pam.d authconfig symlinks missing in RHEL 6.6


Deploying the same kickstart file with RHEL6.5 and then RHEL6.6 it appears that the pam.d authconfig symlinks are not created in the RHEL6.6 build.

The symlinks I am referring to are:

/etc/pam.d/fingerprint-auth -> /etc/pam.d/fingerprint-auth-ac
/etc/pam.d/password-auth -> /etc/pam.d/password-auth-ac
/etc/pam.d/smartcard-auth -> /etc/pam.d/smartcard-auth-ac
/etc/pam.d/system-auth -> /etc/pam.d/system-auth-ac

-edit-

It is related to the other issue I raised with RHEL 6.6 installer
https://access.redhat.com/discussions/1341583

As with the above iptables issue, authconfig has been stripped from the minimal install, so if you don't include it explicitly it won't set up the above symlinks (and other auth configuration you specify).

Hope someone finds this information useful.

Responses

Hey Pixel,
Can you install pam without authconfig (or vice-versa)? This is an interesting issue/problem. pam will install the files (system-auth, for example) which makes me wonder if authconfig just removes the file and then creates that symlink (to system-auth-ac)?

This one has been fun, but I don't think I have an actual understanding of how this works (or what broke).

From a box running CentOS 6.6 (patched UP to that level though from 6.4)

# yum whatprovides /etc/pam.d/system-auth* | grep -A4 ^[a-z] | egrep '^auth|^pam|File'
pam-1.1.1-20.el6.i686 : An extensible library which provides authentication for
Filename    : /etc/pam.d/system-auth
pam-1.1.1-20.el6.x86_64 : An extensible library which provides authentication
Filename    : /etc/pam.d/system-auth
authconfig-6.1.12-19.el6.x86_64 : Command line tool for setting up
Filename    : /etc/pam.d/system-auth-ac
pam-1.1.1-20.el6.x86_64 : An extensible library which provides authentication
authconfig-6.1.12-19.el6.x86_64 : Command line tool for setting up

I have the 6.4 rpms so I pulled them down and unrolled them in /var/tmp/. I believe there must be a python module that handles this...

grep -R system-auth-ac *
Binary file authconfig-6.1.12-13.el6.x86_64.rpm matches
Binary file usr/share/authconfig/authinfo.pyc matches
usr/share/authconfig/authinfo.py:AUTH_PAM_SERVICE_AC = "system-auth-ac"
usr/share/authconfig/authinfo.py:   FileBackup("system-auth-ac", SYSCONFDIR+"/pam.d/"+AUTH_PAM_SERVICE_AC),
Binary file usr/share/authconfig/authinfo.pyo matches

So, I decide to poke around in usr/share/authconfig/authinfo.py

# grep system-auth-ac authinfo.py
AUTH_PAM_SERVICE_AC = "system-auth-ac"
    FileBackup("system-auth-ac", SYSCONFDIR+"/pam.d/"+AUTH_PAM_SERVICE_AC),

# grep AUTH_PAM_SERVICE_AC authinfo.py
AUTH_PAM_SERVICE_AC = "system-auth-ac"
PASSWORD_AUTH_PAM_SERVICE_AC = "password-auth-ac"
FINGERPRINT_AUTH_PAM_SERVICE_AC = "fingerprint-auth-ac"
SMARTCARD_AUTH_PAM_SERVICE_AC = "smartcard-auth-ac"
    FileBackup("system-auth-ac", SYSCONFDIR+"/pam.d/"+AUTH_PAM_SERVICE_AC),
    FileBackup("password-auth-ac", SYSCONFDIR+"/pam.d/"+PASSWORD_AUTH_PAM_SERVICE_AC),
    FileBackup("fingerprint-auth-ac", SYSCONFDIR+"/pam.d/"+FINGERPRINT_AUTH_PAM_SERVICE_AC),
    FileBackup("smartcard-auth-ac", SYSCONFDIR+"/pam.d/"+SMARTCARD_AUTH_PAM_SERVICE_AC),
        self.writePAMService(STANDARD, CFG_PAM, AUTH_PAM_SERVICE_AC, AUTH_PAM_SERVICE)
        self.writePAMService(PASSWORD_ONLY, CFG_PASSWORD_PAM, PASSWORD_AUTH_PAM_SERVICE_AC, PASSWORD_AUTH_PAM_SERVICE)
        self.writePAMService(FINGERPRINT, CFG_FINGERPRINT_PAM, FINGERPRINT_AUTH_PAM_SERVICE_AC, FINGERPRINT_AUTH_PAM_SERVICE)
        self.writePAMService(SMARTCARD, CFG_SMARTCARD_PAM, SMARTCARD_AUTH_PAM_SERVICE_AC, SMARTCARD_AUTH_PAM_SERVICE)

When you install just the @Core package-group, authconfig isn't included (ran into this when working on another project). Without that RPM, the symlinks can't be created unless you automate the process minus the tool. I've just taken to adding 'authconfig' as one of my @Core+ RPM-directives in my build scripts. The installation of 'cloud-init' blows out my "keep it small" anyway, so what's one more RPM?

This exactly.

From my understanding, when you run 'authconfig' it sets up the symlink structure, e.g.

/etc/pam.d/system-auth -> /etc/pam.d/system-auth-ac

The system-auth file is replaced with a symlink to the system-auth-ac (ac = auth config). The -ac files contain the configuration generated by authconfig.

The RHEL installation tool executes authconfig. As mentioned above, and as Tom has also confirmed, authconfig was removed from the minimal install configuration, so when the installer attempts to run 'authconfig' to set up the configuration/symlinks defined in the kickstart, the authconfig command isn't there, so the default configuration from the pam package remains.

This same issue won't present itself on an upgraded server, i.e. if you installed with RHEL 6.5 media, the symlinks would have been created when authconfig was run as part of the installer. All further upgrades will honour this authconfig configuration.

For me, the issue manifested as failure to auth against a directory as I was pushing custom replacements for the following files:

/etc/pam.d/password-auth-ac
/etc/pam.d/system-auth-ac

But because authconfig had never run, the symlinks didn't exist, so pam was instead using the standard files (not symlinks) shipped with the pam package:

/etc/pam.d/password-auth
/etc/pam.d/system-auth

I added authconfig into the kickstart explicitly as Tom describes (for consistency), but alternatively you could modify the pam files directly rather than relying on authconfig symlinks.

One of the fun parts of this whole thing (and what caused me to notice it in my testing environment) is the impact that it has on CM tools like SaltStack.

With SaltStack (and presumably other solutions that act similarly), the default behavior for updating files is to create a backup of the original and then edit a copy. If your original file is a symlink, this breaks things. Thus, with my CM modules, I explicitly do my programmatic modifications against the *-ac files. Because I was initially using @Core, those files didn't exist. Thus, as part of a run of the CM tools, I had to add logic to ensure that the authconfig RPM was installed so that I could pre-run it to ensure the expected target files were in place (was easier than writing a shim to do what authconfig does - why reinvent the wheel when the wheel should be there to begin with).
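
The condition described in the posts above (custom *-ac files pushed while /etc/pam.d/system-auth and its siblings are still the regular files from the pam package, so PAM never reads the pushed configuration) can be checked before a build is trusted. The following is an added example, not part of any post in this thread and not Red Hat tooling; the function names `check_pam_links` and `demo_tree`, the optional root-directory argument, and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: report whether /etc/pam.d/<svc> links to the authconfig
# -ac file. Optional ROOT argument audits an offline tree instead of /.
check_pam_links() {
    root="${1:-}"; rc=0
    for svc in fingerprint-auth password-auth smartcard-auth system-auth; do
        link="$root/etc/pam.d/$svc"
        if [ ! -e "$link-ac" ]; then
            echo "NO-AC   $link-ac is missing"; rc=1
        fi
        if [ -L "$link" ]; then
            # Accept relative or absolute targets; compare the file name.
            if [ "$(basename "$(readlink "$link")")" = "$svc-ac" ]; then
                echo "OK      $link -> $svc-ac"
            else
                echo "WRONG   $link -> $(readlink "$link")"; rc=1
            fi
        elif [ -f "$link" ]; then
            # Regular file: PAM reads this one and never opens $svc-ac.
            echo "STOCK   $link is a regular file; $svc-ac is ignored"; rc=1
        else
            echo "ABSENT  $link"; rc=1
        fi
    done
    return "$rc"
}

# Constructed sample tree reproducing the thread's failure: custom -ac files
# were pushed, but authconfig never ran, so the stock files are still in use.
demo_tree() {
    d=$(mktemp -d) && mkdir -p "$d/etc/pam.d" || return 1
    for svc in fingerprint-auth password-auth smartcard-auth system-auth; do
        echo "# stock file from the pam package" > "$d/etc/pam.d/$svc"
        echo "# custom pushed configuration"     > "$d/etc/pam.d/$svc-ac"
    done
    echo "$d"
}

tree=$(demo_tree)
check_pam_links "$tree" || echo "result: links not in place"
rm -rf "$tree"
```

Called with no argument, `check_pam_links` audits the running system; a non-zero return in a kickstart %post or a CM state is the signal that the pushed *-ac files are not the ones in effect.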
