Bug 28757 - pam module pam_rhosts_auth.so has no impact on su
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: pam
Version: 7.0
Hardware: i386
OS: Linux
Assignee: Nalin Dahyabhai
QA Contact: Aaron Brown
Reported: 2001-02-22 01:07 UTC by Landon Curt Noll
Modified: 2007-04-18 16:31 UTC (History)
Doc Type: Bug Fix
Last Closed: 2001-02-22 01:07:34 UTC

Description Landon Curt Noll 2001-02-22 01:07:31 UTC
From Bugzilla Helper:
User-Agent: Mozilla/4.76 [en] (X11; U; Linux 2.2.17-14 i686)

One cannot make use of ~/.rhosts files to permit password-less su-ing
specific users.  The pam_rhosts_auth.so seems to not be honored by su or
pam_rhosts_auth.so is not correctly parsing ~/.rhosts.

Reproducible: Always
Steps to Reproduce:
1. Create a ~user1/.rhosts file, mode 0400, owned by user1, that contains
things like:
	localhost user2 user2
	FQDN.thishost.com user2 user2
2. Add the following line to /etc/pam.d/su:
	auth       sufficient	/lib/security/pam_rhosts_auth.so no_hosts_equiv
just above line:
	auth       required	/lib/security/pam_stack.so service=system-auth
3. login to user2 and:
	su - user1

Actual Results:  The su - user1 command prompted for a password.

Expected Results:  The pam_rhosts_auth.so should have consulted the
~user1/.rhosts file, matched
one of several possible lines for user2 and allowed user2 to su without a

Comment 1 Nalin Dahyabhai 2001-02-26 23:32:28 UTC
The 'su' program doesn't set the requesting host PAM item which the
pam_rhosts_auth module is used for (though the usage you suggest is intriguing
in its similarity to the authorization methods used by ksu, which is part of the
Kerberos package).  I suspect that what you're trying to do would be better
handled by the sudo package, though.
