PAM auth with disabled user

Paul Moore paul.moore at
Sat Jan 14 12:47:22 EST 2006

BTW it is our PAM module.

I guess you are saying that the PAM module should have a config choice
to say 'generate chatty failure messages'.

We then end up with

User: joe
Password :xxxxxxx
Your account is disabled please contact your system administrator

Which just looks stupid

It can of course be argued that sshd should have the config choice
'explain rejection reasons'. Since the pam_account returns 'account
locked' status you know what to say. The nice things about doing it that
way is

A) I don't have to write any code
B) You can be systematic about it (lets say you decide for some non PAM
reason to bounce a user - like the user does not exist)
C) For non retryable errors (like locked) you can stop prompting (so we
don't get the stupidness above)

-----Original Message-----
From: Darren Tucker [mailto:dtucker at] 
Sent: Friday, January 13, 2006 5:26 PM
To: Paul Moore
Cc: dtucker at; openssh-unix-dev at
Subject: Re: PAM auth with disabled user

On Thu, Jan 12, 2006 at 11:45:27AM -0800, Paul Moore wrote:
> Our test was with 4.1p1
> I see that you display a message (if set). But then you proceed to 
> repromt even though the pam module returned a disabled error code.
> I guess you are saying that the PAM module must tell the user they are

> disabled.

Yes.  As a general rule, sshd tries to give the client no indication as
to why an authentication failed.  If you want to PAM to provide some
information to the client then you can, but you need to configure PAM to
do so.

Darren Tucker (dtucker at
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

More information about the openssh-unix-dev mailing list