PAM_ERROR_MSG and PAM_TEXT_INFO from modules

Ethan Benson erbenson at
Mon Jan 12 20:43:17 EST 2004


I have tested the current snapshot portable release (dated Jan 9

configuration has:
UsePAM yes
PasswordAuthentication no
ChallengeResponseAuthentication yes
UsePrivilegeSeparation yes

two problems:

first pam_motd does not work anymore.

second, I needed a quick way to disable normal user logins without
disabling admin accounts (members of group wheel).  the best option i
could come up with is to write a new pam module similar to
pam_nologin, mine is pam_noulogin.  It works as both as an auth, and
account module. It checks for /etc/noulogin and denies everyone except
root and members of group wheel access when it exists, printing the
contents of /etc/noulogin via a PAM_ERROR_MSG through the conversation

so that this would work with both pubkey and password auth I
configured the module as a requisite account module, this works, ssh
denies access when it should, but it does not print the contents of
/etc/noulogin.  that is a problem since to the users it looks like ssh
is malfunctioning and they bug me about why, if the noulogin file were
printed properly they would get the proper explanation.

if i make the module `optional' then the message is printed correctly,
but obviously access isn't denied anymore.  this is still curious since
pam_motd never works, and it prints /etc/motd with a PAM_TEXT_INFO
message via the same conversation mechanism.

here is the pam config ive tested with:


auth       requisite
auth       required item=user sense=deny file=/etc/ssh/ssh_rsa_only onerr=succeed
auth       required
auth       required # [1]
auth	   required
account    requisite
account    required
session    required
session    required
session    optional # [1]
session    optional standard # [1]
password   required retry=3 minlen=8 difok=3
password   required use_authtok nullok md5

system is Debian 3.0

source to my pam_noulogin module is at

this module has also been tested with plain login, and works just as
it should.  source is available at so that this may
be tested by others.

as an unrelated sidenote i tested password expiration and it seems to
work properly, it looks like the pam issues are finally getting worked
out, which is good news.

I am not subscribed to this list, so CC'ing replies is requested. thanks

Ethan Benson
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 240 bytes
Desc: not available
Url : 

More information about the openssh-unix-dev mailing list