Bug 117981 - sshd does not print contents of /etc/nologin
Summary: sshd does not print contents of /etc/nologin
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Enterprise Linux 3
Classification: Red Hat
Component: openssh
Version: 3.0
Hardware: i686
OS: Linux
medium
low
Target Milestone: ---
Assignee: Tomas Mraz
QA Contact: Brian Brock
URL:
Whiteboard:
Depends On:
Blocks: 64293
Reported: 2004-03-10 19:04 UTC by William D. Hamblen
Modified: 2007-11-30 22:07 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2005-06-09 14:45:17 UTC
Target Upstream Version:
Embargoed:



Description William D. Hamblen 2004-03-10 19:04:57 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.4) Gecko/20030922

Description of problem:
According to the sshd manpage, after a successful login sshd 

3.   Checks /etc/nologin; if it exists, prints contents and quits
                (unless root).

This is not what happens.  Instead ssh gives a "Permission denied"
message, exactly as if an incorrect password had been given.  It does
this even when the password is correct, so sshd is preventing logins
but not displaying the message.

Version-Release number of selected component (if applicable):
openssh-server-3.6.1p2-18

How reproducible:
Always

Steps to Reproduce:
1. Create /etc/nologin on an sshd server
2. Try to login remotely as a non-root user

    

Actual Results:  Prompted for a password 3 times.  Each time it fails
with "Permission denied, please try again later.", even though the
password is correct.

Expected Results:  Prompted one time for the passwd, get the contents
of /etc/nologin, no misleading "Permission denied" messages.

Additional info:

Comment 1 Tomas Mraz 2005-02-07 15:08:11 UTC
If you want this behaviour - remove the pam_nologin line from the
/etc/pam.d/sshd file.


Comment 2 Tomas Mraz 2005-06-09 14:45:17 UTC
This is easily worked around by the user, but it cannot be set as the default in RHEL3/4.

On the other hand, the current upstream openssh code prints the nologin contents
fine if the pam_nologin is moved to the account stage, and it is more configurable
(nologin file can be specified etc.) this way.
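
Added example, not part of the original bug thread and not Red Hat's or OpenSSH's code: a shell check that reports which PAM management group loads pam_nologin in a service file and maps it to the behaviour described in the report and comments above. The function names are hypothetical, the sample stacks are constructed, and modules pulled in indirectly through pam_stack.so are not followed.

```shell
#!/bin/sh
# Added example: classify how a PAM service file handles /etc/nologin.

# Print the management groups (auth, account, ...) whose lines load
# pam_nologin. Comment and blank lines are skipped; a leading "-" on
# the type field is stripped. Included stacks are NOT followed.
nologin_stages() {
    awk '
        /^[ \t]*#/ { next }
        NF == 0    { next }
        /pam_nologin/ { t = $1; sub(/^-/, "", t); print t }
    ' "$1" | sort -u | tr '\n' ' ' | sed 's/ $//'
}

# Map the stage to the behaviour described in this bug report.
nologin_behaviour() {
    case " $(nologin_stages "$1") " in
        *" auth "*)    echo "auth: rejected during authentication, looks like a bad password" ;;
        *" account "*) echo "account: per Comment 2, sshd can print the nologin contents" ;;
        *)             echo "none: pam_nologin not listed, sshd's own /etc/nologin check applies" ;;
    esac
}

# Constructed sample stacks (not copied from a real system).
tmp=$(mktemp -d)
cat > "$tmp/auth_stage" <<'EOF'
#%PAM-1.0
auth       required     pam_stack.so service=system-auth
auth       required     pam_nologin.so
account    required     pam_stack.so service=system-auth
EOF
cat > "$tmp/account_stage" <<'EOF'
#%PAM-1.0
auth       required     pam_stack.so service=system-auth
account    required     pam_nologin.so
account    required     pam_stack.so service=system-auth
EOF
for f in "$tmp/auth_stage" "$tmp/account_stage"; do
    printf '%s -> %s\n' "${f##*/}" "$(nologin_behaviour "$f")"
done
rm -rf "$tmp"
```

On a real host, run `nologin_behaviour /etc/pam.d/sshd` and also inspect any stack that file includes.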


