head	1.18;
access;
symbols
	RELENG_8_4:1.18.0.2
	RELENG_9_1_0_RELEASE:1.17.2.1.4.2
	RELENG_9_1:1.17.2.1.0.4
	RELENG_9_1_BP:1.17.2.1
	RELENG_8_3_0_RELEASE:1.16.32.1.8.1
	RELENG_8_3:1.16.32.1.0.8
	RELENG_8_3_BP:1.16.32.1
	RELENG_9_0_0_RELEASE:1.17.2.1.2.1
	RELENG_9_0:1.17.2.1.0.2
	RELENG_9_0_BP:1.17.2.1
	RELENG_9:1.17.0.2
	RELENG_9_BP:1.17
	RELENG_7_4_0_RELEASE:1.16.36.1
	RELENG_8_2_0_RELEASE:1.16.32.1.6.1
	RELENG_7_4:1.16.0.36
	RELENG_7_4_BP:1.16
	RELENG_8_2:1.16.32.1.0.6
	RELENG_8_2_BP:1.16.32.1
	RELENG_8_1_0_RELEASE:1.16.32.1.4.1
	RELENG_8_1:1.16.32.1.0.4
	RELENG_8_1_BP:1.16.32.1
	RELENG_7_3_0_RELEASE:1.16.34.1
	RELENG_7_3:1.16.0.34
	RELENG_7_3_BP:1.16
	RELENG_8_0_0_RELEASE:1.16.32.1.2.1
	RELENG_8_0:1.16.32.1.0.2
	RELENG_8_0_BP:1.16.32.1
	RELENG_8:1.16.0.32
	RELENG_8_BP:1.16
	RELENG_7_2_0_RELEASE:1.16.30.1
	RELENG_7_2:1.16.0.30
	RELENG_7_2_BP:1.16
	RELENG_7_1_0_RELEASE:1.16.28.1
	RELENG_6_4_0_RELEASE:1.16.26.1
	RELENG_7_1:1.16.0.28
	RELENG_7_1_BP:1.16
	RELENG_6_4:1.16.0.26
	RELENG_6_4_BP:1.16
	RELENG_7_0_0_RELEASE:1.16
	RELENG_6_3_0_RELEASE:1.16
	RELENG_7_0:1.16.0.24
	RELENG_7_0_BP:1.16
	RELENG_6_3:1.16.0.22
	RELENG_6_3_BP:1.16
	RELENG_7:1.16.0.20
	RELENG_7_BP:1.16
	RELENG_6_2_0_RELEASE:1.16
	RELENG_6_2:1.16.0.18
	RELENG_6_2_BP:1.16
	RELENG_5_5_0_RELEASE:1.16
	RELENG_5_5:1.16.0.16
	RELENG_5_5_BP:1.16
	RELENG_6_1_0_RELEASE:1.16
	RELENG_6_1:1.16.0.14
	RELENG_6_1_BP:1.16
	RELENG_6_0_0_RELEASE:1.16
	RELENG_6_0:1.16.0.12
	RELENG_6_0_BP:1.16
	RELENG_6:1.16.0.10
	RELENG_6_BP:1.16
	RELENG_5_4_0_RELEASE:1.16
	RELENG_5_4:1.16.0.8
	RELENG_5_4_BP:1.16
	RELENG_5_3_0_RELEASE:1.16
	RELENG_5_3:1.16.0.6
	RELENG_5_3_BP:1.16
	RELENG_5:1.16.0.4
	RELENG_5_BP:1.16
	RELENG_5_2_1_RELEASE:1.16
	RELENG_5_2_0_RELEASE:1.16
	RELENG_5_2:1.16.0.2
	RELENG_5_2_BP:1.16
	RELENG_5_1_0_RELEASE:1.14
	RELENG_5_1:1.14.0.2
	RELENG_5_1_BP:1.14
	RELENG_5_0_0_RELEASE:1.9
	RELENG_5_0:1.9.0.2
	RELENG_5_0_BP:1.9;
locks; strict;
comment	@# @;


