Replacing passwordless root with a dom0 prompt

@taradiddles

“Step 2. Configuring Fedora template to prompt Dom0 for any authorization request” no longer works in the Fedora Core 39 template, because Red Hat now has user authentication managed by the authselect utility, so now /etc/pam.d/system-auth is a symlink to /etc/authselect/system-auth, automatically generated by authselect.

Ways to deal with it:

  • Either create a custom authselect profile with our auth policy:

    [root@fedora-39-x64]# authselect create-profile sudo-dom0-prompt --base-on=sssd --symlink-meta --symlink-pam
    [root@fedora-39-x64]# mv /etc/authselect/custom/sudo-dom0-prompt/system-auth /etc/authselect/custom/sudo-dom0-prompt/system-auth.original_aside
    [root@fedora-39-x64]# cp /etc/authselect/system-auth /etc/authselect/custom/sudo-dom0-prompt
    

    Now edit /etc/authselect/custom/sudo-dom0-prompt/system-auth, replace all lines beginning with “auth” with these lines:

    auth  [success=1 default=ignore]  pam_exec.so seteuid /usr/lib/qubes/qrexec-client-vm dom0 qubes.VMAuth /bin/grep -q ^1$
    auth  requisite  pam_deny.so
    auth  required   pam_permit.so
    

    Then select new profile:

    [root@fedora-39-x64]# authselect select custom/sudo-dom0-prompt
    

    (Optional) Check that /etc/pam.d/system-auth has correct contents:

    [root@fedora-39-x64]# cat /etc/pam.d/system-auth
    
  • Or alternately opt out from authselect-managed configuration and then edit the static file /etc/pam.d/system-auth as before:

    [root@fedora-39-x64]# authselect opt-out
    

    I haven’t tried opting out; I thought that if Red Hat is moving ahead with authselect, it’s better to work with it than to disable it.

2 Likes
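The custom-profile steps above as one script, so the auth-stack rewrite can be tried on a copy of system-auth before touching the template. This is an added example, not part of @taradiddles’ post; it assumes the profile name sudo-dom0-prompt, the sssd base profile and the qrexec-client-vm path from the post, and only runs authselect when invoked with --apply as root.

```bash
#!/bin/bash
# Added example (not from the original post): automates the custom authselect
# profile procedure. Assumes the profile name "sudo-dom0-prompt" and the
# /usr/lib/qubes/qrexec-client-vm path from the post; PROFILE may be overridden.
set -euo pipefail

PROFILE="${PROFILE:-sudo-dom0-prompt}"
PAM_EXEC_LINE='auth  [success=1 default=ignore]  pam_exec.so seteuid /usr/lib/qubes/qrexec-client-vm dom0 qubes.VMAuth /bin/grep -q ^1$'

# rewrite_auth_stack IN OUT: copy IN to OUT, replacing every line that begins
# with "auth" by the three-line dom0-prompt stack, placed where the first auth
# line was. account/password/session lines pass through unchanged.
rewrite_auth_stack() {
    awk -v first="$PAM_EXEC_LINE" '
        /^auth[ \t]/ {
            if (!done) {
                print first
                print "auth  requisite  pam_deny.so"
                print "auth  required   pam_permit.so"
                done = 1
            }
            next                      # drop the original auth line
        }
        { print }
    ' "$1" > "$2"
}

# check_auth_stack FILE: succeed only if FILE has exactly three auth lines, in
# the expected order (pam_exec to dom0 first, then pam_deny, then pam_permit).
check_auth_stack() {
    awk '
        /^auth[ \t]/ { n++; line[n] = $0 }
        END {
            if (n != 3) exit 1
            if (line[1] !~ /pam_exec\.so seteuid \/usr\/lib\/qubes\/qrexec-client-vm dom0 qubes\.VMAuth/) exit 1
            if (line[2] !~ /^auth[ \t]+requisite[ \t]+pam_deny\.so/) exit 1
            if (line[3] !~ /^auth[ \t]+required[ \t]+pam_permit\.so/) exit 1
            exit 0
        }
    ' "$1"
}

# apply_profile: the steps from the post, for a root shell inside the template.
apply_profile() {
    local dir="/etc/authselect/custom/$PROFILE"
    authselect create-profile "$PROFILE" --base-on=sssd --symlink-meta --symlink-pam
    # With --symlink-pam the custom profile's system-auth is a symlink into the
    # base profile; move it aside and write a real file so the edit stays local.
    mv "$dir/system-auth" "$dir/system-auth.original_aside"
    rewrite_auth_stack /etc/authselect/system-auth "$dir/system-auth"
    check_auth_stack "$dir/system-auth"
    authselect select "custom/$PROFILE"
    # /etc/pam.d/system-auth is regenerated from the selected profile; confirm it.
    check_auth_stack /etc/pam.d/system-auth
}

# Only touch the system when asked explicitly:  ./script --apply  (as root).
if [ "${1:-}" = "--apply" ]; then
    apply_profile
fi
```

Sourcing the script (or running it without --apply) defines the functions only, so `rewrite_auth_stack /etc/authselect/system-auth /tmp/system-auth.new` followed by `check_auth_stack /tmp/system-auth.new` shows what the profile will contain before anything is selected.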

This works, thank you so much!

Also, for other users:

Require authentication for sudo. Replace the first line of /etc/sudoers.d/qubes with:

This is not necessarily the first line anymore. Replace the line that has NOPASSWD: ALL in it.

rm /etc/polkit-1/localauthority/50-local.d/qubes-allow-all.pkla

This file does not exist in Fedora templates anymore, at least not in the Fedora 40 GNOME one.

1 Like

With the Whonix templates (I haven’t checked on Debian as I don’t use it), these files no longer exist:

  • /etc/polkit-1/localauthority/50-local.d/qubes-allow-all.pkla
  • /etc/pam.d/su.qubes