LinuxQuestions.org
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 09-07-2012, 07:43 PM   #1
urandom23242
su - not working, worked after reboot


Hello,


Usually I log in as a user and 'su -' to root, cutting and pasting the password via ssh in a terminal.

Login via user worked ok. I then typed su - and got a password failure. I can't remember changing anything since about 30 minutes earlier, when I ran su and the password was accepted.

auth log:

Sep time xxx sshd[18993]: Accepted publickey for xxx from X.X.X.X port xxx ssh2
Sep time xxx sshd[18993]: pam_unix(sshd:session): session opened for user xxx by (uid=0)
Sep time xxx su[19027]: pam_unix(su:auth): authentication failure; logname=xxx uid=1000 euid=0 tty=/dev/pts/0 ruser=xxx rhost= user=root
Sep time xxx su[19027]: pam_authenticate: Authentication failure
Sep time xxx su[19027]: FAILED su for root by xxx
Sep time xxx su[19027]: - /dev/pts/0 xxx:root
Sep time xxx su[19029]: pam_unix(su:auth): authentication failure; logname=xxx uid=1000 euid=0 tty=/dev/pts/0 ruser=xxx rhost= user=root
Sep time xxx su[19029]: pam_authenticate: Authentication failure
Sep time xxx su[19029]: FAILED su for root by xxx
Sep time xxx su[19029]: - /dev/pts/0 xxx:root
Sep time xxx su[19033]: pam_unix(su:auth): authentication failure; logname=xxx uid=1000 euid=0 tty=/dev/pts/0 ruser=xxx rhost= user=root
Sep time xxx su[19033]: pam_authenticate: Authentication failure

Attempting root login via ssh password:

Sep time xxx sshd[19038]: SSH: Server;Ltype: Version;Remote: X.X.X.X-xxx;Protocol: 2.0;Client: OpenSSH_5.9p1 Debian-3
Sep time xxx sshd[19038]: SSH: Server;Ltype: Kex;Remote: X.X.X.X-xxx;Enc: aes128-ctr;MAC: hmac-md5;Comp: none [preauth]
Sep time xxx sshd[19038]: SSH: Server;Ltype: Authname;Remote: X.X.X.X-xxx;Name: root [preauth]
Sep time xxx sshd[19038]: Postponed keyboard-interactive for root from X.X.X.X port xxx ssh2 [preauth]
Sep time xxx sshd[19040]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=X.X.X.X user=root
Sep time xxx sshd[19038]: error: PAM: Authentication failure for root from X.X.X.X.
Sep time xxx sshd[19038]: Postponed keyboard-interactive for root from X.X.X.X port xxx ssh2 [preauth]
Sep time xxx sshd[19041]: pam_unix(sshd:auth): conversation failed
Sep time xxx sshd[19041]: pam_unix(sshd:auth): auth could not identify password for [root]
Sep time xxx sshd[19041]: error: ssh_msg_send: write

Then I rebooted, did ssh again, and the su password was accepted as normal.
------------
/etc/pam.d/su
#%PAM-1.0
auth sufficient pam_rootok.so
suauth.allow
suauth.nopass
auth required pam_wheel.so use_uid
auth include system-auth
account include system-auth
password include system-auth
session include system-auth
session required pam_env.so
session optional pam_xauth.so
------------

I also have someone nonstop hitting my port 8118 even though it is set to deny in the firewall... blowing my kern log up to 600MB and counting...
Sep 8 00:38:19 xxx kernel: [ 1580.964432] RULE 9 -- DENY IN=eth0 OUT= MAC=xxx SRC=99.58.56.225 DST=X.X.X.X LEN=380 TOS=0x00 PREC=0x00 TTL=43 ID=0 DF PROTO=UDP SPT=2643 DPT=8118 LEN=360
SRC=173.254.197.26
SRC=50.93.203.216
SRC=50.93.200.96
SRC=173.254.197.248
It is coming from numerous other IPs; all of them are hitting my port 8118.

Spoofed IPs?

The only thing I can think of is that someone changed the password, and changed it back right before or right after I rebooted? Unless I had a momentary fluke with my clipboard on the client machine?

So the question basically is: is there any reason why su would apparently stop working, and then start working again after a reboot, without my changing anything?

My other question is that I just noticed "aes128-ctr"; shouldn't I be using at least aes256?

Reinstall?

Thanks.

Last edited by urandom23242; 09-07-2012 at 07:50 PM.
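A defender-side check for the pattern this post shows (repeated su-to-root failures from a local user, then remote password attempts against root over ssh), added here as an example; it is not code from the original thread. It parses constructed log lines in the same shape as the auth log above, with the thread's placeholders ("time", "xxx", "X.X.X.X") kept, and the alert threshold of 3 is an assumption.

```python
import re
from collections import Counter

# Constructed sample, same shape as the pam_unix lines quoted in the post.
SAMPLE_LOG = """\
Sep time xxx sshd[18993]: Accepted publickey for xxx from X.X.X.X port xxx ssh2
Sep time xxx su[19027]: pam_unix(su:auth): authentication failure; logname=xxx uid=1000 euid=0 tty=/dev/pts/0 ruser=xxx rhost= user=root
Sep time xxx su[19027]: FAILED su for root by xxx
Sep time xxx su[19029]: pam_unix(su:auth): authentication failure; logname=xxx uid=1000 euid=0 tty=/dev/pts/0 ruser=xxx rhost= user=root
Sep time xxx su[19029]: FAILED su for root by xxx
Sep time xxx su[19033]: pam_unix(su:auth): authentication failure; logname=xxx uid=1000 euid=0 tty=/dev/pts/0 ruser=xxx rhost= user=root
Sep time xxx sshd[19040]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=X.X.X.X user=root
Sep time xxx sshd[19041]: pam_unix(sshd:auth): auth could not identify password for [root]
"""

# pam_unix failure line: which PAM service, who was targeted, and from where.
# rhost is empty for a local su, so the source then falls back to ruser.
PAM_FAIL = re.compile(
    r"pam_unix\((?P<svc>\w+):auth\): authentication failure;"
    r".*?ruser=(?P<ruser>\S*) rhost=(?P<rhost>\S*) user=(?P<user>\S+)"
)


def summarize_pam_failures(log_text, threshold=3):
    """Count pam_unix auth failures per (service, target user, source).

    Returns (all_counts, flagged) where flagged holds the combinations that
    reached the threshold (assumed default: 3 failures).
    """
    counts = Counter()
    for line in log_text.splitlines():
        m = PAM_FAIL.search(line)
        if not m:
            continue
        source = m.group("rhost") or "local:" + (m.group("ruser") or "?")
        counts[(m.group("svc"), m.group("user"), source)] += 1
    flagged = {key: n for key, n in counts.items() if n >= threshold}
    return counts, flagged


def root_targeted_from_both_sides(counts):
    """True when root fails via local su AND via remote sshd in one window.

    That is the sequence in the post, and it deserves an alert even when
    neither side alone reaches the threshold.
    """
    local = any(svc == "su" and user == "root" and src.startswith("local:")
                for (svc, user, src) in counts)
    remote = any(svc == "sshd" and user == "root" and not src.startswith("local:")
                 for (svc, user, src) in counts)
    return local and remote
```

Run it against the real file with `summarize_pam_failures(open("/var/log/auth.log").read())` (or /var/log/secure on RHEL-style systems), then compare the flagged sources with the sessions you actually opened.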
 
Old 09-07-2012, 09:22 PM   #2
urandom23242
Original Poster
still happening

I just logged in again and experiencing the same problem. I cannot su to root.
 
Old 09-07-2012, 11:18 PM   #3
urandom23242
Original Poster

Hey. I think this issue is closed as root-level access... it happened again and I had to change the password from CD; no go on console or ssh. Server back up and running fine...

What would have been the motive of the attacker? The server is all public content... therefore, why not just hide in the background? Why be obvious and change the password? I am stumped.

Last edited by urandom23242; 09-08-2012 at 12:53 AM.