Red Hat Bugzilla – Bug 54108
openssh not honoring pam_nologin with RSA authentication
Last modified: 2007-11-30 17:10:30 EST
From Bugzilla Helper:
User-Agent: Mozilla/4.74 [en] (X11; U; Linux 2.4.9-ac7 i686; Nav)
Description of problem:
Right now the pam_nologin module is set as "auth" in /etc/pam.d/sshd. This
means it will only be called at auth1.c:258 (auth_pam_password()). Further
down (auth1.c:330), sshd does do_pam_account().
So when a user SSHes into the machine using PasswordAuthentication,
pam_nologin will be enforced. When a user is doing RSAAuthentication (or
any other type for that matter) it is not. I feel that pam_nologin
should be done in "account" so this restriction is always enforced.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. touch /etc/nologin
2. Attempt to SSH in using PasswordAuth
3. Attempt to SSH in using RSAAuth
Actual Results: Denied in #2, allowed in #3.
Expected Results: You should have been denied both times.
I will attach a diff to this bug report.
Created attachment 32778 [details]
This patch moves pam_nologin from "auth" to "account"
This patch requires a specific version of PAM in order to work properly, as
pam_nologin hasn't always provided an account management function. Because it's
desirable to use one source package for all of our supported releases, I'm
going to have to think about this one.
I believe that comment #2 no longer applies, so this bug is overdue.
P.S. See also bug 64293.
Moving pam_nologin to account means that the response for password based auth
will be different when you type the password right and when you type a bad one.
There won't be any delay in case you type it right.
If you put it in both sections, you will get it dumped twice on the terminal in case
of root login.
The question is which behaviour is 'the least broken one'.
Fixed in FC devel.
pam_nologin was moved to account phase. Also the /etc/nologin processing done
directly by openssh was disabled if UsePAM is yes (the default).