
Thread: PAM and su behavior




2008-03-04 19:57:57
Hello,

I'm experiencing unexpected PAM behavior under RHEL4.6 (pam-0.77-66.23).
When I su to an account as a non-root user, the login failure counter is
always updated for the account being su'd to, even when the su is successful.

/etc/pam.d/su:

#%PAM-1.0
auth       sufficient   /lib/security/$ISA/pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth       sufficient   /lib/security/$ISA/pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
#auth       required     /lib/security/$ISA/pam_wheel.so use_uid
auth       required     /lib/security/$ISA/pam_stack.so service=system-auth
account    sufficient   /lib/security/$ISA/pam_succeed_if.so uid=0 use_uid quiet
account    required     /lib/security/$ISA/pam_stack.so service=system-auth
password   required     /lib/security/$ISA/pam_stack.so service=system-auth
# pam_selinux.so close must be first session rule
session    required     /lib/security/$ISA/pam_selinux.so close
session    required     /lib/security/$ISA/pam_stack.so service=system-auth
# pam_selinux.so open and pam_xauth must be last two session rules
session    required     /lib/security/$ISA/pam_selinux.so open
session    optional     /lib/security/$ISA/pam_xauth.so

/etc/pam.d/system-auth:

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      /lib/security/$ISA/pam_env.so
auth        required      /lib/security/$ISA/pam_tally.so onerr=fail no_magic_root
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        required      /lib/security/$ISA/pam_deny.so

account     required      /lib/security/$ISA/pam_unix.so
account     required      /lib/security/$ISA/pam_tally.so per_user deny=3 no_magic_root reset
account     sufficient    /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account     required      /lib/security/$ISA/pam_permit.so

password    requisite     /lib/security/$ISA/pam_cracklib.so retry=3 minlen=8 lcredit=-1 ucredit=-1 dcredit=-1 ocredit=-1
password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow remember=10
password    required      /lib/security/$ISA/pam_deny.so

session     required      /lib/security/$ISA/pam_limits.so
session     required      /lib/security/$ISA/pam_unix.so

Is there something obvious wrong here?

Thanks in advance.

_______________________________________________
Pam-list mailing list
Pam-list@redhat.com
https://www.redhat.com/mailman/listinfo/pam-list
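
An added example, not part of the original post: a small Python helper that expands the pam_stack.so service= references in the two files quoted above, so the effective auth and account order for su, and the position of pam_tally.so in each, can be read off in one list. Only the auth and account lines are embedded, module paths are shortened to the file name, and the names flatten and tally_entries are hypothetical.

```python
# Constructed from the two files quoted in the post: auth/account lines only,
# comment lines dropped, wrapped lines rejoined, module paths shortened.
PAM_D = {
    "su": """
auth     sufficient pam_rootok.so
auth     required   pam_stack.so service=system-auth
account  sufficient pam_succeed_if.so uid=0 use_uid quiet
account  required   pam_stack.so service=system-auth
""",
    "system-auth": """
auth     required   pam_env.so
auth     required   pam_tally.so onerr=fail no_magic_root
auth     sufficient pam_unix.so likeauth nullok
auth     required   pam_deny.so
account  required   pam_unix.so
account  required   pam_tally.so per_user deny=3 no_magic_root reset
account  sufficient pam_succeed_if.so uid < 100 quiet
account  required   pam_permit.so
""",
}

def flatten(service, mtype, files=PAM_D, seen=()):
    """Return [(origin, control, module, args)] in configured order for one type."""
    if service in seen:
        raise ValueError("pam_stack loop via " + service)
    out = []
    for line in files[service].splitlines():
        fields = line.split("#", 1)[0].split()
        if not fields or fields[0] != mtype:
            continue
        _, control, path, *args = fields
        module = path.rsplit("/", 1)[-1]
        sub = [a.split("=", 1)[1] for a in args if a.startswith("service=")]
        if module == "pam_stack.so" and sub:
            # Splice the referenced service's lines of the same type in place.
            out += flatten(sub[0], mtype, files, seen + (service,))
        else:
            out.append((service, control, module, " ".join(args)))
    return out

def tally_entries(service):
    """Index and entry of every pam_tally.so line in the auth and account stacks."""
    return {t: [(i, e) for i, e in enumerate(flatten(service, t))
                if e[2] == "pam_tally.so"] for t in ("auth", "account")}

if __name__ == "__main__":
    for t in ("auth", "account"):
        for i, (origin, control, module, args) in enumerate(flatten("su", t)):
            print(f"{t:8}{i} {control:11}{module:20}{args}  [{origin}]")
```

The listing shows configured order only; whether a given module is actually reached depends on the control flags ahead of it (for example the sufficient pam_rootok.so and pam_succeed_if.so lines at the top of the su stacks).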
