Red Hat Bugzilla – Bug 182337
openssh should not use redundant pam_nologin
Last modified: 2007-11-30 17:07:23 EST
sshd honors /etc/nologin without any assistance from PAM and yet /etc/pam.d/sshd
includes pam_nologin. This is problematic for two reasons:
1) Users may assume that removing pam_nologin from pam.d/sshd will cause sshd to
ignore /etc/nologin, but this is not the case.
2) When a login is stopped via pam_nologin, sshd fails to print the contents of
/etc/nologin. If pam_nologin is removed from /etc/pam.d/sshd then the contents
of /etc/nologin are printed as expected.
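A small audit of the two files this report concerns, added here as an example and not part of the original report or the openssh package: it reports whether UsePAM is on and in which PAM phases pam_nologin is listed. The function names and sample file contents are constructed for illustration, and the "not in the account phase" finding follows the reply below about moving pam_nologin.so to the account phase.

```python
import re

PAM_TYPES = {"auth", "account", "password", "session"}

def pam_nologin_phases(pam_text):
    """Return the PAM phases (auth, account, ...) whose stack lists pam_nologin."""
    phases = []
    for raw in pam_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        line = re.sub(r"\[[^\]]*\]", "CTRL", line)   # collapse [success=1 ...] controls
        fields = line.split()
        if len(fields) < 3:
            continue
        phase = fields[0].lstrip("-").lower()        # Linux-PAM allows a leading '-'
        module = fields[2].rsplit("/", 1)[-1]        # accept full module paths
        if phase in PAM_TYPES and module == "pam_nologin.so" and phase not in phases:
            phases.append(phase)
    return phases

def use_pam(sshd_config_text):
    """Effective UsePAM value: the first occurrence wins, upstream default is no."""
    for raw in sshd_config_text.splitlines():
        m = re.match(r"(?i)usepam(?:\s*=\s*|\s+)(\S+)", raw.split("#", 1)[0].strip())
        if m:
            return m.group(1).strip('"').lower() == "yes"
    return False

def nologin_findings(pam_text, sshd_config_text):
    phases, pam_on = pam_nologin_phases(pam_text), use_pam(sshd_config_text)
    findings = []
    if not pam_on and phases:
        findings.append("pam_nologin is listed but UsePAM is off, so sshd does not run the PAM stack")
    if pam_on and phases and "account" not in phases:
        findings.append("pam_nologin is not in the account phase; the thread reports "
                        "that the /etc/nologin text is shown once it is moved there")
    return {"use_pam": pam_on, "phases": phases, "findings": findings}

# Constructed sample files (not taken from any real system)
SAMPLE_PAM = ("#%PAM-1.0\n"
              "auth       required     pam_stack.so service=system-auth\n"
              "auth       required     pam_nologin.so\n"
              "account    required     pam_stack.so service=system-auth\n")
SAMPLE_SSHD = "Protocol 2\n#UsePAM no\nUsePAM yes\n"

if __name__ == "__main__":
    print(nologin_findings(SAMPLE_PAM, SAMPLE_SSHD))
```

On a real host, pass the contents of /etc/pam.d/sshd and the sshd_config file in place of the sample strings.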
This problem is solved in the current OpenSSH package in FC5 development. But it is
solved the other way around - the internal sshd processing of /etc/nologin is
not used when UsePAM is set to 'yes'. Problem 2) is solved by moving
pam_nologin.so to the account phase, but I'm not sure that with the version of
openssh in RHEL4 it would help.
I don't think this problem is serious enough to need fixing in RHEL4 openssh.
Customers can easily fix this problem by removing pam_nologin from