PAM_ERROR_MSG and PAM_TEXT_INFO from modules

Ethan Benson erbenson at alaska.net
Mon Jan 12 20:43:17 EST 2004


Hi,

I have tested the current snapshot portable release (dated Jan 9
2004).

Configuration has:
UsePAM yes
PasswordAuthentication no
ChallengeResponseAuthentication yes
UsePrivilegeSeparation yes

Two problems:

First, pam_motd does not work anymore.

Second, I needed a quick way to disable normal user logins without
disabling admin accounts (members of group wheel).  The best option I
could come up with is to write a new PAM module similar to
pam_nologin; mine is pam_noulogin.  It works both as an auth and an
account module.  It checks for /etc/noulogin and, when it exists, denies
access to everyone except root and members of group wheel, printing the
contents of /etc/noulogin via a PAM_ERROR_MSG through the conversation
mechanism.

So that this would work with both pubkey and password auth, I
configured the module as a requisite account module.  This works: ssh
denies access when it should, but it does not print the contents of
/etc/noulogin.  That is a problem, since to the users it looks like ssh
is malfunctioning and they bug me about why; if the noulogin file were
printed properly they would get the proper explanation.

If I make the module `optional' then the message is printed correctly,
but obviously access isn't denied anymore.  This is still curious, since
pam_motd never works, and it prints /etc/motd with a PAM_TEXT_INFO
message via the same conversation mechanism.

Here is the PAM config I've tested with:

#%PAM-1.0

auth       requisite    pam_noulogin.so
auth       required     pam_listfile.so item=user sense=deny file=/etc/ssh/ssh_rsa_only onerr=succeed
auth       required     pam_unix.so
auth       required     pam_env.so # [1]
auth       required     pam_shells.so
account    requisite    pam_noulogin.so
account    required     pam_unix.so
session    required     pam_unix.so
session    required     pam_limits.so
session    optional     pam_motd.so # [1]
session    optional     pam_mail.so standard # [1]
password   required     pam_cracklib.so retry=3 minlen=8 difok=3
password   required     pam_unix.so use_authtok nullok md5

System is Debian 3.0.

Source to my pam_noulogin module is at
penguinppc.org/~eb/pam-noulogin/

This module has also been tested with plain login, and works just as
it should.  Source is available at
http://penguinppc.org/~eb/files/pam-noulogin.tar.gz so that this may
be tested by others.

As an unrelated sidenote, I tested password expiration and it seems to
work properly.  It looks like the PAM issues are finally getting worked
out, which is good news.

I am not subscribed to this list, so CC'ing replies is requested.  Thanks.

-- 
Ethan Benson
http://www.alaska.net/~erbenson/
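As an added example (not the poster's pam_noulogin source, which is linked above), the policy and message-delivery path such a module needs, written in C against minimal local definitions that mirror the Linux-PAM conversation API so it builds without libpam headers. The root/wheel exemption is decided by the caller, the lock-file contents are passed in as text, and capture_conv is a recording stand-in for the conversation function sshd or login would supply.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Minimal mirror of the Linux-PAM conversation API (constants as in the
 * Linux-PAM headers) so this builds and runs without libpam installed. */
#define PAM_SUCCESS   0
#define PAM_ERROR_MSG 3    /* error text, as sent by pam_nologin-style modules */
#define PAM_TEXT_INFO 4    /* informational text, as sent by pam_motd          */
#define PAM_AUTH_ERR  7
#define PAM_CONV_ERR  19
struct pam_message  { int msg_style; const char *msg; };
struct pam_response { char *resp; int resp_retcode; };
struct pam_conv {
    int (*conv)(int, const struct pam_message **, struct pam_response **, void *);
    void *appdata_ptr;
};
/* Push one non-interactive message to the application through its conversation
 * function. A real module obtains pc with pam_get_item(pamh, PAM_CONV, ...). */
static int show_message(const struct pam_conv *pc, int style, const char *text)
{
    const struct pam_message m = { style, text };
    const struct pam_message *pm = &m;
    struct pam_response *resp = NULL; int rc;
    if (!pc || !pc->conv) return PAM_CONV_ERR;
    rc = pc->conv(1, &pm, &resp, pc->appdata_ptr);
    free(resp);  /* ERROR_MSG/TEXT_INFO need no answer, but the app may allocate one */
    return rc;
}
/* Policy of the module described in the post. lock_text is the content of
 * /etc/noulogin (NULL when the file is absent); exempt is set by the caller
 * for root and members of group wheel, so no passwd/group lookup happens here. */
static int noulogin_check(const struct pam_conv *pc, const char *lock_text, int exempt)
{
    if (!lock_text || exempt) return PAM_SUCCESS;
    show_message(pc, PAM_ERROR_MSG, lock_text); /* explain the denial to the user */
    return PAM_AUTH_ERR;                        /* as requisite, the stack stops here */
}

/* Stand-in for sshd/login's conversation function: records the last message
 * instead of printing it, so the module's behaviour can be checked offline. */
static int last_style; static char last_text[256];
static int capture_conv(int n, const struct pam_message **msg,
                        struct pam_response **resp, void *data)
{
    (void)data; *resp = NULL; if (n != 1) return PAM_CONV_ERR;
    last_style = msg[0]->msg_style;
    snprintf(last_text, sizeof last_text, "%s", msg[0]->msg);
    return PAM_SUCCESS;
}
struct pam_conv demo_conv = { capture_conv, NULL };
```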