182337 – openssh should not use redundant pam_nologin

Bug 182337 - openssh should not use redundant pam_nologin

Summary: openssh should not use redundant pam_nologin

Keywords:
Status:	CLOSED DEFERRED
Alias:	None
Product:	Red Hat Enterprise Linux 4
Classification:	Red Hat
Component:	openssh
Sub Component:
Version:	4.0
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Target Release:	---
Assignee:	Tomas Mraz
QA Contact:	Brian Brock
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2006-02-21 21:55 UTC by Brad Smith
Modified:	2007-11-30 22:07 UTC (History)
CC List:	0 users
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2006-02-21 22:23:27 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Description Brad Smith 2006-02-21 21:55:07 UTC

sshd honors /etc/nologin without any assistance from PAM and yet /etc/pam.d/sshd
includes pam_nologin. This is problematic for two reasons:

1) Users may assume that removing pam_nologin from pam.d/sshd will cause sshd to
ignore /etc/nologin, but this is not the case.

2) When a login is stopped via pam_nologin, sshd fails to print the contents of
/etc/nologin. If pam_nologin is removed from /etc/pam.d/sshd then the contents
of /etc/nologin are printed as expected.

Comment 1 Tomas Mraz 2006-02-21 22:23:27 UTC

This problem is solved in current OpenSSH package in FC5 development. But it is
solved the other way around - the internal sshd processing of /etc/nologin is
not used when UsePAM is set to 'yes'. The problem 2) is solved by moving
pam_nologin.so to account phase but I'm not sure that with the version of
openssh in RHEL4 it would help.

I don't think this problem is serious enough to need fixing in RHEL4 openssh.
Customers can easily fix this problem by removing pam_nologin from
/etc/pam.d/sshd themselves.

Note You need to log in before you can comment on or make changes to this bug.