All,

I'm trying to use PAM to replicate the authorized user functionality in commercial ssh. In the past, I've patched openssh to do this, but I think that solution is fairly ugly (and requires me to patch with each new release of openssh, which is really bad).

I want to do this:

0. use openssh for all communication with this machine.
1. check a user's identity using their password/key/etc.
2. if /etc/nologin exists, check a file /etc/authuser and if the user is in that file, allow them anyway. If /etc/nologin doesn't exist, allow the user.
3. always allow root to log in (given a correct passwd, key, etc.)

After struggling with several PAM configurations, I put a debug line in session.c and it seems to be overriding PAM! /etc/nologin seems to always be checked by openssh and the session gets closed if it exists (in do_nologin() in session.c in 3.4p1).

Is this proper behaviour of openssh? Am I missing something?

Thanks for any help you can provide,

Jim Prewett

p.s. I'm using a stock RedHat 7.3 GNU/Linux install and openssh is configured like this:

./configure --with-privsep-user=nobody --with-tcp-wrappers --with-pam --with-md5-passwords --with-ipv4-default

-------------------------------------------------------------------------------
\x83\xec\x0c\x31\xc0\x31\xd2\x68\x2f\x73\x68\x21\x68\x2f\x62\x69\x6e\x89\xe3
\x88\x43\x07\x50\x50\x53\x53\xb0\x3b\xcd\x80\x89\xf6
Don't forget FreeBSD!
-------------------------------------------------------------------------------
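
The access decision in steps 2 and 3 of the message above, written out as a shell function. This is an added example, not part of the original post and not OpenSSH or PAM code. The function name `login_allowed`, the one-user-per-line format of /etc/authuser with `#` comments, and the accepted username character set are assumptions; it also assumes the caller has already authenticated the user (step 1).

```shell
#!/bin/sh
# Added example (not from the original post).
# login_allowed USER [NOLOGIN_FILE] [AUTHUSER_FILE]
# Returns 0 if USER may log in, 1 otherwise.
login_allowed() {
    user=$1
    nologin=${2:-/etc/nologin}
    authuser=${3:-/etc/authuser}

    # Assumed username charset: refuse empty names and anything that
    # could span lines or be read as something other than a plain name.
    case $user in
        ''|*[!A-Za-z0-9._-]*) return 1 ;;
    esac

    # Step 3: root is never locked out by /etc/nologin.
    if [ "$user" = root ]; then
        return 0
    fi

    # Step 2: without /etc/nologin, every authenticated user is allowed.
    if [ ! -e "$nologin" ]; then
        return 0
    fi

    # /etc/nologin exists: fail closed if the allow list cannot be read.
    if [ ! -r "$authuser" ]; then
        return 1
    fi

    # Strip comments and surrounding whitespace, then require a
    # whole-line, fixed-string match so "bob" does not match "bobby".
    sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
        "$authuser" | grep -Fxq -- "$user"
}
```

The whole-line match and the fail-closed branch are the two places where a looser check would silently widen access while /etc/nologin is in force.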