nologin not working with openssh >= 4.3 and authentication != password

Damien Miller djm at mindrot.org
Tue Jan 23 09:27:46 EST 2007


On Fri, 5 Jan 2007, Michael Weiser wrote:

> Hi developers,
> 
> today I tried to disable logins to an ssh server by putting a nologin
> file into /etc. This only worked for logins that use the password
> authentication mechanism. publickey-based authentications still
> succeeded and the users were allowed into the system. This seems
> straightforward to me since openssh 4.3 disabled the evaluation of
> /etc/nologin in favour of pam_nologin but doesn't use PAM for anything
> other than password-based logins, does it?

Yes, PAM account and session modules are run for non-password
authentications. My guess is that you have the nologin module in
the authentication section of your PAM config.

-d


More information about the openssh-unix-dev mailing list