/etc/nologin and Solaris PAM bug

Darren Moffat Darren.Moffat at eng.sun.com
Wed Jan 24 05:12:16 EST 2001


First, one nit: there is no bug in Solaris with respect to nologin, just
a different mechanism from what you get under the distributions of
Linux that have PAM support and ship a pam_nologin. On Solaris /etc/nologin
is checked directly by /bin/login and dtlogin.

>Now that seems like it's probably the right way to handle /etc/nologin

I would agree that using PAM to check nologin is a better method, but not
doing so is not a bug in Solaris.

>under PAM authenticated linux systems, however there's one problem: Sun
>doesn't ship SunOS with a pam_nologin.so module.  pam_unix.so authenticates
>the user, and since openssh is told not to look for /etc/nologin, it lets
>the user log in.

This was exactly the rationale for not having PAM be enabled by default.

>I could fix this by having sshd use /bin/login, but I'd really rather not.
>I just removed the "#ifndef USE_PAM" and "#endif /* USE_PAM */" lines and
>it worked fine.  I'm not suggesting that as the fix for the bug, but it
>certainly works.  

The problem here is there is a large (and IMO increasing) overlap between
stuff being done inside sshd and stuff that really should be done by PAM
on systems that have it - e.g. the group access stuff is perfect for a PAM
module.

Problem here is that while the PAM framework is (almost) the same on
all platforms, the available modules are very different.  This makes it
very difficult to choose what to compile directly into the sshd program
and what to expect PAM to be able to check.

As for the particular case of nologin, I am fully aware of it and
hope to have a PAM module that will do this check in some future release of
Solaris. (The code is written; it is process and testing that need doing.
Note this is not an Engineering commitment to actually provide this, just
a heads up that we are aware of it and could do it if we get approval.)

>Besides, I can't see the harm in having sshd check /etc/nologin even if
>there is a pam_nologin module that's supposed to check for it.  I'd view
>it as an extra guarantee that /etc/nologin really means no logins even if
>some script kiddie or incompetent admin has been playing around with the
>system's PAM configuration.

I would treat this in a similar way to /etc/motd, i.e. add an sshd_config
file option for it so that the server can be set to check it for systems
that don't do it in PAM and set not to for those that do.  It then reduces
the problem to a default config issue for distribution builders.  This is
better than SSHD always checking it even if PAM is going to check it again
later (race conditions, slightly differing semantics etc etc), otherwise
you will get someone complaining that it checks it twice and it is slowing
down their login (believe me, I've had reports like this from customers
before for telnet!).

--
Darren J Moffat
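As an added illustration of the check the thread is discussing (this is not code from the original post, from OpenSSH, or from Solaris), the following C program performs a /bin/login- or pam_nologin-style /etc/nologin check: the existence of the file denies login to ordinary users, and the file's contents become the message shown to the refused user. The sample file path and the exemption of uid 0 are assumptions for illustration; the uid-0 exemption follows the common login convention, which the post itself does not describe.

```c
/* Added example: a minimal nologin check of the kind performed by
 * /bin/login, dtlogin, or a pam_nologin-style PAM module.
 * Assumptions (not from the original post): the sample path below is
 * constructed for the demo, and uid 0 is exempt by convention. */
#include <stdio.h>
#include <string.h>
#include <errno.h>
#include <sys/types.h>
#include <sys/stat.h>

enum nologin_result {
    NOLOGIN_ABSENT = 0,   /* file does not exist: logins proceed normally */
    NOLOGIN_DENY,         /* file exists and the user is not exempt */
    NOLOGIN_EXEMPT,       /* file exists but uid 0 is allowed in (assumed convention) */
    NOLOGIN_ERROR         /* stat() failed for a reason other than ENOENT */
};

/* Decide whether `uid` may log in given a nologin file at `path`.
 * Only the file's existence matters for the decision; its contents are
 * the message displayed to a refused user (see nologin_message). */
enum nologin_result nologin_check(const char *path, uid_t uid)
{
    struct stat st;
    if (stat(path, &st) != 0)
        return errno == ENOENT ? NOLOGIN_ABSENT : NOLOGIN_ERROR;
    return uid == 0 ? NOLOGIN_EXEMPT : NOLOGIN_DENY;
}

/* Copy the nologin message into `buf` (empty string if unreadable).
 * Returns the number of bytes copied, excluding the terminating NUL. */
size_t nologin_message(const char *path, char *buf, size_t bufsz)
{
    FILE *fp;
    size_t n = 0;
    if (bufsz == 0)
        return 0;
    fp = fopen(path, "r");
    if (fp != NULL) {
        n = fread(buf, 1, bufsz - 1, fp);
        fclose(fp);
    }
    buf[n] = '\0';
    return n;
}

/* Write a constructed sample nologin file so the example runs offline.
 * Returns 0 on success, -1 on failure. */
int write_sample_nologin(const char *path)
{
    FILE *fp = fopen(path, "w");
    if (fp == NULL)
        return -1;
    fputs("System going down for maintenance at 18:00. No logins.\n", fp);
    return fclose(fp) == 0 ? 0 : -1;
}

int main(void)
{
    /* Constructed sample path; a real login program would use /etc/nologin. */
    const char *path = "nologin_example.tmp";
    uid_t uids[] = { 0, 1000 };
    char msg[256];
    size_t i;

    if (write_sample_nologin(path) != 0)
        return 1;
    for (i = 0; i < sizeof uids / sizeof uids[0]; i++) {
        switch (nologin_check(path, uids[i])) {
        case NOLOGIN_ABSENT:
            printf("uid %u: no nologin file, login proceeds\n", (unsigned)uids[i]);
            break;
        case NOLOGIN_EXEMPT:
            printf("uid %u: nologin present but uid 0 is exempt\n", (unsigned)uids[i]);
            break;
        case NOLOGIN_DENY:
            nologin_message(path, msg, sizeof msg);
            printf("uid %u: login refused: %s", (unsigned)uids[i], msg);
            break;
        default:
            printf("uid %u: could not examine nologin file\n", (unsigned)uids[i]);
            break;
        }
    }
    remove(path);
    return 0;
}
```

The decision is made on the file's existence alone (a stat, not a read), which is why an unreadable but present file still refuses logins; only the message display depends on being able to read it. That is also the behaviour a second check in PAM would repeat, which is the double-check the post argues against.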
