Bug 64293 - RFE: allow an override of the /etc/nologin testing.
RFE: allow an override of the /etc/nologin testing.
Product: Fedora
Classification: Fedora
Component: openssh (Show other bugs)
i386 Linux
medium Severity medium
: ---
: ---
Assigned To: Tomas Mraz
Brian Brock
: FutureFeature
Depends On: 54108 117981
  Show dependency treegraph
Reported: 2002-05-01 16:29 EDT by Aleksey Nogin
Modified: 2016-09-28 16:56 EDT (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: Enhancement
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2005-05-25 09:52:02 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

External Trackers
Tracker ID Priority Status Summary Last Updated
OpenSSH Project 1045 None None None Never
oVirt gerrit 64293 master MERGED image: Pass compat version. 2016-09-28 16:56 EDT

  None (edit)
Description Aleksey Nogin 2002-05-01 16:29:22 EDT
Currently sshd tests for /etc/nologin *both* through the pam and on its own.
This is very annoying - one assumes that it's possible to override the tests by
modifying the /etc/pam.d/sshd, but then it turns out that the pam_nologin in
/etc/pam.d/sshd is redundant and that sshd does the testing itself and there is
no way to override it.

In short, this RFE is for:
1) Configuration option to override the /etc/nologin testing in sshd itself (see
also bug #47298).
2) Change in the default config shipped by RedHat to have the override turned on.

P.S. According to bug #54108, the pam_nologin needs to be moved from auth to
account in order to work properly even with the RSA authentication.
Comment 1 Dax Kelson 2004-09-17 21:41:09 EDT
I concur this should be fixed. This is not how Red Hat Linux 9 behaved
and having upgraded to Fedora Core 2 from RHL9 I was bitten by this.

Comment 2 Evan McNabb 2004-09-17 22:11:51 EDT
This also appears to be a problem in RHEL 3. In my opinion there
shouldn't be a toggle switch in sshd; the check should be done only in
Comment 3 Tomas Mraz 2005-02-07 05:44:49 EST
Without solving bug 54108 the nologin processing shouldn't be removed. Also
note, that the contents of /etc/nologin should be dumped on client's terminal.
This isn't/cannot be the case of using pam for nologin processing.

Adding a new configuration option is also not good without having it in upstream
portable OpenSSH first so please report it to http://bugzilla.mindrot.org/.
Comment 4 Tomas Mraz 2005-05-25 09:52:02 EDT
OK, done that for you even with a patch.

If upstream accepts it we'll see.

Note You need to log in before you can comment on or make changes to this bug.