Bug 54108 - openssh not honoring pam_nologin with RSA authentication
Summary: openssh not honoring pam_nologin with RSA authentication
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: openssh
Version: rawhide
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Tomas Mraz
QA Contact:
URL:
Whiteboard:
Keywords: Patch
Depends On:
Blocks: 64293
 
Reported: 2001-09-27 16:30 UTC by Ryan W. Maple
Modified: 2007-11-30 22:10 UTC (History)

Fixed In Version: openssh-4.1p1-2
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2005-06-09 21:46:12 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments
This patch moves pam_nologin from "auth" to "account" (1.27 KB, patch)
2001-09-27 16:31 UTC, Ryan W. Maple

Description Ryan W. Maple 2001-09-27 16:30:14 UTC
From Bugzilla Helper:
User-Agent: Mozilla/4.74 [en] (X11; U; Linux 2.4.9-ac7 i686; Nav)

Description of problem:
Right now the pam_nologin module is set as "auth" in /etc/pam.d/sshd.  This
means it will only be called at auth1.c:258 (auth_pam_password()).  Further
down (auth1.c:330), sshd does do_pam_account().

So when a user SSH's into the machine using PasswordAuthentication,
pam_nologin will be enforced.  When a user is doing RSAAuthentication (or
any other type for that matter) it is not.  I feel that the pam_nologin check
should be done in "account" so this restriction is always enforced.



Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
1. touch /etc/nologin
2. Attempt to SSH in using PasswordAuth
3. Attempt SSH in using RSAAuth

Actual Results:  Denied in #2, allowed in #3.

Expected Results:  You should have been denied both times.

Additional info:

I will attach a diff to this bug report.

Comment 1 Ryan W. Maple 2001-09-27 16:31:03 UTC
Created attachment 32778 [details]
This patch moves pam_nologin from "auth" to "account"

Comment 2 Nalin Dahyabhai 2002-03-07 20:47:06 UTC
This patch requires a specific version of PAM in order to work properly, as
pam_nologin hasn't always provided an account management function.  Because it's
desirable to use one source package for all of our supported releases, I'm
going to have to think about this one.

Comment 3 Aleksey Nogin 2004-03-11 08:53:15 UTC
I believe that comment #2 no longer applies, so this bug is overdue
for reevaluation.

P.S. See also bug 64293.

Comment 4 Tomas Mraz 2005-02-07 10:35:07 UTC
Moving pam_nologin to account means that the response for password based auth
will be different when you type the password right and when you type a bad one.
There won't be any delay in case you type it right.

If you put it in both sections, you will get it dumped twice on terminal in case
of root login.

The question is which behaviour is 'the least broken one'.


Comment 5 Tomas Mraz 2005-06-09 21:46:12 UTC
Fixed in FC devel.
pam_nologin was moved to account phase. Also the /etc/nologin processing done
directly by openssh was disabled if UsePAM is yes (the default).
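As an added example (not part of the bug report or of the openssh package), a small POSIX shell audit that reports which PAM phase pam_nologin sits in for a given /etc/pam.d/sshd-style file; the two sample configurations are constructed here to mirror the report's "before" state (pam_nologin in auth) and the fix's "after" state (pam_nologin in account).

```shell
#!/bin/sh
# Added example (not from the bug report or the openssh package): audit whether
# /etc/nologin will be enforced for every sshd authentication method.
# The files and paths below are constructed for the demonstration.

# List the PAM management groups (auth, account, ...) in which pam_nologin
# is stacked, one per line, with comments stripped. A leading '-' (optional
# module marker) is removed so "-account" and "account" compare equal.
pam_nologin_phases() {
    sed -e 's/#.*//' "$1" \
      | awk '$0 ~ /pam_nologin(\.so)?([ \t]|$)/ { sub(/^-/, "", $1); print $1 }' \
      | sort -u
}

# Succeeds only if pam_nologin is in the account stack: sshd runs the account
# phase after any successful authentication (password, RSA key, ...), whereas
# the auth stack is consulted only on the password path (auth_pam_password()).
nologin_enforced_for_all_methods() {
    pam_nologin_phases "$1" | grep -qx 'account'
}

WORK=$(mktemp -d)

# Constructed "before" configuration, as in the report: pam_nologin in auth.
cat > "$WORK/sshd.before" <<'EOF'
#%PAM-1.0
auth       required     pam_unix.so
auth       required     pam_nologin.so
account    required     pam_unix.so
password   required     pam_unix.so
session    required     pam_unix.so
EOF

# Constructed "after" configuration, as in the fix: pam_nologin in account.
cat > "$WORK/sshd.after" <<'EOF'
#%PAM-1.0
auth       required     pam_unix.so
account    required     pam_nologin.so
account    required     pam_unix.so
password   required     pam_unix.so
session    required     pam_unix.so
EOF

for f in "$WORK/sshd.before" "$WORK/sshd.after"; do
    phases=$(pam_nologin_phases "$f" | tr '\n' ' ')
    if nologin_enforced_for_all_methods "$f"; then
        echo "$f: pam_nologin in [$phases]: enforced for all auth methods"
    else
        echo "$f: pam_nologin in [$phases]: enforced for password auth only"
    fi
done
```

The check covers only the PAM side; with the fix described above, sshd's own /etc/nologin handling is skipped when UsePAM is yes, so the account stack is the place that must carry pam_nologin.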