1.18
date	2012.11.17.01.49.03;	author svnexp;	state Exp;
branches
	1.18.2.1;
next	1.17;

1.17
date	2011.03.15.10.13.35;	author des;	state Exp;
branches
	1.17.2.1;
next	1.16;

1.16
date	2003.07.09.18.40.49;	author des;	state Exp;
branches
	1.16.10.1
	1.16.20.1
	1.16.26.1
	1.16.28.1
	1.16.30.1
	1.16.32.1
	1.16.34.1
	1.16.36.1;
next	1.15;

1.15
date	2003.06.14.12.35.05;	author des;	state Exp;
branches;
next	1.14;

1.14
date	2003.04.30.21.57.54;	author markm;	state Exp;
branches;
next	1.13;

1.13
date	2003.03.08.09.50.11;	author markm;	state Exp;
branches;
next	1.12;

1.12
date	2003.02.16.13.02.39;	author des;	state Exp;
branches;
next	1.11;

1.11
date	2003.02.10.00.50.03;	author des;	state Exp;
branches;
next	1.10;

1.10
date	2003.02.06.14.33.23;	author des;	state Exp;
branches;
next	1.9;

1.9
date	2002.10.18.02.39.21;	author rwatson;	state Exp;
branches;
next	1.8;

1.8
date	2002.04.18.17.40.27;	author des;	state Exp;
branches;
next	1.7;

1.7
date	2002.01.30.19.04.39;	author des;	state Exp;
branches;
next	1.6;

1.6
date	2002.01.21.18.51.24;	author des;	state Exp;
branches;
next	1.5;

1.5
date	2002.01.19.18.29.49;	author des;	state Exp;
branches;
next	1.4;

1.4
date	2002.01.19.18.03.11;	author ache;	state Exp;
branches;
next	1.3;

1.3
date	2002.01.19.10.31.32;	author ache;	state Exp;
branches;
next	1.2;

1.2
date	2001.12.05.21.26.00;	author des;	state Exp;
branches;
next	1.1;

1.1
date	2001.12.05.21.06.21;	author des;	state Exp;
branches;
next	;

1.18.2.1
date	2012.11.17.01.49.03;	author svnexp;	state dead;
branches;
next	1.18.2.2;

1.18.2.2
date	2013.03.28.13.02.42;	author svnexp;	state Exp;
branches;
next	;

1.17.2.1
date	2011.09.23.00.51.37;	author kensmith;	state Exp;
branches
	1.17.2.1.2.1
	1.17.2.1.4.1;
next	1.17.2.2;

1.17.2.2
date	2012.11.17.11.36.11;	author svnexp;	state Exp;
branches;
next	;

1.17.2.1.2.1
date	2011.11.11.04.20.22;	author kensmith;	state Exp;
branches;
next	1.17.2.1.2.2;

1.17.2.1.2.2
date	2012.11.17.08.36.11;	author svnexp;	state Exp;
branches;
next	;

1.17.2.1.4.1
date	2012.08.05.23.54.33;	author kensmith;	state Exp;
branches;
next	1.17.2.1.4.2;

1.17.2.1.4.2
date	2012.11.17.08.47.00;	author svnexp;	state Exp;
branches;
next	;

1.16.10.1
date	2012.11.17.07.39.04;	author svnexp;	state Exp;
branches;
next	;

1.16.20.1
date	2012.11.17.08.01.18;	author svnexp;	state Exp;
branches;
next	;

1.16.26.1
date	2008.10.02.02.57.24;	author kensmith;	state Exp;
branches;
next	;

1.16.28.1
date	2008.11.25.02.59.29;	author kensmith;	state Exp;
branches;
next	;

1.16.30.1
date	2009.04.15.03.14.26;	author kensmith;	state Exp;
branches;
next	;

