From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:0.9.9) Gecko/20020326

Description of problem:
PAM provides a way for a pam module to specify that this user doesn't currently have access to the machine. However, it still allows the user to authenticate with the login program. I know that it is in some ways debatable, but giving users this second chance to identify and authenticate themselves flies in the face of the intention of pam authentication. The included patch fixes this problem. What it does is make it so that if PAM responds saying that the user is not allowed to log in, it will exit the rlogind process.

Version-Release number of selected component (if applicable):

How reproducible:
Always

Steps to Reproduce:
1. create a module which returns PAM_SUCCESS to pam_sm_authenticate and PAM_PERM_DENIED to pam_sm_acct_mgmt
2. set up pam to use the module
3. make sure that the rsh is available.
4. try to log in using rsh

Actual Results: it prompts you for a login

Expected Results: It should tell you that the access is denied.

Additional info:
Created attachment 54445 [details] patch to fix rsh so that it listens to pam's responses
Sounds like a good idea, patch looks sane, will most likely include it in the next version of rsh. Thanks, Read ya, Phil
Included in rsh-0.17-17 and later. Read ya, Phil
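
The control flow this report is about, as an added example that is not part of the bug report or the attached patch: a small C model comparing the reported handling of the account phase with the expected one. The result codes, `struct stack` and both `decide_*` functions are hypothetical stand-ins (a real service calls `pam_authenticate()` and `pam_acct_mgmt()` from libpam), and keeping the login fallback for a plain authentication failure is an assumption.

```c
#include <stdio.h>

/* Stand-in result codes; a real service uses the PAM_* values from libpam. */
enum { R_SUCCESS, R_AUTH_ERR, R_PERM_DENIED };
enum action { START_SESSION, FALL_BACK_TO_LOGIN, DENY_AND_EXIT };

/* Hypothetical model of a configured PAM stack: one callback per phase. */
struct stack {
    int (*authenticate)(void); /* stands in for pam_authenticate() */
    int (*acct_mgmt)(void);    /* stands in for pam_acct_mgmt() */
};

static int ok(void)          { return R_SUCCESS; }
static int auth_fail(void)   { return R_AUTH_ERR; }
static int perm_denied(void) { return R_PERM_DENIED; }

/* Reported behaviour: every failure, including an account-phase denial,
 * ends at the login prompt, giving the user a second chance. */
enum action decide_reported(const struct stack *s)
{
    if (s->authenticate() == R_SUCCESS && s->acct_mgmt() == R_SUCCESS)
        return START_SESSION;
    return FALL_BACK_TO_LOGIN;
}

/* Expected behaviour: once authentication has succeeded, a failing
 * account phase is final and the daemon exits with "access denied". */
enum action decide_expected(const struct stack *s)
{
    if (s->authenticate() != R_SUCCESS)
        return FALL_BACK_TO_LOGIN; /* assumption: the prompt stays for auth failures */
    if (s->acct_mgmt() != R_SUCCESS)
        return DENY_AND_EXIT;
    return START_SESSION;
}

int main(void)
{
    /* Constructed stack matching step 1 of the reproduction steps. */
    struct stack repro = { ok, perm_denied };
    static const char *names[] = { "start session", "login prompt", "deny and exit" };

    printf("reported: %s\n", names[decide_reported(&repro)]);
    printf("expected: %s\n", names[decide_expected(&repro)]);
    return 0;
}
```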