PAM auth with disabled user

Darren Tucker dtucker at
Sat Jan 14 13:47:30 EST 2006

On Fri, Jan 13, 2006 at 05:47:22PM -0800, Paul Moore wrote:
> BTW it is our PAM module.
> I guess you are saying that the PAM module should have a config choice
> to say 'generate chatty failure messages'.
> We then end up with
> User: joe
> Password :xxxxxxx
> Your account is disabled please contact your system administrator
> Password: 

Ah, I see what you're referring to now.  That occurs because currently
the kbdint code does not distinguish between "authentication failed"
(which should be retryable) and "account check failed" (which shouldn't).

The non-kbdint code will terminate the connection after the
pam_acct_mgmt() fails.  The kbdint code doesn't, since it can do
pam_chauthtok() via keyboard-interactive, so it needs to learn to treat
"account check failed" differently.

If you use PasswordAuthentication instead (assuming your module can work
with it) then I think you'll get the behaviour you want (although with
4.1p1 you may see the "missing PAM messages" thing I mentioned earlier,
if you see that then try a snapshot).

> It can of course be argued that sshd should have the config choice
> 'explain rejection reasons'. Since the pam_account returns 'account
> locked' status you know what to say. The nice things about doing it that
> way is

We're not going to add another knob to sshd for this but we can fix the
kbdint thing above so it's consistent with the behaviour for the other
auth types.  It should then do what you want, right?

Darren Tucker (dtucker at
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

More information about the openssh-unix-dev mailing list