💡 このチュートリアルは英語版からAIによって翻訳されています。原文を確認するには、 ここをクリックしてください
The "su" (substitute user) command in Linux is a powerful tool that allows users to temporarily switch to a different user account, often the root user, to perform administrative tasks. However, su authentication failures can occur, leading to access denials and potential security risks. This tutorial will guide you through the process of troubleshooting su authentication failures on Linux, covering common causes, configuration settings, and best practices for secure su usage.
The su command in Linux allows users to switch their current user identity to another user. This is particularly useful for performing administrative tasks that require elevated privileges.
Let us explore the basic usage of the su command and understand how it works.
Open a terminal in your LabEx VM environment. You can use the su command with the following syntax:
su [options] [username]If you run su without specifying a username, it defaults to the root user:
suYou will be prompted for the root password. However, in many modern Linux distributions including Ubuntu, the root account is disabled by default for security reasons.
Let us create a test user to practice with:
sudo adduser testuserEnter the required information when prompted. For simplicity, you can use "password" as the password for this test user.
Now, let us try to switch to this user:
su testuserWhen prompted, enter the password you created for testuser. Once authenticated, your prompt will change, indicating you are now operating as testuser.
To verify that you have successfully switched users, run:
whoamiThe output should show:
testuserTo return to your original user, simply type:
exitThe su command supports several options. The most common is the - (hyphen) option, which provides a full login environment:
su - testuserThis not only switches the user identity but also:
Try this command and observe the differences:
pwdThe output should show the home directory of testuser:
/home/testuserExit from testuser by typing:
exitThis basic understanding of the su command will help us troubleshoot authentication failures in the next steps.
When using the su command, you might encounter authentication failures for various reasons. Understanding these failures is the first step toward resolving them.
Let us intentionally create some authentication failures to better understand them:
su testuserEnter an incorrect password. You will see an error message similar to:
su: Authentication failuresu nonexistentuserYou will see an error message like:
su: user nonexistentuser does not existThe most common cause of authentication failure is simply entering the wrong password. This can happen due to:
Some accounts might be configured to prevent login or have expired passwords:
Let us modify our test user to demonstrate this:
sudo passwd -l testuserThis locks the password for testuser. Now try:
su testuserYou will see an authentication failure even if you enter the correct password.
Unlock the account with:
sudo passwd -u testuserThe Pluggable Authentication Modules (PAM) system controls authentication in Linux. Issues with PAM configuration can cause su failures.
Let us examine the PAM configuration for the su command:
cat /etc/pam.d/suThis file contains the PAM configuration specific to the su command. Look for lines that might restrict access, such as:
auth required pam_wheel.soThis line, if uncommented, would restrict su access to members of the wheel group.
The su command's binary file must have the correct permissions to function properly:
ls -l $(which su)The output should show something like:
-rwsr-xr-x 1 root root 71816 Apr 18 2022 /usr/bin/suThe s in the permissions indicates that the setuid bit is set, allowing the program to run with the privileges of its owner (root) rather than the user who runs it.
When troubleshooting authentication failures, checking the system logs can provide valuable information:
sudo tail /var/log/auth.logThis command displays recent authentication events, including failed su attempts.
For example, a failed su attempt might show an entry like:
May 10 14:23:45 ubuntu su[12345]: FAILED su for root by labexUnderstanding these common causes of su authentication failures will help you identify and resolve issues more effectively in the next steps.
Linux provides several mechanisms to control who can use the su command. In this step, we will explore how to configure these access controls to enhance security.
The Pluggable Authentication Modules (PAM) system is responsible for authentication in Linux. The configuration for the su command is stored in the /etc/pam.d/su file.
Let us examine this file in detail:
cat /etc/pam.d/suThe file contains various directives that control how authentication is performed. One important line to look for is:
auth required pam_wheel.soIf this line is uncommented (not starting with #), it restricts su access to members of the wheel group.
We can restrict the use of su to switch to root to members of a specific group. This is a common security practice.
First, let us create a new group called sugroup:
sudo groupadd sugroupNext, add our test user to this group:
sudo usermod -aG sugroup testuserNow, we need to modify the PAM configuration to restrict su access to members of this group:
sudo cp /etc/pam.d/su /etc/pam.d/su.bakNow, open the PAM configuration file in the nano editor:
sudo nano /etc/pam.d/suLook for a line similar to:
## auth required pam_wheel.soUncomment this line (remove the ## at the beginning) and modify it to use our sugroup instead of wheel:
auth required pam_wheel.so group=sugroupPress Ctrl+O to save the file, then Ctrl+X to exit nano.
Let us test our configuration by attempting to use su as a user who is not in the sugroup.
First, create another test user:
sudo adduser testuser2Enter the required information when prompted.
Now, try to switch to the root user using testuser2:
su - testuser2Enter the password for testuser2 when prompted.
Now try to switch to the root user:
su -You should receive an authentication failure message, even if you enter the correct root password. This is because testuser2 is not a member of the sugroup.
Now switch back to your original user:
exitAnd try using su with testuser, who is a member of the sugroup:
su - testuserEnter the password for testuser when prompted.