1.16.32.1
date	2009.08.03.08.13.06;	author kensmith;	state Exp;
branches
	1.16.32.1.2.1
	1.16.32.1.4.1
	1.16.32.1.6.1
	1.16.32.1.8.1;
next	1.16.32.2;

1.16.32.2
date	2012.11.17.10.35.56;	author svnexp;	state Exp;
branches;
next	;

1.16.32.1.2.1
date	2009.10.25.01.10.29;	author kensmith;	state Exp;
branches;
next	;

1.16.32.1.4.1
date	2010.06.14.02.09.06;	author kensmith;	state Exp;
branches;
next	;

1.16.32.1.6.1
date	2010.12.21.17.09.25;	author kensmith;	state Exp;
branches;
next	;

1.16.32.1.8.1
date	2012.03.03.06.15.13;	author kensmith;	state Exp;
branches;
next	1.16.32.1.8.2;

1.16.32.1.8.2
date	2012.11.17.08.24.38;	author svnexp;	state Exp;
branches;
next	;

1.16.34.1
date	2010.02.10.00.26.20;	author kensmith;	state Exp;
branches;
next	;

1.16.36.1
date	2010.12.21.17.10.29;	author kensmith;	state Exp;
branches;
next	1.16.36.2;

1.16.36.2
date	2012.11.17.08.16.37;	author svnexp;	state Exp;
branches;
next	;


desc
@@


1.18
log
@Switching exporter and resync
@
text
@#
# $FreeBSD: head/etc/pam.d/su 219663 2011-03-15 10:13:35Z des $
#
# PAM configuration for the "su" service
#

# auth
auth		sufficient	pam_rootok.so		no_warn
auth		sufficient	pam_self.so		no_warn
auth		requisite	pam_group.so		no_warn group=wheel root_only fail_safe ruser
auth		include		system

# account
account		include		system

# session
session		required	pam_permit.so
@


1.18.2.1
log
@file su was added on branch RELENG_8_4 on 2013-03-28 13:02:42 +0000
@
text
@d1 17
@


1.18.2.2
log
@## SVN ## Exported commit - http://svnweb.freebsd.org/changeset/base/248810
## SVN ## CVS IS DEPRECATED: http://wiki.freebsd.org/CvsIsDeprecated
@
text
@a0 17
#
# $FreeBSD: releng/8.4/etc/pam.d/su 117360 2003-07-09 18:40:49Z des $
#
# PAM configuration for the "su" service
#

# auth
auth		sufficient	pam_rootok.so		no_warn
auth		sufficient	pam_self.so		no_warn
auth		requisite	pam_group.so		no_warn group=wheel root_only fail_safe
auth		include		system

# account
account		include		system

# session
session		required	pam_permit.so
@


1.17
log
@SVN rev 219663 on 2011-03-15 10:13:35Z by des

Forgot to commit this change along with r219563: pam_group(8) now issues
a warning if neither luser nor ruser is specified.  The correct option
for su(1) is ruser.

MFC after:	1 month
@
text
@d2 1
a2 1
# $FreeBSD$
@


1.17.2.1
log
@SVN rev 225736 on 2011-09-23 00:51:37Z by kensmith

Copy head to stable/9 as part of 9.0-RELEASE release cycle.

Approved by:	re (implicit)
@
text
@@


1.17.2.2
log
@## SVN ##
## SVN ## Exported commit - http://svnweb.freebsd.org/changeset/base/ 242902
## SVN ## CVS IS DEPRECATED: http://wiki.freebsd.org/CvsIsDeprecated
## SVN ##
## SVN ## ------------------------------------------------------------------------
## SVN ## r242902 | dteske | 2012-11-11 23:29:45 +0000 (Sun, 11 Nov 2012) | 10 lines
## SVN ##
## SVN ## Fix a regression introduced by SVN r211417 that saw the breakage of a feature
## SVN ## documented in usr.sbin/sysinstall/help/shortcuts.hlp (reproduced below):
## SVN ##
## SVN ## If /usr/sbin/sysinstall is linked to another filename, say
## SVN ## `/usr/local/bin/configPackages', then the basename will be used
## SVN ## as an implicit command name.
## SVN ##
## SVN ## Reviewed by:	adrian (co-mentor)
## SVN ## Approved by:	adrian (co-mentor)
## SVN ##
## SVN ## ------------------------------------------------------------------------
## SVN ##
@
text
@d2 1
a2 1
# $FreeBSD: stable/9/etc/pam.d/su 219663 2011-03-15 10:13:35Z des $
@


