Hi, I'm using just smartcards for the auth process. And I'm trying to su to root, yes. It worked great, but when the patch was applied, things didn't work out.
Does it work for you?

Attrib Details for user root cert:
-rw-r--r-- 1 root root 272 Oct 27 17:26 user.cert

Attrib Details for user kevin cert:
-rw-r--r-- 1 kevin users 272 Oct 27 17:27 user.cert

My pam.d/su file:

#%PAM-1.0
auth sufficient /lib/security/pam_rootok.so
# If you want to restrict users being allowed to su even more,
# create /etc/security/suauth.allow (or to that matter) that is only
# writable by root, and add users that are allowed to su to that
# file, one per line.
#auth required /lib/security/pam_listfile.so item=ruser sense=allow onerr=fail file=/etc/security/suauth.allow
# Uncomment this to allow users in the wheel group to su without
# entering a passwd.
#auth sufficient /lib/security/pam_wheel.so use_uid trust
# Alternatively to above, you can implement a list of users that do
# not need to supply a passwd with a list.
#auth sufficient /lib/security/pam_listfile.so item=ruser sense=allow onerr=fail file=/etc/security/suauth.nopass
# Comment this to allow any user, even those not in the 'wheel'
# group to su
auth required /lib/security/pam_wheel.so use_uid
auth required /lib/security/pam_musclecard.so service=system-auth
#auth required /lib/security/pam_stack.so service=system-auth
account required /lib/security/pam_stack.so service=system-auth
password required /lib/security/pam_stack.so service=system-auth
session required /lib/security/pam_stack.so service=system-auth
session optional /lib/security/pam_xauth.so

Thanks, keep up the good work!

Kevin
Gentoo Linux

>
>> I applied the patch .. it fu**ed it all up when I made a new install
>> with patch applied.
>> Now it says su- Auth Failed Sorry! even when the card is inserted!
>
> Hmm.
>
> Are you using passwords and smartcards? Or just smartcards for
> authentication?
> (i.e. what does your /etc/pam.d/su file say?)
> Are you doing "su" to root, or another user?
>
>
> Have you enabled the Debug option in /etc/musclepam/pam-muscle.conf?
>
> Does the system log say anything?
>
> One of the changes I made was to make sure the file containing the user's
> certificate is not group or world writable. If it was, then anyone in
> those groups could change the user's public certificate.
>
>
> So if you try to
> "su george"
>
> then the software looks at the home directory, say it's /home/george and
> does the following checks:
>
> /home/george/.muscle/user.certs
> /home/george/.muscle/
> /home/george/
> /home
> /
>
> if ANY of these files are group or world writable, the authentication
> will fail, and the system log will report the error. Note that what
> George does with his home directory may be different from Kevin's home
> directory. So "su george" might fail, while "su kevin" might work.
>
> _______________________________________________
> Muscle mailing list
> [EMAIL PROTECTED]
> http://lists.drizzle.com/mailman/listinfo/muscle
>
>

Best regards,
Kevin Andre Vatn
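
The path check described in the quoted reply can be reproduced from a shell to see which component would make authentication fail. This is an added example, not part of either message and not pam_musclecard code; the function names and the optional STOP argument are hypothetical, and following symlinks is an assumption about how the module behaves.

```shell
#!/bin/sh
# Added example, not pam_musclecard code. Lists every component between a
# certificate file and / that is group- or world-writable.

# Return 0 if $1 is group- or world-writable, 1 otherwise.
# Assumption: symlinks are followed (-L); the module may treat them differently.
is_gw_writable() {
    mode=$(ls -ldL -- "$1" 2>/dev/null | cut -c1-10)
    case $mode in
        ?????w????|????????w?) return 0 ;;   # column 6 = group w, column 9 = other w
    esac
    return 1
}

# check_chain FILE [STOP]
# Walk from FILE up through each parent directory to / and print every
# writable component, one per line. STOP is a hypothetical extra argument
# that ends the walk early so the check can be tried on a scratch tree.
# Returns 0 if the whole chain is clean, 1 if any component was printed,
# 2 if FILE is not an absolute path.
check_chain() {
    p=$1
    stop=${2:-/}
    bad=0
    case $p in /*) ;; *) return 2 ;; esac
    while :; do
        if is_gw_writable "$p"; then
            printf '%s\n' "$p"
            bad=1
        fi
        if [ "$p" = "$stop" ] || [ "$p" = "/" ]; then
            break
        fi
        p=$(dirname "$p")
    done
    return "$bad"
}

# Example: sh check.sh /home/george/.muscle/user.cert
if [ $# -gt 0 ]; then
    check_chain "$1"
fi
```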
