Why are false authentication failure messages reported by pam_unix for ldap users in Red Hat Enterprise Linux?


Environment

  • Red Hat Enterprise Linux 5
  • Red Hat Enterprise Linux 6

Issue

pam_unix logs the error below even though the user is successfully validated in an LDAP environment. Is there some way to stop these false error messages in this environment while still logging real authentication failures?

    dhcp6-115 sshd(pam_unix)[5601]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=test.redhat.com  user=ldapuser

Similar messages are reported when sudo is called by an LDAP user:

    dhcp6-115 sudo(pam_unix)[5619]: authentication failure; logname=ldapuser uid=0 euid=0 tty=pts/3 ruser= rhost=  user=ldapuser

Resolution

This is expected behaviour from pam_unix and the message is normal and harmless.

There is no configuration option within pam_unix to stop logging those messages.

The default PAM configuration tries to authenticate a user with pam_unix first, and only if that fails does it try the pam_ldap.so module.

If PAM cannot authenticate the user with pam_unix.so, it logs an authentication failure message and passes control to pam_ldap.so, which then authenticates the user successfully.

If you would like to keep these expected failures out of /var/log/secure, make the following configuration changes.

Change the auth section in /etc/pam.d/password-auth-ac and /etc/pam.d/system-auth-ac to:

    auth        required      pam_env.so
    auth        [default=1 success=ok] pam_localuser.so      <===== [1]
    auth        sufficient    pam_unix.so nullok try_first_pass
    auth        requisite     pam_succeed_if.so uid >= 500 quiet
    auth        sufficient    pam_sss.so forward_pass      <===== [2]
    auth        required      pam_deny.so

In change [1], pam_localuser ensures that pam_unix is called only when the user exists in /etc/passwd; for any other user the pam_unix line is skipped, so no failure is logged.
Change [2] tells pam_sss to use the password that was already entered.
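Where the PAM stack cannot be changed, the same distinction the pam_localuser line makes can be applied when reviewing the log: a pam_unix failure for a user with no /etc/passwd entry is the expected fallthrough, while one for a local account is a genuine failure. The script below is an added example, not part of the article or of Red Hat's tooling; its sample log lines (the two from the article plus one constructed entry for a local user "alice") and its /etc/passwd excerpt are constructed.

```python
import re

# Constructed sample log: the two messages quoted in the article plus one
# failure for a local account (alice), where pam_unix itself is authoritative.
SAMPLE_LOG = """\
dhcp6-115 sshd(pam_unix)[5601]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=test.redhat.com  user=ldapuser
dhcp6-115 sudo(pam_unix)[5619]: authentication failure; logname=ldapuser uid=0 euid=0 tty=pts/3 ruser= rhost=  user=ldapuser
dhcp6-115 sshd(pam_unix)[5702]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.5  user=alice
"""

# Constructed /etc/passwd excerpt: only root and alice are local accounts.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000::/home/alice:/bin/bash
"""

FAILURE_RE = re.compile(
    r"^(?P<host>\S+) (?P<service>\w+)\(pam_unix\)\[(?P<pid>\d+)\]: "
    r"authentication failure; (?P<fields>.*)$"
)

def parse_failure(line):
    """Parse one pam_unix 'authentication failure' line into a dict, or None."""
    m = FAILURE_RE.match(line)
    if m is None:
        return None
    rec = {"host": m.group("host"), "service": m.group("service"), "pid": int(m.group("pid"))}
    # The rest is whitespace-separated key=value tokens; empty values (logname=, ruser=) are legal.
    for token in m.group("fields").split():
        key, _, value = token.partition("=")
        rec[key] = value
    return rec

def local_users(passwd_text):
    """Account names in /etc/passwd, i.e. the users pam_localuser would match."""
    return {ln.split(":", 1)[0] for ln in passwd_text.splitlines() if ln.strip()}

def triage(log_text, passwd_text):
    """Return (user, service, verdict) per failure: 'expected' when the user has no
    /etc/passwd entry (the stack falls through to pam_ldap/pam_sss), 'real' otherwise."""
    known = local_users(passwd_text)
    results = []
    for line in log_text.splitlines():
        rec = parse_failure(line)
        if rec is None or "user" not in rec:
            continue
        verdict = "real" if rec["user"] in known else "expected"
        results.append((rec["user"], rec["service"], verdict))
    return results
```

On a real host, feed it the contents of /var/log/secure and /etc/passwd; only the "real" verdicts need an analyst's attention.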

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.
