Seeking advice for auth required pam_deny.so
yuwang
yuwang at cs.fsu.edu
Wed May 2 22:47:13 UTC 2018
Move the auth required pam_deny.so line down to the last line of the auth
section.
On 2018-05-02 17:07, Ng Keng Lim wrote:
> Hi List,
>
> We currently have the following config in /etc/pam.d/system-auth on a
> RHEL 6.3 staging server:
>
> #%PAM-1.0
> # This file is auto-generated.
> # User changes will be destroyed the next time authconfig is run.
> auth required pam_env.so
> #auth sufficient pam_fprintd.so
> #auth sufficient pam_unix.so nullok try_first_pass
> #auth requisite pam_succeed_if.so uid >= 500 quiet
> #auth required pam_deny.so
> auth required pam_faillock.so preauth audit silent deny=5
> auth [success=1 default=bad] pam_unix.so
> auth [default=die] pam_faillock.so authfail audit deny=5
> auth sufficient pam_faillock.so authsucc audit deny=5
> account required pam_unix.so
> account sufficient pam_localuser.so
> account sufficient pam_succeed_if.so uid < 500 quiet
> account required pam_permit.so
>
> After testing on our staging server, the "su - root" and "sudo su - root"
> commands are not working if "auth required pam_deny.so" is enabled in
> /etc/pam.d/system-auth.
> Would like to check if there are any areas that might be misconfigured.
>
> Thanks.
>
> Regards,
> Keng Lim
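Why the position of the line matters, as an added example that is not part of the original thread or of Linux-PAM: a simplified Python model of how the auth stack's control actions are evaluated, run on the posted stack with pam_deny.so enabled where it appears commented out (an assumption about the failing layout) and with it moved to the end. The module return codes in `module_result` and the names `run_auth_stack`, `ENABLED_IN_PLACE` and `MOVED_TO_END` are assumptions made for this walk-through.

```python
import re
# Keyword controls and their bracket equivalents, per pam.conf(5);
# only the keywords this stack uses.
ALIASES = {
    "required":   {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
}
ENV, DENY = "auth required pam_env.so", "auth required pam_deny.so"
FAILLOCK = """auth required pam_faillock.so preauth audit silent deny=5
auth [success=1 default=bad] pam_unix.so
auth [default=die] pam_faillock.so authfail audit deny=5
auth sufficient pam_faillock.so authsucc audit deny=5"""
ENABLED_IN_PLACE = "\n".join([ENV, DENY, FAILLOCK])  # assumed failing layout
MOVED_TO_END = "\n".join([ENV, FAILLOCK, DENY])      # layout the reply suggests

def module_result(module, args, password_ok):
    # Assumed return codes for an account that is not locked out.
    if module == "pam_unix.so":
        return "success" if password_ok else "auth_err"
    if module == "pam_deny.so" or "authfail" in args:
        return "auth_err"  # authfail value is assumed; [default=die] ignores which code
    return "success"

def run_auth_stack(config, password_ok):
    impression, status, skip, called = None, "perm_denied", 0, []
    for line in config.splitlines():
        m = re.match(r"auth\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)", line.strip())
        if not m:
            continue  # comments and non-auth lines
        if skip:
            skip -= 1  # module jumped over by a numeric action
            continue
        ctl, module, args = m.groups()
        table = dict(kv.split("=") for kv in ctl[1:-1].split()) if ctl[0] == "[" else ALIASES[ctl]
        ret = module_result(module, args.split(), password_ok)
        called.append(module)
        action = table.get(ret, table["default"])
        if action.isdigit():
            skip = int(action)
        elif action in ("ok", "done"):
            if (impression is None or (impression, status) == ("positive", "success")) and ret != "ignore":
                impression, status = "positive", ret
            if impression == "positive" and action == "done":
                break  # sufficient succeeded with no earlier failure
        elif action in ("bad", "die"):
            if impression != "negative":
                impression, status = "negative", ret
            if action == "die":
                break
    return ("success" if (impression, status) == ("positive", "success") else "fail"), called
```

With the line enabled in place, a correct password still ends in failure because the `required` failure is remembered for the rest of the stack; moved to the end, the `sufficient` success stops evaluation before pam_deny.so is called.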