Allow multiple groups to do su(1) with PAM
Rocky Hotas
rockyhotas at post.com
Tue May 9 13:49:03 UTC 2017
Hi!
A default FreeBSD 11.0 /etc/pam.d/su file contains the following lines:
auth sufficient pam_rootok.so no_warn
auth sufficient pam_self.so no_warn
auth requisite pam_group.so no_warn group=wheel root_only fail_safe ruser
auth include system
Also LDAP users belonging to another group, say `remotewheel', should be allowed to run `su root'.
pam_group(8) seems not to allow multiple choices for the option `group', so a line for each allowed group must be included. Also, the lines should be `sufficient', because the success of one line automatically must exclude the other. I made these modifications:
auth sufficient pam_rootok.so no_warn
auth sufficient pam_self.so no_warn
auth sufficient pam_group.so no_warn group=remotewheel root_only fail_safe ruser
auth sufficient pam_group.so no_warn group=wheel root_only fail_safe ruser
auth include system
but with this configuration, the root password of the local system is never asked for. It should be, instead.
After having verified that the user who makes `su root' belongs to `remotewheel' or `wheel', the system should ask the root password. How is it possible to configure PAM this way?
Thank you anyway,
Rocky
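The behaviour described in the post follows from how an OpenPAM auth chain is dispatched: a `sufficient' module that succeeds terminates the chain, so the `include system' line (where pam_unix asks for the password) is never reached. The following is an added illustration, not code from the post or from FreeBSD/OpenPAM: a small, simplified simulator of the control flags `sufficient', `requisite' and `required', run over the two /etc/pam.d/su stacks quoted above. The group database, the user names and the one-line stand-in for /etc/pam.d/system are constructed for the example.

```python
# Added example: simplified simulator of OpenPAM "auth" chain dispatch,
# used to show why the modified /etc/pam.d/su never reaches the password
# check. This is NOT OpenPAM; module behaviour is modelled, not real.
from dataclasses import dataclass

# Constructed stand-in for the part of /etc/pam.d/system that matters here
# (the real file also carries pam_opie/pam_opieaccess lines).
INCLUDES = {"system": "auth required pam_unix.so no_warn try_first_pass"}

ORIGINAL_SU = """
auth sufficient pam_rootok.so no_warn
auth sufficient pam_self.so no_warn
auth requisite pam_group.so no_warn group=wheel root_only fail_safe ruser
auth include system
"""

MODIFIED_SU = """
auth sufficient pam_rootok.so no_warn
auth sufficient pam_self.so no_warn
auth sufficient pam_group.so no_warn group=remotewheel root_only fail_safe ruser
auth sufficient pam_group.so no_warn group=wheel root_only fail_safe ruser
auth include system
"""

@dataclass
class Ctx:
    ruser: str                 # account running su
    user: str                  # target account ("root" here)
    groups: dict               # constructed group database: name -> set of members
    password_ok: bool = True   # what the password check would return if reached
    prompted: bool = False     # becomes True once pam_unix would ask for a password

# Each modelled module returns "ok", "fail" or "ignore".
def pam_rootok(ctx, args):
    return "ok" if ctx.ruser == "root" else "fail"

def pam_self(ctx, args):
    return "ok" if ctx.ruser == ctx.user else "fail"

def pam_group(ctx, args):
    if "root_only" in args and ctx.user != "root":
        return "ignore"                       # root_only: only applies to su root
    members = ctx.groups.get(args.get("group", "wheel"))
    if not members:                           # fail_safe: missing/empty group passes
        return "ok" if "fail_safe" in args else "fail"
    who = ctx.ruser if "ruser" in args else ctx.user   # ruser: check the applicant
    return "ok" if who in members else "fail"

def pam_unix(ctx, args):
    ctx.prompted = True                       # this is where the password is asked
    return "ok" if ctx.password_ok else "fail"

MODULES = {"pam_rootok.so": pam_rootok, "pam_self.so": pam_self,
           "pam_group.so": pam_group, "pam_unix.so": pam_unix}

def parse(text):
    """Turn pam.d lines into (control, module, args); 'include' is spliced in."""
    chain = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        _facility, control, module, *rest = fields
        if control == "include":
            chain.extend(parse(INCLUDES[module]))
            continue
        args = {}
        for a in rest:
            k, _, v = a.partition("=")
            args[k] = v or True
        chain.append((control, module, args))
    return chain

def authenticate(chain, ctx):
    """Simplified OpenPAM dispatch of one chain: returns 'ok' or 'fail'."""
    err = None
    for control, module, args in chain:
        r = MODULES[module](ctx, args)
        if r == "ignore":
            continue
        if control == "sufficient":
            if r == "ok" and err is None:
                return "ok"            # chain terminates; later modules never run
        elif control == "requisite":
            if r == "fail":
                return "fail"          # chain terminates immediately
        elif control == "required":
            if r == "fail" and err is None:
                err = "fail"           # remember the failure, keep running
    return err or "ok"

def su_root(config, ruser, groups, password_ok=True):
    """Returns (result, prompted_for_password) for `su root` run by ruser."""
    ctx = Ctx(ruser=ruser, user="root", groups=groups, password_ok=password_ok)
    return authenticate(parse(config), ctx), ctx.prompted

GROUPS = {"wheel": {"alice"}, "remotewheel": {"bob"}}   # constructed group database

if __name__ == "__main__":
    for name, cfg in (("original", ORIGINAL_SU), ("modified", MODIFIED_SU)):
        for who in ("alice", "bob", "carol"):
            print(name, who, su_root(cfg, who, GROUPS))
```

With the original stack, a wheel member is prompted for the root password and a non-member is refused at the `requisite' line. With the modified stack, a member of either group is granted access without ever reaching pam_unix, which is the symptom reported; note also that a user in neither group falls through both `sufficient' lines to `include system' and is then accepted on the root password alone, so the modified stack does more than just skip the prompt.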