[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

su and PAM: follow-up



Don't everyone chime in with solutions at once :-)

Another couple of pieces to the puzzle:

1) This behavior seems to have begun after
   our last update cycle (Feb '08)

2) I can fix the problem with the "su" file
   from RH AS 3:

auth       sufficient   /lib/security/$ISA/pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group. #auth sufficient /lib/security/$ISA/pam_wheel.so trust use_uid # Uncomment the following line to require a user to be in the "wheel" group. #auth required /lib/security/$ISA/pam_wheel.so use_uid auth required /lib/security/$ISA/pam_stack.so service=system-auth account required /lib/security/$ISA/pam_stack.so service=system-auth password required /lib/security/$ISA/pam_stack.so service=system-auth session required /lib/security/$ISA/pam_stack.so service=system-auth
session    optional     /lib/security/$ISA/pam_xauth.so

With this file in place, su behaves as expected:

1) the login failure tally only increments when the wrong
   password is supplied

2) the login failure tally is reset to 0 once a successful
   login is achieved

3) once the tally maximum is achieved, no further logins or
   su's to the account are allowed until the tally is reset.

I'll stick with the old PAM stack for su for now as a workaround.

Russell


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]