Bug 151173 - PAM sshd pam_nologin and pam_shells never get executed
Summary: PAM sshd pam_nologin and pam_shells never get executed
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Default Configs (show other bugs)
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
URL: http://forums.gentoo.org/viewtopic-t-...
Whiteboard: jaervosz
Keywords:
Duplicates: 160959
Depends on: 182301 183886 183887 183888 183890 183958 183961
Blocks:
Reported: 2006-10-13 06:23 UTC by wgja
Modified: 2007-09-09 19:16 UTC (History)

See Also:
Package list:
Runtime testing required: ---
Description wgja 2006-10-13 06:23:01 UTC
Hi,

I'm a bit confused by the order in which the pam modules are executed in the /etc/pam.d/sshd file for the 'auth' module-type on my gentoo box. Here are the relevant contents of /etc/pam.d/sshd:

auth include system-auth
auth required pam_shells.so
auth required pam_nologin.so

Which, when /etc/pam.d/system-auth is included, translates to:
auth required pam_env.so
auth sufficient pam_unix.so likeauth nullok
auth required pam_deny.so
auth required pam_shells.so
auth required pam_nologin.so

From my understanding of PAM, if unix authentication using the pam_unix module is successful, the 'sufficient' keyword tells PAM not to process the others down the list. Besides, if authentication has failed, pam_deny is executed, and it's irrelevant whether pam_shells and pam_nologin return success or failure.

Wouldn't it be better to have the pam_shells and pam_nologin modules execute before the pam_unix module?

Regards,
Will

emerge --info:
Portage 2.1.2_pre2-r9 (default-linux/x86/2006.1/desktop, gcc-3.4.6, glibc-2.4-r3, 2.6.17-gentoo-r8 i686)
=================================================================
System uname: 2.6.17-gentoo-r8 i686 Intel(R) Pentium(R) M processor 1.86GHz
Gentoo Base System version 1.12.5
Last Sync: Fri, 13 Oct 2006 01:53:01 +0000
Comment 1 Matt Drew (RETIRED) gentoo-dev 2006-10-13 07:06:19 UTC
the same issue exists in:

/etc/pam.d/login
/etc/pam.d/xdm

Problem would result in the failure of /etc/nologin to function properly, and bypasses the /etc/shells check.
Comment 2 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-11-20 23:32:49 UTC
pam-bugs please advise.
Comment 3 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-12-11 08:27:18 UTC
pam-bugs please advise.
Comment 4 Diego Elio Pettenò (RETIRED) gentoo-dev 2006-12-11 12:30:31 UTC
The include line should probably be at the end instead of at the top.
Comment 5 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2006-12-11 12:33:02 UTC
yeah, the include line should be moved down.
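The stack evaluation described in the report and the reordering proposed in comments #4 and #5, as an added example that is not part of this bug or of Gentoo's PAM files: a small Python simulator of Linux-PAM "required"/"sufficient" control-flag handling. Module names are the ones from the report; their return values are constructed stand-ins, not calls into real PAM modules.

```python
from typing import Dict, List, Tuple

# A stack entry is (control flag, module name); module outcomes are simulated.
Stack = List[Tuple[str, str]]

# Effective 'auth' stack of the original /etc/pam.d/sshd from the report:
# "auth include system-auth" expands to the first three entries.
ORIGINAL_SSHD: Stack = [
    ("required", "pam_env.so"),
    ("sufficient", "pam_unix.so"),
    ("required", "pam_deny.so"),
    ("required", "pam_shells.so"),
    ("required", "pam_nologin.so"),
]

# The same modules with the include line moved to the end (comments #4/#5).
FIXED_SSHD: Stack = [
    ("required", "pam_shells.so"),
    ("required", "pam_nologin.so"),
    ("required", "pam_env.so"),
    ("sufficient", "pam_unix.so"),
    ("required", "pam_deny.so"),
]


def run_auth_stack(stack: Stack, results: Dict[str, bool]) -> Tuple[bool, List[str]]:
    """Walk an auth stack with Linux-PAM 'required'/'sufficient' semantics.
    results maps module name -> True if it would return PAM_SUCCESS (constructed);
    returns (authentication granted, modules actually consulted)."""
    consulted: List[str] = []
    failed = False
    for control, module in stack:
        consulted.append(module)
        ok = results.get(module, True)
        if control == "required":
            # a required failure is remembered, but the walk continues
            failed = failed or not ok
        elif control == "sufficient":
            # success ends the stack at once unless a required entry already failed
            if ok and not failed:
                return True, consulted
        else:
            raise ValueError(f"unsupported control flag: {control}")
    return not failed, consulted


# Constructed scenario: correct password, but the account's shell is not in
# /etc/shells and /etc/nologin exists, so both checks should deny the login.
SCENARIO = {"pam_env.so": True, "pam_unix.so": True, "pam_deny.so": False,
            "pam_shells.so": False, "pam_nologin.so": False}
```

With the original order, `run_auth_stack(ORIGINAL_SSHD, SCENARIO)` grants access after consulting only pam_env and pam_unix; with `FIXED_SSHD` the same scenario is refused because pam_shells and pam_nologin now run first.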
Comment 6 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-12-11 12:48:48 UTC
Accepting bug and awaiting fixed ebuild.
Comment 7 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2006-12-11 14:31:36 UTC
security: you'll have to find who the various broken files in /etc/pam.d/ belong to, and get them on here.
Comment 8 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-12-11 21:04:43 UTC
Duh, too many bugs to handle. Thx for the pointer robbat2:-)

Teams please fix your files placed in /etc/pam.d/:

/etc/pam.d/sshd
/etc/pam.d/login
/etc/pam.d/xdm
Comment 9 Donnie Berkholz (RETIRED) gentoo-dev 2006-12-11 22:03:09 UTC
Fixed in xdm-1.1.2-r1, and for anyone who emerges any version after today.
Comment 10 Jakub Moc (RETIRED) gentoo-dev 2007-01-08 22:18:35 UTC
*** Bug 160959 has been marked as a duplicate of this bug. ***
Comment 11 Matt Drew (RETIRED) gentoo-dev 2007-04-05 02:08:13 UTC
base-system any word on this? Thanks.
Comment 12 SpanKY gentoo-dev 2007-04-05 06:04:11 UTC
base-system does not care about pam ... there's a reason we have a sep "pam-bugs" alias

if the pam guys want to fix something, they're free to change whatever pam files they like
Comment 13 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-05-02 12:11:10 UTC
pam-bugs please advise.
Comment 14 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-06-03 15:29:31 UTC
pam-bugs please advise.
Comment 15 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-06-10 08:08:21 UTC
pam-bugs please advise.
Comment 16 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2007-06-10 18:03:48 UTC
I thought we were sending this to base-system so that they could fix the shadow and openssh packages?
Comment 17 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-06-11 06:45:23 UTC
Thx Robin, my memory is limited:)

base-system please advise.
Comment 18 SpanKY gentoo-dev 2007-06-13 05:28:49 UTC
comment #12 still stands
Comment 19 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-06-13 19:17:46 UTC
pam-bugs please fix any remaining files under /etc/pam.d/ that belong to base-system.
Comment 20 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-07-01 02:11:09 UTC
pam-bugs please fix any remaining files under /etc/pam.d/ that belong to base-system so we can get this one closed.
Comment 21 Jakub Moc (RETIRED) gentoo-dev 2007-09-04 00:23:01 UTC
(In reply to comment #20)
> pam-bugs please fix any remaining files under /etc/pam.d/ that belong to
> base-system so we can get this one closed.

AFAICT there's nothing left to be fixed here.
Comment 22 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-09-09 19:16:44 UTC
Thx for the pointer Jakub. I'll close this one now (only mips is left on bug #182301).