Now try to switch to the root user:
su -If you enter the correct root password, you should be able to switch to the root user successfully.
For the purposes of completing the rest of this lab, let us revert our changes to the PAM configuration:
sudo cp /etc/pam.d/su.bak /etc/pam.d/suThis configuration allows you to control who can use the su command to switch to the root user, enhancing the security of your system.
Now that we understand common causes of su authentication failures and how to configure access control, let us focus on troubleshooting and resolving these failures.
When you encounter an su authentication failure, follow these systematic steps to diagnose the issue:
The error message can provide valuable clues about the nature of the failure. Common error messages include:
su: Authentication failure - Typically indicates an incorrect password.su: user username does not exist - The specified user account does not exist.su: permission denied - Access control restrictions are preventing the operation.Ensure that the target user account exists and is not locked:
grep testuser /etc/passwdThis should display the entry for testuser in the password file, confirming the account exists.
Check if the account is locked:
sudo passwd -S testuserThe output includes the status of the account. If it says "L" (locked), the account is locked.
As we learned in the previous step, PAM configuration can restrict su access. Check for such restrictions:
grep -v "^#" /etc/pam.d/su | grep pam_wheelIf this returns a line containing pam_wheel.so, access to su might be restricted to members of a specific group.
The system logs can provide detailed information about authentication failures:
sudo tail -n 20 /var/log/auth.logLook for entries related to su failures, which can provide additional context.
Now, let us address common su authentication failures and how to resolve them:
If you are entering the correct password but still getting authentication failures, the password might need to be reset:
sudo passwd testuserEnter a new password for testuser when prompted.
If the account is locked, unlock it:
sudo passwd -u testuserIf access control restrictions are preventing su access, you can either:
a. Add the user to the required group:
sudo usermod -aG sugroup testuser2This adds testuser2 to the sugroup.
b. Temporarily disable the restriction by commenting out the relevant line in the PAM configuration:
sudo sed -i 's/^auth\s\+required\s\+pam_wheel.so/#&/' /etc/pam.d/suThis command comments out the line containing pam_wheel.so in the su PAM configuration.
If the su binary has incorrect permissions, fix them:
sudo chmod u+s $(which su)This ensures that the setuid bit is set on the su binary.
After applying the fixes, test if su authentication works correctly:
su - testuserEnter the password for testuser when prompted. If successful, you should now be logged in as testuser.
Try switching to the root user:
su -If you have the root password and access control restrictions have been properly addressed, you should be able to switch to the root user successfully.
These troubleshooting steps and fixes address the most common su authentication failures. By systematically diagnosing and resolving these issues, you can ensure that the su command functions correctly on your system.
In this final step, we will explore best practices for using the su command securely. Following these practices helps minimize security risks while still enabling administrative tasks to be performed effectively.
The sudo command is generally considered more secure than su because:
Example of using sudo instead of su:
## Instead of:
su -
## Then entering commands as root
## Use:
sudo commandTry this example:
sudo ls /rootThis executes the ls command with root privileges without switching to the root user.
Ensure that sudo is configured correctly to grant only necessary privileges:
sudo visudoThis opens the sudoers file in a safe editor. The file should contain entries similar to:
## User privilege specification
root ALL=(ALL:ALL) ALL
## Members of the sudo group may gain root privileges
%sudo ALL=(ALL:ALL) ALLPress Ctrl+X to exit without making changes.
Discourage direct login as root, especially via SSH. Instead, users should log in with their regular accounts and use su or sudo when necessary.
Check if direct root login via SSH is disabled:
grep "PermitRootLogin" /etc/ssh/sshd_configIf this returns PermitRootLogin no, direct root login is properly disabled.
Ensure that the root password and passwords of users with su access are strong:
sudo apt-get install -y libpam-pwqualityThis installs a PAM module for password quality checking.
Configure password policies by editing the PAM configuration:
sudo nano /etc/pam.d/common-passwordLook for a line containing pam_pwquality.so and ensure it has appropriate parameters like:
password requisite pam_pwquality.so retry=3 minlen=12 difok=3Press Ctrl+X to exit without making changes, as we are just examining the configuration.
Review logs to monitor su usage:
sudo grep "su:" /var/log/auth.log | tail -n 10This shows recent su attempts, both successful and failed.
Consider setting up automated alerts for multiple failed su attempts, which could indicate an attack.
When using su to switch to another user, especially root, use the dash (-) option to get a clean environment:
su - usernameThis provides a login shell with the target user's environment variables, which is more secure and prevents potential issues caused by inheriting the original user's environment.
Let us practice these best practices:
su - to become root and then running a command, use sudo:## Instead of:
## su -
## cat /etc/shadow
## Use:
sudo cat /etc/shadowsu - testuserexitsudo grep "su:" /var/log/auth.log | tail -n 5By following these best practices, you can use the su command securely while minimizing potential security risks to your system.
In this lab, we explored the su command in Linux and learned how to troubleshoot common authentication failures. We covered:
su command and how it workssu command to enhance securityBy applying these techniques and best practices, you can ensure that the su command functions correctly while maintaining the security of your Linux system. Remember that proper authentication management is a crucial aspect of system administration and security.
