This is a discussion on PAM help needed (need su access over ssh connection) within the Linux Security forums, part of the System Security and Security Related category.

Hi:

I installed RedHat Fedora FC2 last night. Pretty slick, except I'm at a standstill regarding security settings. The computer is in my basement and I access it almost exclusively over ssh.

I cannot use the su command over a secure shell session. The same account can use su at the local console. I'm looking for the easiest way to open this up, and I believe PAM is handling all of the authentication on this system. I'm currently reading about PAM, but I'm absolutely lost and need to open this up immediately.

Any help regarding more lenient rules for my PAM setup wrt su would help. I have no idea if the /etc/pam.d/su or /etc/pam.d/sshd (or another file) is controlling the behaviour of su over remote connections.

Thanks in advance.

If anyone could help me out with where to start looking. I'm not even sure if it's pam, or security settings or what is controlling this behaviour (nothing can be run as root, but only from any remote source be it vnc, ssh, etc.). root is easily accessed from all of these sources at the console. Thanks.

pawn wrote:
> Hi:
>
> I installed RedHat Fedora FC2 last night. Pretty slick, except I'm at a standstill regarding security settings. The computer is in my basement and I access it almost exclusively over ssh.
>
> I cannot use the su command over a secure shell session. The same account can use su at the local console. I'm looking for the easiest way to open this up, and I believe PAM is handling all of the authentication on this system. I'm currently reading about PAM, but I'm absolutely lost and need to open this up immediately.
>
> Any help regarding more lenient rules for my PAM setup wrt su would help. I have no idea if the /etc/pam.d/su or /etc/pam.d/sshd (or another file) is controlling the behaviour of su over remote connections.
>
> Thanks in advance.

In article <%bQqd.14113$hp3.2058493@read2.cgocable.net>, pawn <pawn@porterhouse.com> wrote:
> I cannot use the su command over a secure shell session. The same account can use su at the local console. I'm looking for the easiest way to open this up, and I believe PAM is handling all of the authentication on this system. I'm currently reading about PAM, but I'm absolutely lost and need to open this up immediately.

I'm a PAM beginner too, but if you look in /etc/pam.d, you should see files specifying the setup for each PAM-savvy application. Thus, /etc/pam.d/su should contain the settings for su. There might be something in there that checks the terminal type, that you can disable.

Lawrence D'Oliveiro wrote:
> In article <%bQqd.14113$hp3.2058493@read2.cgocable.net>,
>
> I'm a PAM beginner too, but if you look in /etc/pam.d, you should see files specifying the setup for each PAM-savvy application. Thus, /etc/pam.d/su should contain the settings for su. There might be something in there that checks the terminal type, that you can disable.

Thanks for the response. Yeah, I got that far yesterday. I've tried playing around quite a bit with the settings in /etc/pam.d, like changing the su arguments to what I believe should be stock unix style authorization (using the pam_unix.so module) but no luck.

But I *can* get access by deleting the su file and changing the "other" file to permit everything. I.e., as in, too much access ;^)

That's no good, but at least I can open it long enough to walk upstairs and log in and get su from a secure shell then close up the su and other files again. But now I'm pretty confident it's a PAM thing. I'll worry about it later, since I need to configure a lot of stuff before worrying about root access (I'll leave it paranoid for now).

The call is still out there for anyone who can offer a simple way to allow gaining su from remote sources in Redhat Fedora FC2.

Thanks.

pawn wrote:
> Lawrence D'Oliveiro wrote:
>
>> In article <%bQqd.14113$hp3.2058493@read2.cgocable.net>,
>>
>> I'm a PAM beginner too, but if you look in /etc/pam.d, you should see files specifying the setup for each PAM-savvy application. Thus, /etc/pam.d/su should contain the settings for su. There might be something in there that checks the terminal type, that you can disable.
>
> Thanks for the response. Yeah, I got that far yesterday. I've tried playing around quite a bit with the settings in /etc/pam.d, like changing the su arguments to what I believe should be stock unix style authorization (using the pam_unix.so module) but no luck.
>
> But I *can* get access by deleting the su file and changing the "other" file to permit everything. I.e., as in, too much access ;^)
>
> That's no good, but at least I can open it long enough to walk upstairs and log in and get su from a secure shell then close up the su and other files again. But now I'm pretty confident it's a PAM thing. I'll worry about it later, since I need to configure a lot of stuff before worrying about root access (I'll leave it paranoid for now).
>
> The call is still out there for anyone who can offer a simple way to allow gaining su from remote sources in Redhat Fedora FC2.
>
> Thanks.

I tried telnet and ssh and can su and "su -" from regular user to root when connected from a FC1 to a FC2 box. I can ssh in as root. I cannot telnet in as root. I do not know if pam is configured. The FC2 is "out of the box", with no customization. Here is the pam.d/su file.

===================begin pam.d/su==============================
#%PAM-1.0
auth       sufficient   /lib/security/$ISA/pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth       sufficient   /lib/security/$ISA/pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
#auth       required     /lib/security/$ISA/pam_wheel.so use_uid
auth       required     /lib/security/$ISA/pam_stack.so service=system-auth
account    required     /lib/security/$ISA/pam_stack.so service=system-auth
password   required     /lib/security/$ISA/pam_stack.so service=system-auth
session    required     /lib/security/$ISA/pam_stack.so service=system-auth
session    optional     /lib/security/$ISA/pam_selinux.so multiple
session    optional     /lib/security/$ISA/pam_xauth.so
===================end pam.d/su==============================

line 2 looks most promising. Hope this helps.
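An added example, not code from the thread or from Fedora: a small audit of pam.d-style files that reports whether a pam.d/su like the one posted above restricts su to the "wheel" group (the two commented-out pam_wheel lines), and whether a pam.d/other file is a default-deny fallback rather than the permit-everything version described earlier in the thread. The su sample is constructed from the posted listing; the two "other" files are hypothetical.

```python
# Added example, not from the thread: audit pam.d files for the su restrictions
# discussed above. FC2_SU is constructed from the posted listing; the "other"
# variants are hypothetical.
from typing import List, Tuple

PamEntry = Tuple[str, str, str, List[str]]   # (type, control, module, args)

FC2_SU = """\
#%PAM-1.0
auth sufficient /lib/security/$ISA/pam_rootok.so
#auth sufficient /lib/security/$ISA/pam_wheel.so trust use_uid
#auth required /lib/security/$ISA/pam_wheel.so use_uid
auth required /lib/security/$ISA/pam_stack.so service=system-auth
account required /lib/security/$ISA/pam_stack.so service=system-auth
"""
# Same file with the "require a user to be in wheel" line uncommented
HARDENED_SU = FC2_SU.replace("#auth required", "auth required")
# Two hypothetical /etc/pam.d/other files: wide open versus default deny
OPEN_OTHER = "auth sufficient pam_permit.so\naccount sufficient pam_permit.so\n"
DENY_OTHER = "".join(f"{t} required pam_deny.so\n"
                     for t in ("auth", "account", "password", "session"))

def parse_pam(text: str) -> List[PamEntry]:
    """Return the active entries of a pam.d file; comments and blanks are dropped."""
    entries: List[PamEntry] = []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) < 3:          # blank, comment, or malformed line
            continue
        # Old Fedora files spell out /lib/security/$ISA/; keep only the module name
        mtype, control, module = parts[0], parts[1], parts[2].rsplit("/", 1)[-1]
        entries.append((mtype, control, module, parts[3:]))
    return entries

def su_wheel_policy(text: str) -> str:
    """'required': non-wheel users are refused; 'trust': wheel members skip the
    password; 'none': wheel plays no role (only root is short-circuited by pam_rootok)."""
    for mtype, control, module, args in parse_pam(text):
        if mtype == "auth" and module == "pam_wheel.so":
            if control == "sufficient" and "trust" in args:
                return "trust"
            if control in ("required", "requisite"):
                return "required"
    return "none"

def other_is_default_deny(text: str) -> bool:
    """True when every management group in /etc/pam.d/other ends in pam_deny."""
    denied = {t for t, _c, module, _a in parse_pam(text) if module == "pam_deny.so"}
    return {"auth", "account", "password", "session"} <= denied
```

Run against a real /etc/pam.d/su and /etc/pam.d/other, a result of "none" plus a non-denying other file is the state the thread's workaround leaves the box in.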