1.17.2.1.4.1
log
@SVN rev 239080 on 2012-08-05 23:54:33Z by kensmith

Copy stable/9 to releng/9.1 as part of the 9.1-RELEASE release process.

Approved by:	re (implicit)
@
text
@@


1.17.2.1.4.2
log
@Switch importer
@
text
@d2 1
a2 1
# $FreeBSD: releng/9.1/etc/pam.d/su 219663 2011-03-15 10:13:35Z des $
@


1.17.2.1.2.1
log
@SVN rev 227445 on 2011-11-11 04:20:22Z by kensmith

Copy stable/9 to releng/9.0 as part of the FreeBSD 9.0-RELEASE release
cycle.

Approved by:	re (implicit)
@
text
@@


1.17.2.1.2.2
log
@Switch importer
@
text
@d2 1
a2 1
# $FreeBSD: releng/9.0/etc/pam.d/su 219663 2011-03-15 10:13:35Z des $
@


1.16
log
@Don't do session management in su.

PR:		misc/53293
Submitted by:	ru
@
text
@d10 1
a10 1
auth		requisite	pam_group.so		no_warn group=wheel root_only fail_safe
@


1.16.20.1
log
@Switch importer
@
text
@d2 1
a2 1
# $FreeBSD: stable/7/etc/pam.d/su 117360 2003-07-09 18:40:49Z des $
@


1.16.10.1
log
@Switch importer
@
text
@d2 1
a2 1
# $FreeBSD: stable/6/etc/pam.d/su 117360 2003-07-09 18:40:49Z des $
@


1.16.36.1
log
@SVN rev 216618 on 2010-12-21 17:10:29Z by kensmith

Copy stable/7 to releng/7.4 in preparation for FreeBSD-7.4 release.

Approved by:	re (implicit)
@
text
@@


1.16.36.2
log
@Switch importer
@
text
@d2 1
a2 1
# $FreeBSD: releng/7.4/etc/pam.d/su 117360 2003-07-09 18:40:49Z des $
@


1.16.34.1
log
@SVN rev 203736 on 2010-02-10 00:26:20Z by kensmith

Copy stable/7 to releng/7.3 as part of the 7.3-RELEASE process.

Approved by:	re (implicit)
@
text
@@


1.16.32.1
log
@SVN rev 196045 on 2009-08-03 08:13:06Z by kensmith

Copy head to stable/8 as part of 8.0 Release cycle.

Approved by:	re (Implicit)
@
text
@@


1.16.32.2
log
@## SVN ##
## SVN ## Exported commit - http://svnweb.freebsd.org/changeset/base/ 242909
## SVN ## CVS IS DEPRECATED: http://wiki.freebsd.org/CvsIsDeprecated
## SVN ##
## SVN ## ------------------------------------------------------------------------
## SVN ## r242909 | dim | 2012-11-12 07:47:19 +0000 (Mon, 12 Nov 2012) | 20 lines
## SVN ##
## SVN ## MFC r242625:
## SVN ##
## SVN ## Remove duplicate const specifiers in many drivers (I hope I got all of
## SVN ## them, please let me know if not).  Most of these are of the form:
## SVN ##
## SVN ## static const struct bzzt_type {
## SVN ##       [...list of members...]
## SVN ## } const bzzt_devs[] = {
## SVN ##       [...list of initializers...]
## SVN ## };
## SVN ##
## SVN ## The second const is unnecessary, as arrays cannot be modified anyway,
## SVN ## and if the elements are const, the whole thing is const automatically
## SVN ## (e.g. it is placed in .rodata).
## SVN ##
## SVN ## I have verified this does not change the binary output of a full kernel
## SVN ## build (except for build timestamps embedded in the object files).
## SVN ##
## SVN ## Reviewed by:	yongari, marius
## SVN ##
## SVN ## ------------------------------------------------------------------------
## SVN ##
@
text
@d2 1
a2 1
# $FreeBSD: stable/8/etc/pam.d/su 117360 2003-07-09 18:40:49Z des $
@


