Darren Tucker
2007-Jan-08 16:35 UTC
nologin not working with openssh >= 4.3 and authentication != password
Michael Weiser wrote:
> Hi developers,
>
> today I tried to disable logins to an ssh server by putting a nologin
> file into /etc. This only worked for logins that use the password
> authentication mechanism. publickey-based authentications still
> succeeded and the users were allowed into the system. This seems
> straightforward to me since openssh 4.3 disabled the evaluation of
> /etc/nologin in favour of pam_nologin but doesn't use PAM for anything
> other than password-based logins, does it?

sshd uses the PAM auth stack for password or challenge-response (aka kbdint) authentications but uses the account and session stacks for all authentication methods.

> Is this a known issue or even a non-issue due to a misunderstanding on
> my part?

Do you have pam_nologin in the auth stack only in the PAM config file? I suspect that you just need to add pam_nologin to the account stack.

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.
Michael Weiser
2007-Jan-22 22:06 UTC
nologin not working with openssh >= 4.3 and authentication != password
Hi developers,

today I tried to disable logins to an ssh server by putting a nologin file into /etc. This only worked for logins that use the password authentication mechanism. publickey-based authentications still succeeded and the users were allowed into the system. This seems straightforward to me since openssh 4.3 disabled the evaluation of /etc/nologin in favour of pam_nologin but doesn't use PAM for anything other than password-based logins, does it?

Is this a known issue or even a non-issue due to a misunderstanding on my part?

--
Thanks in advance, bye,
Michael
Damien Miller
2007-Jan-22 22:27 UTC
nologin not working with openssh >= 4.3 and authentication != password
On Fri, 5 Jan 2007, Michael Weiser wrote:
> Hi developers,
>
> today I tried to disable logins to an ssh server by putting a nologin
> file into /etc. This only worked for logins that use the password
> authentication mechanism. publickey-based authentications still
> succeeded and the users were allowed into the system. This seems
> straightforward to me since openssh 4.3 disabled the evaluation of
> /etc/nologin in favour of pam_nologin but doesn't use PAM for anything
> other than password-based logins, does it?

Yes, PAM account and session modules are run for non-password authentications. My guess is that you have the nologin module in the authentication section of your PAM config.

-d
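Both replies above make the same point: sshd runs the PAM account stack for every authentication method, so pam_nologin only blocks publickey logins when it sits in the account stack rather than the auth stack. The following is an added example, not code from the thread or from OpenSSH: a POSIX shell check that reports which PAM stacks reference pam_nologin in a service file, run here against two constructed /etc/pam.d/sshd fragments (the misconfigured one and the corrected one).

```shell
#!/bin/sh
# Added example (not from the thread). Checks whether pam_nologin is wired
# into the PAM "account" stack, which sshd evaluates for all auth methods.

# Constructed sample: pam_nologin only in the auth stack. sshd only runs the
# auth stack for password/kbdint logins, so publickey logins bypass it.
auth_only='
auth     required   pam_nologin.so
auth     required   pam_unix.so
account  required   pam_unix.so
session  required   pam_unix.so
'

# Constructed sample: pam_nologin in the account stack, so /etc/nologin is
# honoured regardless of how the user authenticated.
fixed='
auth     required   pam_unix.so
account  required   pam_nologin.so
account  required   pam_unix.so
session  required   pam_unix.so
'

# Read PAM config text on stdin and print the stack names (auth, account,
# session, password) whose lines reference pam_nologin.so. Comments are
# stripped and a leading "-" (PAM's "skip silently if module is missing"
# marker) is removed from the stack name.
nologin_stacks() {
    sed -e 's/#.*//' |
        awk '/pam_nologin\.so/ { s = $1; sub(/^-/, "", s); print s }' |
        sort -u
}

# Return 0 if the given config text has pam_nologin in the account stack.
nologin_in_account() {
    printf '%s\n' "$1" | nologin_stacks | grep -qx account
}

# Report on a service file on disk, e.g. check_sshd_pam /etc/pam.d/sshd
check_sshd_pam() {
    if nologin_in_account "$(cat "$1")"; then
        echo "$1: pam_nologin is in the account stack (applies to all auth methods)"
    else
        echo "$1: pam_nologin is NOT in the account stack (publickey logins ignore /etc/nologin)"
        return 1
    fi
}
```

The check does not follow `@include` or `include` directives, so on distributions that pull the account stack in from a shared file (for example a `common-account` file) run it against that file as well.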