Bug 28757 - pam module pam_rhosts_auth.so has no impact on su
Status: CLOSED WONTFIX
Product: Red Hat Linux
Classification: Retired
Component: pam
Version: 7.0
Hardware: i386 Linux
Priority: medium
Severity: medium
Assigned To: Nalin Dahyabhai
QA Contact: Aaron Brown
Reported: 2001-02-21 20:07 EST by Landon Curt Noll
Modified: 2007-04-18 12:31 EDT (History)
Doc Type: Bug Fix
Last Closed: 2001-02-21 20:07:34 EST
Description Landon Curt Noll 2001-02-21 20:07:31 EST
From Bugzilla Helper:
User-Agent: Mozilla/4.76 [en] (X11; U; Linux 2.2.17-14 i686)


One cannot make use of ~/.rhosts files to permit password-less su-ing between
specific users.  The pam_rhosts_auth.so seems to not be honored by su or the
pam_rhosts_auth.so is not correctly parsing ~/.rhosts.

Reproducible: Always
Steps to Reproduce:
1. Create a ~user1/.rhosts file, mode 0400, owned by user1, that contains things like:
	localhost user2
	127.0.0.1 user2
	FQDN.thishost.com user2
	10.10.0.2 user2
2. Add the following line to /etc/pam.d/su:
	auth       sufficient	/lib/security/pam_rhosts_auth.so no_hosts_equiv
just above line:
	auth       required	/lib/security/pam_stack.so service=system-auth
3. Log in to user2 and:
	su - user1
	

Actual Results:  The su - user1 command prompted for a password.

Expected Results:  The pam_rhosts_auth.so should have consulted the
~user1/.rhosts file, matched one of several possible lines for user2 and
allowed user2 to su without a password.
Comment 1 Nalin Dahyabhai 2001-02-26 18:32:28 EST
The 'su' program doesn't set the requesting host PAM item which the
pam_rhosts_auth module is used for (though the usage you suggest is intriguing
in its similarity to the authorization methods used by ksu, which is part of the
Kerberos package).  I suspect that what you're trying to do would be better
handled by the sudo package, though.
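
The behavior described in Comment 1, as an added example that is not part of the bug report and is not Linux-PAM or su source code: a simplified model of the two `auth` lines from the reproduction steps. The names `PamItems`, `rhosts_auth` and `auth_stack`, the plain string host comparison, and the assumption that the requesting user item is set are this example's own.

```python
from typing import NamedTuple, Optional

# Constructed sample: the ~user1/.rhosts entries listed in the report.
RHOSTS_USER1 = """\
localhost user2
127.0.0.1 user2
FQDN.thishost.com user2
10.10.0.2 user2
"""

class PamItems(NamedTuple):
    user: str                    # PAM_USER: account being authenticated
    ruser: Optional[str] = None  # PAM_RUSER: requesting user
    rhost: Optional[str] = None  # PAM_RHOST: requesting host

def rhosts_auth(items: PamItems, rhosts_text: str) -> bool:
    """Model of the rhosts check: match (PAM_RHOST, PAM_RUSER) against entries."""
    # With no requesting host there is nothing to compare an entry against,
    # so the check cannot succeed no matter what the file contains.
    if not items.rhost or not items.ruser:
        return False
    for line in rhosts_text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        host = fields[0]
        # A bare hostname entry trusts the same-named user on that host.
        user = fields[1] if len(fields) > 1 else items.user
        # Assumption: case-insensitive string match, no DNS resolution.
        if host.lower() == items.rhost.lower() and user == items.ruser:
            return True
    return False

def auth_stack(items: PamItems, rhosts_text: str) -> str:
    """'sufficient' rhosts module first, then the 'required' system-auth stack."""
    if rhosts_auth(items, rhosts_text):
        return "granted-by-rhosts"   # sufficient module succeeded, stack ends
    return "password-prompt"         # falls through to system-auth

# su as described in Comment 1: the requesting host item is never set.
su_items = PamItems(user="user1", ruser="user2", rhost=None)
# A service that does set the item (assumed here for contrast).
remote_items = PamItems(user="user1", ruser="user2", rhost="localhost")

if __name__ == "__main__":
    print("su:    ", auth_stack(su_items, RHOSTS_USER1))
    print("remote:", auth_stack(remote_items, RHOSTS_USER1))
```

In this model the `.rhosts` contents never matter for the su case: the empty requesting host ends the check before any entry is read, which matches the password prompt seen in the report.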
