user1 wants to su to user2 (both are non-root). When user1 runs su - user2, he's prompted for user2's password as expected, but the password is never accepted.
user1@host $ su - user2 (switch from user1 to user2)
Password:
su: incorrect password
user1@host $
user2 is a valid, unlocked account with a real shell specified in /etc/passwd. You can SSH as user2 to the box (ssh user2@host). Also, in my testing user1 and user2 have the same password, so it's not a matter of a password mismatch (supplying user2's password when user1's is expected, or vice versa).
Oddly, pam_tally2 increments user2's failed login count, but nothing is logged to /var/log/secure. For that matter, nothing is logged to anything else in /var/log, either.
I can work around this by adding this line to sudoers:
user1 ALL=(ALL) /bin/su
... and running the command with sudo:
user1@host $ sudo su - user2
However, I'd like to find out why I can't just run su.
This is a RHEL5 box that has STIGs applied automatically with Aqueduct, so I'm not sure what would have been changed in /etc/pam.d.
Answer
Not having your /etc/pam.d/su, I can only guess that:
- probably su is restricted to the wheel group using auth required pam_wheel.so
- the pam stack is misconfigured
For a hint on how to use pam_tally2 in RHEL5, check here.
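As an added example that is not part of the question or the answer, the following POSIX shell script shows how to check the first guess above: whether an active "auth required pam_wheel.so" line in /etc/pam.d/su restricts su to a group, and whether the calling user is a member of that group. The /etc/pam.d/su and /etc/group contents are constructed for illustration (the original post did not include either file), and the user names admin, user1 and user2 in the group data are assumptions. It also handles pam_wheel's group= option, which the answer does not mention, so that the check is not tied to the default wheel group.

```shell
#!/bin/sh
# Added example: does /etc/pam.d/su restrict su via pam_wheel.so, and is the
# caller in the enforced group?  All inputs are constructed for illustration;
# the original post did not include its /etc/pam.d/su or /etc/group.

# Constructed /etc/pam.d/su with the "require wheel" line enabled.
PAM_SU_RESTRICTED='#%PAM-1.0
auth       sufficient   pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth       sufficient   pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
auth       required     pam_wheel.so use_uid
auth       include      system-auth
account    sufficient   pam_succeed_if.so uid = 0 use_uid quiet
account    include      system-auth
password   include      system-auth
session    include      system-auth
session    optional     pam_xauth.so'

# Same file with the pam_wheel line commented out again (no restriction).
PAM_SU_OPEN=$(printf '%s\n' "$PAM_SU_RESTRICTED" |
    sed 's/^auth[[:space:]]*required[[:space:]]*pam_wheel/#&/')

# Constructed /etc/group fragment: user1 and user2 are not in wheel, admin is.
GROUP_DB='root:x:0:root
wheel:x:10:root,admin
user1:x:500:
user2:x:501:'

# pam_wheel_group PAM_CONTENT
# Prints the group enforced by the first active "auth required|requisite
# pam_wheel.so" line (its group= option, else pam_wheel's default "wheel")
# and returns 0; prints nothing and returns 1 if no such active line exists.
pam_wheel_group() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*#/ { next }                     # skip commented lines
        $1 == "auth" && ($2 == "required" || $2 == "requisite") && $3 == "pam_wheel.so" {
            grp = "wheel"
            for (i = 4; i <= NF; i++) if ($i ~ /^group=/) grp = substr($i, 7)
            print grp; found = 1; exit
        }
        END { exit found ? 0 : 1 }'
}

# in_group GROUP_CONTENT GROUP USER -> 0 if USER is a listed member of GROUP
in_group() {
    printf '%s\n' "$1" | awk -F: -v g="$2" -v u="$3" '
        $1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) found = 1 }
        END { exit found ? 0 : 1 }'
}

# diagnose PAM_CONTENT GROUP_CONTENT USER
# Prints "open" (no pam_wheel restriction), "allowed" (restricted, USER is a
# member) or "denied:<group>" (restricted, USER is not a member).
diagnose() {
    grp=$(pam_wheel_group "$1") || { echo open; return 0; }
    if in_group "$2" "$grp" "$3"; then echo allowed; else echo "denied:$grp"; fi
}

diagnose "$PAM_SU_RESTRICTED" "$GROUP_DB" user1   # denied:wheel
diagnose "$PAM_SU_RESTRICTED" "$GROUP_DB" admin   # allowed
diagnose "$PAM_SU_OPEN"       "$GROUP_DB" user1   # open
```

On a real box the same functions can be fed "$(cat /etc/pam.d/su)" and "$(cat /etc/group)" (or the output of getent group). The check only looks at the required/requisite form of pam_wheel.so; the commented "sufficient pam_wheel.so trust" line in the sample lets wheel members skip the password rather than blocking everyone else, so it is not a cause of the symptom described in the question.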