{ 13 comments… read them below or add one }

1 ashwani June 10, 2009 at 10:11 pm

What a good idea sir ji... Thanks ;-)

Reply

2 yash August 11, 2010 at 3:28 am

This doesn’t work. I followed both steps... but still all users can log in successfully! >.<

Reply

3 scott rineer March 30, 2011 at 4:24 pm

I second this, it does not work.
Running on RHEL 5.6 x64.

Reply

4 Denis April 12, 2011 at 3:28 pm

Doesn’t work, running CentOS 5.5.

Reply

5 popfobia May 5, 2011 at 12:07 pm

I need some users to be able to do “su -” to other users but not to root. How can I do that?

Reply

6 Remy May 6, 2011 at 12:42 am

Hi,
Make sure the ‘openssh-askpass’ package is installed and ‘UsePAM yes’ is set in /etc/ssh/sshd_config.

Reply

7 popfobia May 16, 2011 at 7:47 pm

The problem is: I want to log in via ssh as the user pedro, and then as pedro be able to do “su -” to another user, for example apache.

Reply

8 Remy May 18, 2011 at 8:04 pm

Check for “Restricting su Access to System and Shared Accounts in” http://www.puschitz.com/SecuringLinux.shtml

Reply

9 popfobia May 18, 2011 at 9:26 pm

Thanks, I’m gonna try.

Reply

10 popfobia May 18, 2011 at 9:44 pm

There is a problem with that: it’s like using the wheel group. I need a normal user to be able to su to another normal user, but not to root.

For example: user1 can su to apache, but user1 cannot su to root.

Reply

11 heegemcgee May 3, 2012 at 9:30 pm

Tested the method above and couldn’t figure out why it wasn’t working for ssh. Looks like /etc/pam.d/sshd doesn’t call system-auth, it calls password-auth. You can either put the line in /etc/pam.d/sshd at the top, or in /etc/pam.d/password-auth at the top. That will keep ssh users out who aren’t in the listfile.

Reply

12 kris January 15, 2013 at 8:27 pm

I was trying to get this to work with kerberized ssh and was having all sorts of trouble, even after I figured out that sshd on RHEL/Fedora uses password-auth instead of system-auth. Then I figured out that when using kerberos for authentication, sshd will skip the auth parts of PAM. To get pam_listfile to work in this case you have to move the rule from the auth section to the session section in password-auth.

Reply

13 Philipp May 28, 2012 at 3:43 pm

Tutorial is great.
But there is one big problem.
You used required instead of requisite.

http://linux.die.net/man/5/pam.d

required
failure of such a PAM will ultimately lead to the PAM-API returning failure but only after the remaining stacked modules (for this service and type) have been invoked.

requisite
like required, however, in the case that such a module returns a failure, control is directly returned to the application.(…)

That’s the problem :)

Reply
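As an added illustration of the two points raised in the comments above (sshd pulling in password-auth rather than system-auth, and `required` versus `requisite`), here is a small Python model of how Linux-PAM walks the auth stack that sshd uses. It is not code from the original tutorial or from any commenter. The /etc/pam.d file contents, the allowed-users list and the user passwords are constructed for the example, and the module behaviours are simplified stand-ins for the real modules, not the modules themselves.

```python
"""
Model of how Linux-PAM walks the "auth" stack that sshd uses, to show:
(a) a pam_listfile rule placed in system-auth never runs for ssh logins when
    /etc/pam.d/sshd pulls in password-auth instead, and
(b) a failing `required` rule still lets the rest of the stack run, whereas
    `requisite` hands control straight back to sshd.
All file contents, users and passwords below are constructed for the example.
"""
from dataclasses import dataclass

LISTFILE = "pam_listfile.so onerr=fail item=user sense=allow file=/etc/ssh/allowed_users"

# Constructed copy of an ordinary RHEL/CentOS-style auth stack (no listfile rule).
COMMON_AUTH = """\
auth    required    pam_env.so
auth    sufficient  pam_unix.so nullok try_first_pass
auth    requisite   pam_succeed_if.so uid >= 500 quiet
auth    required    pam_deny.so
"""

# Constructed stand-ins for /etc/ssh/allowed_users and for the password check
# pam_unix would perform against /etc/shadow.
ALLOWED_USERS = {"alice", "bob"}
KNOWN_PASSWORDS = {"alice": "s3cret", "mallory": "hunter2"}


@dataclass
class Rule:
    facility: str
    control: str
    module: str   # module file, or the included file name for include/substack
    args: list


def build_files(listfile_in, ctrl):
    """Constructed /etc/pam.d tree with the pam_listfile rule as the first
    line of `listfile_in` ('system-auth' or 'password-auth')."""
    files = {
        "sshd": "auth    substack    password-auth\nauth    include     postlogin\n",
        "postlogin": "",
        "system-auth": COMMON_AUTH,
        "password-auth": COMMON_AUTH,
    }
    files[listfile_in] = f"auth    {ctrl}    {LISTFILE}\n" + files[listfile_in]
    return files


def parse_stack(text):
    """Parse 'facility control module [args...]' lines, ignoring comments."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 3:
            raise ValueError(f"malformed PAM line: {line!r}")
        rules.append(Rule(parts[0], parts[1], parts[2], parts[3:]))
    return rules


def resolve(files, name):
    """Flatten include/substack into one ordered rule list (substack differs
    from include only for the 'done'/'die' actions, which are not used here)."""
    rules = []
    for r in parse_stack(files[name]):
        if r.control in ("include", "substack"):
            rules.extend(resolve(files, r.module))
        else:
            rules.append(r)
    return rules


def run_module(rule, user, password):
    """Minimal stand-in for each module's auth result (True = PAM_SUCCESS)."""
    if rule.module == "pam_listfile.so":
        opts = dict(a.split("=", 1) for a in rule.args)
        listed = user in ALLOWED_USERS
        return listed if opts.get("sense") == "allow" else not listed
    if rule.module == "pam_env.so":
        return True
    if rule.module == "pam_unix.so":
        return KNOWN_PASSWORDS.get(user) == password
    if rule.module == "pam_succeed_if.so":
        return True          # every constructed user counts as uid >= 500
    if rule.module == "pam_deny.so":
        return False
    raise ValueError(f"module not modelled: {rule.module}")


def evaluate_auth(rules, user, password):
    """Walk the stack with the simple control flags described in pam.d(5).
    Returns (final_result, list_of_modules_that_were_invoked)."""
    invoked, failed = [], False
    for rule in rules:
        if rule.facility != "auth":
            continue
        ok = run_module(rule, user, password)
        invoked.append(rule.module)
        if rule.control == "requisite" and not ok:
            return False, invoked        # control goes straight back to sshd
        if rule.control == "required" and not ok:
            failed = True                # remembered; later modules still run
        if rule.control == "sufficient" and ok and not failed:
            return True, invoked         # success ends the stack early
    return (not failed), invoked


def sshd_login(listfile_in, ctrl, user, password):
    """Outcome of an ssh password login for the given rule placement and control."""
    return evaluate_auth(resolve(build_files(listfile_in, ctrl), "sshd"), user, password)


if __name__ == "__main__":
    for placement, ctrl in [("system-auth", "required"),
                            ("password-auth", "required"),
                            ("password-auth", "requisite")]:
        result, ran = sshd_login(placement, ctrl, "mallory", "hunter2")
        print(f"{placement:14s} {ctrl:9s} mallory -> {'allowed' if result else 'denied'} after {ran}")
```

Running it shows mallory (not in the allow-list, but with a valid password) getting in when the rule sits in system-auth, being refused only after every other auth module has run when the rule is `required` in password-auth, and being refused by the very first module when it is `requisite`. The practical check on a real host is to read /etc/pam.d/sshd and follow its include/substack lines to see which file is actually consulted before editing it.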
