openssh issue with PAM authentication errors

Blake Hilliard blakesto at gmail.com
Sat Jun 11 05:06:36 EST 2011


Hi,

I noticed an issue with the information openssh chooses to print from PAM
during authentication.  It can be reproduced with the following steps,
assuming your system uses openssh, PAM, and allows password retries when
logging in:

1. From the root user on a system, create /etc/nologin with a message.
2. Try to log in with another session as a non-root user, but don't do a
password retry yet.
3. From the root user, remove /etc/nologin.
4. From the non-root session, retry the password.  This time you'll succeed,
but then you'll see the contents of /etc/nologin.  In fact, if you retried
again in step 2, then you'll see the contents of /etc/nologin printed twice.

This seems like the wrong behavior.  The contents of /etc/nologin are sent
as a PAM error message and stored in the variable "loginmsg" in openssh.
loginmsg is then only displayed if a retry succeeds.  At that point, the
printed message only applies to the failed authentications, not the
successful one.  And if you never successfully log in because /etc/nologin
is never removed, then you'll never see the /etc/nologin contents
displayed.  It should probably get printed after each login attempt, not as
a final login message.  That's how telnet behaves.

The more real-world use case where I've seen this is if you have a system
that uses /etc/nologin when booting up to prevent users from logging in
until a set of services are fully started.

Thanks,
- Blake
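The deferral the report describes, modelled as an added illustration that is not part of the email or of OpenSSH's source: the `pam_authenticate` stand-in, the PAM status values and the /etc/nologin text are all constructed, and `defer_to_loginmsg` switches between the reported sshd behaviour and per-attempt display.

```python
# Constructed model of the reported behaviour: PAM_ERROR_MSG text either
# accumulates in a deferred "loginmsg" buffer (shown only when a later
# attempt succeeds) or is shown right after the attempt that produced it.
PAM_SUCCESS, PAM_AUTH_ERR = 0, 7        # assumed stand-ins for the real codes
PAM_ERROR_MSG = "PAM_ERROR_MSG"         # the message style pam_nologin uses
NOLOGIN_TEXT = "System is booting, logins disabled"   # constructed sample


def pam_authenticate(nologin_text, password_ok):
    """Stand-in for a pam_nologin + password stack (not real PAM).

    Returns (status, messages); messages is a list of (style, text).
    If /etc/nologin exists, the stack fails and emits its contents as a
    PAM_ERROR_MSG before the password is considered at all.
    """
    if nologin_text is not None:
        return PAM_AUTH_ERR, [(PAM_ERROR_MSG, nologin_text)]
    return (PAM_SUCCESS if password_ok else PAM_AUTH_ERR), []


def run_session(attempts, defer_to_loginmsg):
    """Drive password retries; return the texts the client would see.

    attempts: list of (nologin_text_or_None, password_ok), one per retry.
    defer_to_loginmsg=True  -> errors are buffered in loginmsg and printed
                               only once some attempt succeeds (reported bug)
    defer_to_loginmsg=False -> errors are printed after the failing attempt
    """
    shown, loginmsg = [], ""
    for nologin_text, password_ok in attempts:
        status, msgs = pam_authenticate(nologin_text, password_ok)
        errors = "".join(t + "\n" for style, t in msgs if style == PAM_ERROR_MSG)
        if defer_to_loginmsg:
            loginmsg += errors          # stale text piles up across retries
        elif errors:
            shown.append(errors)        # user sees why this attempt failed
        if status == PAM_SUCCESS:
            if loginmsg:
                shown.append(loginmsg)  # printed even though login succeeded
            shown.append("login ok")
            break
    return shown


if __name__ == "__main__":
    # Steps 1-4 of the report: two tries while nologin exists, then it is removed.
    steps = [(NOLOGIN_TEXT, True), (NOLOGIN_TEXT, True), (None, True)]
    print("deferred:   ", run_session(steps, True))
    print("per-attempt:", run_session(steps, False))
```

With deferral the nologin text appears twice after the successful third attempt, and never appears at all if /etc/nologin is never removed; per-attempt display shows it once per failed try.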


More information about the openssh-unix-dev mailing list