# fatal: Internal error: PAM auth succeeded when it should have failed



## VampirD (Jul 3, 2013)

Is this log telling me that someone entered my system?


```
Checking setuid files and devices:

Checking negative group permissions:

Checking for uids of 0:
root 0
toor 0

Checking for passwordless accounts:

Checking login.conf permissions:

Checking for ports with mismatched checksums:

devilette pf denied packets:
+++ /tmp/security.yAsAv24I	2013-04-25 03:02:04.294146171 -0300
+block drop in from no-route to any [ Evaluations: 40607402 Packets: 0 Bytes: 0 States: 0 ]
+block drop in log on ! em0 inet from 192.168.1.0/24 to any [ Evaluations: 40607402 Packets: 0 Bytes: 0 States: 0 ]
+block drop in log inet from 192.168.1.10 to any [ Evaluations: 40607402 Packets: 0 Bytes: 0 States: 0 ]
+block drop in log quick on em0 proto tcp from <sshguard> to any port = ssh label "ssh bruteforce" [ Evaluations: 40607402 Packets: 0 Bytes: 0 States: 0 ]
+block drop in quick on em0 proto tcp all flags FPU/FSRPAUEW [ Evaluations: 40573507 Packets: 0 Bytes: 0 States: 0 ]
+block drop in quick on em0 proto tcp all flags FSRPAUEW/FSRPAUEW [ Evaluations: 40573507 Packets: 0 Bytes: 0 States: 0 ]
+block drop in quick on em0 proto tcp all flags FSRAU/FSRPAUEW [ Evaluations: 40573507 Packets: 0 Bytes: 0 States: 0 ]
+block drop in quick on em0 proto tcp all flags /FSRPAUEW [ Evaluations: 40573507 Packets: 0 Bytes: 0 States: 0 ]
+block drop in quick on em0 proto tcp all flags SR/SR [ Evaluations: 40573507 Packets: 0 Bytes: 0 States: 0 ]
+block drop in quick on em0 proto tcp all flags FS/FS [ Evaluations: 40573507 Packets: 0 Bytes: 0 States: 0 ]

devilette kernel log messages:
+++ /tmp/security.e48fPULu	2013-04-25 03:02:04.317442107 -0300
+ugen1.6: <SAMSUNG Electronics Co., Ltd.> at usbus1 (disconnected)
+umodem1: at uhub3, port 5, addr 6 (disconnected)
+umass0: at uhub3, port 5, addr 6 (disconnected)
+(da0:umass-sim0:0:0:0): lost device - 0 outstanding, 1 refs
+(da0:(pass1:umass-sim0:0:umass-sim0:0:0:0:0): removing device entry
+0): passdevgonecb: devfs entry is gone
+ugen1.6: <SAMSUNG Electronics Co., Ltd.> at usbus1
+umodem1: <Samsung Android ACM> on usbus1
+umodem1: data interface 1, has no CM over data, has no break
+umass0: <Android UMS> on usbus1
+umass0:  SCSI over Bulk-Only; quirks = 0x0000
+umass0:5:0:-1: Attached to scbus5
+(da0:umass-sim0:0:0:0): unsupportable block size 0
+(da0:umass-sim0:0:0:0): unsupportable block size 0
+(da0:umass-sim0:0:0:0): unsupportable block size 0
+(da0:umass-sim0:0:0:0): unsupportable block size 0
+(da0:umass-sim0:0:0:0): unsupportable block size 0
+(da0:umass-sim0:0:0:0): unsupportable block size 0
+(da0:umass-sim0:0:0:0): unsupportable block size 0
+(da0:umass-sim0:0:0:0): unsupportable block size 0
+(da0:umass-sim0:0:0:0): unsupportable block size 0

devilette login failures:
Apr 24 10:33:35 devilette sshd[27451]: Invalid user javierm from 201.217.132.98
Apr 24 17:37:37 devilette sshd[29378]: Invalid user gavrilov from 79.172.10.78
Apr 24 17:37:40 devilette sshd[29380]: Invalid user sniff from 79.172.10.78
Apr 24 17:37:44 devilette sshd[29382]: Invalid user bwadmin from 79.172.10.78
Apr 24 20:09:36 devilette sshd[29651]: fatal: Internal error: PAM auth succeeded when it should have failed

devilette refused connections:

-- End of security output --
```


----------



## SirDice (Jul 3, 2013)

On what version of FreeBSD is this?


----------



## VampirD (Jul 3, 2013)

```
FreeBSD devilette 9.1-RELEASE-p4 FreeBSD 9.1-RELEASE-p4 #0: Mon Jun 17 11:42:37 UTC 2013     root@amd64-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC  amd64
```

I don't remember whether I had -p2 or -p3 on the date of that log, but for sure 9.1.


----------



## SirDice (Jul 4, 2013)

Ok, that's good. As far as I know those versions don't have a vulnerable sshd(8), which would mean it was highly unlikely somebody broke in.

Did you perhaps modify the PAM configuration?


----------



## VampirD (Jul 4, 2013)

Yes, I set up PAM to use OpenLDAP; the file is:


```
#
# $FreeBSD: release/9.1.0/etc/pam.d/sshd 197769 2009-10-05 09:28:54Z des $
#
# PAM configuration for the "sshd" service
#

# auth
auth            sufficient      pam_opie.so             no_warn no_fake_prompts
auth            requisite       pam_opieaccess.so       no_warn allow_local
#auth           sufficient      pam_krb5.so             no_warn try_first_pass
#auth           sufficient      pam_ssh.so              no_warn try_first_pass
auth            sufficient      pam_unix.so             no_warn try_first_pass
auth            required        /usr/local/lib/pam_ldap.so      no_warn try_first_pass ignore_unknown_user

# account
account         required        pam_nologin.so
#account        required        pam_krb5.so
account         required        pam_login_access.so
account         sufficient      pam_unix.so
account         required        /usr/local/lib/pam_ldap.so      no_warn ignore_authinfo_unavail ignore_unknown_user

# session
#session        optional        pam_ssh.so              want_agent
session         required        pam_permit.so

# password
#password       sufficient      pam_krb5.so             no_warn try_first_pass
password        required        pam_unix.so             no_warn try_first_pass
```


----------



## SirDice (Jul 4, 2013)

If I look at http://www.freebsd.org/doc/en/articles/ldap-auth/client.html I see a few differences. Your configuration seems to be missing pam_nologin, and the order of pam_unix and pam_ldap is different (but that might be intentional). I'm also not sure about required and sufficient.
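Added example, not from the thread or from FreeBSD: a Python model of OpenPAM's auth-chain dispatch run over the `auth` stack posted above, to show what the required/sufficient question comes down to. The per-scenario module verdicts and the reading of the article's module order are assumptions; what is not an assumption is that sshd's keyboard-interactive PAM path aborts with exactly the logged fatal when the stack reports success for a name sshd had already marked invalid (or for root without `PermitRootLogin yes`).

```python
# Added example, not from the thread: OpenPAM's auth-chain dispatch modelled
# in Python and run over the "auth" stack from the posted /etc/pam.d/sshd.
# Verdicts are constructed per scenario; the control-flag logic follows
# openpam_dispatch() (assumed to match FreeBSD 9.1's OpenPAM).
SUCCESS, IGNORE, AUTH_ERR = "PAM_SUCCESS", "PAM_IGNORE", "PAM_AUTH_ERR"

# The posted stack, in order (pam_ldap carries ignore_unknown_user).
POSTED_STACK = [("sufficient", "pam_opie"), ("requisite", "pam_opieaccess"),
                ("sufficient", "pam_unix"), ("required", "pam_ldap")]
# Assumed reading of the article's order: pam_ldap sufficient, pam_unix
# required and last, so a name nobody knows is always refused by pam_unix.
ARTICLE_STACK = POSTED_STACK[:2] + [("sufficient", "pam_ldap"),
                                    ("required", "pam_unix")]

def dispatch(stack, verdicts):
    """Return (chain result, modules consulted) the way OpenPAM does: a
    sufficient success ends the chain unless a required module already
    failed, a requisite failure ends it at once, a failing sufficient
    module never fails the chain by itself, PAM_IGNORE is skipped, and
    with no required/requisite failure the result is PAM_SUCCESS."""
    err, fail, consulted = None, False, []
    for flag, module in stack:
        r = verdicts[module]
        consulted.append(module)
        if r == IGNORE:
            continue
        if r == SUCCESS:
            if flag == "sufficient" and not fail:
                break
            continue
        if err is None:
            err = r
        if flag == "required" and not fail:
            fail, err = True, r
        if flag == "requisite":
            fail = True
            break
    return (err if fail else SUCCESS), consulted

# Scenario 1: a name unknown to both passwd and LDAP (like the posted "Invalid
# user" probes). Assumed: no OPIE key, pam_unix fails, pam_ldap ignores it.
UNKNOWN_USER = {"pam_opie": AUTH_ERR, "pam_opieaccess": SUCCESS,
                "pam_unix": AUTH_ERR, "pam_ldap": IGNORE}
# Scenario 2: a local account giving the right password.
LOCAL_USER_OK = dict(UNKNOWN_USER, pam_unix=SUCCESS, pam_ldap=AUTH_ERR)

def sshd_would_fatal(stack, verdicts, user_is_valid):
    """True when sshd's keyboard-interactive PAM path would log 'PAM auth
    succeeded when it should have failed': PAM_SUCCESS for an invalid user."""
    return dispatch(stack, verdicts)[0] == SUCCESS and not user_is_valid
```

For a name known to neither passwd nor LDAP the posted stack ends in PAM_SUCCESS, because its only required module ignores unknown users and a failing sufficient module does not fail the chain; that is the state sshd refuses with the logged fatal, which kills that sshd child rather than granting a session. With pam_unix required and last, the same probe ends in PAM_AUTH_ERR and sshd logs an ordinary failure instead.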


----------



## VampirD (Jul 4, 2013)

I followed the guide at https://wiki.freebsd.org/LDAP#LDAP_server_configuration when I installed it, so I'll correct my file as per the link you suggested and wait and look in the logs for more PAM errors.


----------

