Bill Beeman wrote:
This is consistent, whether from console, existing command line, or ssh from elsewhere, and works whether logging in as root, or by su from another user. In essence, no root security.
Ok, so it's almost certainly in system-auth then.
For comparison, I have the following system-auth 'auth' section:
auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_ldap.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok use_first_pass
auth required /lib/security/$ISA/pam_deny.so
What does yours look like in its entirety?
If I remove LDAP, I see the following behavior on an otherwise fresh FC1 system:
[bevan@germanium ~]> su
Password: <no password>
su: incorrect password
[bevan@germanium ~]> su
Password: <correct password>
[root@germanium bevan]#
However, comparing /etc/pam.d/system-auth with system-auth.rpmnew, I noticed the line
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
That's normal and generally correct.
in both. Removing "likeauth nullok" seems to solve the problem, but leaves the question of how it got that way. System-auth notes that it will be regenerated and user changes discarded when authconfig is run. I'll play with that a bit, but don't recall running that before. Anyone have any ideas what may have generated this?
Hmm. Could it be that your root user really -has- a null password?
The situation (both null and true password work) could come about from a situation where you're using an external authentication (like LDAP).
Example:
-- /etc/pam.d/system-auth --
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth sufficient /lib/security/$ISA/pam_ldap.so use_first_pass
--
If root has a null password in /etc/shadow, but there's also a 'root' user in LDAP with a real password, the null passwd will succeed for the local user through pam_unix. Using the LDAP password would fail pam_unix but pass pam_ldap. pam_unix should be logging into /var/log/messages during this process... what do you see there when you su with a null password and with a real password?
Also, what does the root entry in /etc/shadow look like (obfuscate if necessary)?
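
An added example, not part of the original message: a small audit of the condition discussed above, where a blank password field in /etc/shadow combined with pam_unix's nullok option lets an account authenticate with no password. The shadow and system-auth contents are constructed samples, and the function names are hypothetical.

```python
# Constructed sample data; not taken from the thread or from any real system.
SAMPLE_SHADOW = """\
root::12345:0:99999:7:::
bevan:$1$constructed$hashvalueplaceholder:12345:0:99999:7:::
daemon:*:12345:0:99999:7:::
ldapuser:!!:12345:0:99999:7:::
"""

SAMPLE_SYSTEM_AUTH = """\
#%PAM-1.0
auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth sufficient /lib/security/$ISA/pam_ldap.so use_first_pass
auth required /lib/security/$ISA/pam_deny.so
"""

def empty_password_accounts(shadow_text):
    """Users whose shadow password field is empty ('*' and '!!' are locked, not empty)."""
    users = []
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 2 and fields[0] and fields[1] == "":
            users.append(fields[0])
    return users

def nullok_auth_lines(pam_text):
    """Auth-stack lines where pam_unix.so is followed by the nullok option."""
    hits = []
    for line in pam_text.splitlines():
        tokens = line.split("#", 1)[0].split()  # drop comments
        if not tokens or tokens[0] != "auth":
            continue
        for i, tok in enumerate(tokens):
            if tok.endswith("pam_unix.so") and "nullok" in tokens[i + 1:]:
                hits.append(line.strip())
    return hits

def audit(shadow_text, pam_text):
    """Accounts that can log in with no password: empty field AND nullok present."""
    return empty_password_accounts(shadow_text) if nullok_auth_lines(pam_text) else []

if __name__ == "__main__":
    print("nullok lines:", nullok_auth_lines(SAMPLE_SYSTEM_AUTH))
    print("accounts admitted with a blank password:", audit(SAMPLE_SHADOW, SAMPLE_SYSTEM_AUTH))
```

On a real host the same functions can be fed the contents of /etc/shadow and /etc/pam.d/system-auth, read as root.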