[Help] auth.log reports "sudo: PAM (sudo) illegal module type: file=/etc/ssh/sudo_authorized_keys/%u"
Closed this issue · 1 comments
janusn commented
Sorry, I know it is not a particular problem of touch2sudo. It is a problem with the remote machine setup. But I cannot get it to work. Could you help me out?
I have followed the steps listed on /medium/ touch2sudo: Enable remote sudo two-factor authentication using Mac Touch ID.
The content of my /etc/pam.d/sudo:
$ cat /etc/pam.d/sudo
#%PAM-1.0
# added by Janus for touch2sudo
auth sufficient /lib/x86_64-linux-gnu/security/pam_ssh_agent_auth.so
file=/etc/ssh/sudo_authorized_keys/%u
# Set up user limits from /etc/security/limits.conf.
session required pam_limits.so
session required pam_env.so readenv=1 user_readenv=0
session required pam_env.so readenv=1 envfile=/etc/default/locale user_readenv=0
@include common-auth
@include common-account
@include common-session-noninteractive
When I issue sudo tail /var/log/auth.log on the remote machine afterwards, it failed to use pam_ssh_agent_auth.so. Nor did the original password work.
$ sudo tailf /var/log/auth.log
[sudo] password for janus:
Sorry, try again.
[sudo] password for janus:
Sorry, try again.
[sudo] password for janus:
sudo: 3 incorrect password attempts
The actual outcome logged in /var/log/auth.log:
$ sudo tail -100 /var/log/auth.log
…
2024-09-08T17:44:55.144759+01:00 nuc13 sudo: pam_unix(sudo:session): session opened for user root(uid=0) by janus(uid=1000)
2024-09-08T17:45:01.708217+01:00 nuc13 CRON[3135452]: pam_unix(cron:session): session opened for user root(uid=0) by root(uid=0)
2024-09-08T17:45:01.708404+01:00 nuc13 CRON[3135453]: pam_unix(cron:session): session opened for user root(uid=0) by root(uid=0)
2024-09-08T17:45:01.710097+01:00 nuc13 CRON[3135452]: pam_unix(cron:session): session closed for user root
2024-09-08T17:45:01.790917+01:00 nuc13 CRON[3135453]: pam_unix(cron:session): session closed for user root
2024-09-08T17:45:35.894652+01:00 nuc13 sudo: pam_unix(sudo:session): session closed for user root
2024-09-08T17:45:50.399284+01:00 nuc13 sudo: PAM (sudo) illegal module type: file=/etc/ssh/sudo_authorized_keys/%u
2024-09-08T17:45:50.399432+01:00 nuc13 sudo: PAM (sudo) no control flag supplied
2024-09-08T17:45:50.399471+01:00 nuc13 sudo: PAM (sudo) no module name supplied
2024-09-08T17:45:50.400410+01:00 nuc13 sudo[3136164]: pam_ssh_agent_auth: Failed Authentication: `janus' as `janus' using /etc/security/authorized_keys
2024-09-08T17:46:01.751339+01:00 nuc13 sudo[3136164]: pam_ssh_agent_auth: Failed Authentication: `janus' as `janus' using /etc/security/authorized_keys
2024-09-08T17:46:01.793492+01:00 nuc13 CRON[3136327]: pam_unix(cron:session): session opened for user root(uid=0) by root(uid=0)
2024-09-08T17:46:01.880545+01:00 nuc13 CRON[3136327]: pam_unix(cron:session): session closed for user root
2024-09-08T17:46:02.872579+01:00 nuc13 sudo[3136164]: pam_unix(sudo:auth): conversation failed
2024-09-08T17:46:02.872695+01:00 nuc13 sudo[3136164]: pam_unix(sudo:auth): auth could not identify password for [janus]
2024-09-08T17:46:02.873362+01:00 nuc13 sudo: janus : 1 incorrect password attempt ; TTY=pts/1 ; PWD=/home/janus ; USER=root ; COMMAND=/usr/bin/ls
2024-09-08T17:46:47.110863+01:00 nuc13 sudo: PAM (sudo) illegal module type: file=/etc/ssh/sudo_authorized_keys/%u
2024-09-08T17:46:47.111086+01:00 nuc13 sudo: PAM (sudo) no control flag supplied
2024-09-08T17:46:47.111150+01:00 nuc13 sudo: PAM (sudo) no module name supplied
2024-09-08T17:46:47.112451+01:00 nuc13 sudo: janus : TTY=pts/0 ; PWD=/etc/sudoers.d ; USER=root ; COMMAND=/usr/sbin/visudo
2024-09-08T17:46:47.113007+01:00 nuc13 sudo: pam_unix(sudo:session): session opened for user root(uid=0) by janus(uid=1000)
2024-09-08T17:47:01.888670+01:00 nuc13 CRON[3137209]: pam_unix(cron:session): session opened for user root(uid=0) by root(uid=0)
2024-09-08T17:47:02.011565+01:00 nuc13 CRON[3137209]: pam_unix(cron:session): session closed for user root
2024-09-08T17:47:31.037141+01:00 nuc13 sshd[3134162]: Received disconnect from 10.27.2.14 port 51468:11: disconnected by user
2024-09-08T17:47:31.037354+01:00 nuc13 sshd[3134162]: Disconnected from user janus 10.27.2.14 port 51468
2024-09-08T17:47:31.037948+01:00 nuc13 sshd[3134108]: pam_unix(sshd:session): session closed for user janus
2024-09-08T17:47:31.042728+01:00 nuc13 systemd-logind[908]: Session 3944 logged out. Waiting for processes to exit.
2024-09-08T17:47:31.044241+01:00 nuc13 systemd-logind[908]: Removed session 3944.
…
Environment:
- remote OS:
Linux nuc13 6.8.0-41-generic #41-Ubuntu SMP PREEMPT_DYNAMIC Fri Aug 2 20:41:06 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux
- pam_ssh_agent_auth.so is installed by:
$ sudo apt install libpam-ssh-agent-auth
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following NEW packages will be installed:
libpam-ssh-agent-auth
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 110 kB of archives.
After this operation, 249 kB of additional disk space will be used.
Get:1 http://gb.archive.ubuntu.com/ubuntu noble/universe amd64 libpam-ssh-agent-auth amd64 0.10.3-8 [110 kB]
Fetched 110 kB in 0s (2,284 kB/s)
Selecting previously unselected package libpam-ssh-agent-auth:amd64.
(Reading database ... 181335 files and directories currently installed.)
Preparing to unpack .../libpam-ssh-agent-auth_0.10.3-8_amd64.deb ...
Unpacking libpam-ssh-agent-auth:amd64 (0.10.3-8) ...
Setting up libpam-ssh-agent-auth:amd64 (0.10.3-8) ...
Processing triggers for man-db (2.12.0-4build2) ...
Scanning processes...
Scanning processor microcode...
Scanning linux images...
Running kernel seems to be up-to-date.
The processor microcode seems to be up-to-date.
No services need to be restarted.
No containers need to be restarted.
No user sessions are running outdated binaries.
No VM guests are running outdated hypervisor (qemu) binaries on this host.
- macOS version:
Sonoma 14.6.1 (23G93)
- touch2sudo installed by:
$ brew install touch2sudo
janusn commented
Sorry to bother you. I have found the error. The line in /etc/pam.d/sudo should be a single line instead of 2 lines.
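Added example, not part of the original issue or of touch2sudo: a small linter that flags a PAM rule whose arguments have wrapped onto their own line, which is what produces the "illegal module type" entry in the log above. The sample configs are constructed from the two lines quoted in the issue; `lint_pam` and `logical_lines` are hypothetical helper names, and the backslash-continued variant relies on Linux-PAM's documented line-continuation syntax.

```python
"""Lint a PAM service file for rules that Linux-PAM would reject."""

# Module types accepted in /etc/pam.d files (a leading "-" is also allowed).
PAM_TYPES = {"auth", "account", "password", "session"}

def logical_lines(text):
    """Yield (first_line_no, rule), joining backslash-continued lines."""
    buf, start = "", None
    for no, raw in enumerate(text.splitlines(), 1):
        start = no if start is None else start
        if raw.endswith("\\"):
            buf += raw[:-1] + " "
            continue
        yield start, buf + raw
        buf, start = "", None
    if start is not None:  # file ended on a dangling continuation
        yield start, buf

def lint_pam(text):
    """Return [(line_no, problem)] for every rule that does not parse."""
    problems = []
    for no, rule in logical_lines(text):
        fields = rule.split("#", 1)[0].split()
        if not fields or fields[0] == "@include":
            continue
        if fields[0].removeprefix("-") not in PAM_TYPES:
            problems.append((no, f"illegal module type: {fields[0]}"))
        elif len(fields) < 3:
            problems.append((no, "no control flag or module name supplied"))
    return problems

# Constructed samples built from the two lines quoted in the issue.
MODULE = "/lib/x86_64-linux-gnu/security/pam_ssh_agent_auth.so"
KEYS = "file=/etc/ssh/sudo_authorized_keys/%u"
BROKEN = f"#%PAM-1.0\nauth sufficient {MODULE}\n{KEYS}\n@include common-auth\n"
FIXED = f"#%PAM-1.0\nauth sufficient {MODULE} {KEYS}\n@include common-auth\n"
CONTINUED = f"#%PAM-1.0\nauth sufficient {MODULE} \\\n    {KEYS}\n@include common-auth\n"

if __name__ == "__main__":
    for name, cfg in (("broken", BROKEN), ("fixed", FIXED), ("continued", CONTINUED)):
        print(name, lint_pam(cfg))
```

In the broken form the module line itself still parses, so pam_ssh_agent_auth runs without its file= argument; the log in the issue shows it checking /etc/security/authorized_keys rather than the intended per-user file.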