Mailing Lists: Apple Mailing Lists


Re: Problems 'su'ing into the root user




On 22 Aug 2006, at 3:49am, Nate Rudd wrote:

> I can no longer 'su' into the root user on the server or any client using ssh or sitting locally at the machines. Terminal just responds by saying Sorry. When I try it on the server I get the following errors from the system.log:
>
> Aug 22 11:21:11 ns su: pam_authenticate: Permission denied
> Aug 22 11:21:16 ns DirectoryService[55]: Failed Authentication return is being delayed due to over five recent auth failures for username: root.
>
> I am not sure why it says I have tried five times when I only tried once from the terminal. Also I can log into the root user graphically no problem (server and clients) and this has helped work around the problem. I have also found that I can gain root access by typing:
>
> sudo su root

Argh. That is a horrible combination.

OS X has always worked better with 'sudo' than 'su'. There are security issues surrounding both applications, but 'sudo' is better designed and more secure in the situations that you would find most OS X computers set up for. 'sudoers' does its job properly under OS X (or, at least, it did in the last version I examined).

I normally recommend that OS X people never use 'su'. You can use 'sudo' for single instructions, 'sudo -s' for entire sessions with different privs, and 'sudo -u' for non-root. All three are more secure, for a normal setup, than the equivalent 'su' would be.

Certain documentation from Apple's Knowledge Base instructs people to use 'su' for specific tasks. I feel that this is not the best advice and would like to see it changed.

Sorry, that turned into a rant. Anyway: try using 'sudo' instead of 'su' unless it's useless for your task.

Simon
--
Simon Slavin                               Fylde Building Room C11
Computing Development Officer              01524 65201 x 93569
Psychology Department
University of Lancaster


Macos-x-server mailing list
References: 
 >Problems 'su'ing into the root user (From: Nate Rudd <email@hidden>)


