reassign 339118 libpam-modules reassign 336513 libpam-modules severity 336513 important merge 336513 339118 354333 thanks
On Sat, Feb 25, 2006 at 01:37:45PM +0100, Roberto Suarez Soto wrote: > Package: libpam-modules > Version: 0.79-3.1 > Severity: important > After the upgrade to 0.79-3.1, pam_rootok stopped working. This is my > /etc/pam.d/su: > auth required pam_wheel.so group=wheel > auth sufficient pam_rootok.so debug > auth required pam_unix.so > account required pam_unix.so > session required pam_unix.so > I noticed this problem when the init.d for fetchmail asked for a > password. Afterwards, I tried to do a "su - fetchmail", and this is what > appears in auth.log: > Feb 25 13:29:58 cheetah PAM-rootok[8830]: authentication succeeded > Feb 25 13:29:59 cheetah su[8830]: (pam_unix) authentication failure; logname= > uid=0 euid=0 tty=tty1 ruser=root rhost= user=fetchmail > Feb 25 13:30:01 cheetah su[8830]: pam_authenticate: Permission denied > Feb 25 13:30:01 cheetah su[8830]: FAILED su for fetchmail by root > As you can see, pam_rootok logs that the authentication succeeded, but > it doesn't work anyway. Maybe the problem is not really in pam_rootok but in > another place, I don't know. Yes, the problem is that you have 'required pam_wheel' listed *before* pam_rootok, and pam_wheel is failing. This is a previously reported behavior change in pam_wheel in pam 0.79. But since it's pretty obvious that you want pam_rootok.so to take precedence here, you should move it to be the first module in the authentication stack. -- Steve Langasek Give me a lever long enough and a Free OS Debian Developer to set it on, and I can move the world. [EMAIL PROTECTED] http://www.debian.org/
signature.asc
Description: Digital signature