> > Normally the 'auth' entry in /etc/pam.d/su would be something that makes you
> > enter the password for the new user unless you are root or a member of a
> > trusted group. Isn't having to know the password enough to control the
> > operation?
>
> Under normal circumstances I would agree that simply knowing the password
> would be enough control. I have a situation where I have an application
> that can only do traditional unix passwd/shadow authentication which
> requires knowledge of the service account password. I do not however want
> to allow someone who knows the password (did I mention that I believe the
> application stores the password in clear text?) to be able to get a shell
> as the application user without using a logged shell. As a result, I use
> Enterprise Audit Shell controlled with sudo access to allow logged shell
> access. I use DenyGroup in sshd_config as well as a pam_listfile in
> /etc/pam.d/su to prevent any unapproved type of shell access as this user.

I have met a similar case, but I have made pam_sm_authenticate verify whether the user is legitimate, which is a different function from deciding who may call su. Therefore, I have to do this through other hooks, such as pam_sm_acct_mgmt, pam_sm_chauthtok, etc. Why can I not simply return PAM_AUTH_ERR in the pam_sm_authenticate hook to prevent the user's su operation? I must accomplish my aim through the authentication hook, mustn't I?

_______________________________________________
Pam-list mailing list
Pam-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/pam-list
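Whether a PAM_AUTH_ERR returned from a module's pam_sm_authenticate() is enough to stop su depends on the control flag the module is given in /etc/pam.d/su, which is the mechanism both posters above are relying on (pam_rootok letting root through, pam_listfile gating the service account before pam_unix checks the password). The following is an added example, not code from this thread or from Linux-PAM: a small Python model of how Linux-PAM walks an auth stack. It implements only the four classic control flags (required, requisite, sufficient, optional), feeds each module a canned result instead of loading a real module, and uses a constructed deny list, a constructed set of stacks and a made-up service account name "appsvc".

```python
"""Model of how Linux-PAM walks the `auth` stack of /etc/pam.d/su.

Added example, not code from this thread or from Linux-PAM. Only the four
classic control flags are modelled, and each module's pam_sm_authenticate()
result is canned rather than obtained from a real module.
"""
from dataclasses import dataclass

# Return codes with the values Linux-PAM uses in <security/_pam_types.h>.
PAM_SUCCESS = 0
PAM_PERM_DENIED = 6
PAM_AUTH_ERR = 7
PAM_IGNORE = 25


@dataclass(frozen=True)
class Rule:
    control: str  # required | requisite | sufficient | optional
    module: str   # e.g. "pam_listfile.so"


def dispatch(stack, results, trace=None):
    """Return the code su's pam_authenticate() call gets for `stack`.

    `results` maps module name -> code its pam_sm_authenticate() returned.
    `trace`, if given, collects the modules actually consulted: a `required`
    module after an earlier failure still runs (and still prompts the user).
    """
    failure = None   # code of the first failing required/requisite module
    success = False  # some module has set a positive impression
    for rule in stack:
        rc = results[rule.module]
        if rc == PAM_IGNORE:
            continue  # treated as if the config line were absent
        if trace is not None:
            trace.append(rule.module)
        ok = rc == PAM_SUCCESS
        if rule.control in ("required", "requisite"):
            if ok:
                success = True
            else:
                if failure is None:
                    failure = rc
                if rule.control == "requisite":
                    return failure  # stop at once with the current impression
        elif rule.control == "sufficient":
            if ok:
                # success ends the stack but never overrides an earlier failure
                return failure if failure is not None else PAM_SUCCESS
            # a failing sufficient module is simply ignored
        elif rule.control == "optional":
            if ok:
                success = True
        else:
            raise ValueError(f"unknown control flag {rule.control!r}")
    if failure is not None:
        return failure
    return PAM_SUCCESS if success else PAM_PERM_DENIED


def listfile_result(target, deny_list):
    """pam_listfile.so with item=user sense=deny: a listed target user gives
    PAM_AUTH_ERR, anyone else PAM_SUCCESS. No password is involved."""
    return PAM_AUTH_ERR if target in deny_list else PAM_SUCCESS


def su_attempt(stack, caller_is_root, target, password_ok, deny_list, trace=None):
    """Canned per-module results for one `su target` by a given caller."""
    results = {
        "pam_rootok.so": PAM_SUCCESS if caller_is_root else PAM_AUTH_ERR,
        "pam_listfile.so": listfile_result(target, deny_list),
        "pam_unix.so": PAM_SUCCESS if password_ok else PAM_AUTH_ERR,
    }
    return dispatch(stack, results, trace)


# Constructed sample: a service account that must not be reachable via su,
# even by someone who knows its password.
DENY_LIST = frozenset({"appsvc"})

# The arrangement described in the thread: root skips everything, the
# listfile gate sits before the password check.
SU_STACK = [
    Rule("sufficient", "pam_rootok.so"),
    Rule("required", "pam_listfile.so"),
    Rule("required", "pam_unix.so"),
]

# Same gate as requisite: denial happens before pam_unix ever prompts.
SU_STACK_REQUISITE = [
    Rule("sufficient", "pam_rootok.so"),
    Rule("requisite", "pam_listfile.so"),
    Rule("required", "pam_unix.so"),
]

# Footgun: a gate module marked sufficient returns PAM_SUCCESS for any
# unlisted user, which ends the stack before pam_unix checks a password.
SU_STACK_MISCONFIGURED = [
    Rule("sufficient", "pam_rootok.so"),
    Rule("sufficient", "pam_listfile.so"),
    Rule("required", "pam_unix.so"),
]

if __name__ == "__main__":
    for name, stack in (("required", SU_STACK), ("requisite", SU_STACK_REQUISITE),
                        ("misconfigured", SU_STACK_MISCONFIGURED)):
        seen = []
        rc = su_attempt(stack, False, "appsvc", True, DENY_LIST, seen)
        print(f"{name}: operator -> appsvc, correct password: rc={rc} via {seen}")
        rc = su_attempt(stack, False, "alice", False, DENY_LIST)
        print(f"{name}: operator -> alice, wrong password: rc={rc}")
```

With the gate marked `required`, a PAM_AUTH_ERR from its pam_sm_authenticate() is recorded and returned to su even though pam_unix later accepted the password; marking it `requisite` returns the same code without consulting pam_unix at all, so the caller is never prompted. The misconfigured stack shows why a gate module's "not listed" result should never be treated as sufficient: it becomes a password bypass for every other account.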