Environment
Novell Open Enterprise Server 2 (OES 2) Linux
SUSE Linux
Situation
Non-root users are able to use rlogin and rsh to another server as another user without being prompted for a password.
/etc/pam.d/rlogin
auth sufficient pam_securetty.so
auth sufficient pam_rhosts_auth.so
auth include common-auth
auth required pam_mail.so
Resolution
Setting pam_securetty.so to sufficient in the auth section of the rsh or rlogin file allows authentication to succeed as soon as the module returns PAM_SUCCESS.
Since the module is used to allow root logins only if the user is logging in on a "secure" tty, the module will return a PAM_SUCCESS for non-root users.
DO NOT set pam_securetty.so to sufficient unless the desired result is for a non-root user to be able to log in as any non-root user without being prompted for a password.
Per the man pages of pam_securetty:
For canonical usage, should be listed as a required authentication method before any sufficient authentication methods.
Default for SLES 10
/etc/pam.d/rlogin
auth required pam_securetty.so
auth required pam_nologin.so
auth sufficient pam_rhosts_auth.so
auth include common-auth
auth required pam_mail.so
account include common-account
password include common-password
session include common-session
Default for SLES 11
auth requisite pam_nologin.so
auth [user_unknown=ignore success=ok ignore=ignore auth_err=die default=bad] pam_securetty.so
auth sufficient pam_rhosts.so
auth include common-auth
auth required pam_mail.so
account include common-account
password include common-password
session required pam_loginuid.so
session include common-session
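To check a PAM service file for the misconfiguration described in the Resolution, the following added example (not part of the original Novell article) audits the auth stack for pam_securetty.so used as sufficient, or listed after a sufficient module. The function names audit_securetty and grants_on_success are hypothetical, and the sample stacks are constructed from the configurations shown in this article.

```python
import re

# Constructed samples: the stack from the Situation section and the SLES 11 default.
BAD = """\
auth sufficient pam_securetty.so
auth sufficient pam_rhosts_auth.so
auth include common-auth
auth required pam_mail.so
"""
GOOD = """\
auth requisite pam_nologin.so
auth [user_unknown=ignore success=ok ignore=ignore auth_err=die default=bad] \\
 pam_securetty.so
auth sufficient pam_rhosts.so
auth include common-auth
"""

# type, control (keyword or [value=action ...]), module
LINE = re.compile(r"^\s*(-?\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)")

def grants_on_success(control):
    """True if PAM_SUCCESS from this module ends the stack successfully."""
    if control.startswith("["):
        pairs = dict(p.split("=", 1) for p in control[1:-1].split() if "=" in p)
        return pairs.get("success") == "done"
    return control == "sufficient"

def audit_securetty(text):
    """Return (issue, line) findings for pam_securetty.so in the auth stack."""
    findings, seen_sufficient = [], False
    for raw in text.replace("\\\n", " ").splitlines():  # join continuations
        line = raw.split("#", 1)[0].strip()              # drop comments
        m = LINE.match(line)
        if not m or m.group(1).lstrip("-") != "auth":
            continue
        control, module = m.group(2), m.group(3).rsplit("/", 1)[-1]
        if module == "pam_securetty.so":
            if grants_on_success(control):
                findings.append(("sufficient", line))  # non-root skips password
            elif seen_sufficient:
                findings.append(("order", line))       # not before sufficient modules
        elif grants_on_success(control):
            seen_sufficient = True
    return findings

if __name__ == "__main__":
    for name, cfg in (("BAD", BAD), ("GOOD", GOOD)):
        print(name, audit_securetty(cfg))
```

To audit a live system, pass the contents of /etc/pam.d/rlogin or /etc/pam.d/rsh to audit_securetty; an empty list means neither condition was found.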