PAM_AUTH_ERR messages
Darren Tucker
dtucker at zip.com.au
Sun May 1 17:53:37 EST 2005

Sean wrote:
> On Sat, April 30, 2005 9:50 pm, Darren Tucker said:
>>In that case, 4.0p1 already does what you want. If the session module
>>fails, the messages are accumulated, sent down the session and the
>>session closed (this is how /etc/nologin works too).
>
> Yes you're right about the upgrade solving the problem. And in fact the
> custom PAM module that we made was based on the original pam nologin
> module.
>
> We also had to set "UsePrivilegeSeparation no", which we tweaked on
> because of what you said in your first reply.

You shouldn't need to disable privsep to see the output of the session
modules (there's a mechanism to copy them from the monitor to where it
can be displayed to the user).

If this doesn't work with privsep=yes then I would appreciate if you
could open a bug at bugzilla.mindrot.org and supply some information
about the problem module (w/source if possible so I can try to reproduce
it).

> So for our RHEL 4 server, we had to write a custom PAM module and do a
> non-standard openssh upgrade, just so users can know why they've been
> denied login. Pretty bad really, but your help made it easier to get
> through, thanks.

It usually takes a while for new versions of upstream software including
OpenSSH to filter down to vendor distributions but that's entirely out
of our control.

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
More information about the openssh-unix-dev mailing list