So, in reply to all the help that I am being offered (thank you very much), I will post all the requested files.
Note that I had already taken a look at them, but for the sake of completion here we have the relevant entries:
auth.log
Code:
Jul 13 10:39:50 ceng sshd[3458]: Accepted publickey for ortiz from xxx.xxx.xxx.xxx port 38460 ssh2
Jul 14 10:00:07 ceng sshd[6179]: Accepted keyboard-interactive/pam for ortiz from xxx.xxx.xxx.xxx port 49949 ssh2
Jul 14 10:04:44 ceng su: BAD SU ortiz to root on /dev/pts/0
Jul 14 10:13:39 ceng login: login on ttyv0 as root
Jul 14 10:13:39 ceng login: ROOT LOGIN (root) ON ttyv0
/var/log/security contains no info at all but a single newsyslog related entry
login.access. This is the stock file from the distribution sets; I have made no change to this either.
There's, however, that "-:wheel:ALL EXCEPT LOCAL .win.tue.nl" line that makes me wonder if it is just an example, or if it is a policy being enforced by default. If so, it seems to me that that's the show-stopper here, isn't it?
Code:
# $FreeBSD: src/etc/login.access,v 1.4.30.1.2.1 2009/10/25 01:10:29 kensmith Exp $
#
# Login access control table.
#
# When someone logs in, the table is scanned for the first entry that
# matches the (user, host) combination, or, in case of non-networked
# logins, the first entry that matches the (user, tty) combination. The
# permissions field of that table entry determines whether the login will
# be accepted or refused.
#
# Format of the login access control table is three fields separated by a
# ":" character:
#
# permission : users : origins
#
# The first field should be a "+" (access granted) or "-" (access denied)
# character. The second field should be a list of one or more login names,
# group names, or ALL (always matches). The third field should be a list
# of one or more tty names (for non-networked logins), host names, domain
# names (begin with "."), host addresses, internet network numbers (end
# with "."), ALL (always matches) or LOCAL (matches any string that does
# not contain a "." character). If you run NIS you can use @netgroupname
# in host or user patterns.
#
# The EXCEPT operator makes it possible to write very compact rules.
#
# The group file is searched only when a name does not match that of the
# logged-in user. Only groups are matched in which users are explicitly
# listed: the program does not look at a user's primary group id value.
#
##############################################################################
#
# Disallow console logins to all but a few accounts.
#
#-:ALL EXCEPT wheel shutdown sync:console
#
# Disallow non-local logins to privileged accounts (group wheel).
#
#-:wheel:ALL EXCEPT LOCAL .win.tue.nl
#
# Some accounts are not allowed to login from anywhere:
#
#-:wsbscaro wsbsecr wsbspac wsbsym wscosor wstaiwde:ALL
#
# All other accounts are allowed to login from anywhere.
rc.conf: the remaining entries belong to the networking setup (hostname, default gateway and addressing). Everything looks harmless.
Code:
keymap="us.iso"
sshd_enable="YES"
The pam.d directory was also untouched.
su
Code:
# $FreeBSD: src/etc/pam.d/su,v 1.16.32.1.2.1 2009/10/25 01:10:29 kensmith Exp $
#
# PAM configuration for the "su" service
#
# auth
auth sufficient pam_rootok.so no_warn
auth sufficient pam_self.so no_warn
auth requisite pam_group.so no_warn group=wheel root_only fail_safe
auth include system
# account
account include system
# session
session required pam_permit.so
sshd service
Code:
# $FreeBSD: src/etc/pam.d/sshd,v 1.16.10.1.2.1 2009/10/25 01:10:29 kensmith Exp $
#
# PAM configuration for the "sshd" service
#
# auth
auth sufficient pam_opie.so no_warn no_fake_prompts
auth requisite pam_opieaccess.so no_warn allow_local
#auth sufficient pam_krb5.so no_warn try_first_pass
#auth sufficient pam_ssh.so no_warn try_first_pass
auth required pam_unix.so no_warn try_first_pass
# account
account required pam_nologin.so
#account required pam_krb5.so
account required pam_login_access.so
account required pam_unix.so
# session
#session optional pam_ssh.so
session required pam_permit.so
# password
#password sufficient pam_krb5.so no_warn try_first_pass
password required pam_unix.so no_warn try_first_pass
system
Code:
# $FreeBSD: src/etc/pam.d/system,v 1.1.32.1.2.1 2009/10/25 01:10:29 kensmith Exp $
#
# System-wide defaults
#
# auth
auth sufficient pam_opie.so no_warn no_fake_prompts
auth requisite pam_opieaccess.so no_warn allow_local
#auth sufficient pam_krb5.so no_warn try_first_pass
#auth sufficient pam_ssh.so no_warn try_first_pass
auth required pam_unix.so no_warn try_first_pass nullok
# account
#account required pam_krb5.so
account required pam_login_access.so
account required pam_unix.so
# session
#session optional pam_ssh.so
session required pam_lastlog.so no_fail
# password
#password sufficient pam_krb5.so no_warn try_first_pass
password required pam_unix.so no_warn try_first_pass
I will try to make a change under login.access and report back if there's any update.
Thank you very much for your kind help, really.
EDIT: We just appended "+:wheel:ALL" to login.access and changed the password to a numeric-only password, and now I can su from SSH networked logins.
Right now we don't know what fixed this issue (password change or login.access entry) and have no time for it, so we will try it later today or tomorrow morning. Any input or comment is welcome!
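The following is an added example, not code from the original post or from FreeBSD: a small Python evaluator for the login.access(5) matching rules spelled out in the header of the posted file (the first entry matching the (user, origin) pair wins, EXCEPT negates, and no matching entry means the login is allowed; the origin is the remote host for networked logins and the tty for local ones). In the posted file the "-:wheel:ALL EXCEPT LOCAL .win.tue.nl" line is commented out, so pam_login_access.so, which the sshd and system services call in their account phase (and su reaches through "account include system"), enforces nothing from it. The example uncomments that line to show what it would do, and then shows why the position of an added "+:wheel:ALL" entry matters. The wheel membership, the 203.0.113.5 address and the hostnames are constructed for the demo; NIS netgroups (@name) are not implemented.

```python
"""Added example (not from the original post): evaluator for the
login.access(5) matching rules described in the file's own header."""


def parse_login_access(text):
    """Parse login.access text into (permission, user_tokens, origin_tokens)."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) != 3 or fields[0] not in ("+", "-"):
            raise ValueError("malformed login.access entry: %r" % raw)
        perm, users, origins = fields
        rules.append((perm, users.split(), origins.split()))
    return rules


def _string_match(tok, item):
    return tok.upper() == "ALL" or tok.lower() == item.lower()


def _user_match(tok, user, groups):
    """A token matches a user by login name, or by explicit group membership."""
    if _string_match(tok, user):
        return True
    return user in groups.get(tok, ())    # group file: explicit members only


def _from_match(tok, origin):
    """Origin is the remote host for networked logins, the tty otherwise."""
    if tok.upper() == "ALL":
        return True
    if tok.upper() == "LOCAL":
        return "." not in origin          # tty names and bare hostnames
    if tok.startswith("."):               # domain suffix, e.g. .win.tue.nl
        return origin.lower().endswith(tok.lower())
    if tok.endswith("."):                 # network number, e.g. 203.0.113.
        return origin.startswith(tok)
    return tok.lower() == origin.lower()  # exact host or tty name


def _list_match(tokens, item, match):
    """Something before EXCEPT must match; any match after EXCEPT negates it."""
    upper = [t.upper() for t in tokens]
    if "EXCEPT" in upper:
        i = upper.index("EXCEPT")
        head, tail = tokens[:i], tokens[i + 1:]
    else:
        head, tail = tokens, []
    if not any(match(t, item) for t in head):
        return False
    return not tail or not _list_match(tail, item, match)


def login_allowed(rules, user, origin, groups):
    """Permission of the first matching entry; no matching entry means allow."""
    for perm, users, origins in rules:
        if _list_match(users, user, lambda t, u: _user_match(t, u, groups)) \
                and _list_match(origins, origin, _from_match):
            return perm == "+"
    return True


# Constructed data for the demo: ortiz is an explicit member of wheel.
GROUPS = {"wheel": {"root", "ortiz"}}

# The stock example entry from the posted file, uncommented for the demo.
DENY_REMOTE_WHEEL = "-:wheel:ALL EXCEPT LOCAL .win.tue.nl\n"


def demo():
    """Evaluate the entry for a few (user, origin) pairs and two orderings."""
    rules = parse_login_access(DENY_REMOTE_WHEEL)
    appended = parse_login_access(DENY_REMOTE_WHEEL + "+:wheel:ALL\n")
    prepended = parse_login_access("+:wheel:ALL\n" + DENY_REMOTE_WHEEL)
    remote = "203.0.113.5"                # documentation address, constructed
    return {
        "ortiz via ssh from 203.0.113.5": login_allowed(rules, "ortiz", remote, GROUPS),
        "ortiz on console ttyv0": login_allowed(rules, "ortiz", "ttyv0", GROUPS),
        "ortiz from pc.win.tue.nl": login_allowed(rules, "ortiz", "pc.win.tue.nl", GROUPS),
        "alice (not wheel) from 203.0.113.5": login_allowed(rules, "alice", remote, GROUPS),
        # first match wins: a "+:wheel:ALL" appended after the deny changes
        # nothing, while the same line placed before it re-opens remote logins
        "ortiz remote, +:wheel:ALL appended": login_allowed(appended, "ortiz", remote, GROUPS),
        "ortiz remote, +:wheel:ALL prepended": login_allowed(prepended, "ortiz", remote, GROUPS),
    }


if __name__ == "__main__":
    for case, allowed in demo().items():
        print("%-40s %s" % (case, "allowed" if allowed else "DENIED"))
```

Run it as is and it prints one line per case. The point worth keeping in mind when editing the real file is the first-match rule stated in its header: an allow entry appended below an active deny entry never gets consulted for the pairs the deny already matches, so new entries must be ordered, not just added.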