[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Seeking advice for auth required pam_deny.so




Move the auth required pam_deny.so line down to the last line of auth section.


On 2018-05-02 17:07, Ng Keng Lim wrote:
Hi List,

We currently have the following config in /etc/pam.d/system-auth on a
RHEL 6.3 staging server:

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
#auth      sufficient    pam_fprintd.so
#auth      sufficient    pam_unix.so nullok try_first_pass
#auth      requisite     pam_succeed_if.so uid >= 500 quiet
#auth      required      pam_deny.so
auth        required      pam_faillock.so preauth audit silent deny=5
auth        [success=1 default=bad] pam_unix.so
auth        [default=die] pam_faillock.so authfail audit deny=5
auth        sufficient    pam_faillock.so authsucc audit deny=5
account  required      pam_unix.so
account  sufficient    pam_localuser.so
account  sufficient    pam_succeed_if.so uid < 500 quiet
account  required      pam_permit.so

After testing in our staging server, “su - root” and “sudo su – root”
command are not working if "auth required pam_deny.so" is enable in
/etc/pam.d/system-auth
Would like to check if there are any areas that might be misconfigure.

Thanks.

Regards,
Keng Lim




_______________________________________________
Pam-list mailing list
Pam-list redhat com
https://www.redhat.com/mailman/listinfo/pam-list


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]