User can't "su -" to root Post: 302989815

Sponsored Content

Operating Systems Linux User can't "su -" to root Post 302989815 by Gabriander on Wednesday 18th of January 2017 02:34:33 PM

01-18-2017

Registered User

Code:

server532:root:/etc/pam.d# cat system-auth-su
auth     required       pam_env.so
auth     sufficient     pam_fprintd.so
unlock_time=600
auth     sufficient     pam_unix.so nullok try_first_pass
auth     sufficient     pam_ldap.so try_first_pass ignore_unknown_user
auth     [default=die] pam_faillock.so authfail audit deny=5 unlock_time=600
auth     sufficient pam_faillock.so authsucc audit deny=5 unlock_time=600
auth     required       pam_deny.so

account  required       pam_unix.so
account  sufficient     pam_localuser.so
account  sufficient     pam_succeed_if.so uid < 1000 quiet
account  required       pam_permit.so

password   required     pam_cracklib.so try_first_pass retry=3 minlen=8 dcredit=-1 lcredit=-1
password   sufficient   pam_unix.so sha512 shadow nullok try_first_pass use_authtok remember=5
password   required     pam_deny.so

session optional        pam_keyinit.so revoke
session required        pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required        pam_unix.so

Quote:

- Can we exclude the obvious difference that in the first case the root password must be entered and in the second case the user password?

Yes, we can exclude it.

Gabriander

View Public Profile for Gabriander

Find all posts by Gabriander

9 More Discussions You Might Find Interesting

1. HP-UX

Creating a "semi" root user? Is it possible?

Hello All, I work as a system admin at a company of about 600 users on a HP-UX server. We have an IT department of about 15. My problem is that we give out the root password to the majority of them, they are phone support techs, as they need to get in to kill processes and setup users and...

2. Solaris

sendmail "root... User address required." error

I'm running sendmail (8.13.8+Sun/8.13.8/Submit) solaris 10. When I send mail to root at the command line (whether I use a full-qualified address or just root), I get the error message root... User address required. Sending mail to root (either at the command line or in a cron job),...

3. UNIX for Dummies Questions & Answers

Possible to give non root user sudo to "crontab -l"

Does anyone know if this is possible? I want to give some users access to root's crontab but only with a read privilege. Is this possible to do or can only root or people with full root sudo view root's cron?

4. Red Hat

error"warning: user owen does not exist - using root"?

I am trying to install openmotif22-2.2.3-18.src.rpm, after I typed in " rpm -i openmotif22-2.2.3-18.src.rpm" the following message comes out: warning: user owen does not exist - using root warning: group owen does not exist - using root I am install openmotif under root account. Do...

5. UNIX for Advanced & Expert Users

How to allow particular user only to login as a root using "ssh" ?

Q1 I want to allow particular user only to login into root using ssh. I have set PermitRootLogin no for security purpose but I want to allow some of the users to login as a root using ssh how to do this? I have tried with Allowusers user1 user2 its working for only the user1 and...

6. Solaris

"! bad user (root)" in cron log

I am getting the following error in the cron log: ! bad user (root) Wed Sep 22 14:30:00 2010 < root 8989 c Wed Sep 22 14:30:00 2010 rc=1 What does this mean?

7. AIX

Change "root" to "root.admin" in outgoing e-mails

Our AIX servers send e-mails which have the "from" address set to "root@company.com" for our root user ("C{M}company.com" in /etc/sendmail.cf). The problem is that when bad e-mails are sent out or rejected by remote servers, they are being returned and delivered to e-mail box of "Mary Root". ...

8. Shell Programming and Scripting

Root running a script calling to scp using user "xyz" is not authenticating!

Close duplicate thread.

9. UNIX for Beginners Questions & Answers

How to run root level command , if user has "su -" permission in sudoers provided?

I am looking t run root level command on multiple servers, but all servers have only "su - " permission available in sudoers. please help me if any way that I can run command using help of "su -" My script for hosts in `cat hosts.txt`; do echo "###########################Server Name-...

LEARN ABOUT CENTOS

pam_deny

PAM_DENY(8)							 Linux-PAM Manual						       PAM_DENY(8)

NAME

       pam_deny - The locking-out PAM module

SYNOPSIS

       pam_deny.so

DESCRIPTION

       This module can be used to deny access. It always indicates a failure to the application through the PAM framework. It might be suitable
       for using for default (the OTHER) entries.

OPTIONS

       This module does not recognise any options.

MODULE TYPES PROVIDED

       All module types (account, auth, password and session) are provided.

RETURN VALUES

       PAM_AUTH_ERR
	   This is returned by the account and auth services.

       PAM_CRED_ERR
	   This is returned by the setcred function.

       PAM_AUTHTOK_ERR
	   This is returned by the password service.

       PAM_SESSION_ERR
	   This is returned by the session service.

EXAMPLES

	   #%PAM-1.0
	   #
	   # If we don't have config entries for a service, the
	   # OTHER entries are used. To be secure, warn and deny
	   # access to everything.
	   other auth	  required	 pam_warn.so
	   other auth	  required	 pam_deny.so
	   other account  required	 pam_warn.so
	   other account  required	 pam_deny.so
	   other password required	 pam_warn.so
	   other password required	 pam_deny.so
	   other session  required	 pam_warn.so
	   other session  required	 pam_deny.so

SEE ALSO

       pam.conf(5), pam.d(5), pam(8)

AUTHOR

       pam_deny was written by Andrew G. Morgan <morgan@kernel.org>

Linux-PAM Manual						    09/19/2013							       PAM_DENY(8)