I am getting an issue with what looks like some, but not all, of our LDAP accounts: a sudoers entry is in place with NOPASSWD, yet sudo is still asking for a password. Seeing this on AIX 7.3 or 7.2:
sudo_ids-1.9.15p5-1.ppc
###
- pam.conf
#
# PAM Configuration File
#
#########################################################################
# change log:
# 01/19/12 michael - add in stanzas to make this a proper subset of all needed
# ??/??/11 cwa - added IBM Systems Director lwilogin
#########################################################################
#
# This file controls the PAM stacks for PAM enabled services.
# The format of each entry is as follows:
#
# <service_name> <module_type> <control_flag> <module_path> [module_options]
#
# Where:
# <service_name> is:
# The name of the PAM enabled service.
#
# <module_type> is one of:
# auth, account, password, session
#
# <control_flag> is one of:
# required, requisite, sufficient, optional
#
# <module_path> is:
# The path to the module. If the field does not begin with '/'
# then /usr/lib/security is prefixed for 32-bit services,
# /usr/lib/security/64/ is prefixed for 64-bit services.
# If the module path is given as a full path, it is used directly
# for 32-bit services; for 64-bit services the module path is
# derived as <module_path>/64/<module_name>.
#
# [module_options] is:
# An optional field. Consult the specified modules documentation
# for valid options.
#
# The service name OTHER controls the behavior of services that are PAM
# enabled but do not have an explicit entry in this file.
#
#
# Authentication
#
# Stack order matters: a "requisite" module that fails ends the stack at
# once, so the services below that put pam_permission first (ftp, login,
# rlogin, sshd, telnet, bfagent) fail closed before pam_aix is consulted.
# su instead tries pam_allowroot as "sufficient" first -- presumably so a
# uid 0 caller is not prompted; confirm against the module's documentation.
ftp auth requisite /usr/lib/security/pam_permission
ftp auth required /usr/lib/security/pam_aix
imap auth required /usr/lib/security/pam_aix
login auth requisite /usr/lib/security/pam_permission
login auth required /usr/lib/security/pam_aix
rexec auth required /usr/lib/security/pam_aix
rlogin auth sufficient /usr/lib/security/pam_rhosts_auth
rlogin auth requisite /usr/lib/security/pam_permission
rlogin auth required /usr/lib/security/pam_aix
rsh auth required /usr/lib/security/pam_rhosts_auth
sshd auth requisite /usr/lib/security/pam_permission
sshd auth required /usr/lib/security/pam_aix
snapp auth required /usr/lib/security/pam_aix
su auth sufficient /usr/lib/security/pam_allowroot
su auth required /usr/lib/security/pam_aix
telnet auth requisite /usr/lib/security/pam_permission
telnet auth required /usr/lib/security/pam_aix
# Default-deny: any PAM service without its own stanza hits pam_prohibit,
# which rejects every request (same pattern in the three sections below).
OTHER auth required /usr/lib/security/pam_prohibit
#
# Account Management
#
ftp account required /usr/lib/security/pam_aix
login account required /usr/lib/security/pam_aix
rexec account required /usr/lib/security/pam_aix
rlogin account required /usr/lib/security/pam_aix
rsh account required /usr/lib/security/pam_aix
sshd account required /usr/lib/security/pam_aix
su account sufficient /usr/lib/security/pam_allowroot
su account required /usr/lib/security/pam_aix
telnet account required /usr/lib/security/pam_aix
OTHER account required /usr/lib/security/pam_prohibit
#
# Password Management
#
login password required /usr/lib/security/pam_aix
passwd password required /usr/lib/security/pam_aix
rlogin password required /usr/lib/security/pam_aix
su password required /usr/lib/security/pam_aix
sshd password required /usr/lib/security/pam_aix
telnet password required /usr/lib/security/pam_aix
OTHER password required /usr/lib/security/pam_prohibit
#
# Session Management
#
ftp session required /usr/lib/security/pam_aix
