PAM_ERROR_MSG and PAM_TEXT_INFO from modules

Darren Tucker dtucker at
Mon Jan 12 21:56:08 EST 2004

Ethan Benson wrote:
> first pam_motd does not work anymore.

It worked on RH8 when I tested it.  I have a Debian test box here, I'll 
see if I can reproduce it.

> second, I needed a quick way to disable normal user logins without
> disabling admin accounts (members of group wheel).  the best option i
> could come up with is to write a new pam module similar to
> pam_nologin, mine is pam_noulogin.  It works as both as an auth, and
> account module. It checks for /etc/noulogin and denies everyone except
> root and members of group wheel access when it exists, printing the
> contents of /etc/noulogin via a PAM_ERROR_MSG through the conversation
> mechanism.

Can you try it as a session module?  I think the error will be output in 
that case because by the time the session module runs, you have a tty 
attached to the session.

> so that this would work with both pubkey and password auth I
> configured the module as a requisite account module, this works, ssh
> denies access when it should, but it does not print the contents of
> /etc/noulogin.  that is a problem since to the users it looks like ssh
> is malfunctioning and they bug me about why, if the noulogin file were
> printed properly they would get the proper explanation.

As a general policy, sshd will not tell a client *why* an authentication 
failed, in order to deny information to an attacker.  Vanilla 
/etc/nologin is handled by sshd as a special case.

> if i make the module `optional' then the message is printed correctly,
> but obviously access isn't denied anymore.  this is still curious since
> pam_motd never works, and it prints /etc/motd with a PAM_TEXT_INFO
> message via the same conversation mechanism.
> here is the pam config ive tested with:
> #%PAM-1.0
> auth       requisite
> auth       required item=user sense=deny file=/etc/ssh/ssh_rsa_only onerr=succeed
> auth       required
> auth       required # [1]
> auth	   required
> account    requisite
> account    required
> session    required
> session    required
> session    optional # [1]
> session    optional standard # [1]
> password   required retry=3 minlen=8 difok=3
> password   required use_authtok nullok md5


> system is Debian 3.0
> as an unrelated sidenote i tested password expiration and it seems to
> work properly, it looks like the pam issues are finally getting worked
> out, which is good news.

Excellent news, thanks.

Darren Tucker (dtucker at
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
     Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

More information about the openssh-unix-dev mailing list