Bug 54108 - openssh not honoring pam_nologin with RSA authentication
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: openssh (Show other bugs)
rawhide
All Linux
medium Severity medium
Blocks: 64293
Reported: 2001-09-27 12:30 EDT by Ryan W. Maple
Modified: 2007-11-30 17:10 EST (History)
Fixed In Version: openssh-4.1p1-2
Doc Type: Bug Fix
Last Closed: 2005-06-09 17:46:12 EDT


Attachments (Terms of Use)
This patch moves pam_nologin from "auth" to "account" (1.27 KB, patch)
2001-09-27 12:31 EDT, Ryan W. Maple
Description Ryan W. Maple 2001-09-27 12:30:14 EDT
From Bugzilla Helper:
User-Agent: Mozilla/4.74 [en] (X11; U; Linux 2.4.9-ac7 i686; Nav)

Description of problem:
Right now the pam_nologin module is set as "auth" in /etc/pam.d/sshd.  This
means it will only be called at auth1.c:258 (auth_pam_password()).  Further
down (auth1.c:330), sshd does do_pam_account().

So when a user SSH's into the machine using PasswordAuthentication,
pam_nologin will be enforced.  When a user is doing RSAAuthentication (or
any other type for that matter) it is not.   I feel that the pam_nologin
check should be done in "account" so this restriction is always enforced.
Version-Release number of selected component (if applicable):
How reproducible:
Always

Steps to Reproduce:
1. touch /etc/nologin
2. Attempt to SSH in using PasswordAuth
3. Attempt SSH in using RSAAuth
Actual Results:  Denied in #2, allowed in #3.

Expected Results:  You should have been denied both times.

Additional info:

I will attach a diff to this bug report.
Comment 1 Ryan W. Maple 2001-09-27 12:31:03 EDT
Created attachment 32778 [details]
This patch moves pam_nologin from "auth" to "account"
Comment 2 Nalin Dahyabhai 2002-03-07 15:47:06 EST
This patch requires a specific version of PAM in order to work properly, as
pam_nologin hasn't always provided an account management function.  Because it's
desirable to use one source package for all of our supported releases, I'm
going to have to think about this one.
Comment 3 Aleksey Nogin 2004-03-11 03:53:15 EST
I believe that comment #2 no longer applies, so this bug is overdue
for reevaluation.

P.S. See also bug 64293.
Comment 4 Tomas Mraz 2005-02-07 05:35:07 EST
Moving pam_nologin to account means that the response for password based auth
will be different when you type the password right and when you type a bad one.
There won't be any delay in case you type it right. 

If you put it in both sections, you will get it dumped twice on terminal in case
of root login.

The question is which behaviour is 'the least broken one'.
Comment 5 Tomas Mraz 2005-06-09 17:46:12 EDT
Fixed in FC devel.
pam_nologin was moved to account phase. Also the /etc/nologin processing done
directly by openssh was disabled if UsePAM is yes (the default).
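The configuration change the report asks for, and that comment 5 describes, as an added example that is not part of this bug report or of the openssh package: two constructed /etc/pam.d/sshd-style files, one with pam_nologin stacked only under "auth" (the original state) and one with it under "account", plus a small POSIX shell audit that reports which PAM management groups pam_nologin is listed in. The sample file contents, the helper names (nologin_groups, nologin_phases, nologin_in_account, write_before, write_after, demo) and the use of mktemp are assumptions.

```shell
#!/bin/sh
# Added example (not from the bug report or the openssh package): audit a
# /etc/pam.d/sshd-style file for the PAM management group(s) in which
# pam_nologin is stacked. The two sample files below are constructed, and the
# helper names are assumptions, not anything shipped with openssh.

# List, one per line, the management groups (auth/account/password/session)
# of every non-comment line that loads pam_nologin.so.
nologin_groups() {
    # $1: path to a PAM service file
    awk '!/^[[:space:]]*#/ && /pam_nologin\.so/ { print $1 }' "$1" | sort -u
}

# Same list joined on one line, for display (empty if pam_nologin is absent).
nologin_phases() {
    nologin_groups "$1" | paste -sd ' ' -
}

# Succeed (exit 0) only when pam_nologin is in the account group, which sshd
# runs for every authentication method; auth-only placement is skipped for
# public-key logins, which is the gap the report describes.
nologin_in_account() {
    nologin_groups "$1" | grep -qx account
}

# Constructed "before" state: pam_nologin only under auth.
write_before() {
    cat > "$1" <<'EOF'
#%PAM-1.0
auth       required     pam_nologin.so
auth       include      system-auth
account    include      system-auth
password   include      system-auth
session    include      system-auth
EOF
}

# Constructed "after" state, matching the fix described in comment 5:
# pam_nologin moved to the account group.
write_after() {
    cat > "$1" <<'EOF'
#%PAM-1.0
auth       include      system-auth
account    required     pam_nologin.so
account    include      system-auth
password   include      system-auth
session    include      system-auth
EOF
}

# Stand-alone demo over the two constructed samples.
demo() {
    tmp=$(mktemp -d)
    write_before "$tmp/sshd.before"
    write_after "$tmp/sshd.after"
    for f in "$tmp/sshd.before" "$tmp/sshd.after"; do
        if nologin_in_account "$f"; then
            echo "$f: OK, pam_nologin in account group (groups: $(nologin_phases "$f"))"
        else
            echo "$f: WARNING, pam_nologin not in account group (groups: $(nologin_phases "$f"))"
        fi
    done
    rm -rf "$tmp"
}

demo
```

On a real host, point nologin_in_account at /etc/pam.d/sshd; the demo only writes its samples to a temporary directory. The check is deliberately about placement rather than presence: a pam_nologin line under "auth" alone satisfies a naive grep but, as the report shows, is never consulted for key-based logins.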