nologin not working with openssh >= 4.3 and authentication != password

Michael Weiser michael at
Tue Jan 9 04:25:53 EST 2007

On Tue, Jan 09, 2007 at 03:35:57AM +1100, Darren Tucker wrote:

> > file into /etc. This only worked for logins that use the password
> > authentication mechanism. publickey-based authentications still
> sshd uses the PAM auth stack for password or challenge-response (aka
> kbdint) authentications but uses the account and session stacks for all
> authentication methods.

> > Is this a known issue or even a non-issue due to a misunderstanding on
> > my part?
> Do you have pam_nologin in the auth stack only in the PAM config file?

Yes, exactly.

> I suspect that you just need to add pam_nologin to the account stack.

Thanks, that did it. The Gentoo sshd pam config seems to be broken that
way. I'll open a bug with them.

Thanks for your help and sorry for the (perhaps) FAQ.
bye, Micha

More information about the openssh-unix-dev mailing list