Bug 28757

Summary: pam module pam_rhosts_auth.so has no impact on su
Product: [Retired] Red Hat Linux
Reporter: Landon Curt Noll
Component: pam
Assignee: Nalin Dahyabhai
Status: CLOSED WONTFIX
QA Contact: Aaron Brown
Severity: medium
Priority: medium
Version: 7.0
Hardware: i386
OS: Linux
Last Closed: 2001-02-22 01:07:34 UTC

Description Landon Curt Noll 2001-02-22 01:07:31 UTC
From Bugzilla Helper:
User-Agent: Mozilla/4.76 [en] (X11; U; Linux 2.2.17-14 i686)

One cannot make use of ~/.rhosts files to permit password-less su-ing between specific users.  The pam_rhosts_auth.so seems to not be honored by su or the pam_rhosts_auth.so is not correctly parsing ~/.rhosts.

Reproducible: Always
Steps to Reproduce:
1. Create a ~user1/.rhosts file, mode 0400, owned by user1, that contains
things like:
	localhost user2
	127.0.0.1 user2
	FQDN.thishost.com user2
	10.10.0.2 user2
2. Add the following line to /etc/pam.d/su:
	auth       sufficient	/lib/security/pam_rhosts_auth.so no_hosts_equiv
just above line:
	auth       required	/lib/security/pam_stack.so service=system-auth
3. login to user2 and:
	su - user1

Actual Results:  The su - user1 command prompted for a password.

Expected Results:  The pam_rhosts_auth.so should have consulted the ~user1/.rhosts file, matched one of several possible lines for user2 and allowed user2 to su without a password.

Comment 1 Nalin Dahyabhai 2001-02-26 23:32:28 UTC
The 'su' program doesn't set the requesting host PAM item which the
pam_rhosts_auth module is used for (though the usage you suggest is intriguing
in its similarity to the authorization methods used by ksu, which is part of the
Kerberos package).  I suspect that what you're trying to do would be better
handled by the sudo package, though.
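Added illustration, not code from the report or from pam_rhosts_auth itself: a simplified Python model of the ~/.rhosts lookup the module performs, run over the file from step 1 of the report, showing that the check can only succeed when the requesting-host item is set (as rlogin/rsh daemons do) and therefore never for su, which Comment 1 notes leaves it unset. The file contents are constructed from the report, /etc/hosts.equiv is ignored (matching the no_hosts_equiv option used), and the '+' wildcard handling and all function names are assumptions of this example.

```python
from typing import List, Optional, Tuple

# Constructed ~user1/.rhosts with the entries from the report (added example,
# not the module's own code or the reporter's actual file).
RHOSTS_USER1 = """\
# trusted (host, user) pairs allowed to become user1
localhost user2
127.0.0.1 user2
FQDN.thishost.com user2
10.10.0.2 user2
"""

def parse_rhosts(text: str) -> List[Tuple[str, Optional[str]]]:
    """Parse .rhosts into (host, user) pairs, dropping comments and blanks.
    A missing user field means 'the same user name as the target account'."""
    entries = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if fields:
            entries.append((fields[0], fields[1] if len(fields) > 1 else None))
    return entries

def rhosts_allows(entries, rhost: Optional[str], ruser: str, target: str) -> bool:
    """Simplified model of the check pam_rhosts_auth makes: the requesting
    host (PAM_RHOST) and requesting user (PAM_RUSER) must match an entry.
    '+' in either field is the classic wildcard (negation is not modelled).
    With no requesting host, which is what su leaves, nothing can match."""
    if not rhost:
        return False
    for host, user in entries:
        host_ok = host == "+" or host.lower() == rhost.lower()
        wanted = target if user is None else user
        user_ok = wanted == "+" or wanted == ruser
        if host_ok and user_ok:
            return True
    return False

def wildcard_entries(entries) -> List[Tuple[str, Optional[str]]]:
    """Defender's audit: list entries that trust any host or any user."""
    return [e for e in entries if "+" in e]

def su_case() -> Tuple[bool, bool]:
    """Compare the rsh/rlogin path (daemon sets PAM_RHOST) with su (never
    sets it) for user2 trying to become user1."""
    entries = parse_rhosts(RHOSTS_USER1)
    via_rlogin = rhosts_allows(entries, "10.10.0.2", "user2", "user1")
    via_su = rhosts_allows(entries, None, "user2", "user1")
    return via_rlogin, via_su
```

`su_case()` returns `(True, False)`: the same file that would admit user2 over rlogin can never admit user2 through su, which is exactly the prompt-for-password behaviour the report describes.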