search for: _path_nologin

hi, the man page for sshd(1) says about /etc/nologin: "The file should be world-readable". However, nologin has no effect if it's not readable by the connecting user: if (pw->pw_uid) f = fopen(_PATH_NOLOGIN, "r"); if (f) { /* /etc/nologin exists. Print its contents and exit. */ ... ... return(254) if root has a stricter mask than 022 it can easily happen that /etc/nologin can have 0600 permissions, for example. The user would not be able to send the file...

...6 @@ # define _PATH_MAILDIR MAILDIR #endif /* !defined(_PATH_MAILDIR) && defined(MAILDIR) */ -#ifndef _PATH_RSH -# ifdef RSH_PATH -# define _PATH_RSH RSH_PATH -# else /* RSH_PATH */ -# define _PATH_RSH "/usr/bin/rsh" -# endif /* RSH_PATH */ -#endif /* _PATH_RSH */ - #ifndef _PATH_NOLOGIN # define _PATH_NOLOGIN "/etc/nologin" #endif

...+#ifndef _CRAY +# if !defined(HAVE_OSF_SIA) if (!options.use_login) { -# ifdef HAVE_LOGIN_CAP +# ifdef HAVE_LOGIN_CAP if (!login_getcapbool(lc, "ignorenologin", 0) && pw->pw_uid) f = fopen(login_getcapstr(lc, "nologin", _PATH_NOLOGIN, _PATH_NOLOGIN), "r"); -# else /* HAVE_LOGIN_CAP */ +# else /* HAVE_LOGIN_CAP */ if (pw->pw_uid) f = fopen(_PATH_NOLOGIN, "r"); -# endif /* HAVE_LOGIN_CAP */ +# endif /* HAVE_LOGIN_CAP */ if...

...pw->pw_name, msg); } - /* Remove trailing newline */ - *--p = '\0'; - logit("Login restricted for %s: %.100s", pw->pw_name, - loginmsg); + /* Don't fail if /etc/nologin set */ + if (!(loginrestrict_errno == EPERM && + stat(_PATH_NOLOGIN, &st) == 0)) + return 0; } - /* Don't fail if /etc/nologin set */ - if (!(loginrestrict_errno == EPERM && - stat(_PATH_NOLOGIN, &st) == 0)) - return 0; } #endif /* WITH_AIXAUTHENTICATE */ Index: session.c ================================================...

...message in /etc/nologin we have to ! * accept him here. Otherwise the message will just be logged and the ! * user gets only a permission denied message. ! */ ! if (loginrestrictions(pw->pw_name, S_RLOGIN, NULL, &loginmsg) != 0 && ! (errno != EPERM || ! stat(_PATH_NOLOGIN, &st) != 0)) { if (loginmsg && *loginmsg) { /* Remove embedded newlines (if any) */ char *p; Index: session.c =================================================================== RCS file: /usr/local/.cvs/auth/openssh/session.c,v retrieving revision 1.1.1.7 diff -c -r1.1.1...

...\ defined(HAS_SHADOW_EXPIRE) -#define DAY (24L * 60 * 60) /* 1 day in seconds */ if (!options.use_pam && (spw = getspnam(pw->pw_name)) != NULL) { today = time(NULL) / DAY; debug3("allowed_user: today %d sp_expire %d sp_lstchg %d" @@ -221,6 +223,65 @@ stat(_PATH_NOLOGIN, &st) == 0)) return 0; } + } + + /* + * Check AIX password expiry. Only check when running as root. + * Unpriv'ed users can't access /etc/security/passwd or + * /etc/security/user so passwdexpired will always fail. + */ + if (geteuid() == 0) { + char *msg, *user = pw->p...

...\ defined(HAS_SHADOW_EXPIRE) -#define DAY (24L * 60 * 60) /* 1 day in seconds */ if (!options.use_pam && (spw = getspnam(pw->pw_name)) != NULL) { today = time(NULL) / DAY; debug3("allowed_user: today %d sp_expire %d sp_lstchg %d" @@ -221,6 +223,65 @@ stat(_PATH_NOLOGIN, &st) == 0)) return 0; } + } + + /* + * Check AIX password expiry. Only check when running as root. + * Unpriv'ed users can't access /etc/security/passwd or + * /etc/security/user so passwdexpired will always fail. + */ + if (geteuid() == 0) { + char *msg, *user = pw->p...

...ly a problem for "UseLogin yes". - millert at cvs.openbsd.org 2000/08/20 12:30:59 [session.c] Only check /etc/nologin if "UseLogin no" since login(1) may have its own policy on determining who is allowed to login when /etc/nologin is present. Also use the _PATH_NOLOGIN define. - millert at cvs.openbsd.org 2000/08/20 12:42:43 [auth1.c auth2.c session.c ssh.c] Add calls to setusercontext() and login_get*(). We basically call setusercontext() in most places where previously we did a setlogin(). Add default login.conf file and put root in the...