/etc/nologin and Solaris PAM bug
David Ressman
davidr at oddjob.uchicago.edu
Sun Jan 21 07:38:33 EST 2001
My apologies if this has already been discussed. I looked through the
mailing list archives and couldn't see any mention of this problem. I
compiled and installed openssh-2.3.0p1 on a sparc running SunOS 5.7, and
while I was testing it to make sure everything was working properly, I
noticed that when I used PAM to authenticate, rather than /bin/login, sshd
was not honoring /etc/nologin.
I took a real quick look through the source code and found this at line
1022 of session.c:
#ifndef USE_PAM /* pam_nologin handles this */
if (!options.use_login) {
Now that seems like it's probably the right way to handle /etc/nologin
under PAM-authenticated Linux systems; however, there's one problem: Sun
doesn't ship SunOS with a pam_nologin.so module. pam_unix.so authenticates
the user, and since openssh is told not to look for /etc/nologin, it lets
the user log in.
I could fix this by having sshd use /bin/login, but I'd really rather not.
I just removed the "#ifndef USE_PAM" and "#endif /* USE_PAM */" lines and
it worked fine. I'm not suggesting that as the fix for the bug, but it
certainly works.
Besides, I can't see the harm in having sshd check /etc/nologin even if
there is a pam_nologin module that's supposed to check for it. I'd view
it as an extra guarantee that /etc/nologin really means no logins even if
some script kiddie or incompetent admin has been playing around with the
system's PAM configuration.
Thanks for your time,
David Ressman
P.S. Here's the patch I used to fix the problem:
*** session.c.orig Sat Jan 20 14:09:42 2001
--- session.c Sat Jan 20 14:10:02 2001
***************
*** 1019,1025 ****
if (options.use_login && command != NULL)
options.use_login = 0;
- #ifndef USE_PAM /* pam_nologin handles this */
if (!options.use_login) {
# ifdef HAVE_LOGIN_CAP
if (!login_getcapbool(lc, "ignorenologin", 0) && pw->pw_uid)
--- 1019,1024 ----
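Review bot: dropping the `#ifndef USE_PAM` guard makes the /etc/nologin check unconditional on every PAM build, not just on SunOS, so PAM stacks that do include pam_nologin will now run both checks; the post argues that is acceptable, but the hunk also deletes the only comment explaining the guard, so replace it with one stating that the check is kept under USE_PAM on purpose because some platforms (SunOS 5.7 here) ship no pam_nologin module, otherwise the next reader will reinstate the guard.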
***************
*** 1037,1043 ****
exit(254);
}
}
- #endif /* USE_PAM */
/* Set login name, uid, gid, and groups. */
/* Login(1) does this as well, and it needs uid 0 for the "-h"
--- 1036,1041 ----
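Review bot: this `#endif /* USE_PAM */` removal only compiles together with the first hunk; applying either one alone leaves an unbalanced `#ifndef`/`#endif` around line 1022, so the two hunks belong in a single commit, and since the `exit(254)` path in the context lines is now reachable on PAM builds, the change should be verified with a PAM-authenticated login attempt while /etc/nologin is present.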
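As an added example (not code from the post or from OpenSSH), a stand-alone C version of the /etc/nologin check that does not depend on PAM, keeping the root exemption that the sshd code above expresses through `pw->pw_uid`; the file path and the `write_nologin` helper are assumptions used only to exercise it without touching /etc.

```c
#include <stdio.h>
#include <sys/types.h>

/* Return 1 if login should be refused because the nologin file at `path`
 * exists, 0 otherwise.  uid 0 is exempt, mirroring sshd's pw_uid test.
 * When refusing and `msg` is non-NULL, the file's text (up to msg_len-1
 * bytes) is copied into `msg` so the caller can show it before closing. */
int nologin_blocks(const char *path, uid_t uid, char *msg, size_t msg_len)
{
    FILE *f;
    size_t n;

    if (uid == 0)
        return 0;                       /* root may always log in */
    f = fopen(path, "r");
    if (f == NULL)
        return 0;                       /* no nologin file: allow */
    if (msg != NULL && msg_len > 0) {
        n = fread(msg, 1, msg_len - 1, f);
        msg[n] = '\0';
    }
    fclose(f);
    return 1;                           /* file present: refuse */
}

/* Test helper (assumption, not part of sshd): write a constructed
 * nologin file so the check can be exercised outside /etc. */
int write_nologin(const char *path, const char *text)
{
    FILE *f = fopen(path, "w");
    if (f == NULL)
        return -1;
    fputs(text, f);
    return fclose(f);
}

int main(void)
{
    const char *path = "/tmp/nologin.example";  /* constructed path */
    char msg[256];

    write_nologin(path, "System down for maintenance until 18:00\n");
    if (nologin_blocks(path, 1000, msg, sizeof msg))
        printf("uid 1000 refused: %s", msg);
    if (!nologin_blocks(path, 0, NULL, 0))
        printf("uid 0 allowed\n");
    remove(path);
    return 0;
}
```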