Bug 182337 - openssh should not use redundant pam_nologin
Summary: openssh should not use redundant pam_nologin
Keywords:
Status: CLOSED DEFERRED
Alias: None
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: openssh
Version: 4.0
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Tomas Mraz
QA Contact: Brian Brock
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2006-02-21 21:55 UTC by Brad Smith
Modified: 2007-11-30 22:07 UTC (History)
0 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2006-02-21 22:23:27 UTC
Target Upstream Version:
Embargoed:


Description Brad Smith 2006-02-21 21:55:07 UTC
sshd honors /etc/nologin without any assistance from PAM and yet /etc/pam.d/sshd
includes pam_nologin. This is problematic for two reasons:

1) Users may assume that removing pam_nologin from pam.d/sshd will cause sshd to
ignore /etc/nologin, but this is not the case.

2) When a login is stopped via pam_nologin, sshd fails to print the contents of
/etc/nologin. If pam_nologin is removed from /etc/pam.d/sshd then the contents
of /etc/nologin are printed as expected.

Comment 1 Tomas Mraz 2006-02-21 22:23:27 UTC
This problem is solved in the current OpenSSH package in FC5 development. But it is
solved the other way around - the internal sshd processing of /etc/nologin is
not used when UsePAM is set to 'yes'. Problem 2) is solved by moving
pam_nologin.so to the account phase, but I'm not sure that with the version of
openssh in RHEL4 it would help.

I don't think this problem is serious enough to need fixing in RHEL4 openssh.
Customers can easily fix this problem by removing pam_nologin from
/etc/pam.d/sshd themselves.
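
A check for the two settings this thread turns on, the PAM phase in which pam_nologin is listed and the UsePAM value, written as an added example that is not part of the bug report or of the openssh package. The file arguments, the result labels and the sample files are assumptions of this example.

```shell
#!/bin/sh
# Added example: classify how an sshd setup is wired to /etc/nologin.
# File paths are arguments, so the check can run on copies of the files.

# Print the PAM phases (auth, account, ...) that name pam_nologin, or "none".
nologin_phases() {
    awk '
        { sub(/#.*/, "") }                   # drop comments
        /pam_nologin/ {
            sub(/^-/, "", $1)                # "-auth" style optional entries
            if (!seen[$1]++) out = out (out ? " " : "") $1
        }
        END { print (out ? out : "none") }
    ' "$1"
}

# Print the first UsePAM value in an sshd_config, or "unset".
# sshd keywords are case-insensitive and the first occurrence wins.
usepam_value() {
    awk '
        { sub(/#.*/, ""); gsub(/=/, " ") }
        tolower($1) == "usepam" { print tolower($2); found = 1; exit }
        END { if (!found) print "unset" }
    ' "$1"
}

# Result labels are this example's own, not sshd or PAM output.
nologin_audit() {
    phases=$(nologin_phases "$1")
    usepam=$(usepam_value "$2")
    case "$usepam:$phases" in
        yes:none)      echo "pam-nologin-absent" ;;  # only the sshd built-in check, if the build has one
        yes:*auth*)    echo "pam-auth-phase" ;;      # layout the report describes: message not shown
        yes:*account*) echo "pam-account-phase" ;;   # layout Comment 1 describes for FC5 development
        yes:*)         echo "pam-other-phase" ;;
        *)             echo "pam-not-used" ;;        # UsePAM is not "yes"
    esac
}

# Constructed sample input, not taken from a real host.
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '#%PAM-1.0' 'auth required pam_nologin.so' > "$d/pam"
    printf '%s\n' '# constructed' 'UsePAM yes' > "$d/cfg"
    nologin_audit "$d/pam" "$d/cfg"
    rm -rf "$d"
}
demo
```

On a real host the two arguments would be /etc/pam.d/sshd and the sshd_config in use; the location of sshd_config is an assumption that varies by distribution.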
