
Bug 160959

Summary: pam config for openssh sshd incomplete/broken
Product: Gentoo Linux Reporter: Michael Weiser <michael>
Component: [OLD] Server
Assignee: Gentoo Linux bug wranglers <bug-wranglers>
Status: RESOLVED DUPLICATE    
Severity: normal    
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   

Description Michael Weiser 2007-01-08 17:50:35 UTC
The current openssh sshd pam config file looks like this:

auth       required     pam_stack.so service=system-auth
auth       required     pam_shells.so
auth       required     pam_nologin.so
account    required     pam_stack.so service=system-auth
password   required     pam_stack.so service=system-auth
session    required     pam_stack.so service=system-auth

The system-auth file looks like this:

auth       required     pam_env.so
auth       sufficient   pam_unix.so try_first_pass likeauth nullok
auth       required     pam_deny.so

account    required     pam_unix.so

password   required     pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 try_first_pass retry=3
password   sufficient   pam_unix.so try_first_pass use_authtok nullok md5 shadow
password   required     pam_deny.so

session    required     pam_limits.so
session    required     pam_unix.so

This is broken in two ways:

1. since system-auth is included first from sshd and pam_unix is sufficient for authentication, pam_nologin and pam_shells will never be called if password authentication is successful and therefore might not be able to prevent login.

2. sshd uses the auth stack only for password authentication. Therefore pam_nologin is not able to prevent publickey or gssapi authenticated logins if /etc/nologin exists. This can be solved by adding pam_nologin to account as well.

My corrected sshd pam config looks like this:

auth       required     pam_shells.so
auth       required     pam_nologin.so
auth       include      system-auth
account    required     pam_nologin.so
account    include      system-auth
password   include      system-auth
session    include      system-auth

BTW: Fedora has pam_nologin only in account.

The respective ebuilds are:

sys-libs/pam-0.99.6.3-r2
net-misc/openssh-4.5_p1

Reproducible: Always

More information on this can be found at:

http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=116811032504056&w=2
http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=116827475613866&w=2
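Added example, not part of the bug report or of Gentoo's PAM packaging: a small Python model of Linux-PAM stack evaluation that replays both failure modes described above (a sufficient pam_unix skipping pam_shells/pam_nologin, and publickey logins never touching the auth stack). It assumes that pam_stack.so service=X behaves like include X (a sufficient success inside the included lines ends the whole stack, as Linux-PAM's include did before substack existed), models only the auth and account stacks, and replaces the real modules with stand-ins driven by a constructed login context.

```python
# Constructed copies of the stacks from the report (auth and account lines only).
SYSTEM_AUTH = """auth     required   pam_env.so
auth     sufficient pam_unix.so try_first_pass likeauth nullok
auth     required   pam_deny.so
account  required   pam_unix.so"""
ORIGINAL_SSHD = """auth     required   pam_stack.so service=system-auth
auth     required   pam_shells.so
auth     required   pam_nologin.so
account  required   pam_stack.so service=system-auth"""
FIXED_SSHD = """auth     required   pam_shells.so
auth     required   pam_nologin.so
auth     include    system-auth
account  required   pam_nologin.so
account  include    system-auth"""
SERVICES = {"system-auth": SYSTEM_AUTH}
# Stand-ins for the real modules: each decides from a constructed login context.
MODULES = {"pam_env.so": lambda t, c: True, "pam_deny.so": lambda t, c: False,
           "pam_unix.so": lambda t, c: t != "auth" or c["password_ok"],
           "pam_nologin.so": lambda t, c: not c["nologin_exists"],
           "pam_shells.so": lambda t, c: c["shell_listed"]}

def expand(text, mtype):
    """Flatten one stack type into (control, module); include and pam_stack.so are inlined (assumption)."""
    out = []
    for line in text.strip().splitlines():
        kind, control, module, *args = line.split()
        if kind != mtype:
            continue
        if control == "include" or module == "pam_stack.so":
            svc = module if control == "include" else args[0].split("=", 1)[1]
            out += expand(SERVICES[svc], mtype)
        else:
            out.append((control, module))
    return out

def run_stack(text, mtype, ctx):
    """Linux-PAM control flags: a required failure is remembered, a sufficient success ends the stack."""
    failed = False
    for control, module in expand(text, mtype):
        ok = MODULES[module](mtype, ctx)
        if control == "required" and not ok:
            failed = True
        elif control == "sufficient" and ok and not failed:
            return True  # anything after this line (pam_shells, pam_nologin) never runs
    return not failed

def sshd_login(config, method, ctx):
    """sshd consults the auth stack only for password logins; the account stack runs for every method."""
    if method == "password" and not run_stack(config, "auth", ctx):
        return False
    return run_stack(config, "account", ctx)
```

With /etc/nologin present, the original stacks admit both a password login and a publickey login, while the reordered stacks deny both.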
Comment 1 Jakub Moc (RETIRED) gentoo-dev 2007-01-08 22:18:35 UTC

*** This bug has been marked as a duplicate of bug 151173 ***