Bug 117981 - sshd does not print contents of /etc/nologin
Product: Red Hat Enterprise Linux 3
Classification: Red Hat
Component: openssh
i686 Linux
medium Severity low
Assigned To: Tomas Mraz
Brian Brock
Blocks: 64293
Reported: 2004-03-10 14:04 EST by William D. Hamblen
Modified: 2007-11-30 17:07 EST (History)
Doc Type: Bug Fix
Last Closed: 2005-06-09 10:45:17 EDT
Description William D. Hamblen 2004-03-10 14:04:57 EST
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.4) Gecko/20030922

Description of problem:
According to the sshd manpage, after a successful login sshd 

3.   Checks /etc/nologin; if it exists, prints contents and quits
                (unless root).

This is not what happens.  Instead ssh gives a "Permission denied"
message, exactly as if an incorrect password had been given.  It does
this even when the password is correct, so sshd is preventing logins
but not displaying the message.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Create /etc/nologin on an sshd server
2. Try to login remotely as a non-root user


Actual Results:  Prompted for a password 3 times.  Each time it fails
with "Permission denied, please try again later.", even though the
password is correct.

Expected Results:  Prompted one time for the passwd, get the contents
of /etc/nologin, no misleading "Permission denied" messages.

Additional info:
Comment 1 Tomas Mraz 2005-02-07 10:08:11 EST
If you want this behaviour - remove the pam_nologin line from the
/etc/pam.d/sshd file.
Comment 2 Tomas Mraz 2005-06-09 10:45:17 EDT
This is easily worked around by the user, but it cannot be set as the default in RHEL3/4.

On the other hand, the current upstream openssh code prints the nologin contents
fine if pam_nologin is moved to the account stage, and it is more configurable
(the nologin file can be specified, etc.) this way.
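
Comment 2 ties the visible behaviour to the PAM stage in which pam_nologin runs. The shell script below is an added example, not part of the bug report or of OpenSSH: it reports that stage for a PAM service file such as /etc/pam.d/sshd. The function names and the two sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the bug report): find the PAM stage in which
# pam_nologin.so is configured for a service file such as /etc/pam.d/sshd.

# nologin_stages FILE: print the stage of each pam_nologin.so line, in order.
nologin_stages() {
    awk '
        NF == 0 || $1 ~ /^#/ { next }           # skip blank lines and comments
        {
            stage = $1
            sub(/^-/, "", stage)                # "-auth" marks an optional module
            for (i = 2; i <= NF; i++) {
                if ($i ~ /^#/) break            # rest of the line is a comment
                if ($i == "pam_nologin.so" || $i ~ /\/pam_nologin\.so$/) {
                    print stage; break
                }
            }
        }' "$1"
}

# nologin_placement FILE: summarise as auth | account | other | absent.
# auth is checked first because that is the placement to review.
nologin_placement() {
    stages=$(nologin_stages "$1")
    if [ -z "$stages" ]; then echo absent
    elif printf '%s\n' "$stages" | grep -qx auth; then echo auth
    elif printf '%s\n' "$stages" | grep -qx account; then echo account
    else echo other
    fi
}

# Constructed sample files (illustrative, not copied from any RHEL release).
demo() {
    dir=$(mktemp -d) || return 1
    printf '%s\n' '#%PAM-1.0' \
        'auth     required  pam_unix.so' \
        'auth     required  pam_nologin.so' \
        'account  required  pam_unix.so' > "$dir/auth-stage"
    printf '%s\n' '#%PAM-1.0' \
        'auth     required  pam_unix.so' \
        'account  required  /lib/security/pam_nologin.so' \
        'account  required  pam_unix.so' > "$dir/account-stage"
    for f in auth-stage account-stage; do
        echo "$f: pam_nologin is in stage: $(nologin_placement "$dir/$f")"
    done
    rm -rf "$dir"
}
demo
```

A result of `account` corresponds to the placement comment 2 describes; `absent` corresponds to the workaround in comment 1.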
