Senha root

leonardoortiz
(usa CentOS)

Enviado em 25/08/2013 - 19:24h

ok.
Me passa o conteúdo desse cara:
/etc/pam.d/sshd

e desse:
etc/pam.d/login

ldfxavier
(usa Debian)

Enviado em 25/08/2013 - 19:28h

/etc/pam.d/sshd : 

# PAM configuration for the Secure Shell service

# Read environment variables from /etc/environment and
# /etc/security/pam_env.conf.
auth required pam_env.so # [1]
# In Debian 4.0 (etch), locale-related environment variables were moved to
# /etc/default/locale, so read that as well.
auth required pam_env.so envfile=/etc/default/locale

# Standard Un*x authentication.
@include common-auth

# Disallow non-root logins when /etc/nologin exists.
account required pam_nologin.so

# Uncomment and edit /etc/security/access.conf if you need to set complex
# access limits that are hard to express in sshd_config.
# account required pam_access.so

# Standard Un*x authorization.
@include common-account

# Standard Un*x session setup and teardown.
@include common-session

# Print the message of the day upon successful login.
session optional pam_motd.so # [1]

# Print the status of the user's mailbox upon successful login.
session optional pam_mail.so standard noenv # [1]

# Set up user limits from /etc/security/limits.conf.
session required pam_limits.so

# Set up SELinux capabilities (need modified pam)
# session required pam_selinux.so multiple

# Standard Un*x password updating.
@include common-password

etc/pam.d/login: 

# The PAM configuration file for the Shadow `login' service
#

# Enforce a minimal delay in case of failure (in microseconds).
# (Replaces the `FAIL_DELAY' setting from login.defs)
# Note that other modules may require another minimal delay. (for example,
# to disable any delay, you should add the nodelay option to pam_unix)
auth optional pam_faildelay.so delay=3000000

# Outputs an issue file prior to each login prompt (Replaces the
# ISSUE_FILE option from login.defs). Uncomment for use
# auth required pam_issue.so issue=/etc/issue

# Disallows root logins except on tty's listed in /etc/securetty
# (Replaces the `CONSOLE' setting from login.defs)
auth [success=ok ignore=ignore user_unknown=ignore default=die] pam_securetty.so

# Disallows other than root logins when /etc/nologin exists
# (Replaces the `NOLOGINS_FILE' option from login.defs)
auth requisite pam_nologin.so

# This module parses environment configuration file(s)
# and also allows you to use an extended config
# file /etc/security/pam_env.conf.
#
# parsing /etc/environment needs "readenv=1"
session required pam_env.so readenv=1
# locale variables are also kept into /etc/default/locale in etch
# reading this file *in addition to /etc/environment* does not hurt
session required pam_env.so readenv=1 envfile=/etc/default/locale

# Standard Un*x authentication.
@include common-auth

# This allows certain extra groups to be granted to a user
# based on things like time of day, tty, service, and user.
# Please edit /etc/security/group.conf to fit your needs
# (Replaces the `CONSOLE_GROUPS' option in login.defs)
auth optional pam_group.so

# Uncomment and edit /etc/security/time.conf if you need to set
# time restrainst on logins.
# (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs
# as well as /etc/porttime)
# account requisite pam_time.so

# Uncomment and edit /etc/security/access.conf if you need to
# set access limits.
# (Replaces /etc/login.access file)
# account required pam_access.so

# Sets up user limits according to /etc/security/limits.conf
# (Replaces the use of /etc/limits in old login)
session required pam_limits.so

# Prints the last login info upon succesful login
# (Replaces the `LASTLOG_ENAB' option from login.defs)
session optional pam_lastlog.so

# Prints the motd upon succesful login
# (Replaces the `MOTD_FILE' option in login.defs)
session optional pam_motd.so

# Prints the status of the user's mailbox upon succesful login
# (Replaces the `MAIL_CHECK_ENAB' option from login.defs).
#
# This also defines the MAIL environment variable
# However, userdel also needs MAIL_DIR and MAIL_FILE variables
# in /etc/login.defs to make sure that removing a user
# also removes the user's mail spool file.
# See comments in /etc/login.defs
session optional pam_mail.so standard

# SELinux needs to intervene at login time to ensure that the process
# starts in the proper default security context.
# Uncomment the following line to enable SELinux
# session required pam_selinux.so select_context

# Standard Un*x account and session
@include common-account
@include common-session
@include common-password

leonardoortiz
(usa CentOS)

Enviado em 25/08/2013 - 19:43h

hm, que coisa.
Faça assim, log com ambas as senhas e me passe o conteúdo do seu /var/log/auth.log

ldfxavier
(usa Debian)

Enviado em 25/08/2013 - 19:49h

Eu coloquei só uma linha "Failed password" mais apareceu muitas, muitas mesmo.

1° senha:

Aug 25 19:44:00 server sshd[14741]: Failed password for root from 54.232.121.214 port 52249 ssh2
Aug 25 19:46:14 server sshd[14769]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=177.41.122.164.dynamic.adsl.gvt.net.br user=root
Aug 25 19:46:14 server sshd[14769]: Accepted password for root from 177.41.122.164 port 52100 ssh2

2° senha:

Aug 25 19:44:00 server sshd[14741]: Failed password for root from 54.232.121.214 port 52249 ssh2
Aug 25 19:46:14 server sshd[14769]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=177.41.122.164.dynamic.adsl.gvt.net.br user=root
Aug 25 19:46:14 server sshd[14769]: Accepted password for root from 177.41.122.164 port 52100 ssh2
Aug 25 19:47:25 server sshd[14790]: Accepted password for root from 177.41.122.164 port 52166 ssh2

leonardoortiz
(usa CentOS)

