PAM auth with disabled user
Paul Moore
paul.moore at centrify.com
Sat Jan 14 12:47:22 EST 2006
BTW it is our PAM module.
I guess you are saying that the PAM module should have a config choice
to say 'generate chatty failure messages'.
We then end up with
User: joe
Password :xxxxxxx
Your account is disabled please contact your system administrator
Password:
Which just looks stupid
It can of course be argued that sshd should have the config choice
'explain rejection reasons'. Since the pam_account returns 'account
locked' status you know what to say. The nice things about doing it that
way is
A) I don't have to write any code
B) You can be systematic about it (lets say you decide for some non PAM
reason to bounce a user - like the user does not exist)
C) For non retryable errors (like locked) you can stop prompting (so we
don't get the stupidness above)
-----Original Message-----
From: Darren Tucker [mailto:dtucker at zip.com.au]
Sent: Friday, January 13, 2006 5:26 PM
To: Paul Moore
Cc: dtucker at zip.com.au; openssh-unix-dev at mindrot.org
Subject: Re: PAM auth with disabled user
On Thu, Jan 12, 2006 at 11:45:27AM -0800, Paul Moore wrote:
> Our test was with 4.1p1
>
> I see that you display a message (if set). But then you proceed to
> repromt even though the pam module returned a disabled error code.
>
> I guess you are saying that the PAM module must tell the user they are
> disabled.
Yes. As a general rule, sshd tries to give the client no indication as
to why an authentication failed. If you want to PAM to provide some
information to the client then you can, but you need to configure PAM to
do so.
--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
More information about the openssh-unix-dev
mailing list