Move the auth required pam_deny.so line down to the last line of the auth section.
On 2018-05-02 17:07, Ng Keng Lim wrote:
Hi List,

We currently have the following config in /etc/pam.d/system-auth on a RHEL 6.3 staging server:

    #%PAM-1.0
    # This file is auto-generated.
    # User changes will be destroyed the next time authconfig is run.
    auth required pam_env.so
    #auth sufficient pam_fprintd.so
    #auth sufficient pam_unix.so nullok try_first_pass
    #auth requisite pam_succeed_if.so uid >= 500 quiet
    #auth required pam_deny.so
    auth required pam_faillock.so preauth audit silent deny=5
    auth [success=1 default=bad] pam_unix.so
    auth [default=die] pam_faillock.so authfail audit deny=5
    auth sufficient pam_faillock.so authsucc audit deny=5
    account required pam_unix.so
    account sufficient pam_localuser.so
    account sufficient pam_succeed_if.so uid < 500 quiet
    account required pam_permit.so

After testing in our staging server, the "su - root" and "sudo su - root" commands are not working if "auth required pam_deny.so" is enabled in /etc/pam.d/system-auth.

Would like to check if there are any areas that might be misconfigured.

Thanks.

Regards,
Keng Lim

_______________________________________________
Pam-list mailing list
Pam-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/pam-list
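Added example, not part of the thread: a small Python model of how PAM control flags combine, run over the auth lines from the posted file with pam_deny.so enabled in its original position and then moved to the end of the auth section. It assumes the account is not locked, that pam_deny.so and the pam_faillock.so authfail call never return success, and that a success=N jump leaves the stack state unchanged; `authenticate`, `parse`, `deny_early` and `deny_last` are names made up for this sketch.

```python
# Simplified model of PAM control flags; module return values are assumed.
SHORTHAND = {
    "required":   {"success": "ok",   "default": "bad"},
    "requisite":  {"success": "ok",   "default": "die"},
    "sufficient": {"success": "done", "default": "ignore"},
    "optional":   {"success": "ok",   "default": "ignore"},
}
AUTH = [  # active auth lines from the posted system-auth
    "auth required pam_env.so",
    "auth required pam_faillock.so preauth audit silent deny=5",
    "auth [success=1 default=bad] pam_unix.so",
    "auth [default=die] pam_faillock.so authfail audit deny=5",
    "auth sufficient pam_faillock.so authsucc audit deny=5",
]
DENY = "auth required pam_deny.so"
deny_early = AUTH[:1] + [DENY] + AUTH[1:]  # enabled where the post has it
deny_last = AUTH + [DENY]                  # moved to the end of the auth section

def parse(line):
    """Return (actions, [module, *args]) for one 'auth' line."""
    rest = line.split(None, 1)[1]
    if rest.startswith("["):
        ctl, rest = rest[1:].split("]", 1)
        return dict(kv.split("=") for kv in ctl.split()), rest.split()
    ctl, rest = rest.split(None, 1)
    return SHORTHAND[ctl], rest.split()

def authenticate(stack, password_ok):
    """Walk the stack; True means access granted."""
    state, skip = None, 0  # state: None undecided, True granted, False failed
    for line in stack:
        if skip:
            skip -= 1
            continue
        actions, (module, *args) = parse(line)
        # Assumed: pam_deny and faillock authfail never return success.
        failed = module == "pam_deny.so" or "authfail" in args
        failed = failed or (module == "pam_unix.so" and not password_ok)
        action = actions.get("fail" if failed else "success", actions["default"])
        if action.isdigit():
            skip = int(action)  # success=N jumps over the next N modules
        elif action in ("ok", "done"):
            state = True if state is None else state
            if action == "done" and state:
                return True  # sufficient, with no earlier failure
        elif action in ("bad", "die"):
            state = False
            if action == "die":
                return False
    return bool(state)
```

With pam_deny.so early, the `required` failure is recorded before pam_unix.so runs, so the later `sufficient` line can no longer grant access; at the end of the section it is only reached when no earlier line has decided the outcome.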