
pam_wheel.so on SuSE

 
Jeff_Traigle
Honored Contributor


On our SuSE systems that have pam-0.80-6 and no NIS, I'm able to include the following line in /etc/pam.d/su and it restricts su to root to members of the wheel group as expected:

auth requisite pam_wheel.so group=wheel

However, on some older installs with pam-0.77-124 or pam-0.77-221 using NIS, this same line doesn't quite work. It seems to work as expected for local users, but, if the user is defined in NIS, it allows them to su to root regardless of the wheel restriction.

The complete /etc/pam.d/su is:

#%PAM-1.0
auth sufficient pam_rootok.so
auth requisite pam_wheel.so group=wheel
auth required pam_unix2.so nullok #set_secrpc
account required pam_unix2.so
password required pam_pwcheck.so nullok
password required pam_unix2.so nullok use_first_pass use_authtok
#session required pam_homecheck.so
session required pam_unix2.so debug # none or trace

These are significantly different from the pam-0.80-6 entries:

#%PAM-1.0
auth sufficient pam_rootok.so
auth requisite pam_wheel.so group=wheel
auth include common-auth
account include common-account
password include common-password
session include common-session
session optional pam_xauth.so

Anyone who knows PAM well want to take a stab at explaining this? A bug? A configuration problem?
--
Jeff Traigle
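
An added example, not part of the original thread: a Python check that the auth stack quoted in the post above still enforces pam_wheel.so, plus a lookup of wheel membership through the same name-service calls that return NIS users. The function names are hypothetical, and the membership rule (member list or primary GID) is an assumption about how pam_wheel decides.

```python
import grp
import pwd

# Auth-relevant part of the pam-0.77 /etc/pam.d/su quoted in the post, embedded to run offline.
SU_STACK = """\
#%PAM-1.0
auth sufficient pam_rootok.so
auth requisite pam_wheel.so group=wheel
auth required pam_unix2.so nullok #set_secrpc
account required pam_unix2.so
"""

def auth_entries(text):
    """Yield (control, module, args) for each 'auth' line; '#' starts a comment."""
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 3 and fields[0] == "auth":
            yield fields[1], fields[2], fields[3:]

def wheel_findings(text, group="wheel"):
    """Return problems with the pam_wheel restriction in a su stack; [] means none found."""
    problems, bypass, found = [], [], False
    for control, module, args in auth_entries(text):
        if module != "pam_wheel.so":
            # A 'sufficient' success ahead of pam_wheel ends the stack before the check runs.
            if not found and control == "sufficient" and module != "pam_rootok.so":
                bypass.append(module)
            continue
        found = True
        if control not in ("requisite", "required"):
            problems.append(f"pam_wheel.so control is '{control}', failure will not deny su")
        if f"group={group}" not in args:
            problems.append(f"pam_wheel.so is not pinned to group={group}")
    if not found:
        return ["no pam_wheel.so entry in the auth stack"]
    return problems + [f"{m} is 'sufficient' ahead of pam_wheel.so" for m in bypass]

def in_group(user, group="wheel", getpw=pwd.getpwnam, getgr=grp.getgrnam):
    """True if NSS (files, NIS, ...) reports user in group, by member list or primary GID."""
    try:
        g, p = getgr(group), getpw(user)
    except KeyError:  # unknown user or group
        return False
    return user in g.gr_mem or p.pw_gid == g.gr_gid

if __name__ == "__main__":
    import sys
    print(wheel_findings(SU_STACK) or "pam_wheel restriction looks intact")
    for user in sys.argv[1:]:  # e.g. the name of an NIS account
        print(user, "in wheel per NSS:", in_group(user))
```

Run on an affected host with an NIS account name as the argument, the membership line shows what the name service reports for that user at that moment.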
Ivan Ferreira
Honored Contributor

Re: pam_wheel.so on SuSE

So, do any of the versions work with NIS? Can you add the debug option to the pam_wheel module and post the syslog messages?
Por que hacerlo dificil si es posible hacerlo facil? - Why do it the hard way, when you can do it the easy way?
Jeff_Traigle
Honored Contributor

Re: pam_wheel.so on SuSE

Ugh! Now it appears to be working properly even with the NIS users. Maybe it just needs to think about it for a while. :)
--
Jeff Traigle
Steven E. Protter
Exalted Contributor

Re: pam_wheel.so on SuSE

Shalom,

I believe it is a bug in the libwrap.so with tcp wrappers.

I don't know a lot about tcp_wrappers but just went through the basics during RHCE training.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Ryan Goh
Frequent Advisor

Re: pam_wheel.so on SuSE

Hi,

You can actually configure this using Webmin or the YaST tool.