imap session required /usr/lib/security/pam_aix
login session required /usr/lib/security/pam_aix
rexec session required /usr/lib/security/pam_aix
rlogin session required /usr/lib/security/pam_aix
rsh session required /usr/lib/security/pam_aix
snapp session required /usr/lib/security/pam_aix
sshd session required /usr/lib/security/pam_aix
su session required /usr/lib/security/pam_aix
telnet session required /usr/lib/security/pam_aix
# auto-make home directory ("optional": a failure here does not block login)
login session optional /usr/lib/security/pam_mkuserhome
rlogin session optional /usr/lib/security/pam_mkuserhome
telnet session optional /usr/lib/security/pam_mkuserhome
OTHER session required /usr/lib/security/pam_prohibit
#
#Entries for authexec
#
# Relative module names resolve per the header note above
# (/usr/lib/security for 32-bit, /usr/lib/security/64 for 64-bit callers).
# No session entry is defined for authexec.
authexec auth required pam_aix
authexec account required pam_aix
authexec password required pam_aix
#
#
#
# websm
#
websm_rlogin auth sufficient /usr/lib/security/pam_rhosts_auth
websm_rlogin auth required /usr/lib/security/pam_aix use_new_state
# NOTE(review): websm_su lists pam_aix twice, first sufficient then required;
# the required line is only reached when the sufficient one fails, which would
# presumably prompt a second time -- confirm this stack is intended.
websm_su auth sufficient /usr/lib/security/pam_aix
websm_su auth required /usr/lib/security/pam_aix
websm_rlogin account required /usr/lib/security/pam_aix mode=S_RLOGIN
websm_su account sufficient /usr/lib/security/pam_aix mode=S_SU
websm_su account required /usr/lib/security/pam_aix mode=S_SU
websm_rlogin password required /usr/lib/security/pam_aix use_new_state try_first_pass
websm_su password required /usr/lib/security/pam_aix try_first_pass
websm_rlogin session required /usr/lib/security/pam_aix
websm_su session required /usr/lib/security/pam_aix
#
#Entries for Systems Director
#
lwilogin auth required pam_aix
lwilogin account required pam_aix
lwilogin password required pam_aix
lwilogin session required pam_aix
#
# BuildForge agent
#
bfagent auth requisite /usr/lib/security/pam_permission
bfagent auth required pam_aix
bfagent account required pam_aix
wbem auth required /usr/lib/security/pam_aix
wbem account required /usr/lib/security/pam_aix
wbem password required /usr/lib/security/pam_aix
wbem session required /usr/lib/security/pam_aix
# Needed for new sudo (added 01/28/2022 JK)
#
# sudo stack: pam_aix alone in all four phases. Unlike login, sshd, telnet,
# ftp, rlogin and bfagent above there is no pam_permission requisite in front
# of pam_aix here -- confirm that is intentional.
# NOTE(review): sudo only runs this auth stack when sudoers has decided a
# password is required; a matching NOPASSWD rule skips authentication, while
# the account and session phases still run. A password prompt despite NOPASSWD
# therefore usually means the rule did not match the invoking user (e.g. group
# membership not resolved for an LDAP account, or a later rule overriding it)
# or a Defaults option such as targetpw/rootpw -- check `sudo -l` as an
# affected user before changing this stack.
sudo auth required /usr/lib/security/pam_aix
sudo account required /usr/lib/security/pam_aix
sudo password required /usr/lib/security/pam_aix
sudo session required /usr/lib/security/pam_aix
###
###
- methods.cfg
* Loadable authentication methods; the stanza names are what SYSTEM and
* registry values in /etc/security/user refer to.
NIS:
program = /usr/lib/security/NIS
program_64 = /usr/lib/security/NIS_64
DCE:
program = /usr/lib/security/DCE
* NOTE(review): DCE and PAM list no program_64, unlike NIS and LDAP --
* confirm 64-bit callers still resolve them (presumably via the 64/ lookup).
PAM:
program = /usr/lib/security/PAM
* PAMfiles: authentication through PAM, user database from BUILTIN (local files).