Enviado em 25/08/2013 - 21:29h

Segundo o log, a primeira senha da um erro e dps ela passa, parece que tem uma segunda "fonte" ai...
Me passa o conteudo desses arquivos:
/etc/pam.d/common-auth
/etc/pam.d/common-session
/etc/pam.d/common-password

Me passa a config. do seu sshd_conf
Olha se no seu /etc/shadow tem mais de um usuário root(se puder passar a linha referente ao usuário root ajudaria). Veja se tem algo em hash no seu /etc/gshadow.

ldfxavier
(usa Debian)

Enviado em 25/08/2013 - 22:30h

Comparei todos os arquivos que você solicitou com o servidor que deu certo a troca de senha, e acho que esse ai é a única coisa que parece conter coisas úteis para esse problema.

sshd_config:

# Package generated configuration file

# See the sshd(8) manpage for details

Banner /etc/ssh/issue.ssh

# What ports, IPs and protocols we listen for

Port 2211

Port 22

# Use these options to restrict which interfaces/protocols sshd will bind to

#ListenAddress ::

#ListenAddress 0.0.0.0

Protocol 2

# HostKeys for protocol version 2

HostKey /etc/ssh/ssh_host_rsa_key

HostKey /etc/ssh/ssh_host_dsa_key

#Privilege Separation is turned on for security

UsePrivilegeSeparation yes



# Lifetime and size of ephemeral version 1 server key

KeyRegenerationInterval 3600

ServerKeyBits 768



# Logging

SyslogFacility AUTH

LogLevel INFO



# Authentication:

LoginGraceTime 120

PermitRootLogin yes

StrictModes yes



RSAAuthentication yes

PubkeyAuthentication yes

#AuthorizedKeysFile     %h/.ssh/authorized_keys



# Don't read the user's ~/.rhosts and ~/.shosts files

IgnoreRhosts yes

# For this to work you will also need host keys in /etc/ssh_known_hosts

RhostsRSAAuthentication no

# similar for protocol version 2

HostbasedAuthentication no

# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication

#IgnoreUserKnownHosts yes



# To enable empty passwords, change to yes (NOT RECOMMENDED)

PermitEmptyPasswords no



# Change to yes to enable challenge-response passwords (beware issues with

# some PAM modules and threads)

ChallengeResponseAuthentication no



# Change to no to disable tunnelled clear text passwords

#PasswordAuthentication yes



# Kerberos options

#KerberosAuthentication no

#KerberosGetAFSToken no

#KerberosOrLocalPasswd yes

#KerberosTicketCleanup yes



# GSSAPI options

#GSSAPIAuthentication no

#GSSAPICleanupCredentials yes



X11Forwarding yes

X11DisplayOffset 10

PrintMotd no

PrintLastLog yes

TCPKeepAlive yes

#UseLogin no



#MaxStartups 10:30:60

#Banner /etc/issue.net



# Allow client to pass locale environment variables

AcceptEnv LANG LC_*



Subsystem sftp /usr/lib/openssh/sftp-server



UsePAM yes

 

ldfxavier
(usa Debian)

Enviado em 26/08/2013 - 09:45h

Acabei de verificar, quando eu logo com a nova senha que eu criei aparece isso:

Accepted password for root from 177.205.114.18 port 50107 ssh2

E quando eu logo com a senha antiga que estou tentando alterar aparece isso:

pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=177.205.114.18.dynamic.adsl.gvt.net.br user=root
Accepted password for root from 177.205.114.18 port 50137 ssh2

Alguma dica ?

Marcus.Macedo
(usa Debian)

Enviado em 26/08/2013 - 09:53h

Olá,

Não sei se funcionara porque não fiz os testes, mas já tentou remover diretamente pelo arquivo /etc/shadow ?

Tente editar o arquivo shadow removendo a senha criptografada.

ldfxavier
(usa Debian)

Enviado em 26/08/2013 - 10:34h

Apaguei a senha no shadow e a segunda senha que eu criei com o passwd não funciona mais, porem, a primeira que eu quero tanto alterar continua funcionando.

leonardoortiz
(usa CentOS)

Enviado em 26/08/2013 - 12:59h

È aquilo que ti falei, parece que tem uma segunda "fonte" ai, um segundo shadow ou algo do tipo, aonde ele da erro em um e nisso tenta em outro....

Eu vi que tem um serviço do openldap rodando, verifica e passa pra gente o conteúdo desse cara:
/etc/ldap.conf
Ou o que tiver em /etc/ldap/ldap.conf
Verifica também, se no seu /etc/passwd tem algum usuário com o mesmo UID do root(0)
Arquivo passwd:
root:x:0:0:root:/root:/bin/bash
O user id é o 3° campo.

Qual o sistema que esta usando ?

ldfxavier
(usa Debian)

Enviado em 26/08/2013 - 13:27h

Meu deus cara, você não sabe o tanto que eu te amo !

Entrei na pasta ldap e fui entrando de 1 por 1 nos arquivos para verificar acabei achando a linha que tinha "rootpw", comentei essa linha e reiniciei o servidor, pronto, agora consigo logar apenas com a senha que eu criei !

Muito obrigado mesmo pela ajuda e atenção de todos.

Arquivo editado para resolução do problema:

/etc/ldap/slapd.conf

#rootpw



 

leonardoortiz
(usa CentOS)

Enviado em 26/08/2013 - 14:05h

blz, tem um ldap rodando ai.
Pode me passar o conteúdo do /etc/ldap/slapd.conf e do /etc/nsswitch.conf ?
Tem algum .ldip no /etc/ldap ?

----
Bom, que bom que deu certo :D
Mas tem algo que está fazendo ele puxar a senha do root da base do ldap, acredito que seja algum modulo do PAM que esteja fazendo isso.