pam and openssh

Jim Prewett (download at ahpcc.unm.edu)
Wed Jul 3 04:03:59 EST 2002


All,
I'm trying to use PAM to replicate the authorized user functionality in
commercial ssh.  In the past, I've patched openssh to do this, but I think
that solution is fairly ugly (and requires me to patch with each new
release of openssh, which is really bad).

I want to do this:

0. use openssh for all communication with this machine.

1. check a user's identity using their password/key/etc.

2. if /etc/nologin exists, check a file /etc/authuser and, if the user is
in that file, allow them anyway.  If /etc/nologin doesn't exist, allow the
user.

3. always allow root to log in (given a correct passwd, key, etc.)


After struggling with several PAM configurations, I put a debug line in
session.c and it seems to be overriding PAM!  /etc/nologin seems to always
be checked by openssh and the session gets closed if it exists (in
do_nologin() in session.c in 3.4p1).

Is this proper behaviour of openssh?

Am I missing something?

Thanks for any help you can provide,
Jim Prewett

p.s. I'm using a stock RedHat 7.3 GNU/Linux install and openssh is
configured like this:

./configure --with-privsep-user=nobody --with-tcp-wrappers --with-pam
--with-md5-passwords --with-ipv4-default
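
As an added example (not code from the post, from OpenSSH or from any PAM
module), the policy in steps 2 and 3 above written out as one decision
function in C.  The post's observation is that sshd 3.4p1 makes its own
/etc/nologin decision in do_nologin() in session.c, separately from whatever
the PAM stack decides, so a PAM-side allow-list is never consulted for that
check; modelling the whole policy in a single function makes the intended
order of checks explicit (root first, then the nologin flag, then the
allow-list).  The file paths are parameters so the logic can be exercised
against scratch files under /tmp; the real paths would be /etc/nologin and
/etc/authuser as in the post.  The function names, the one-user-per-line
allow-list format and the scratch file names are assumptions of this example.

```c
/*
 * Added example: a stand-alone model of the nologin / authuser policy from
 * the post.  Not part of OpenSSH or of any PAM module.
 *
 *   - root is always allowed (step 3);
 *   - if the nologin file does not exist, everyone is allowed (step 2);
 *   - if it does exist, only users listed one per line in the authuser
 *     file are allowed (step 2).
 *
 * Paths are parameters so the decision can be tested against scratch files.
 */
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

enum { DENY = 0, ALLOW = 1 };

/* 1 if path exists (stat succeeds), 0 otherwise. */
static int file_exists(const char *path)
{
    struct stat st;
    return stat(path, &st) == 0;
}

/* 1 if 'user' appears as a whole line in 'listfile', 0 otherwise.
 * An unreadable or missing allow-list yields 0: fail closed while nologin
 * is in force.  Blank lines and lines starting with '#' are ignored
 * (assumed format, not something the post specifies). */
static int user_in_list(const char *user, const char *listfile)
{
    char line[256];
    int found = 0;
    FILE *f = fopen(listfile, "r");
    if (f == NULL)
        return 0;
    while (fgets(line, sizeof line, f) != NULL) {
        line[strcspn(line, "\r\n")] = '\0';     /* strip line terminator */
        if (line[0] == '\0' || line[0] == '#')
            continue;
        if (strcmp(line, user) == 0) {          /* exact match only */
            found = 1;
            break;
        }
    }
    fclose(f);
    return found;
}

/* Decide whether an already-authenticated user may open a session.
 * Returns ALLOW (1) or DENY (0). */
int nologin_policy(const char *user, const char *nologin_path,
                   const char *authuser_path)
{
    if (strcmp(user, "root") == 0)
        return ALLOW;                           /* step 3: root always */
    if (!file_exists(nologin_path))
        return ALLOW;                           /* step 2: no nologin flag */
    return user_in_list(user, authuser_path) ? ALLOW : DENY;
}

/* Test helper: write 'contents' to 'path', or remove the file when
 * contents is NULL.  Returns 0 on success, -1 on failure. */
int write_file(const char *path, const char *contents)
{
    if (contents == NULL)
        return (unlink(path) == 0 || access(path, F_OK) != 0) ? 0 : -1;
    FILE *f = fopen(path, "w");
    if (f == NULL)
        return -1;
    fputs(contents, f);
    return fclose(f);
}

int main(void)
{
    /* Constructed scratch files standing in for /etc/nologin and /etc/authuser. */
    const char *nologin = "/tmp/example_nologin";
    const char *authuser = "/tmp/example_authuser";
    const char *users[] = { "root", "alice", "carol" };

    write_file(authuser, "# allowed while nologin is in force\nalice\nbob\n");
    write_file(nologin, "System going down for maintenance\n");
    for (size_t i = 0; i < sizeof users / sizeof users[0]; i++)
        printf("nologin present, %-6s -> %s\n", users[i],
               nologin_policy(users[i], nologin, authuser) ? "allow" : "deny");
    write_file(nologin, NULL);
    printf("nologin absent,  carol  -> %s\n",
           nologin_policy("carol", nologin, authuser) ? "allow" : "deny");
    write_file(authuser, NULL);
    return 0;
}
```

Note the fail-closed choice in user_in_list: while the nologin flag is set,
a missing or unreadable allow-list denies everyone but root, which is the
conservative reading of the post's step 2.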
