PAM auth with disabled user

Darren Tucker dtucker at
Sat Jan 14 14:15:18 EST 2006

On Sat, Jan 14, 2006 at 01:47:30PM +1100, Darren Tucker wrote:
> We're not going to add another knob to sshd for this but we can fix the
> kbdint thing above so it's consistent with the behaviour for the other
> auth types.  It should then do what you want, right?

Please try this patch on top of a current snapshot.  It's pretty ugly but
seems to work.  Hopefully there's a nicer way...

Index: auth-pam.c
RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/auth-pam.c,v
retrieving revision 1.127
diff -u -p -r1.127 auth-pam.c
--- auth-pam.c	28 Sep 2005 12:33:27 -0000	1.127
+++ auth-pam.c	14 Jan 2006 03:12:19 -0000
@@ -439,8 +439,8 @@ sshpam_thread(void *ctxtp)
 		goto auth_fail;
 	if (compat20) {
-		if (!do_pam_account())
-			goto auth_fail;
+		do_pam_account();
+		sshpam_err = PAM_SUCCESS;
 		if (sshpam_authctxt->force_pwchange) {
 			sshpam_err = pam_chauthtok(sshpam_handle,

Darren Tucker (dtucker at
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

More information about the openssh-unix-dev mailing list