su between regular user accounts fails with “su: incorrect password”

user1 wants to su to user2 (both are non-root). When user1 runs su - user2, he’s prompted for user2’s password as expected, but the password is never accepted.

user1@host $  su - user2   (switch from user1 to user2)
su: incorrect password
user1@host $

user2 is a valid, unlocked account with a real shell specified in /etc/passwd. You can SSH as user2 to the box (ssh user2@host). Also, in my testing user1 and user2 have the same password, so it’s not a matter of a password mismatch (supplying user2’s password when user1’s is expected, or vice versa).

Oddly, pam_tally2 increments user2’s failed login but nothing is logged to /var/log/secure. For that matter, nothing is logged to anything else in /var/log, either.

I can work around this by adding this line to sudoers:
user1 ALL=(ALL) /bin/su

… and running the command with sudo:
user1@host $ sudo su - user2

However, I’d like to find out why I can’t just run su.

This is a RHEL5 box that has STIGs applied automatically with Aqueduct, so I’m not sure what would have been changed in /etc/pam.d.

Solution :

Not having your /etc/pam.d/su I can only guess that:

  • probably su is restricted to the wheel group using auth required
  • the pam stack is misconfigured

For a hint on how to use pam_tally2 in RHEL5, check here.
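Added example, not part of the original question or answer: the POSIX shell script below audits an /etc/pam.d/su stack for the first cause the answer guesses at (an uncommented "auth required pam_wheel.so" line that gates su on membership in wheel, or in the group named by group=) and lists the auth-phase modules in stack order, which is where pam_tally2 sits. The PAM file, the /etc/group text, the "admin" user and the deny=3 setting are all constructed to resemble a STIG-hardened RHEL 5 box; they are assumptions, not the poster's files.

```shell
#!/bin/sh
# Added example (not from the original post): audit an /etc/pam.d/su stack for
# a pam_wheel group restriction. The PAM file and /etc/group contents below are
# constructed to look like a STIG-hardened RHEL 5 box; they are assumptions,
# not the poster's real files. On a real host pass "$(cat /etc/pam.d/su)" and
# "$(cat /etc/group)" instead.

SAMPLE_PAM_SU='#%PAM-1.0
auth            sufficient      pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth           sufficient      pam_wheel.so trust use_uid
auth            required        pam_wheel.so use_uid
auth            required        pam_tally2.so deny=3 onerr=fail
auth            include         system-auth
account         sufficient      pam_succeed_if.so uid = 0 use_uid quiet
account         include         system-auth
password        include         system-auth
session         include         system-auth
'

SAMPLE_GROUP='root:x:0:
wheel:x:10:admin
user1:x:500:
user2:x:501:
'

# Print the group that an uncommented "auth required|requisite pam_wheel.so"
# line restricts su to ("wheel" unless group=NAME is given). A line carrying
# "trust" only lets group members through without a password and blocks
# nobody, so it is skipped. Exit 1 when su is not gated on group membership.
pam_wheel_group() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*#/ { next }
        $1 == "auth" && ($2 == "required" || $2 == "requisite") && $3 == "pam_wheel.so" {
            grp = "wheel"; trust = 0
            for (i = 4; i <= NF; i++) {
                if ($i == "trust") trust = 1
                if ($i ~ /^group=/) grp = substr($i, 7)
            }
            if (!trust) { print grp; found = 1; exit }
        }
        END { exit found ? 0 : 1 }'
}

# Exit 0 if USER is a supplementary member of GROUP in the given /etc/group
# text. Primary-group membership (the GID in /etc/passwd) is not checked here.
user_in_group() {
    printf '%s\n' "$1" | awk -F: -v u="$2" -v g="$3" '
        $1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) ok = 1 }
        END { exit ok ? 0 : 1 }'
}

# Print the auth-phase modules in stack order, space separated. A failing
# "required" module does not stop the stack, so every module listed after
# pam_wheel.so (here pam_tally2.so) still runs on a denied attempt.
auth_modules() {
    printf '%s\n' "$1" | awk '!/^[[:space:]]*#/ && $1 == "auth" { print $3 }' \
        | tr '\n' ' ' | sed 's/ $//'
}

# One-line verdict for "can USER get past pam_wheel under this stack?"
su_verdict() {
    pamtxt="$1"; grouptxt="$2"; user="$3"
    grp=$(pam_wheel_group "$pamtxt") || { echo "not gated by pam_wheel"; return 0; }
    if user_in_group "$grouptxt" "$user" "$grp"; then
        echo "member of $grp: pam_wheel passes"
    else
        echo "not in $grp: pam_wheel denies (su reports 'incorrect password')"
    fi
}

su_verdict "$SAMPLE_PAM_SU" "$SAMPLE_GROUP" user1
su_verdict "$SAMPLE_PAM_SU" "$SAMPLE_GROUP" admin
echo "auth stack: $(auth_modules "$SAMPLE_PAM_SU")"
```

Two points the script makes visible: the su shipped with coreutils prints "incorrect password" for any PAM authentication failure, not only a wrong password, so a pam_wheel denial looks exactly like the symptom in the question; and because the modules are stacked as "required", a denial by pam_wheel.so does not short-circuit the auth phase, so a pam_tally2.so entry placed after it still records a failed attempt for the target account, which matches the tally incrementing without any password actually being checked.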