PAM_ERROR_MSG and PAM_TEXT_INFO from modules
dtucker at zip.com.au
Mon Jan 12 21:56:08 EST 2004
Ethan Benson wrote:
> First, pam_motd does not work anymore.
It worked on RH8 when I tested it. I have a Debian test box here, I'll
see if I can reproduce it.
> Second, I needed a quick way to disable normal user logins without
> disabling admin accounts (members of group wheel). The best option I
> could come up with is to write a new PAM module similar to
> pam_nologin; mine is pam_noulogin. It works both as an auth and an
> account module. It checks for /etc/noulogin and denies everyone except
> root and members of group wheel access when it exists, printing the
> contents of /etc/noulogin via a PAM_ERROR_MSG through the conversation
Can you try it as a session module? I think the error will be output in
that case because by the time the session module runs, you have a tty
attached to the session.
> So that this would work with both pubkey and password auth I
> configured the module as a requisite account module. This works (ssh
> denies access when it should), but it does not print the contents of
> /etc/noulogin. That is a problem, since to the users it looks like ssh
> is malfunctioning and they bug me about why; if the noulogin file were
> printed properly they would get the proper explanation.
As a general policy, sshd will not tell a client *why* an authentication
failed, in order to deny information to an attacker. Vanilla
/etc/nologin is handled by sshd as a special case.
> If I make the module `optional' then the message is printed correctly,
> but obviously access isn't denied anymore. This is still curious since
> pam_motd never works, and it prints /etc/motd with a PAM_TEXT_INFO
> message via the same conversation mechanism.
> Here is the PAM config I've tested with:
> auth requisite pam_noulogin.so
> auth required pam_listfile.so item=user sense=deny file=/etc/ssh/ssh_rsa_only onerr=succeed
> auth required pam_unix.so
> auth required pam_env.so # 
> auth required pam_shells.so
> account requisite pam_noulogin.so
> account required pam_unix.so
> session required pam_unix.so
> session required pam_limits.so
> session optional pam_motd.so # 
> session optional pam_mail.so standard # 
> password required pam_cracklib.so retry=3 minlen=8 difok=3
> password required pam_unix.so use_authtok nullok md5
> System is Debian 3.0.
> As an unrelated side note, I tested password expiration and it seems to
> work properly. It looks like the PAM issues are finally getting worked
> out, which is good news.
Excellent news, thanks.
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
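The policy Ethan describes for pam_noulogin (deny when /etc/noulogin exists unless the user is root or in group wheel, and hand the file's contents to the client as a PAM_ERROR_MSG) is small enough to show in full. The code below is an added illustration written for this page; it is not Ethan's module, not pam_nologin, and not OpenSSH code. It implements the decision and message part only and leaves out the libpam glue, so it builds without PAM headers: in a real module the entry point (pam_sm_acct_mgmt() or, per Darren's suggestion, pam_sm_open_session()) would call pam_get_user() for the name, then pam_get_item(pamh, PAM_CONV, ...) and conv->conv() with msg_style PAM_ERROR_MSG to deliver the text, and map NOULOGIN_DENY to PAM_AUTH_ERR / PAM_PERM_DENIED. The file path and group name are the ones from the thread; the return codes, function names and the fail-closed handling of unknown users are this example's own choices.

```c
/* Added example, not Ethan Benson's pam_noulogin and not OpenSSH code.
 * Implements the policy from the thread: if the control file exists,
 * deny everyone except root and members of the admin group, and return
 * the file's contents as the text a PAM module would send through the
 * conversation function as PAM_ERROR_MSG.  PAM glue is omitted so this
 * compiles without libpam; see the lead-in for what a module adds. */
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

#define NOULOGIN_ALLOW 0   /* file absent, or user exempt: let the stack continue */
#define NOULOGIN_DENY  1   /* file present and user not exempt */

/* Names taken from the thread: the control file and the admin group. */
#define NOULOGIN_FILE  "/etc/noulogin"
#define ADMIN_GROUP    "wheel"

/* Read the control file into msg (NUL-terminated, truncated to msglen-1).
 * Returns 1 if the file exists and was read, 0 if it does not exist. */
static int read_message(const char *path, char *msg, size_t msglen)
{
    FILE *f = fopen(path, "r");
    size_t n;
    if (f == NULL) {
        msg[0] = '\0';
        return 0;
    }
    n = fread(msg, 1, msglen - 1, f);
    msg[n] = '\0';
    fclose(f);
    return 1;
}

/* Is `user` root (uid 0) or a member of `group`, by primary or
 * supplementary membership?  Unknown users are not exempt, so the
 * check fails closed (this is the example's choice, not the thread's). */
static int is_exempt(const char *user, const char *group)
{
    struct passwd *pw = getpwnam(user);
    struct group *gr;
    char **mem;
    if (pw == NULL)
        return 0;
    if (pw->pw_uid == 0)
        return 1;
    gr = getgrnam(group);
    if (gr == NULL)
        return 0;
    if (pw->pw_gid == gr->gr_gid)                 /* primary group */
        return 1;
    for (mem = gr->gr_mem; *mem != NULL; mem++)   /* supplementary groups */
        if (strcmp(*mem, user) == 0)
            return 1;
    return 0;
}

/* The decision a pam_sm_acct_mgmt() or pam_sm_open_session() would make.
 * On NOULOGIN_DENY, msg holds the text to send as PAM_ERROR_MSG; on
 * NOULOGIN_ALLOW, msg is empty. */
int noulogin_check(const char *user, const char *path, char *msg, size_t msglen)
{
    if (!read_message(path, msg, msglen))
        return NOULOGIN_ALLOW;          /* no control file: nothing to enforce */
    if (is_exempt(user, ADMIN_GROUP)) {
        msg[0] = '\0';
        return NOULOGIN_ALLOW;
    }
    return NOULOGIN_DENY;
}

/* Stand-alone check for the invoking user against the real control file. */
int main(void)
{
    char msg[1024];
    struct passwd *pw = getpwuid(getuid());
    const char *user = pw ? pw->pw_name : "nobody";
    if (noulogin_check(user, NOULOGIN_FILE, msg, sizeof msg) == NOULOGIN_DENY)
        printf("login denied for %s:\n%s", user, msg);
    else
        printf("login permitted for %s\n", user);
    return 0;
}
```

Note what this does not change about the original problem: whether the text reaches the user still depends on where in the stack the module runs and on sshd's policy of not explaining failed authentications, which is the point Darren makes above.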