1.16.32.1.8.1
log
@SVN rev 232438 on 2012-03-03 06:15:13Z by kensmith

Copy stable/8 to releng/8.3 as part of 8.3-RELEASE release cycle.

Approved by:	re (implicit)
@
text
@@


1.16.32.1.8.2
log
@Switch importer
@
text
@d2 1
a2 1
# $FreeBSD: releng/8.3/etc/pam.d/su 117360 2003-07-09 18:40:49Z des $
@


1.16.32.1.6.1
log
@SVN rev 216617 on 2010-12-21 17:09:25Z by kensmith

Copy stable/8 to releng/8.2 in preparation for FreeBSD-8.2 release.

Approved by:	re (implicit)
@
text
@@


1.16.32.1.4.1
log
@SVN rev 209145 on 2010-06-14 02:09:06Z by kensmith

Copy stable/8 to releng/8.1 in preparation for 8.1-RC1.

Approved by:	re (implicit)
@
text
@@


1.16.32.1.2.1
log
@SVN rev 198460 on 2009-10-25 01:10:29Z by kensmith

Copy stable/8 to releng/8.0 as part of 8.0-RELEASE release procedure.

Approved by:	re (implicit)
@
text
@@


1.16.30.1
log
@SVN rev 191087 on 2009-04-15 03:14:26Z by kensmith

Create releng/7.2 from stable/7 in preparation for 7.2-RELEASE.

Approved by:	re (implicit)
@
text
@@


1.16.28.1
log
@SVN rev 185281 on 2008-11-25 02:59:29Z by kensmith

Create releng/7.1 in preparation for moving into RC phase of 7.1 release
cycle.

Approved by:	re (implicit)
@
text
@@


1.16.26.1
log
@SVN rev 183531 on 2008-10-02 02:57:24Z by kensmith

Create releng/6.4 from stable/6 in preparation for 6.4-RC1.

Approved by:	re (implicit)
@
text
@@


1.15
log
@Add a system policy, and have the login and su policies include it rather
than duplicate it.  This requires OpenPAM Dianthus, which was committed two
weeks ago; installing these files on a system running a world older than
June 1st, 2003 will cause login(1) and su(1) to fail.
@
text
@d17 1
a17 1
session		include		system
@


1.14
log
@The PAM module pam_krb5 does not have "session" capabilities.
Don't give examples of such use, this is bogus.
@
text
@d10 2
a11 6
auth		requisite	pam_group.so		no_warn root_only fail_safe
auth		sufficient	pam_opie.so		no_warn no_fake_prompts
auth		requisite	pam_opieaccess.so	no_warn allow_local
#auth		sufficient	pam_krb5.so		no_warn try_first_pass auth_as_self
#auth		required	pam_ssh.so		no_warn try_first_pass
auth		required	pam_unix.so		no_warn try_first_pass nullok
d14 1
a14 2
#account 	required	pam_krb5.so
account		required	pam_unix.so
d17 1
a17 1
#session 	optional	pam_ssh.so
@


1.13
log
@Initiate KerberosIV de-orbit burn. Disconnect the /etc configs.
@
text
@a21 1
#session 	required	pam_krb5.so
@


