PAM_AUTH_ERR messages

Sean seanlkml at sympatico.ca
Sun May 1 19:15:43 EST 2005


On Sun, May 1, 2005 3:53 am, Darren Tucker said:
> Sean wrote:
>> On Sat, April 30, 2005 9:50 pm, Darren Tucker said:
>>>In that case, 4.0p1 already does what you want.  If the session module
>>>fails, the messages are accumulated, sent down the session and the
>>>session closed (this is how /etc/nologin works too).
>>
>> Yes you're right about the upgrade solving the problem.   And in fact
>> the custom PAM module that we made was based on the original pam nologin
>> module.
>>
>> We also had to set "UsePrivilegeSeparation no", which we tweaked on
>> because of what you said in your first reply.
>
> You shouldn't need to disable privsep to see the output of the session
> modules (there's a mechanism to copy them from the monitor to where it
> can be displayed to the user).
>
> If this doesn't work with privsep=yes then I would appreciate if you
> could open a bug at bugzilla.mindrot.org and supply some information
> about the problem module (w/source if possible so I can try to reproduce
> it).
>

Will do.


Think we've found another "bug" too.   With previous versions of openssh
we had the maxlogin limit set to 1.   However, with the new version that
doesn't work; it has to be set to 2 in order to limit people to a single
login.

It appears that with the new version of openssh, PAM is being called after
doing whatever it takes to set up a full session.  PAM sees that session
and says, can't add another!  Whereas with previous versions PAM saw
session count = 0 on first invocation.   (Well, this is all just
speculation; however, it's a fact we can't get things to work with maxlogin
= 1).

Sean
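The off-by-one described in the message (a maxlogins limit of 1 rejecting every login, while 2 allows exactly one) is what you get when the login-limit check runs after the new session has already been recorded. The following is an added example, not code from this thread, from OpenSSH or from Linux-PAM: it is a constructed model of a pam_limits-style check, counting a user's existing login entries in a utmp-like table, run in both orderings. The `SessionTable`, `limits_check` and `simulate` names, and the "alice" sample user, are assumptions of the model, not identifiers from the page.

```python
"""Constructed model: a maxlogins check run before vs. after session registration.

This is an added illustration for the openssh-unix-dev message above. It does
not reproduce OpenSSH's or pam_limits' actual code paths; it only models the
ordering effect the message speculates about.
"""
from dataclasses import dataclass, field


@dataclass
class SessionTable:
    """Stand-in for a utmp-like table of active logins (constructed)."""
    entries: list = field(default_factory=list)

    def count(self, user: str) -> int:
        return sum(1 for u in self.entries if u == user)

    def register(self, user: str) -> None:
        self.entries.append(user)

    def unregister(self, user: str) -> None:
        self.entries.remove(user)


def limits_check(table: SessionTable, user: str, maxlogins: int) -> bool:
    """pam_limits-style rule (assumed): allow only if the user's current
    session count is below maxlogins."""
    return table.count(user) < maxlogins


def login_check_before_register(table: SessionTable, user: str, maxlogins: int) -> bool:
    """Ordering A: the limit check sees the count *before* this login is added.
    Returns True when the login is allowed."""
    if not limits_check(table, user, maxlogins):
        return False
    table.register(user)
    return True


def login_register_before_check(table: SessionTable, user: str, maxlogins: int) -> bool:
    """Ordering B: the session is fully set up (and recorded) first, and the
    PAM session stack only runs afterwards, so the check counts itself."""
    table.register(user)
    if not limits_check(table, user, maxlogins):
        table.unregister(user)  # session torn down again
        return False
    return True


def simulate(order_fn, maxlogins: int, attempts: int = 3, user: str = "alice") -> list:
    """Run `attempts` consecutive login attempts for one user against a fresh
    table and return the allow/deny outcome of each attempt."""
    table = SessionTable()
    return [order_fn(table, user, maxlogins) for _ in range(attempts)]


if __name__ == "__main__":
    for name, fn in (("check-then-register", login_check_before_register),
                     ("register-then-check", login_register_before_check)):
        for limit in (1, 2):
            print(f"{name:>20} maxlogins={limit}: {simulate(fn, limit)}")
```

With `check-then-register`, maxlogins=1 permits exactly one session. With `register-then-check`, maxlogins=1 denies every attempt because the check always counts the session being opened, and maxlogins=2 is what yields a single permitted login, which is the observation reported in the message. When diagnosing this on a real host, the useful check is whether the utmp/wtmp entry for the incoming session already exists at the moment the PAM session stack runs.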
