Article

(View Disclaimer)

Scope

This article is targeted at advanced users migrating from other Linux platforms to SUSE Linux who require UID 0 logins.

Skill Level

The methods described in this article are advanced. If you fail to follow the precautions, you will be booting into the rescue system to recover.

Security Note

There is a reason why SUSE Linux disables UID 0 logins via LDAP or any other authentication source. Quite plainly it is considered a security risk. Why? Simply put, enabling users to login in as root as an ordinary user from an external authentication source puts the risk of a security exploit external to the system in question. If the external authentication source is compromised, then EVERY system is potentially compromised. Also, the users will be logging with root privileges out of the gate. Since the *nix community in general discourages root login, enabling eternal authentication source UID 0 logins would violate this principle.

Please fully consider the implications before proceeding. Potential issues which may arise from implementing this include, but are by no means limited to:

• Legal issues
• Regulatory compliance
• Violates most best practices and industry guidelines

However, with all this said, there are some very valid reasons why one would want to implement UID 0 external authentication. It is up to you to decide and accept whether the benefits outweigh the risks.

Changes Explained

SUSE Linux uses PAM authentication for local users, and then nsswitch for LDAP users. When an LDAP user attempts to authenticate, information is passed through the PAM stack. Since the LDAP provided UID doesn't match the name for UID 0 found /etc/passwd.

Fortunately, there is an LDAP, Winbind, and eDirectory PAM module that can handle what is needed. This guide is aimed at LDAP modules, but you can substitute the module name that you need.

Valid Modules

• pam_winbind.so: Active Directory authentication
• pam_nam.so: eDirectory authentication, installed as part of Linux User Management
• pam_ldap.so: Generic LDAP authentication module

These modules are documented in /usr/share/doc/packages/pam/modules which is installed as part of the PAM stack.

Preparation and Precautions

Please make sure to follow appropriate precautions. If you mess up the procedures and don't test before rebooting you will have to boot up in the rescue system (since you are going to be editing the authentication stack, errors can and will prevent users, even root, from authentication remotely or at the console.)

Suggested implementation environment.

• One root terminal for implementing the changes
• One root terminal to watch /var/log/messages (tail -f /var/log/messages)
• One terminal logged in as a non-root user
• Backup the contents of /etc/pam.d and the file /etc/nsswitch.conf

The following is a recommended test procedure to validate the changes

1. In the non-root terminal Window, type "su - USER" (replace USER with user you are testing)
3. If it unsuccessful errors will be logged to the terminal window watching /var/log/messages
4. If it is successful, type "id USER" (replace user with correct name), the UID should show as 0
5. Type "su -", and see if you logged in as root
6. If any of the steps fail go back and evaluate whether you mistyped somewhere.

Changes to be made

1. /etc/nsswitch.conf
   

     passwd: files ldap
     shadow: files ldap
     group: files ldap
   	   
   

   Comment out compat sections

2. /etc/pam.d/common-auth

   Change:

     auth    required    pam_unix2.so
   

   To:

     auth    sufficient    pam_unix2.so    likeauth    nullock
   

   Add under pam_unix2.so declaration:

     auth     sufficient    pam_ldap.so    use_first_pass
   

3. /etc/pam.d/common-account

   Change:

     account    required    pam_unix2.so
   

   To:

     account    sufficient    pam_unix2.so    likeauth    nullock
   

   Add under pam_unix2.so declaration:

     account    sufficient    pam_ldap.so    use_first_pass
   

4. /etc/pam.d/common-password

   Change:

     password    required    pam_unix2.so
   

   To:

     password    sufficient    pam_unix2.so    likeauth    nullock
   

   Add under pam_unix2.so declaration:

     password     sufficient    pam_ldap.so    use_first_pass
   

5. /etc/pam.d/common-session

   Change:

     session    required    pam_unix2.so
   

   To:

     session    sufficient    pam_unix2.so    likeauth    nullock
   

   Add under pam_unix2.so declaration:

     session     sufficient    pam_ldap.so    use_first_pass
   	   
   

6. /etc/ldap.conf Only for LDAP configurations

   Make sure that the minimum UID is set to 0 and the max is commented
   out

     pam_min_uid 0
     #pam_max_uid 0
   	
   

Concluding Thoughts

As explained this guide shows the LDAP implementation. Other authentication sources can be used.

Disclaimer: As with everything else at Cool Solutions, this content is definitely not supported by Novell (so don't even think of calling Support if you try something and it blows up).

It was contributed by a community member and is published "as is." It seems to have worked for at least one person, and might work for you. But please be sure to test, test, test before you do anything drastic with it.