1.12
log
@Add the allow_local option to all pam_opieaccess entries.
@
text
@a12 1
#auth		sufficient	pam_kerberosIV.so	no_warn
a17 1
#account 	required	pam_kerberosIV.so
a21 1
#session 	required	pam_kerberosIV.so
@


1.11
log
@Major cleanup & homogenization.
@
text
@d12 1
a12 1
auth		requisite	pam_opieaccess.so	no_warn
@


1.10
log
@Use pam_group(8) instead of pam_wheel(8).
@
text
@d8 5
a12 3
auth		sufficient	pam_rootok.so	no_warn
auth		sufficient	pam_self.so	no_warn
auth		requisite	pam_group.so	no_warn root_only fail_safe
d14 3
a16 5
#auth		sufficient	pam_krb5.so	no_warn try_first_pass auth_as_self
auth		sufficient	pam_opie.so	no_warn no_fake_prompts
auth		requisite	pam_opieaccess.so	no_warn
#auth		required	pam_ssh.so	no_warn try_first_pass
auth		required	pam_unix.so	no_warn try_first_pass nullok
d19 2
a20 2
#account	required	pam_kerberosIV.so
#account	required	pam_krb5.so
d24 3
a26 30
#session	required	pam_kerberosIV.so
#session	required	pam_krb5.so
#session	required	pam_ssh.so

# password
password	required	pam_permit.so


# If you want a "WHEELSU"-type su(1), then comment out the
# above, and uncomment the entries below.
## auth
#auth		sufficient	pam_rootok.so	no_warn
##auth		sufficient	pam_kerberosIV.so	no_warn
##auth		sufficient	pam_krb5.so	no_warn
#auth		required	pam_opie.so	no_warn auth_as_self no_fake_prompts
#auth		required	pam_unix.so	no_warn try_first_pass auth_as_self

## account
##account	required	pam_kerberosIV.so
##account	required	pam_krb5.so
#account	required	pam_unix.so

## session
##session	required	pam_kerberosIV.so
##session	required	pam_krb5.so
##session	required	pam_ssh.so
#session	required	pam_unix.so

## password
#password	required	pam_permit.so
@


1.9
log
@Exempt the "wheel group requirement" by default when su'ing to root if
the wheel group has no explicit members listed in /etc/group.  This adds
the "exempt_if_empty" flag to pam_wheel in the default configuration;
in some environments, it may be appropriate to remove this flag, however,
this default is the same as pre-pam_wheel.

Reviewed by:	markm
Sponsored by:	DARPA, Network Associates Laboratories
@
text
@d10 1
a10 1
auth		requisite	pam_wheel.so	no_warn auth_as_self noroot_ok exempt_if_empty
@


1.8
log
@Don't list pam_unix in the session chain, since it does not provide any
session management services.

Sponsored by:	DARPA, NAI Labs
@
text
@d2 1
a2 1
# $FreeBSD: src/etc/pam.d/su,v 1.7 2002/01/30 19:04:39 des Exp $
d10 1
a10 1
auth		requisite	pam_wheel.so	no_warn auth_as_self noroot_ok
@


1.7
log
@Use pam_self(8) to allow users to su(1) to themselves without authentication.

Sponsored by:	DARPA, NAI Labs
@
text
@d2 1
a2 1
# $FreeBSD: src/etc/pam.d/su,v 1.6 2002/01/21 18:51:24 des Exp $
a26 1
session		required	pam_unix.so
@


1.6
log
@Enable OPIE by default, using the no_fake_prompts option to hide it from
users who don't wish to use it.  If the admin is worried about leaking
information about which users exist and which have OPIE enabled, the
no_fake_prompts option can simply be removed.

Also insert the appropriate pam_opieaccess lines after pam_opie to break
the chain in case the user is logging in from an untrusted host, or has a
.opiealways file.  The entire opieaccess / opiealways concept is slightly
unpammish, but admins familiar with OPIE will expect it to work.

