PAM auth with disabled user

Paul Moore paul.moore at
Fri Jan 13 06:45:27 EST 2006

Our test was with 4.1p1

I see that you display a message (if set). But then you proceed to
reprompt even though the pam module returned a disabled error code.

I guess you are saying that the PAM module must tell the user they are

-----Original Message-----
From: Darren Tucker [mailto:dtucker at] 
Sent: Wednesday, January 11, 2006 1:12 AM
To: Paul Moore
Cc: openssh-unix-dev at
Subject: Re: PAM auth with disabled user

On Tue, Jan 10, 2006 at 01:50:52PM -0800, Paul Moore wrote:
> Is it intentional that password auth using PAM continues trying to log
> on (giving password 3 prompts) in the case that a user is disabled (so
> that pam_account returns an error code).
> It can be argued both ways (saying 'you are disabled' is giving out 
> too much information, making it look like you are entering the wrong 
> password confuses and frustrates the user)

Which version are you looking at?  The last couple of versions will send
the output from PAM to the client under most conditions, and there are a
couple of fixes in the current development version that should fix the
remaining cases (those will be in the next release).

Darren Tucker (dtucker at
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
