I am considering to drop wheel, i.e.
- https://github.com/Whonix/security-misc/blob/master/usr/share/pam-configs/wheel
- security-misc/usr/share/pam-configs/wheel at 3f9437f1ecfd292f06ce021f12cb5430da280f84 · Kicksecure/security-misc · GitHub
auth required pam_wheel.so debug group=sudo
Because implementing it through /usr/share/pam-configs/wheel also applies to /etc/pam.d/login i.e. to login in a virtual console, which then fails to login with user user (!).
Jul 29 15:42:13 host login[787]: pam_wheel(login:auth): Access denied to ‘root’ for ‘user’
Jul 29 15:42:18 host login[787]: FAILED LOGIN (3) on ‘/dev/tty1’ FOR ‘user’, Permission denied
Adding root_only to auth required pam_wheel.so debug group=sudo so it would look like auth required pam_wheel.so debug group=sudo root_only helped. But I am not entirely sure what that does. Form the man page:
https://manpages.debian.org/pam_wheel
root_only
The check for wheel membership is done only when the target user UID is 0.
However, I am not sure pam_wheel is worth bothering with at all, since:
- When locking/expiring the root account,
suisn’t relevant anymore anyhow. - This is further protected by using anti linux user account brueforce mechanisms such as pam_tally2 (
auth required pam_tally2.so deny=4 even_deny_root) discussed in (protect Linux user accounts against brute force attacks).
With these two bullet points, I don’t see what pam_wheel would give us on top.
Something to look out for when testing:
Jul 29 16:17:01 host CRON[8330]: pam_unix(cron:account): account root has expired (account expired)
Jul 29 16:17:01 host audit[8330]: USER_ACCT pid=8330 uid=0 auid=4294967295 ses=4294967295 subj==unconfined msg=‘op=PAM:accounting grantors=? acct=“root” exe=“/usr/sbin/cron” hostname=? addr=? terminal=cron res=failed’
Jul 29 16:17:01 host cron[411]: Authentication failure
Jul 29 16:17:01 host CRON[8330]: Authentication failure
(This was probably from a misconfigured VM of mine during experimenting.)