Red Hat Bugzilla – Full Text Bug Listing
Summary: openssh not honoring pam_nologin with RSA authentication
Product: Fedora
Component: openssh
Status: CLOSED RAWHIDE
Fixed In Version: openssh-4.1p1-2
Reporter: Ryan W. Maple <ryan>
Assignee: Tomas Mraz <tmraz>
Doc Type: Bug Fix
Last Closed: 2005-06-09 17:46:12 EDT
Description Ryan W. Maple 2001-09-27 12:30:14 EDT
From Bugzilla Helper:
User-Agent: Mozilla/4.74 [en] (X11; U; Linux 2.4.9-ac7 i686; Nav)

Description of problem:
Right now the pam_nologin module is set as "auth" in /etc/pam.d/sshd. This means it will only be called at auth1.c:258 (auth_pam_password()). Further down (auth1.c:330), sshd does do_pam_account(). So when a user SSHes into the machine using PasswordAuthentication, pam_nologin will be enforced. When a user is doing RSAAuthentication (or any other type, for that matter) it is not. I feel that the pam_nologin check should be done in "account" so this restriction is always enforced.

Version-Release number of selected component (if applicable):

How reproducible:
Always

Steps to Reproduce:
1. touch /etc/nologin
2. Attempt to SSH in using PasswordAuth
3. Attempt to SSH in using RSAAuth

Actual Results:
Denied in #2, allowed in #3.

Expected Results:
You should have been denied both times.

Additional info:
I will attach a diff to this bug report.
Comment 1 Ryan W. Maple 2001-09-27 12:31:03 EDT
Created attachment 32778: This patch moves pam_nologin from "auth" to "account"
Comment 2 Nalin Dahyabhai 2002-03-07 15:47:06 EST
This patch requires a specific version of PAM in order to work properly, as pam_nologin hasn't always provided an account management function. Because it's desirable to use one source package for all of our supported releases, I'm going to have to think about this one.
Comment 3 Aleksey Nogin 2004-03-11 03:53:15 EST
I believe that comment #2 no longer applies, so this bug is overdue for reevaluation. P.S. See also bug 64293.
Comment 4 Tomas Mraz 2005-02-07 05:35:07 EST
Moving pam_nologin to account means that the response for password-based auth will be different when you type the password right and when you type a bad one. There won't be any delay in case you type it right. If you put it in both sections, you will get it dumped twice on the terminal in case of root login. The question is which behaviour is 'the least broken one'.
Comment 5 Tomas Mraz 2005-06-09 17:46:12 EDT
Fixed in FC devel. pam_nologin was moved to account phase. Also the /etc/nologin processing done directly by openssh was disabled if UsePAM is yes (the default).
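A check for the configuration change described in the bug report and in comment 5, added here as an example; it is not code from the bug, its attachment, or the openssh package. It parses a /etc/pam.d/sshd-style service file and reports which PAM phases reference pam_nologin.so, so an administrator can confirm the module sits in the account phase (which sshd runs for every authentication method) rather than only in auth (which only the password path reaches). With UsePAM yes, sshd's own /etc/nologin handling is disabled per comment 5, so the account entry is what actually enforces the file. The two sample configurations are constructed for this example; the pam_stack.so lines are an assumption about the Fedora Core layout of the time, not text taken from the bug.

```shell
#!/bin/sh
# pam_nologin_phases: list the PAM phases in which a pam.d service file
# references pam_nologin.so (added example; not from the bug or openssh).
#
# Background (from the bug): sshd's password path runs the "auth" phase,
# but every authentication method, RSA keys included, runs "account".
# pam_nologin therefore blocks all logins only when it is listed under
# "account"; under "auth" alone, public-key logins bypass /etc/nologin.

# Constructed sample: the pre-fix layout the report describes, with
# pam_nologin only under "auth". The pam_stack.so lines are an assumption
# about the Fedora Core layout of the time, not text from the bug.
PAM_SSHD_BEFORE='#%PAM-1.0
auth       required     pam_stack.so service=system-auth
auth       required     pam_nologin.so
account    required     pam_stack.so service=system-auth
password   required     pam_stack.so service=system-auth
session    required     pam_stack.so service=system-auth'

# Constructed sample: the layout after the fix in comment 5, with
# pam_nologin moved to "account".
PAM_SSHD_AFTER='#%PAM-1.0
auth       required     pam_stack.so service=system-auth
account    required     pam_nologin.so
account    required     pam_stack.so service=system-auth
password   required     pam_stack.so service=system-auth
session    required     pam_stack.so service=system-auth'

# Print each PAM phase (auth, account, password, session) that references
# pam_nologin.so, one per line, sorted and de-duplicated. Reads the service
# file named in $1, or stdin when no argument is given. Comment and blank
# lines are skipped; a leading "-" on the phase (Linux-PAM's "be quiet if
# the module is missing" marker) is stripped so "-account" counts as "account".
pam_nologin_phases() {
    file=${1:--}
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        /pam_nologin\.so/ { sub(/^-/, "", $1); print $1 }
    ' "$file" | sort -u
}

# Succeed (exit 0) only if pam_nologin.so is listed in the account phase,
# i.e. /etc/nologin is enforced regardless of the authentication method.
nologin_enforced_for_all_methods() {
    pam_nologin_phases "$@" | grep -qx account
}

# Report the result for one configuration held in a string.
report() {
    name=$1
    cfg=$2
    printf '%s: pam_nologin in phase(s): %s\n' "$name" \
        "$(printf '%s\n' "$cfg" | pam_nologin_phases | tr '\n' ' ')"
    if printf '%s\n' "$cfg" | nologin_enforced_for_all_methods; then
        echo "$name: /etc/nologin enforced for all authentication methods"
    else
        echo "$name: /etc/nologin NOT enforced for public-key logins"
    fi
}

# Demonstration on the two constructed samples.
report BEFORE "$PAM_SSHD_BEFORE"
report AFTER "$PAM_SSHD_AFTER"
```

To check a live system, run `pam_nologin_phases /etc/pam.d/sshd` (or `nologin_enforced_for_all_methods /etc/pam.d/sshd` and test its exit status); on a system that uses a shared include such as system-auth, run it against that file as well, since the module may be pulled in from there rather than listed in sshd directly.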