RSA authentication bypassing /etc/nologin
Derek Becker
DerekB at amdocs.com
Wed Aug 2 04:35:33 EST 2000
Hello everyone,
I noticed recently that when I had /etc/nologin in place on my
server I couldn't log in when I authenticated via passwords, but when I used
RSA authentication I was able to log in no problem. I looked through the
source, and I think I might see where the problem is. I have a Linux system,
so sshd was compiled with PAM support. Using normal authentication, the
pam_nologin module correctly denies the login attempt (although I don't get
the contents of /etc/nologin on my terminal, but that's a different issue).
I understand that the RSA authentication can't use PAM for obvious reasons,
but the only other check for /etc/nologin is in session.c, line 818. When
PAM support is compiled in, the section that checks is essentially commented
out inside an #ifndef USE_PAM. As a straightforward fix, I could incorporate
the code contained in the #ifndef section into the auth-rsa.c file, but as
this is my first post and I haven't dealt with the source too much before,
I'm not sure where the most appropriate change would be to correctly
implement the nologin mechanism. Any suggestions, comments? I tried
searching the bug pages but I didn't see anything resembling this problem.
I'm using 2.1.1p1.
Thanks,
Derek Becker
Network Engineer
Amdocs, Inc.
1390 Timberlake Manor Pkwy
Chesterfield, MO 63017-6041
derekb at amdocs.com
314-212-7447
More information about the openssh-unix-dev
mailing list