nologin not working with openssh >= 4.3 and authentication != password

Darren Tucker dtucker at
Tue Jan 9 03:35:57 EST 2007

Michael Weiser wrote:
> Hi developers,
> today I tried to disable logins to an ssh server by putting a nologin
> file into /etc. This only worked for logins that use the password
> authentication mechanism. publickey-based authentications still
> succeeded and the users were allowed into the system. This seems
> straightforward to me since openssh 4.3 disabled the evaluation of
> /etc/nologin in favour of pam_nologin but doesn't use PAM for anything
> other than password-based logins, does it?

sshd uses the PAM auth stack for password or challenge-response (aka
kbdint) authentications but uses the account and session stacks for all
authentication methods.

> Is this a known issue or even a non-issue due to a misunderstanding on
> my part?

Do you have pam_nologin in the auth stack only in the PAM config file?
I suspect that you just need to add pam_nologin to the account stack.

Darren Tucker (dtucker at
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

More information about the openssh-unix-dev mailing list