PAMfiles:
options = auth=PAM,db=BUILTIN
* LDAP: the method named first in the user file's SYSTEM = "LDAP or compat".
LDAP:
program = /usr/lib/security/LDAP
program_64 = /usr/lib/security/LDAP64
###
###
- login.cfg
* (these attributes belong to a stanza whose header is not in this paste;
* presumably "default:" -- confirm)
sak_enabled = false
logintimes =
* logindisable / logininterval / loginreenable all 0: presumably no port-level
* lockout after failed logins is configured here -- confirm; the per-user
* lockout comes from loginretries in /etc/security/user.
logindisable = 0
logininterval = 0
loginreenable = 0
logindelay = 10
*/dev/console:
* synonym = /dev/tty0
usw:
* auth_type = PAM_AUTH: authentication is routed through the PAM stacks in
* /etc/pam.conf rather than the classic STD_AUTH path (per AIX docs --
* verify for this release).
auth_type = PAM_AUTH
logintimeout = 30
maxlogins = 32767
mkhomeatlogin = true
* Site-specific entries are included in the allowed login shells; review
* them when the list is changed.
shells = /bin/sh,/bin/bsh,/bin/csh,/bin/ksh,/bin/tsh,/bin/ksh93,/usr/bin/sh,/usr/bin/bsh,/usr/bin/csh,/usr/bin/ksh,/usr/bin/tsh,/usr/bin/ksh93,/usr/bin/rksh,/usr/bin/rksh93,/usr/sbin/uucp/uucico,/usr/sbin/sliplogin,/usr/sbin/snappd,/usr/bin/bash,/bin/hnbdefaultshell,/usr/bin/hnbdefaultshell,/uv/bin/uv
* pwd_algorithm: hash used for local passwords (presumably the LPA name;
* confirm against /etc/security/pwdalg.cfg).
pwd_algorithm = ssha256
unix_passwd_compat = true
* NOTE(review): logindelay is already set above; confirm it is meant to be
* repeated in the usw stanza.
logindelay = 10
###
###
- /etc/security/user (defaults section)
* Defaults inherited by every user stanza that does not override them.
default:
account_locked = false
admgroups =
admin = false
* auth1 = SYSTEM with SYSTEM = "LDAP or compat" (below): authentication
* presumably tries the LDAP method from methods.cfg first and falls back to
* compat (local) -- confirm, and check the per-user SYSTEM/registry values of
* the accounts that misbehave.
auth1 = SYSTEM
auth2 = NONE
daemon = true
default_roles =
dictionlist = /usr/local/etc/pwddictionary.dat
expires = 0
* login = false by default while rlogin = true: local login must be enabled
* per user, remote login is allowed by default -- confirm this is intended.
login = false
* presumably lock the account after 5 consecutive failures -- confirm
loginretries = 5
logintimes =
* Password policy: history of 50 entries, reuse blocked for histexpire
* (presumably weeks) = 26; minimum length 14 with per-class minima below.
histexpire = 26
histsize = 50
* NOTE(review): maxage = 0 and maxexpired = -1 presumably mean no password
* aging is enforced by default -- confirm against the AIX user attribute docs.
maxage = 0
maxexpired = -1
maxrepeats = 4
minage = 0
minalpha = 3
mindiff = 4
mindigit = 1
minlen = 14
minloweralpha = 1
minother = 3
minupperalpha = 1
pwdchecks =
pwdwarntime = 5
rlogin = true
SYSTEM = "LDAP or compat"
su = true
sugroups = ALL
tpath = nosak
ttys = ALL
umask = 027
* NOTE(review): these two were appended out of order; maxrepeats is already
* set above -- confirm minrepeats is a recognized attribute on this AIX level.
minrepeats = 4
minspecialchar = 1
###
I have also set up debugging for sudo and sudoers, if that is needed. I have set up pam_debug as well but am not seeing any output there yet.
------------------------------
Joshua Krause
------------------------------