[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

PAM and su behavior


I'm experiencing unexpected PAM behavior under RHEL4.6 (pam-0.77-66.23). When I su to an account as a non-root user, the login failure counter is always updated for the account being su'd to, even when the su is successful.


auth       sufficient   /lib/security/$ISA/pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group. #auth sufficient /lib/security/$ISA/pam_wheel.so trust use_uid # Uncomment the following line to require a user to be in the "wheel" group. #auth required /lib/security/$ISA/pam_wheel.so use_uid auth required /lib/security/$ISA/pam_stack.so service=system-auth account sufficient /lib/security/$ISA/pam_succeed_if.so uid=0 use_uid quiet account required /lib/security/$ISA/pam_stack.so service=system-auth password required /lib/security/$ISA/pam_stack.so service=system-auth
# pam_selinux.so close must be first session rule
session required /lib/security/$ISA/pam_selinux.so close session required /lib/security/$ISA/pam_stack.so service=system-auth # pam_selinux.so open and pam_xauth must be last two session rules
session    required     /lib/security/$ISA/pam_selinux.so open
session    optional     /lib/security/$ISA/pam_xauth.so


# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      /lib/security/$ISA/pam_env.so
auth required /lib/security/$ISA/pam_tally.so onerr=fail no_magic_root auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth        required      /lib/security/$ISA/pam_deny.so

account     required      /lib/security/$ISA/pam_unix.so
account required /lib/security/$ISA/pam_tally.so per_user deny=3 no_magic_root reset account sufficient /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account     required      /lib/security/$ISA/pam_permit.so

password requisite /lib/security/$ISA/pam_cracklib.so retry=3 minlen=8 lcredit=-1 ucredit=-1 dcredit=-1 ocredit=-1 password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow remember=10
password    required      /lib/security/$ISA/pam_deny.so

session     required      /lib/security/$ISA/pam_limits.so
session     required      /lib/security/$ISA/pam_unix.so

Is there something obvious wrong here?

Thanks in advance.

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]