nologin not working with openssh >= 4.3 and authentication != password
Darren Tucker
dtucker at zip.com.au
Tue Jan 9 03:35:57 EST 2007
Michael Weiser wrote:
> Hi developers,
>
> today I tried to disable logins to an ssh server by putting a nologin
> file into /etc. This only worked for logins that use the password
> authentication mechanism. publickey-based authentications still
> succeeded and the users were allowed into the system. This seems
> straightforward to me since openssh 4.3 disabled the evaluation of
> /etc/nologin in favour of pam_nologin but doesn't use PAM for anything
> other than password-based logins, does it?
sshd uses the PAM auth stack for password or challenge-response (aka
kbdint) authentications but uses the account and session stacks for all
authentication methods.
> Is this a known issue or even a non-issue due to a misunderstanding on
> my part?
Do you have pam_nologin in the auth stack only in the PAM config file?
I suspect that you just need to add pam_nologin to the account stack.
--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
More information about the openssh-unix-dev
mailing list