pam_unix(sudo:auth): conversation failed, auth could not identify password for [username]

Question:

I’m using ansible to provision my Centos 7 produciton cluster. Unfortunately, execution of below command results with ansible Tiemout and Linux Pluggable Authentication Modules (pam) error conversation failed.

The same ansible command works well, executed against virtual lab mad out of vagrant boxes.

Ansible Command

SSHd Log

Answer:

I’ve found the problem. It turned out to be PAM’s auth module problem! Let me describe how I got to the solution.

Context:

I set up my machine for debugging – that is I had four terminal windows opened.

  • 1st terminal (local machine): Here, I was executing ansible prduction_server -m yum -a 'name=vim state=installed' -b -K -u username
  • 2nd terminal (production server): Here, I executed journalctl -f (system wide log).
  • 3rd terminal (production server): Here, I executed tail -f /var/log/secure (log for sshd).
  • 4th terminal (production server): Here, I was editing vi /etc/pam.d/sudo file.

Every time, I executed command from 1st terminal I got this errors:

I showed my entire setup to my colleague, and he told me that the error had to do something with “PAM”. Frankly, It was the first time that I’ve heard about PAM.
I figured out, that error relates to auth interface located in /etc/pam.d/sudo module. Diging over the internet, I stambled upon this pam_permit.so module with sufficient controll flag, that fixed my problem!

Solution

Basically, what I added was auth sufficient pam_permit.so line to /etc/pam.d/sudo file. Look at the example below.

Conclusion:

I spent 4 days to arrive to this solution. I stumbled upon over a dozens solutions that did not worked for me, starting from “duplicated sudo password in ansible hosts/config file”, “ldap specific configuration” to getting advice from always grumpy system admins!

Note:

Since, I’m not expert in PAM, I’m not aware if this fix affects other aspects of the system, so be cautious over blindly copy pasting this code! However, if you are expert on PAM please share with us alternative solutions or input. Thanks!

This Post Has 2 Comments

  1. Avatar
    Chandramouli

    This solution broken sudo.

  2. Avatar
    James

    You’ve just set PAM to test “if 1==1, let them sudo” which is incredibly insecure.

Leave a Reply