similar to: nologin not working with openssh >= 4.3 and authentication != password

My apologies if this has already been discussed. I looked through the mailing list archives and couldn't see any mention of this problem. I compiled and installed openssh-2.3.0p1 on a sparc running SunOS 5.7, and while I was testing it to make sure everything was working properly, I noticed that when I used PAM to authenticate, rather than /bin/login, sshd was not honoring /etc/nologin. I

Hello everyone, I noticed recently that when I had /etc/nologin in place on my server I couldn't log in when I authenticated via passwords, but when I used RSA authentication I was able to log in no problem. I looked through the source, and I think I might see where the problem is. I have a Linux system, so sshd was compiled with PAM support. Using normal authentication, the pam_nologin

hi, the man page for sshd(1) says about /etc/nologin: "The file should be world-readable". However, nologin has no effect if it's not readable by the connecting user: if (pw->pw_uid) f = fopen(_PATH_NOLOGIN, "r"); if (f) { /* /etc/nologin exists. Print its contents and exit. */ ... ... return(254) if root has a

On Thu, 10 Jan 2019 at 16:09, Kenneth Porter <shiva at sewingwitch.com> wrote: > I updated to CentOS 7.6 and something must have changed in the base OS > setup that prevents vsftpd from allowing logins for accounts with > /sbin/nologin as their shell. I had to add that to /etc/shells so that > such > accounts could FTP again. That file is in the setup package. Did it >

Hi. One thing that people seem to want to do with PAM is to deny a login immediately without interacting but return a message to the user. (Some platforms implement, eg, /etc/nologin via PAM this way.) Currently, sshd will just deny the login and the user will not be told why. Attached it a patch that return a keyboard-interactive packet with the message in the "instruction"

Hello, Still busy with details... Considering, as in my previous example, a password_query returning '!' or NULL for the "nologin" column, depending on an account's status (suspended or not). Let's consider a suspended user "some.user". In the case of a successful authentication, one has: sh-3.2# doveadm auth test some.user goodpassword; echo $? passdb:

Attached is a patch to be applied with GNU patch -p0, notice that configure needs to be regenerated. The patch addresses the following annoyances: * On AIX there is a signal called SIGDANGER which is sent to all processes when the machine runs low on virtual memory. This patch makes sure that this signal is ignored, because the default on older AIX releases is to kill the running process

I am running Dovecot with system users (userdb passwd), but some of those users don't have shell accounts on the IMAP server so their shell on that machine is set to /usr/sbin/nologin. Currently I am using maildirs and this is not a problem, but I am in the process of switching to dbox which means I will need a cronjob running 'doveadm purge -A'. During testing I found that those

http://bugzilla.mindrot.org/show_bug.cgi?id=1045 Summary: Missing option for ignoring the /etc/nologin file Product: Portable OpenSSH Version: 4.0p1 Platform: All OS/Version: Linux Status: NEW Severity: enhancement Priority: P2 Component: sshd AssignedTo: bitbucket at mindrot.org

I notice that the nologin parameter for the AUTH command is gone in version 1.1 of Dovecot Authentication Protocol. nologin was added in 1.1, so that authentication client could indicate that there will be no subsequent master requests to retrieve user info. Could we have nologin back please? Kirill

Hello, I have a basic e-mail server with Postfix 3.1 and Dovecot 2.2.22. I am using a passwd-file for both userdb and passdb: /etc/dovecot/dovecot.conf userdb { driver = passwd-file args = /etc/dovecot/passwd } passdb { driver = passwd-file args = /etc/dovecot/passwd } } In the passwd file, I want to have

I am having issues integrating a FC3 system with AD running on W2k3. I can not figure out why the user ID mappings and Group ID mappings are going stale. This is a generic FC3 install with all of the latest updates. login as: jgallagh Sent username "jgallagh" jgallagh@linman's password: Last login: Fri May 6 08:14:23 2005 from 192.168.168.2 id: cannot find name for group ID

Hi at all, in our test environment, I'm playing with dovecot 2.1.13 configured as imap/pop/managesieve proxy. It is configured to authenticate users with ldap and it works very well. Now, I'd like to temporary disable some users's login, because we are moving to another storage, and I wouldn't stop imap service at all. I've found on Dovecot wiki that I could use

Hi. I'm using nologin with own reason [1]. That works fine. For example pop3 client gets nice message like "-ERR [AUTH] Account is locked. Please contact support." Unfortunately maillog lacks information details about why user was not allowed to log in. pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<testuser>, method=LOGIN, rip=1.1.1.1, lip=2.2.2.2,

I'm seeing a problem under AIX (4.3.3, 5.1, 5.2) very similar to bug #178. It occurs with both 3.6.1p1 and openssh-SNAP-20030910. If /etc/nologin is present, a session requesting a pty will hang, apparently when the sshd parent tries to close the pty slave. As in bug #178, adding a brief sleep to the child sshd anytime after the fork seems to clear up the problem (though I agree that this

If the shell of user alpha is /sbin/nologin When use rsync with ssh mode, is it possible for alpha to use rsync to backup data? I don't permit alpha to login the backup server. Thanks very much! Best Regards! Jacky Kim .

I need to be able to setup a nologin system for users on my mail server on a per user basis. We are going to do some maintenance on each user (individually) and would like it if they could not login to dovecot while we do this. I was curious if dovecot implemented anything like this. We are currently using standard pam authentication (nothing db related) and I was hoping to be able to touch a

On Monday 21 of November 2016, @lbutlr wrote: > On Nov 21, 2016, at 7:39 AM, Arkadiusz Mi?kiewicz <arekm at maven.pl> wrote: > > reason is the only thing in maillog that allows to distinguish why user > > was not allowed to log in. > > Um? the only thing? How about where you set the reason in the first place? That "first" place is constantly changing

I'm writing a PAM module to do authentication through Signal (as in Open Whisper Systems) [1]. I would like to be able to offer (Public key AND Signal) or (Password AND Signal) for authentication. This suggests setting AuthenticationMethods to publickey,keyboard-interactive:pam password,keyboard-interactive:pam However, when PAM is enabled "password" means "show password

Hi there, I have just compiled up 3.6.1p2 both with and without Darren Tuckers passexpire patch. However, with the patch applied /etc/nologin isn't displayed to users (on AIX 5.1 / PSSP) The patched vesion seems to fail with "illegal user" - some parts of a debug 3 log... debug1: userauth-request for user ade45 service ssh-connection method none debug1: attempt 0 failures 0