pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "testuser"

Hey guys,

I am super confused about how Virtualmin sets up additional users in CentOS 7, and could use some assistance. This may or may not be a bug.

When creating a new Virtual Server, the parent UID is being made in the 500's range. This user is able to login via SSH successfully without an issue.

When adding an additional user for a Virtual Server, it's UID is also being made in the 500's range. Even though I have chosen to permit this user to login via SSH, it cannot and is getting the following error in /var/log/secure:

pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "testuser"

I see in /etc/pam.d password-auth and system-auth are configured that way:

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth required pam_deny.so

account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 1000 quiet
account required pam_permit.so

password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password required pam_deny.so

session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so

So, my question is 2 fold:

1) What the heck is virtualmin doing special with the administrative user that allows them to login via SSH *without* their UID being above 1000? (Seriously I've looked around the system for 30 minutes now and can't find it)

2) Are additional users supposed to get their UID created above 1000 on CentOS 7 systems? If so, this isn't happening.

Thanks!

Status: 
Closed (works as designed)

Comments

Hmm, what is the output of this command on your server:

grep UID_MIN /etc/login.defs

Here you go,

[root@winchester log]# grep UID_MIN /etc/login.defs
UID_MIN 1000
SYS_UID_MIN 201

I have also added debug logging in pam. Here is what a virtualmin user that can login looks like, and a user I have added that cannot:

Can login:
May 6 10:38:51 winchester sshd[7253]: pam_sepermit(sshd:auth): Parsing config file: /etc/security/sepermit.conf
May 6 10:38:51 winchester sshd[7253]: pam_sepermit(sshd:auth): Access will not be allowed on match
May 6 10:38:51 winchester sshd[7253]: pam_sepermit(sshd:auth): sepermit_match returned: -1
May 6 10:38:51 winchester sshd[7253]: pam_unix(sshd:auth): unrecognized option [trace]
May 6 10:38:51 winchester sshd[7253]: Accepted password for map from 66.195.111.246 port 11682 ssh2
May 6 10:38:51 winchester sshd[7253]: pam_env(sshd:setcred): unknown option: trace

Cannot login:
May 6 10:39:39 winchester sshd[7315]: pam_sepermit(sshd:auth): Parsing config file: /etc/security/sepermit.conf
May 6 10:39:39 winchester sshd[7315]: pam_sepermit(sshd:auth): Access will not be allowed on match
May 6 10:39:39 winchester sshd[7315]: pam_sepermit(sshd:auth): sepermit_match returned: -1
May 6 10:39:39 winchester sshd[7315]: pam_unix(sshd:auth): unrecognized option [trace]
May 6 10:39:39 winchester sshd[7315]: pam_succeed_if(sshd:auth): 'uid' resolves to '503'
May 6 10:39:39 winchester sshd[7315]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "testuser"
May 6 10:39:41 winchester sshd[7315]: Failed password for testuser from 66.195.111.246 port 61242 ssh2

/etc/passwd entry for these two users:
map:x:517:502::/home/map:/bin/sh
testuser:x:503:1001::/home/testuser:/bin/sh

Nevermind this log entry was a red herring.

Turned out I have a bad key on my keyboard that was making me mistype the password!

Woops!

Status: Active ยป Closed (works as designed)