su and PAM: follow-up

Russell N. Price rprice at honlab.nmfs.hawaii.edu
Wed Mar 5 19:52:28 UTC 2008


Don't everyone chime in with solutions at once :-)

Another couple of pieces to the puzzle:

1) This behavior seems to have begun after
    our last update cycle (Feb '08)

2) I can fix the problem with the "su" file
    from RH AS 3:

auth       sufficient   /lib/security/$ISA/pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth       sufficient   /lib/security/$ISA/pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
#auth       required     /lib/security/$ISA/pam_wheel.so use_uid
auth       required     /lib/security/$ISA/pam_stack.so service=system-auth
account    required     /lib/security/$ISA/pam_stack.so service=system-auth
password   required     /lib/security/$ISA/pam_stack.so service=system-auth
session    required     /lib/security/$ISA/pam_stack.so service=system-auth
session    optional     /lib/security/$ISA/pam_xauth.so

With this file in place, su behaves as expected:

1) the login failure tally only increments when the wrong
    password is supplied

2) the login failure tally is reset to 0 once a successful
    login is achieved

3) once the tally maximum is achieved, no further logins or
    su's to the account are allowed until the tally is reset.

I'll stick with the old PAM stack for su for now as a 
workaround.

Russell
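As an added example (not part of the post and not Linux-PAM's own tooling), a small Python parser and audit for a PAM service file shaped like the RH AS 3 su stack above: it checks that pam_rootok.so comes first and that every management group delegates to system-auth through pam_stack.so. SU_CONF is a constructed copy of that file; the function names and the audited properties are assumptions for this example.

```python
"""Parse a classic Linux-PAM service file and audit the su stack."""
from typing import List, NamedTuple, Tuple


class PamRule(NamedTuple):
    mgmt: str            # auth / account / password / session
    control: str         # required / requisite / sufficient / optional
    module: str          # module basename, e.g. pam_stack.so ($ISA path dropped)
    args: Tuple[str, ...]  # module arguments, e.g. ('service=system-auth',)


# Constructed copy of the RH AS 3 /etc/pam.d/su quoted in the post.
SU_CONF = """\
auth       sufficient   /lib/security/$ISA/pam_rootok.so
#auth       sufficient   /lib/security/$ISA/pam_wheel.so trust use_uid
auth       required     /lib/security/$ISA/pam_stack.so service=system-auth
account    required     /lib/security/$ISA/pam_stack.so service=system-auth
password   required     /lib/security/$ISA/pam_stack.so service=system-auth
session    required     /lib/security/$ISA/pam_stack.so service=system-auth
session    optional     /lib/security/$ISA/pam_xauth.so
"""


def parse_pam(text: str) -> List[PamRule]:
    """Parse 'type control module [args...]' lines; '#' starts a comment.
    Bracketed control values ([success=ok ...]) are not handled here."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 3:
            raise ValueError(f"malformed PAM line: {raw!r}")
        mgmt, control, path, *args = parts
        rules.append(PamRule(mgmt, control, path.rsplit("/", 1)[-1], tuple(args)))
    return rules


def audit_su_stack(rules: List[PamRule]) -> List[str]:
    """Return findings; an empty list means the stack matches the RH AS 3 shape."""
    findings = []
    auth = [r for r in rules if r.mgmt == "auth"]
    if not auth or auth[0].module != "pam_rootok.so" or auth[0].control != "sufficient":
        findings.append("auth: pam_rootok.so should be first and 'sufficient'")
    for mgmt in ("auth", "account", "password", "session"):
        delegated = any(r.mgmt == mgmt and r.module == "pam_stack.so"
                        and r.control == "required"
                        and "service=system-auth" in r.args for r in rules)
        if not delegated:
            findings.append(f"{mgmt}: no 'required pam_stack.so service=system-auth'")
    return findings
```

Running audit_su_stack(parse_pam(SU_CONF)) on the constructed copy returns no findings; weakening one group's control flag shows up as a single finding for that group.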

More information about the Pam-list mailing list