PAM_AUTH_ERR messages

Darren Tucker dtucker at
Sun May 1 17:53:37 EST 2005

Sean wrote:
> On Sat, April 30, 2005 9:50 pm, Darren Tucker said:
>>In that case, 4.0p1 already does what you want.  If the session module
>>fails, the messages are accumulated, sent down the session and the
>>session closed (this is how /etc/nologin works too).
> Yes you're right about the upgrade solving the problem.   And in fact the
> custom PAM module that we made was based on the original pam nologin
> module.
> We also had to set "UsePrivilegeSeparation no", which we tweaked on
> because of what you said in your first reply.

You shouldn't need to disable privsep to see the output of the session 
modules (there's a mechanism to copy them from the monitor to where it 
can be displayed to the user).

If this doesn't work with privsep=yes then I would appreciate if you 
could open a bug at and supply some information 
about the problem module (w/source if possible so I can try to reproduce 

> So for our RHEL 4 server, we had to write a custom PAM module and do a
> non-standard openssh upgrade, just so users can know why they've been
> denied login.  Pretty bad really, but your help made it easier to get
> through,  thanks.

It usually takes a while for new versions of upstream software including 
OpenSSH to filter down to vendor distributions but that's entirely out 
of our control.

Darren Tucker (dtucker at
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
     Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

More information about the openssh-unix-dev mailing list