Hi, I have tested the current snapshot portable release (dated Jan 9 2004).

Configuration has:

    UsePAM yes
    PasswordAuthentication no
    ChallengeResponseAuthentication yes
    UsePrivilegeSeparation yes

Two problems:

First, pam_motd does not work anymore.

Second, I needed a quick way to disable normal user logins without disabling admin accounts (members of group wheel). The best option I could come up with is to write a new PAM module similar to pam_nologin; mine is pam_noulogin. It works as both an auth and an account module. It checks for /etc/noulogin and denies everyone except root and members of group wheel access when it exists, printing the contents of /etc/noulogin via a PAM_ERROR_MSG through the conversation mechanism.

So that this would work with both pubkey and password auth, I configured the module as a requisite account module. This works: ssh denies access when it should, but it does not print the contents of /etc/noulogin. That is a problem, since to the users it looks like ssh is malfunctioning and they bug me about why; if the noulogin file were printed properly they would get the proper explanation.

If I make the module `optional' then the message is printed correctly, but obviously access isn't denied anymore. This is still curious since pam_motd never works, and it prints /etc/motd with a PAM_TEXT_INFO message via the same conversation mechanism.

Here is the PAM config I've tested with:

    #%PAM-1.0
    auth       requisite  pam_noulogin.so
    auth       required   pam_listfile.so item=user sense=deny file=/etc/ssh/ssh_rsa_only onerr=succeed
    auth       required   pam_unix.so
    auth       required   pam_env.so # [1]
    auth       required   pam_shells.so
    account    requisite  pam_noulogin.so
    account    required   pam_unix.so
    session    required   pam_unix.so
    session    required   pam_limits.so
    session    optional   pam_motd.so # [1]
    session    optional   pam_mail.so standard # [1]
    password   required   pam_cracklib.so retry=3 minlen=8 difok=3
    password   required   pam_unix.so use_authtok nullok md5

System is Debian 3.0.

Source to my pam_noulogin module is at penguinppc.org/~eb/pam-noulogin/. This module has also been tested with plain login, and works just as it should. Source is available at http://penguinppc.org/~eb/files/pam-noulogin.tar.gz so that this may be tested by others.

As an unrelated sidenote, I tested password expiration and it seems to work properly. It looks like the PAM issues are finally getting worked out, which is good news.

I am not subscribed to this list, so CC'ing replies is requested.

thanks

-- 
Ethan Benson
http://www.alaska.net/~erbenson/
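As an added illustration (not the pam_noulogin source from the post, which is at the URL above), here is the policy core of such a module in C, kept separate from the PAM glue so it can be tested without a PAM stack: the allow/deny decision, the wheel-group lookup, and reading the lock file text that the module would hand to the conversation function as a PAM_ERROR_MSG. The group name "wheel" and the file paths are assumptions taken from the post.

```c
/* Policy core of a pam_noulogin-style check (added example, not the module
 * from the post). A real module's pam_sm_acct_mgmt() would call
 * noulogin_check() and, on DENY, pass *msg to the conversation as PAM_ERROR_MSG. */
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#define ADMIN_GROUP "wheel"      /* assumption, matching the post */
enum { NOULOGIN_ALLOW = 0, NOULOGIN_DENY = 1 };

/* Pure policy: while the lock file exists, only root and admins may log in. */
int noulogin_decide(int lock_present, const char *user, int is_admin)
{
    if (!lock_present || strcmp(user, "root") == 0 || is_admin)
        return NOULOGIN_ALLOW;
    return NOULOGIN_DENY;
}

/* Is `user` listed in the member list of `group` in the group database? */
int user_in_group(const char *user, const char *group)
{
    struct group *gr = getgrnam(group);
    if (gr == NULL)
        return 0;                /* no such group: nobody counts as admin */
    for (char **m = gr->gr_mem; *m != NULL; m++)
        if (strcmp(*m, user) == 0)
            return 1;
    return 0;
}

/* Lock file text (up to 4 KiB) as a malloc'd string; NULL if unreadable. */
char *read_lock_message(const char *path)
{
    FILE *f = fopen(path, "r");
    if (f == NULL)
        return NULL;
    char *buf = calloc(1, 4096);
    if (buf != NULL)
        buf[fread(buf, 1, 4095, f)] = '\0';
    fclose(f);
    return buf;
}
/* Live check: presence decides (fails closed even if the file is unreadable);
 * on DENY *msg holds the text to show the user (caller frees), else NULL. */
int noulogin_check(const char *user, const char *path, char **msg)
{
    int r = noulogin_decide(access(path, F_OK) == 0, user,
                            user_in_group(user, ADMIN_GROUP));
    *msg = (r == NOULOGIN_DENY) ? read_lock_message(path) : NULL;
    return r;
}
```

Whether the text in *msg ever reaches the user still depends on the application: as the thread notes, sshd does not relay account-phase conversation output to the client, so the module's placement matters as much as its logic.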
Ethan Benson wrote:

> first pam_motd does not work anymore.

It worked on RH8 when I tested it. I have a Debian test box here, I'll see if I can reproduce it.

> second, I needed a quick way to disable normal user logins without
> disabling admin accounts (members of group wheel). the best option i
> could come up with is to write a new pam module similar to
> pam_nologin, mine is pam_noulogin. It works as both as an auth, and
> account module. It checks for /etc/noulogin and denies everyone except
> root and members of group wheel access when it exists, printing the
> contents of /etc/noulogin via a PAM_ERROR_MSG through the conversation
> mechanism.

Can you try it as a session module? I think the error will be output in that case because by the time the session module runs, you have a tty attached to the session.

> so that this would work with both pubkey and password auth I
> configured the module as a requisite account module, this works, ssh
> denies access when it should, but it does not print the contents of
> /etc/noulogin. that is a problem since to the users it looks like ssh
> is malfunctioning and they bug me about why, if the noulogin file were
> printed properly they would get the proper explanation.

As a general policy, sshd will not tell a client *why* an authentication failed, in order to deny information to an attacker. Vanilla /etc/nologin is handled by sshd as a special case.

> if i make the module `optional' then the message is printed correctly,
> but obviously access isn't denied anymore. this is still curious since
> pam_motd never works, and it prints /etc/motd with a PAM_TEXT_INFO
> message via the same conversation mechanism.
>
> here is the pam config ive tested with:
>
> #%PAM-1.0
>
> auth requisite pam_noulogin.so
> auth required pam_listfile.so item=user sense=deny file=/etc/ssh/ssh_rsa_only onerr=succeed
> auth required pam_unix.so
> auth required pam_env.so # [1]
> auth required pam_shells.so
> account requisite pam_noulogin.so
> account required pam_unix.so
> session required pam_unix.so
> session required pam_limits.so
> session optional pam_motd.so # [1]
> session optional pam_mail.so standard # [1]
> password required pam_cracklib.so retry=3 minlen=8 difok=3
> password required pam_unix.so use_authtok nullok md5

ENOFOOTNOTE?

> system is Debian 3.0

[snip]

> as an unrelated sidenote i tested password expiration and it seems to
> work properly, it looks like the pam issues are finally getting worked
> out, which is good news.

Excellent news, thanks.

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.