,auth,password,session}-pc files. When pam-config runs again, either manually or during a system update, it will create new /etc/pam.d/common-{account,auth,password,session}-pc files, but these will not affect the manual changes you made.
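A check that can be run after an update to confirm the manually maintained files are still in effect and to see whether the regenerated -pc files have drifted from them. This is an added example, not part of the original SUSE document; the function name pam_common_status is an assumption of the example.

```shell
#!/bin/sh
# Added example (not from the SUSE document).
# Reports, for each PAM common file, whether it is a symlink to the
# pam-config-generated -pc file or a manually maintained regular file,
# and whether a manual file differs from its -pc counterpart.
# Returns 0 only when all four common-* files are regular files.
pam_common_status() {
    dir=${1:-/etc/pam.d}
    rc=0
    for t in account auth password session; do
        f=$dir/common-$t
        pc=$f-pc
        if [ -L "$f" ]; then
            # Symlink in place: the pam-config output is live, so manual
            # edits made through this path land in the -pc file and can
            # be overwritten the next time pam-config runs.
            echo "common-$t: symlink -> $(readlink "$f") (pam-config managed)"
            rc=1
        elif [ ! -f "$f" ]; then
            # State between the rm and cp steps of the procedure:
            # services that include this file will not find it.
            echo "common-$t: missing"
            rc=1
        elif [ ! -f "$pc" ]; then
            echo "common-$t: manual, no -pc file to compare"
        elif cmp -s "$f" "$pc"; then
            echo "common-$t: manual, identical to common-$t-pc"
        else
            # Either manual edits exist or pam-config regenerated the -pc
            # file; review with: diff -u "$pc" "$f"
            echo "common-$t: manual, differs from common-$t-pc"
        fi
    done
    return $rc
}

# When a directory is passed on the command line, check it directly,
# for example: sh pam_common_status.sh /etc/pam.d
if [ $# -gt 0 ]; then
    pam_common_status "$1"
fi
```

A "differs" line after an update is the cue to compare the two files and decide whether a module that pam-config added to the -pc file also belongs in the manual file.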
Cause
Several packages trigger pam-config to run, such as: ecryptfs-utils, pam-config, pam_apparmor, systemd, systemd-32bit, gnome-keyring, and gnome-keyring-pam-32bit.
Per the Security Guide documentation:
"When you create your PAM configuration files from scratch using the pam-config --create command, it creates symbolic links from the common-* to the common-*-pc files. pam-config only modifies the common-*-pc configuration files. Removing these symbolic links effectively disables pam-config, because pam-config only operates on the common-*-pc files and these files are not put into effect without the symbolic links."
Disclaimer
This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.
- Document ID: 7019016
- Creation Date: 18-May-2017
- Modified Date: 03-Mar-2020
- SUSE Linux Enterprise Server
For questions or concerns with the SUSE Knowledgebase please contact: tidfeedback[at]suse.com