Hi,

OK, so to confirm this can't be done in a centralised way via IPA?

In which case when setting a HBAC with sshd only why can't I su - oracle but I can su - root?

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

________________________________________
From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Erinn Looney-Triggs [erinn.looneytri...@gmail.com]
Sent: Tuesday, 17 July 2012 9:38 a.m.
To: email@example.com
Subject: Re: [Freeipa-users] stopping su -

On 07/16/2012 01:32 PM, Steven Jones wrote:
> I have created a sshd rule only for the HBAC, but I find a std user can
> su - to root, is this correct behavior?
>
> How do I? or can I? stop this unless explicitly allowed?
>
> regards
>
> Steven Jones
>
> Technical Specialist - Linux RHCE
>
> Victoria University, Wellington, NZ
>
> 0064 4 463 6272
>
>
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipafirstname.lastname@example.org
> https://www.redhat.com/mailman/listinfo/freeipa-users
>

You need to control this via PAM. So for me I restrict su to only be allowed for members of the wheel group, from /etc/pam.d/su:

    auth required pam_wheel.so use_uid

There are comments in the file that will get you where you want to go.

-Erinn
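An added example, not part of the original thread: a small audit that reports whether a PAM su stack carries the active `auth required pam_wheel.so use_uid` line quoted in the reply above. The function names, verdict words and sample stacks are constructed for illustration, and the check assumes the simple "type control module args" line form.

```shell
#!/bin/sh
# check_su_wheel FILE
#   prints "restricted"   and returns 0 if an uncommented
#          "auth required pam_wheel.so ... use_uid" line exists,
#   prints "other-form"   and returns 1 if pam_wheel is active in another form,
#   prints "unrestricted" and returns 1 if no active pam_wheel auth line exists.
check_su_wheel() {
    awk '
        $1 ~ /^#/ || NF < 3 { next }          # comments, blank and short lines
        $1 == "auth" && ($3 == "pam_wheel.so" || $3 ~ /\/pam_wheel\.so$/) {
            seen = 1
            for (i = 4; i <= NF; i++)
                if ($2 == "required" && $i == "use_uid") hit = 1
        }
        END {
            if (hit)  { print "restricted"; exit 0 }
            if (seen) { print "other-form"; exit 1 }
            print "unrestricted"; exit 1
        }
    ' "$1"
}

# Constructed sample stacks (not copied from a real host).
write_samples() {
    cat > "$1/su.stock" <<'EOF'
auth        sufficient  pam_rootok.so
#auth       required    pam_wheel.so use_uid
auth        include     system-auth
EOF
    cat > "$1/su.wheel" <<'EOF'
auth        sufficient  pam_rootok.so
auth        required    pam_wheel.so use_uid
auth        include     system-auth
EOF
    cat > "$1/su.trust" <<'EOF'
auth        sufficient  pam_rootok.so
auth        sufficient  pam_wheel.so trust use_uid
auth        include     system-auth
EOF
}

tmp=$(mktemp -d)
write_samples "$tmp"
for f in "$tmp"/su.*; do
    printf '%s: %s\n' "${f##*/}" "$(check_su_wheel "$f")"
done
rm -rf "$tmp"
```

To audit a host, call check_su_wheel /etc/pam.d/su; the non-zero return makes it usable in a configuration-compliance script.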