Reviewed by:	ache, markm
Sponsored by:	DARPA, NAI Labs
@
text
@d2 1
a2 1
# $FreeBSD: src/etc/pam.d/su,v 1.5 2002/01/19 18:29:49 des Exp $
d9 1
@


1.5
log
@Really back out ache's commits.  These files are now precisely as they were
twentyfour hours ago, except for RCS ids.
@
text
@d2 1
a2 1
# $FreeBSD: src/etc/pam.d/su,v 1.4 2002/01/19 18:03:11 ache Exp $
d12 2
a13 1
#auth		required	pam_opie.so	no_warn
a15 5
#auth		sufficient	pam_rootok.so	no_warn
##auth		sufficient	pam_kerberosIV.so	no_warn
##auth		sufficient	pam_krb5.so	no_warn
#auth		required	pam_opie.so	no_warn auth_as_self
#auth		required	pam_unix.so	no_warn try_first_pass auth_as_self
a20 3
##account	required	pam_kerberosIV.so
##account	required	pam_krb5.so
#account	required	pam_unix.so
d27 20
d52 1
a52 2
# password
password	required	pam_permit.so
@


1.4
log
@Back out recent changes
@
text
@d2 1
a2 1
# $FreeBSD: src/etc/pam.d/su,v 1.3 2002/01/19 10:31:32 ache Exp $
d12 1
a13 1
#auth 		sufficient	pam_opie.so	no_warn
@


1.3
log
@Turn on pam_opie by default. It should not affect non-OPIE users.
@
text
@d2 1
a2 1
# $FreeBSD: src/etc/pam.d/su,v 1.2 2001/12/05 21:26:00 des Exp $
d13 1
a13 1
auth [default=ignore success=done cred_err=die]	pam_opie.so	no_warn
@


1.2
log
@Awright, egg on my face.  I should have taken more time with this.  The
conversion script generated the wrong format, so the configuration files
didn't actually work.  Good thing I hadn't thrown the switch yet...

Sponsored by:	DARPA, NAI Labs (but the f***ups are all mine)
@
text
@d2 1
a2 1
# $FreeBSD$
a11 1
#auth		required	pam_opie.so	no_warn
d13 1
@


1.1
log
@pam.d-style configuration, auto-generated from pam.conf.

Sponsored by:	DARPA, NAI Labs
@
text
@d8 12
a19 12
su	auth	sufficient	pam_rootok.so	no_warn
su	auth	requisite	pam_wheel.so	no_warn auth_as_self noroot_ok
#su	auth	sufficient	pam_kerberosIV.so	no_warn
#su	auth	sufficient	pam_krb5.so	no_warn try_first_pass auth_as_self
#su	auth	required	pam_opie.so	no_warn
#su	auth	required	pam_ssh.so	no_warn try_first_pass
su	auth	required	pam_unix.so	no_warn try_first_pass nullok
#su	auth	sufficient	pam_rootok.so	no_warn
##su	auth	sufficient	pam_kerberosIV.so	no_warn
##su	auth	sufficient	pam_krb5.so	no_warn
#su	auth	required	pam_opie.so	no_warn auth_as_self
#su	auth	required	pam_unix.so	no_warn try_first_pass auth_as_self
d22 6
a27 6
#su	account	required	pam_kerberosIV.so
#su	account	required	pam_krb5.so
su	account	required	pam_unix.so
##su	account	required	pam_kerberosIV.so
##su	account	required	pam_krb5.so
#su	account	required	pam_unix.so
d30 8
a37 8
#su	session	required	pam_kerberosIV.so
#su	session	required	pam_krb5.so
#su	session	required	pam_ssh.so
su	session	required	pam_unix.so
##su	session	required	pam_kerberosIV.so
##su	session	required	pam_krb5.so
##su	session	required	pam_ssh.so
#su	session	required	pam_unix.so
d40 2
a41 2
su	password required	pam_permit.so
#su	password required	pam_permit.so
@

