Bug 182337 - openssh should not use redundant pam_nologin
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: openssh
All Linux
medium Severity medium
Assigned To: Tomas Mraz
Brian Brock
Reported: 2006-02-21 16:55 EST by Brad Smith
Modified: 2007-11-30 17:07 EST (History)
Doc Type: Bug Fix
Last Closed: 2006-02-21 17:23:27 EST

Description Brad Smith 2006-02-21 16:55:07 EST
sshd honors /etc/nologin without any assistance from PAM and yet /etc/pam.d/sshd
includes pam_nologin. This is problematic for two reasons:

1) Users may assume that removing pam_nologin from pam.d/sshd will cause sshd to
ignore /etc/nologin, but this is not the case.

2) When a login is stopped via pam_nologin, sshd fails to print the contents of
/etc/nologin. If pam_nologin is removed from /etc/pam.d/sshd then the contents
of /etc/nologin are printed as expected.
Comment 1 Tomas Mraz 2006-02-21 17:23:27 EST
This problem is solved in the current OpenSSH package in FC5 development. But it is
solved the other way around - the internal sshd processing of /etc/nologin is
not used when UsePAM is set to 'yes'. The problem 2) is solved by moving
pam_nologin.so to the account phase but I'm not sure that with the version of
openssh in RHEL4 it would help.

I don't think this problem is serious enough to need fixing in RHEL4 openssh.
Customers can easily fix this problem by removing pam_nologin from
/etc/pam.d/sshd themselves.
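
An added example, not part of the bug report or of the openssh package: a small Python audit that reads the text of a pam.d/sshd file and an sshd_config and reports which of the cases discussed in this bug applies. The sample file contents and the result labels are constructed for illustration, and it assumes UsePAM is off when unset, as in upstream OpenSSH.

```python
import re

# Constructed sample inputs, shaped like the files the report discusses.
SAMPLE_PAM = """\
#%PAM-1.0
auth       required     pam_stack.so service=system-auth
auth       required     pam_nologin.so
account    required     pam_stack.so service=system-auth
session    required     pam_stack.so service=system-auth
"""
SAMPLE_SSHD_CONFIG = "Protocol 2\n#UsePAM no\nUsePAM yes\n"

# type, control (one word or a [bracketed group]), module path
PAM_LINE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)")

def nologin_phases(pam_text):
    """PAM phases (auth, account, ...) whose stack calls pam_nologin."""
    phases = []
    for raw in pam_text.splitlines():
        m = PAM_LINE.match(raw.split("#", 1)[0].strip())
        if m and m.group(3).rsplit("/", 1)[-1].startswith("pam_nologin"):
            phases.append(m.group(1).lower())
    return phases

def use_pam(sshd_config_text):
    """Effective UsePAM: first occurrence wins; assumed default is no."""
    for raw in sshd_config_text.splitlines():
        parts = re.split(r"[\s=]+", raw.split("#", 1)[0].strip(), maxsplit=1)
        if len(parts) == 2 and parts[0].lower() == "usepam":
            return parts[1].strip().strip('"').lower() == "yes"
    return False

def audit(pam_text, sshd_config_text):
    """Map the configuration to the behaviours described in this bug."""
    phases = nologin_phases(pam_text)
    if not use_pam(sshd_config_text):
        return "sshd-internal-only"  # PAM stack unused; sshd checks /etc/nologin
    if "auth" in phases:
        return "auth-phase"          # Description: /etc/nologin text not printed
    if "account" in phases:
        return "account-phase"       # Comment 1: placement in FC5 development
    return "no-pam-nologin"          # only sshd's own check, if the build has it

if __name__ == "__main__":
    print(audit(SAMPLE_PAM, SAMPLE_SSHD_CONFIG))
```

A "no-pam-nologin" result deserves a second look on builds with the FC5 behaviour from Comment 1: there the internal check is skipped when UsePAM is 'yes', so nothing in the ssh login path would consult /etc/nologin.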
