Red Hat Bugzilla – Full Text Bug Listing
|Summary:||RFE: allow an override of the /etc/nologin testing.|
|Product:||[Fedora] Fedora||Reporter:||Aleksey Nogin <aleksey>|
|Component:||openssh||Assignee:||Tomas Mraz <tmraz>|
|Status:||CLOSED UPSTREAM||QA Contact:||Brian Brock <bbrock>|
|Fixed In Version:||Doc Type:||Enhancement|
|Doc Text:||Story Points:||---|
|Last Closed:||2005-05-25 09:52:02 EDT||Type:||---|
|oVirt Team:||---||RHEL 7.3 requirements from Atomic Host:|
|Bug Depends On:||54108, 117981|
Description Aleksey Nogin 2002-05-01 16:29:22 EDT
Currently sshd tests for /etc/nologin *both* through the pam and on its own. This is very annoying - one assumes that it's possible to override the tests by modifying the /etc/pam.d/sshd, but then it turns out that the pam_nologin in /etc/pam.d/sshd is redundant and that sshd does the testing itself and there is no way to override it. In short, this RFE is for: 1) Configuration option to override the /etc/nologin testing in sshd itself (see also bug #47298). 2) Change in the default config shipped by RedHat to have the override turned on. P.S. According to bug #54108, the pam_nologin needs to be moved from auth to account in order to work properly even with the RSA authentication.
Comment 1 Dax Kelson 2004-09-17 21:41:09 EDT
I concur this should be fixed. This is not how Red Hat Linux 9 behaved and having upgraded to Fedora Core 2 from RHL9 I was bitten by this.
Comment 2 Evan McNabb 2004-09-17 22:11:51 EDT
This also appears to be a problem in RHEL 3. In my opinion there shouldn't be a toggle switch in sshd; the check should be done only in PAM.
Comment 3 Tomas Mraz 2005-02-07 05:44:49 EST
Without solving bug 54108 the nologin processing shouldn't be removed. Also note, that the contents of /etc/nologin should be dumped on client's terminal. This isn't/cannot be the case of using pam for nologin processing. Adding a new configuration option is also not good without having it in upstream portable OpenSSH first so please report it to http://bugzilla.mindrot.org/.