Bug 54108

Summary: openssh not honoring pam_nologin with RSA authentication
Product: [Fedora] Fedora
Reporter: Ryan W. Maple <ryan>
Component: openssh
Assignee: Tomas Mraz <tmraz>
Status: CLOSED RAWHIDE
Severity: medium
Priority: medium
Version: rawhide
CC: aleksey
Keywords: Patch
Hardware: All
OS: Linux
Fixed In Version: openssh-4.1p1-2
Doc Type: Bug Fix
Last Closed: 2005-06-09 17:46:12 EDT
Bug Blocks: 64293
Attachment: This patch moves pam_nologin from "auth" to "account" (flags: none)

Description Ryan W. Maple 2001-09-27 12:30:14 EDT
From Bugzilla Helper:
User-Agent: Mozilla/4.74 [en] (X11; U; Linux 2.4.9-ac7 i686; Nav)

Description of problem:
Right now the pam_nologin module is set as "auth" in /etc/pam.d/sshd.  This
means it will only be called at auth1.c:258 (auth_pam_password()).  Further
down (auth1.c:330), sshd does do_pam_account().

So when a user SSH's into the machine using PasswordAuthentication,
pam_nologin will be enforced.  When a user is doing RSAAuthentication (or
any other type for that matter) it is not.   I feel that the pam_nologin
should be done in "account" so this restriction is always enforced.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. touch /etc/nologin
2. Attempt to SSH in using PasswordAuth
3. Attempt SSH in using RSAAuth

Actual Results:  Denied in #2, allowed in #3.

Expected Results:  You should have been denied both times.

Additional info:

I will attach a diff to this bug report.

Comment 1 Ryan W. Maple 2001-09-27 12:31:03 EDT
Created attachment 32778 [details]
This patch moves pam_nologin from "auth" to "account"

Comment 2 Nalin Dahyabhai 2002-03-07 15:47:06 EST
This patch requires a specific version of PAM in order to work properly, as
pam_nologin hasn't always provided an account management function.  Because it's
desirable to use one source package for all of our supported releases, I'm
going to have to think about this one.

Comment 3 Aleksey Nogin 2004-03-11 03:53:15 EST
I believe that comment #2 no longer applies, so this bug is overdue
for reevaluation.

P.S. See also bug 64293.

Comment 4 Tomas Mraz 2005-02-07 05:35:07 EST
Moving pam_nologin to account means that the response for password based auth
will be different when you type the password right and when you type a bad one.
There won't be any delay in case you type it right. 

If you put it in both sections, you will get it dumped twice on the terminal in
case of root login.

The question is which behaviour is 'the least broken one'.

Comment 5 Tomas Mraz 2005-06-09 17:46:12 EDT
Fixed in FC devel.
pam_nologin was moved to account phase. Also the /etc/nologin processing done
directly by openssh was disabled if UsePAM is yes (the default).
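Added example, not part of the bug thread or the openssh package: a shell check that reports which PAM management groups in a service file call pam_nologin, so the state reported here (auth only, skipped by non-password logins) can be told apart from the fixed one (account). The function names and the two sample files are constructed for illustration, and rules pulled in through include or substack are not followed.

```shell
#!/bin/sh
# Added example: which PAM management groups in a service file call pam_nologin?
# Rules pulled in through include/substack are not followed.

# nologin_stacks FILE -> distinct groups (auth, account, ...) that reference
# pam_nologin, space-separated, in order of first appearance.
nologin_stacks() {
    awk '
        { sub(/#.*/, "") }                  # drop comments
        NF < 3 { next }                     # not a "type control module" rule
        {
            grp = $1
            sub(/^-/, "", grp)              # "-type" prefix: module may be absent
            hit = 0
            for (i = 3; i <= NF; i++)       # module is field 3, later after [k=v ...]
                if ($i ~ /(^|\/)pam_nologin\.so$/) hit = 1
            if (hit && !(grp in seen)) {
                seen[grp] = 1
                out = (out == "" ? grp : out " " grp)
            }
        }
        END { print out }
    ' "$1"
}

# nologin_verdict FILE -> ok | auth-only | missing
#   ok        : account stack calls pam_nologin (checked for every auth method)
#   auth-only : only the auth stack does (the behaviour reported in this bug)
nologin_verdict() {
    case " $(nologin_stacks "$1") " in
        *" account "*) echo ok ;;
        *" auth "*)    echo auth-only ;;
        *)             echo missing ;;
    esac
}

# Constructed sample files, not the real Fedora /etc/pam.d/sshd.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
printf '%s\n' 'auth required pam_unix.so' 'auth required pam_nologin.so' \
    'account required pam_unix.so' > "$demo_dir/before"
printf '%s\n' 'auth required pam_unix.so' 'account required pam_nologin.so' \
    'account required pam_unix.so' > "$demo_dir/after"
echo "before: $(nologin_verdict "$demo_dir/before")"
echo "after:  $(nologin_verdict "$demo_dir/after")"
```

On a real host the same check is `nologin_verdict /etc/pam.d/sshd`; a result of `auth-only` means key-based logins bypass /etc/nologin as described in the report.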