On Sat, Nov 05, 2005 at 03:07:50PM +0530, Senthil Kumar wrote:
> I'm using OpenSSH 4.2p1. Suppose I disable non-root logins to my system
> through the /etc/nologin file; SSH writes an entry for the non-root user in
> the wtmp file. This is because the writing to the wtmp file happens in the
> parent process, whereas the checking of the nologin file happens in the child
> one. I would like to know whether we should put an entry in the wtmp file for
> such denied logins.
From sshd's perspective, what's happening is that the session is permitted
but exits immediately after showing the user the contents of /etc/nologin.
The login recording happens when the pty is allocated. Should it do that?
Probably not.
That behaviour could be changed by checking for /etc/nologin earlier.
The trick is you'd have to do it before the pty allocation.
Basically, you check nologin and, if found, append the content to
loginmsg and set a nologin flag. That flag would need to deny the
pty request and cause the shell child to exit immediately after displaying
the loginmsg.
I did something along those lines at one point to make the BSM audit
code able to audit nologin events. I might be able to dig that up.
--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
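The ordering change Darren sketches, as an added example that is not part of the original message and is not OpenSSH's code: a small simulation of an sshd-like session in which the login record is written when the pty is allocated, run once in the original order (pty first, nologin checked by the shell child) and once with the nologin check moved ahead of the pty request. The names (struct session, check_nologin, pty_req, shell_child, run_original, run_early_check, make_nologin_file) are hypothetical, the nologin path is a parameter so the demonstration can use a constructed temporary file instead of /etc/nologin, and the exit status used for the denied shell is arbitrary.

```c
/* Hypothetical simulation of the nologin/pty ordering discussed above (not OpenSSH code). */
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

#define LOGINMSG_MAX 1024

struct session {
	uid_t uid;                   /* authenticated user's uid */
	const char *nologin_path;    /* /etc/nologin; a parameter so the demo can use a temp file */
	char loginmsg[LOGINMSG_MAX]; /* text shown before the shell, like sshd's loginmsg */
	int nologin;                 /* set when a nologin file applies to this user */
	int pty_allocated;
	int wtmp_recorded;           /* login record written; happens together with pty allocation */
	int shell_exit;              /* exit status of the shell child */
};

/* If a nologin file exists and the user is not root, append its contents to
 * loginmsg and set the nologin flag. Returns the flag. */
static int check_nologin(struct session *s)
{
	FILE *f;
	size_t used, n;

	if (s->uid == 0 || (f = fopen(s->nologin_path, "r")) == NULL)
		return 0;
	used = strlen(s->loginmsg);
	n = fread(s->loginmsg + used, 1, sizeof(s->loginmsg) - used - 1, f);
	s->loginmsg[used + n] = '\0';
	fclose(f);
	s->nologin = 1;
	return 1;
}

/* Parent side: pty request. Allocating the pty is also where the login record goes. */
static void pty_req(struct session *s)
{
	if (s->nologin)
		return;                  /* the flag denies the pty, so nothing is recorded */
	s->pty_allocated = 1;
	s->wtmp_recorded = 1;
}

/* Child side. With check_here set, the nologin check happens only now, after the parent
 * has already recorded the login. */
static void shell_child(struct session *s, int check_here)
{
	if (check_here)
		check_nologin(s);
	if (s->nologin) {
		fputs(s->loginmsg, stdout);  /* show the nologin text ... */
		s->shell_exit = 1;           /* ... and exit without running a shell (arbitrary code) */
		return;
	}
	s->shell_exit = 0;               /* a real sshd would exec the user's shell here */
}

/* Original order: pty (and wtmp) first, nologin checked by the shell child. */
static struct session run_original(uid_t uid, const char *nologin_path)
{
	struct session s = { .uid = uid, .nologin_path = nologin_path };
	pty_req(&s);
	shell_child(&s, 1);
	return s;
}

/* Proposed order: check nologin first; the flag denies the pty and ends the child. */
static struct session run_early_check(uid_t uid, const char *nologin_path)
{
	struct session s = { .uid = uid, .nologin_path = nologin_path };
	check_nologin(&s);
	pty_req(&s);
	shell_child(&s, 0);
	return s;
}

/* Constructed stand-in for /etc/nologin; returns a malloc'd path or NULL. */
static char *make_nologin_file(const char *text)
{
	char *path = strdup("/tmp/nologin-demo.XXXXXX");
	int fd;

	if (path == NULL || (fd = mkstemp(path)) < 0) {
		free(path);
		return NULL;
	}
	if (write(fd, text, strlen(text)) != (ssize_t)strlen(text)) {
		close(fd); unlink(path); free(path);
		return NULL;
	}
	close(fd);
	return path;
}

int main(void)
{
	char *path = make_nologin_file("System going down for maintenance.\n");
	struct session a, b;

	if (path == NULL)
		return 1;
	a = run_original(1000, path);
	b = run_early_check(1000, path);
	printf("original:    wtmp=%d pty=%d exit=%d\n", a.wtmp_recorded, a.pty_allocated, a.shell_exit);
	printf("early check: wtmp=%d pty=%d exit=%d\n", b.wtmp_recorded, b.pty_allocated, b.shell_exit);
	unlink(path);
	free(path);
	return 0;
}
```

In the original order the non-root user gets a wtmp record even though the shell child only ever prints the nologin text; with the check moved before the pty request the record is never written, root is still exempt, and a session with no nologin file proceeds unchanged.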