su: incorrect password

psuresh · 06-04-2006, 11:07 PM

hi ,

Today i have one problem when i change the user account by using 'su - ' command.
If I use "su -" command it will display following message "incorrect password".

Do you have any troubleshooting procedures or fixes for this issue? Any help would be much appreciated. Thanks.

prozac · 06-04-2006, 11:15 PM

'su -' only is for login in as root and you should supply your root password when it asks for one. you can do 'su - someuser' when you are root and login as someuser.

gilead · 06-04-2006, 11:17 PM

Do you mean that you put in a password and it errors? The password required with su is the one belonging to the account that you are switching to. sudo is the one that uses your account's password.

Or did you mean that you don't get the chance to enter a password?

psuresh · 06-05-2006, 06:14 AM

Yes i don't get the chance to enter the password.

gilead · 06-05-2006, 02:35 PM

What distribution are you using? At the moment, it sounds like a redhat based distro and there might be a problem with PAM.

psuresh · 06-06-2006, 09:23 AM

I am using redhat 8

gilead · 06-06-2006, 02:21 PM

It could be that PAM needs to be re-configured. I don't use PAM - I'd suggest asking one of the mods if they can move this thread to the Redhat forum so that other PAM users can help.

tcegrid · 04-19-2007, 06:48 AM

Dear All,
I am using RHEL-4 and just now I upgraded my system. When I enter a command su - username. It shows incorrect password. when I create a new user now also I could not swith to that user account. I searched all the solution for this issue in the net.It does not work. Kindly give me your suggestion.
Regards,
Thamizh

fur · 04-19-2007, 09:55 PM

Can you post this file..

/etc/pam.d/su

Have you done any recent software updates?

tcegrid · 04-20-2007, 01:32 AM

Quote:

Originally Posted by fur

Can you post this file..

/etc/pam.d/su

Have you done any recent software updates?

yes. I updated.

tcegrid · 04-20-2007, 01:39 AM

Yes. I updated my system. After that only I have faced this problem.
here is my /etc/pam.d/su file

#%PAM-1.0
auth sufficient /lib/security/$ISA/pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth sufficient /lib/security/$ISA/pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
#auth required /lib/security/$ISA/pam_wheel.so use_uid
auth required /lib/security/$ISA/pam_stack.so service=system-auth
account required /lib/security/$ISA/pam_stack.so service=system-auth
password required /lib/security/$ISA/pam_stack.so service=system-auth
# pam_selinux.so close must be first session rule
session required /lib/security/$ISA/pam_selinux.so close
session required /lib/security/$ISA/pam_stack.so service=system-auth
# pam_selinux.so open and pam_xauth must be last two session rules
session required /lib/security/$ISA/pam_selinux.so open multiple
session optional /lib/security/$ISA/pam_xauth.so

Regards,
Thamizh P

ljs662_removed · 04-20-2007, 02:48 AM

Hi everyone :-)

Just to clear up what su does...
If you are user other than root, you can use su to become root, if you know the root password.
If you are already root, then you can type su [user] and you will become that user, some of the previous posts seem to not quite understand the use of su, but as far as the PAM issue with Redhat goes, I have absolutely no idea, I have no experience with RedHat sorry!

nics · 04-20-2007, 06:39 AM

here is the solution to ur problem
sign in as root
and then set the sticky bit of /etc/shadow and /usr/bin/passwd
if it still not work set sticky bit to /etc/passwd file..
command is
# chmod 1700 /usr/bin/passwd
# chmod 1700 /etc/shadow
# chmod 1700 /etc/passwd

then again sign in as normal user in another terminal and try to switch user..

win32sux · 04-20-2007, 11:21 AM

Quote:

Originally Posted by nics

here is the solution to ur problem
sign in as root
and then set the sticky bit of /etc/shadow and /usr/bin/passwd
if it still not work set sticky bit to /etc/passwd file..
command is
# chmod 1700 /usr/bin/passwd
# chmod 1700 /etc/shadow
# chmod 1700 /etc/passwd

then again sign in as normal user in another terminal and try to switch user..

huh?? wait, what problem are you referring to?? cuz /etc/shadow and /etc/passwd don't need any special permissions... on most distros 644 will suffice for /etc/passwd (root:root) and 640 will suffice for /etc/shadow (root:shadow)... why would you want to give them a sticky bit and make them executable??

plus if one were to give /usr/bin/passwd the perms you are suggesting then nobody would be able to use it except root... what you want is to SUID it and let users execute it, like:

Code:

chown root:root /usr/bin/passwd

chmod 4755 /usr/bin/passwd

fur · 04-20-2007, 09:49 PM

Now do this at your own risk, and understand this is just a guess.

Make a backup copy of that "su" pam file just in case you need to restore it.

Code:

session    required     /lib/security/$ISA/pam_selinux.so open multiple

I believe this is the line that is messing su up.

Changing "required" to "optional" may work, but again thats a guess.

However I think what that line does is denies access to su unless the pam su file is configured with a certain allow rule. Like the rootmembers-access or wheel group based su.

So you could also try to change

Code:

# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth sufficient /lib/security/$ISA/pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
#auth required /lib/security/$ISA/pam_wheel.so use_uid

to

Code:

# Uncomment the following line to implicitly trust users in the "wheel" group.
auth sufficient /lib/security/$ISA/pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
auth required /lib/security/$ISA/pam_wheel.so use_uid

Then add the user you are trying to su as to the wheel group.

Manually edit /etc/group

wheel:*:0:root,username