From: Steve Grubb Date: Fri, 8 Apr 2005 16:24:11 -0400 (22:24 CEST) I found a problem in login's handling of the pam session. If for some reason the pam set credential call fails, it does not close the pam session. pam open can mount drives, so calling pam close is important. Attached is a patch that fixes this. I believe all versions of util-linux are similarly affected.
Created attachment 113015 [details] bug fix patch (by Steve Grubb)
Test case: Add at begin of /etc/pam.d/system-auth: auth required pam_debug.so auth=success cred=perm_denied (this setting disable login to system!). Now try log in for example by "telnel localhost". You have to found in /var/log/messages: Sep 5 10:04:48 petra pam_tally[9480]: pam_tally: option deny=5 allowed in auth phase only Sep 5 10:04:48 petra remote(pam_unix)[9480]: session opened for user zakkr by (uid=0) Sep 5 10:04:48 petra remote(pam_unix)[9480]: session closed for user zakkr Sep 5 10:04:48 petra login[9480]: Permission denied The important line is "session closed" that missing in old version without bug fix.
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHBA-2005-669.html