My apologies if this has already been discussed. I looked through the mailing list archives and couldn't see any mention of this problem.

I compiled and installed openssh-2.3.0p1 on a sparc running SunOS 5.7, and while I was testing it to make sure everything was working properly, I noticed that when I used PAM to authenticate, rather than /bin/login, sshd was not honoring /etc/nologin. I took a real quick look through the source code and found this at line 1022 of session.c:

    #ifndef USE_PAM /* pam_nologin handles this */
    if (!options.use_login) {

Now that seems like it's probably the right way to handle /etc/nologin under PAM authenticated linux systems, however there's one problem: Sun doesn't ship SunOS with a pam_nologin.so module. pam_unix.so authenticates the user, and since openssh is told not to look for /etc/nologin, it lets the user log in.

I could fix this by having sshd use /bin/login, but I'd really rather not. I just removed the "#ifndef USE_PAM" and "#endif /* USE_PAM */" lines and it worked fine. I'm not suggesting that as the fix for the bug, but it certainly works. Besides, I can't see the harm in having sshd check /etc/nologin even if there is a pam_nologin module that's supposed to check for it. I'd view it as an extra guarantee that /etc/nologin really means no logins even if some script kiddie or incompetent admin has been playing around with the system's PAM configuration.

Thanks for your time,

David Ressman

P.S. Here's the patch I used to fix the problem:

*** session.c.orig Sat Jan 20 14:09:42 2001 --- session.c Sat Jan 20 14:10:02 2001 *************** *** 1019,1025 **** if (options.use_login && command != NULL) options.use_login = 0; - #ifndef USE_PAM /* pam_nologin handles this */ if (!options.use_login) { # ifdef HAVE_LOGIN_CAP if (!login_getcapbool(lc, "ignorenologin", 0) && pw->pw_uid) --- 1019,1024 ---- *************** *** 1037,1043 **** exit(254); } } - #endif /* USE_PAM */ /* Set login name, uid, gid, and groups.
*/ /* Login(1) does this as well, and it needs uid 0 for the "-h" --- 1036,1041 ----
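Review bot: dropping the `#ifndef USE_PAM` / `#endif /* USE_PAM */` pair in both hunks makes the /etc/nologin check unconditional for every PAM build, so on platforms whose PAM stack does ship pam_nologin the file is now checked twice (once here, once later by PAM) with potentially different semantics; a run-time sshd_config option, defaulted per platform by the distribution builder, would cover the Solaris case without changing behaviour for Linux builds. Two smaller points in the first hunk: the inner `# ifdef HAVE_LOGIN_CAP` keeps the one-level indentation it had as a nested directive, which no longer matches once the outer guard is gone, and the removed `/* pam_nologin handles this */` comment should be replaced by one stating why the check is always compiled in, otherwise the next reader will try to restore the guard.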
First one nit: there is no bug in Solaris with respect to nologin, just a different mechanism to what you get under the distributions of Linux that have PAM support and ship a pam_nologin. On Solaris /etc/nologin is checked directly by /bin/login and dtlogin.

> Now that seems like it's probably the right way to handle /etc/nologin

I would agree that using PAM to check nologin is a better method, but not doing so is not a bug in Solaris.

> under PAM authenticated linux systems, however there's one problem: Sun
> doesn't ship SunOS with a pam_nologin.so module. pam_unix.so authenticates
> the user, and since openssh is told not to look for /etc/nologin, it lets
> the user log in.

This was exactly the rationale for not having PAM be enabled by default.

> I could fix this by having sshd use /bin/login, but I'd really rather not.
> I just removed the "#ifndef USE_PAM" and "#endif /* USE_PAM */" lines and
> it worked fine. I'm not suggesting that as the fix for the bug, but it
> certainly works.

The problem here is there is a large (and IMO increasing) overlap between stuff being done inside sshd and stuff that really should be done by PAM on systems that have it, e.g. the group access stuff is perfect for a PAM module. The problem here is that while the PAM framework is (almost) the same on all platforms, the available modules are very different. This makes it very difficult to choose what to compile directly into the sshd program and what to expect PAM to be able to check.

As for the particular case of nologin, I am fully aware of it and hope to have a PAM module that will do this check in some future release of Solaris. (The code is written; it is process and testing that needs doing. Note this is not an Engineering commitment to actually provide this, just a heads up that we are aware of it and could do it if we get approval.)

> Besides, I can't see the harm in having sshd check /etc/nologin even if
> there is a pam_nologin module that's supposed to check for it. I'd view
> it as an extra guarantee that /etc/nologin really means no logins even if
> some script kiddie or incompetent admin has been playing around with the
> system's PAM configuration.

I would treat this in a similar way to /etc/motd, i.e. add an sshd_config file option for it so that the server can be set to check it for systems that don't do it in PAM and set not to for those that do. It then reduces the problem to a default config issue for distribution builders. This is better than SSHD always checking it even if PAM is going to check it again later (race conditions, slightly differing semantics etc. etc.), otherwise you will get someone complaining that it checks it twice and it is slowing down their login (believe me, I've had reports like this from customers before for telnet!).

-- 
Darren J Moffat
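As an added illustration of the config-option approach proposed in the reply (example code, not from OpenSSH or Solaris): the /etc/nologin check from session.c rewritten so that a hypothetical `check_nologin` option decides whether sshd checks the file itself or leaves it to PAM, keeping the uid 0 exemption, with the demo running against a constructed temp file rather than the real /etc/nologin.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

/* Hypothetical parsed sshd_config state (assumption, not a real option):
 * check_nologin = 1 -> sshd checks the file itself (Solaris-style PAM stacks),
 * check_nologin = 0 -> leave it to pam_nologin so it is not checked twice. */
struct nologin_policy {
    int check_nologin;
    const char *path;   /* normally "/etc/nologin" */
};

/* Pure decision: refuse only when the option is on, the file exists and the
 * user is not root; uid 0 stays exempt exactly as in session.c and login(1). */
int nologin_denies(const struct nologin_policy *p, int file_present, uid_t uid)
{
    if (!p->check_nologin || uid == 0)
        return 0;
    return file_present ? 1 : 0;
}

/* Full check: read the banner so it can be shown before the session exits.
 * Returns 1 when the login must be refused, 0 otherwise. */
int nologin_check(const struct nologin_policy *p, uid_t uid, char *banner, size_t len)
{
    FILE *f = NULL;
    if (len) banner[0] = '\0';
    if (p->check_nologin && uid != 0)
        f = fopen(p->path, "r");
    if (f) {
        size_t n = fread(banner, 1, len - 1, f);
        banner[n] = '\0';
        fclose(f);
    }
    return nologin_denies(p, f != NULL, uid);
}

/* Demo on a constructed temp file: returns 1 when all three cases behave. */
int demo(void)
{
    char path[] = "/tmp/nologin-exXXXXXX";          /* constructed sample */
    const char msg[] = "System going down for maintenance\n";
    char banner[256];
    int fd = mkstemp(path), ok;
    if (fd < 0 || write(fd, msg, strlen(msg)) < 0) return 0;
    close(fd);
    struct nologin_policy on = { 1, path }, off = { 0, path };
    ok = nologin_check(&on, 1000, banner, sizeof banner) == 1 && !strcmp(banner, msg)
      && nologin_check(&on, 0, banner, sizeof banner) == 0      /* root exempt */
      && nologin_check(&off, 1000, banner, sizeof banner) == 0; /* left to PAM */
    unlink(path);
    return ok;
}

int main(void) { printf("demo %s\n", demo() ? "ok" : "FAILED"); return !demo(); }
```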