
Bug 212421

Summary: net-misc/openssh ignores pam_nologin on auth chain.
Product: Gentoo Security
Reporter: Diego Elio Pettenò (RETIRED) <flameeyes>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: klausman
Priority: High
Version: unspecified
Hardware: All
OS: All
Whiteboard:
Package list:
Runtime testing required: ---

Description Diego Elio Pettenò (RETIRED) gentoo-dev 2008-03-05 20:12:06 UTC
Simple as that: it seems that creating /etc/nologin to stop logins in ssh fails with it just in the auth chain; it is also needed in the account chain (which btw is not supported by Gentoo/FreeBSD's pam_nologin module; note to self: resurrect Gentoo/FreeBSD project and get Linux-PAM working on it).

I have it fixed in pambase, I can get it fixed for the old-school version (as I don't like the idea of stabling pambase right now), although that might require a bit more fiddling because of G/FBSD... on the other hand I can just get the G/FBSD keyword dropped for that revision so that they are limited to the pambase-enabled versions.
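
The check the description calls for, as an added example that is not part of the bug report or Gentoo's own code: it walks a service's PAM files, following `include`/`substack`, and reports which of the auth and account chains never reach pam_nologin. The file names and contents (`sshd-before`, `sshd-after`, `remote-login`, `base-auth`) are constructed for illustration.

```python
import re

# Constructed sample PAM service files (not Gentoo's real ones), keyed by file name.
FILES = {
    "sshd-before": """\
auth     required  pam_nologin.so      # only in the auth chain
auth     include   base-auth
account  include   base-auth
""",
    "sshd-after": """\
auth     include   remote-login
account  include   remote-login
""",
    "remote-login": """\
auth     required  pam_nologin.so
auth     include   base-auth
account  required  pam_nologin.so
account  include   base-auth
""",
    "base-auth": """\
auth     required  pam_unix.so
account  [default=bad success=ok]  pam_unix.so
""",
}

def module_stacks(service, files, module="pam_nologin.so", only=None, seen=()):
    """Return the PAM types (auth, account, ...) whose chain reaches `module`."""
    found = set()
    if service in seen or service not in files:
        return found  # include loop or unknown file
    for raw in files[service].splitlines():
        # Drop the trailing comment and collapse a bracketed control to one token.
        line = re.sub(r"\[[^\]]*\]", "[]", raw.split("#", 1)[0])
        tok = line.split()
        if len(tok) < 3:
            continue
        ptype, control, target = tok[0].lstrip("-"), tok[1], tok[2]
        if only and ptype != only:
            continue  # "auth include x" pulls in only x's auth lines
        if control in ("include", "substack"):
            found |= module_stacks(target, files, module, ptype, seen + (service,))
        elif target.rsplit("/", 1)[-1] == module:
            found.add(ptype)
    return found

def missing_nologin(service, files):
    """Chains (of auth and account) in which pam_nologin is absent."""
    return sorted({"auth", "account"} - module_stacks(service, files))

if __name__ == "__main__":
    for svc in ("sshd-before", "sshd-after"):
        print(svc, "lacks pam_nologin in:", missing_nologin(svc, FILES) or "no chain")
```

To audit a host, build the `files` dictionary from the contents of its PAM configuration directory and call `missing_nologin` with the SSH service's file name.
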
Comment 1 SpanKY gentoo-dev 2008-03-25 18:19:40 UTC
does it only fail on BSD platforms?  if so, that doesn't warrant a security notice.  just fix it and be done.
Comment 2 Tobias Klausmann (RETIRED) gentoo-dev 2008-03-25 20:12:14 UTC
No, this happened on Linux/glibc, on x86, amd64 and alpha.
Comment 3 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-05-06 13:59:10 UTC
any news here? can we just make this public and close this one?
Comment 4 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-06-22 20:53:33 UTC
(In reply to comment #3)
> any news here? can we just make this public and close this one?
> 

*ping*
Comment 5 Tobias Klausmann (RETIRED) gentoo-dev 2008-12-13 10:18:02 UTC
Works for me.
Comment 6 Pierre-Yves Rofes (RETIRED) gentoo-dev 2009-01-11 20:15:58 UTC
just talked to flameeyes, I'm unrestricting the bug.
Comment 7 Diego Elio Pettenò (RETIRED) gentoo-dev 2012-07-11 15:54:02 UTC
Security, do you want to keep this one open? OpenSSH has been using pambase for a while now AFAICT.
Comment 8 Tim Sammut (RETIRED) gentoo-dev 2012-08-16 05:17:45 UTC
I don't see any reason to keep this open. If anyone disagrees, please reopen.