- 03-05-2009 #1
I hate PAM
OK, I don't like PAM, it's complicated and makes no sense to me at all, but I am stuck with it on my new RHEL 5.3 x86_64 server (tried to remove it once and the whole server blew up, figuratively speaking).
What I want to do is block root from logging in via ssh, but for some reason I cannot get su to work in concert with PAM. Even at the console (mouse, keyboard and monitor connected to the physical box) I am unable to su to root from any user on the system. There are only three users other than root and they are all in the wheel group.
When I try to su to root, the message I get is:
su: incorrect password
which I know is horse puckey because I can log into root using the same password from the console, but I can't su to root from my login whether I am at the console or using PuTTY.
I have tried it with various lines in /etc/pam.d/su, such as:
auth required pam_wheel.so use_uid
auth required pam_wheel.so group=wheel (seems redundant)
auth required /lib/security/pam_wheel.so use_uid
auth required /lib64/security/pam_wheel.so use_uid (x86_64 system)
also tried the last two with the group=wheel bit too.
If I had enough hair to get a grip on, it would all be ripped out by now.
- 03-05-2009 #2
If you want to prevent remote logins to root via SSH then you need to edit /etc/ssh/sshd_config and set:
PermitRootLogin no
then:
/etc/init.d/sshd restart
I'm not 100% sure since I never tried what you did with PAM on one of my servers but I think the account you're using to 'su' to root with has to be part of the 'wheel' group. You're trying to restrict which users can 'su' to root.
EDIT: Sorry I missed the part of your post that says the accounts are part of the 'wheel' group. I say edit sshd_config and back out what you did with PAM.
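The checks discussed in the two posts above (the sshd `PermitRootLogin` value, an active `pam_wheel.so` line in the su PAM file, and `wheel` membership) can be scripted as read-only tests. This is an added example, not part of any poster's reply; the function names, the sample file contents and the users alice, bob and carol are constructed for illustration.

```shell
# Global PermitRootLogin value: sshd keywords are case-insensitive and the
# first value obtained wins; stop at the first Match block (conditional).
permit_root_login() {
    awk 'tolower($1) == "match" { exit }
         tolower($1) == "permitrootlogin" { v = $2; exit }
         END { print (v == "" ? "unset" : v) }' "$1"
}

# Succeed if the PAM file has an uncommented auth line naming pam_wheel.so,
# as a bare module name or a full path such as /lib64/security/pam_wheel.so.
pam_wheel_active() {
    awk '$1 == "auth" { for (i = 3; i <= NF; i++) if ($i ~ /(^|\/)pam_wheel\.so$/) found = 1 }
         END { exit !found }' "$1"
}

# Succeed if USER is in GROUP's member list in a group(5) file. Limitation:
# a user whose primary group is GROUP is not listed there.
in_group_file() {   # usage: in_group_file GROUPFILE GROUP USER
    awk -F: -v g="$2" -v u="$3" '
        $1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) ok = 1 }
        END { exit !ok }' "$1"
}

# Constructed sample files (not taken from the poster's server).
tmp=$(mktemp -d)
cat > "$tmp/sshd_config" <<'EOF'
#PermitRootLogin yes
Protocol 2
permitrootlogin no
PermitRootLogin yes
EOF
cat > "$tmp/su" <<'EOF'
auth       sufficient   pam_rootok.so
#auth      required     pam_wheel.so use_uid
auth       required     /lib64/security/pam_wheel.so use_uid
auth       include      system-auth
EOF
cat > "$tmp/group" <<'EOF'
root:x:0:root
wheel:x:10:root,alice,bob
users:x:100:carol
EOF

echo "PermitRootLogin: $(permit_root_login "$tmp/sshd_config")"
pam_wheel_active "$tmp/su" && echo "pam_wheel is active for su"
in_group_file "$tmp/group" wheel alice && echo "alice is in wheel"
in_group_file "$tmp/group" wheel carol || echo "carol is not in wheel"
```

On a real host the same functions would be pointed at /etc/ssh/sshd_config, /etc/pam.d/su and /etc/group.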
- 03-06-2009 #3
The whole point is to make the server more secure. I know how to configure sshd to disallow remote root, I have that working on other servers. The point with this server is to build a long-term multisite web server with much better security than my current web server.
I've done what is described in the documentation, and on many Linux sites that provide instructions on setting up a "perfect" web server. The only thing not working is the ability to use su secured by PAM. Heck, I can't even verify which authentication module is failing to work properly.
- Misty


