This service will be undergoing maintenance at 00:00 UTC, 2016-09-28. It is expected to last about 1 hours
Bug 182337 - openssh should not use redundant pam_nologin
openssh should not use redundant pam_nologin
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: openssh (Show other bugs)
All Linux
medium Severity medium
: ---
: ---
Assigned To: Tomas Mraz
Brian Brock
Depends On:
  Show dependency treegraph
Reported: 2006-02-21 16:55 EST by Brad Smith
Modified: 2007-11-30 17:07 EST (History)
0 users

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2006-02-21 17:23:27 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:

Attachments (Terms of Use)

  None (edit)
Description Brad Smith 2006-02-21 16:55:07 EST
sshd honors /etc/nologin without any assistance from PAM and yet /etc/pam.d/sshd
includes pam_nologin. This is problematic for two reasons:

1) Users may assume that removing pam_nologin from pam.d/sshd will cause sshd to
ignore /etc/nologin, but this is not the case.

2) When a login is stopped via pam_nologin, sshd fails to print the contents of
/etc/nologin. If pam_nologin is removed from /etc/pam.d/sshd then the contents
of /etc/nologin are printed as expected.
Comment 1 Tomas Mraz 2006-02-21 17:23:27 EST
This problem is solved in current OpenSSH package in FC5 development. But it is
solved the other way around - the internal sshd processing of /etc/nologin is
not used when UsePAM is set to 'yes'. The problem 2) is solved by moving to account phase but I'm not sure that with the version of
openssh in RHEL4 it would help.

I don't think this problem is serious enough to need fixing in RHEL4 openssh.
Customers can easily fix this problem by removing pam_nologin from
/etc/pam.d/sshd themselves.

Note You need to log in before you can comment on or make changes to this bug.