http://bugzilla.novell.com/show_bug.cgi?id=530885
http://bugzilla.novell.com/show_bug.cgi?id=530885#c4

Rolf Krahl <rolf@rotkraut.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |rolf@rotkraut.de

--- Comment #4 from Rolf Krahl <rolf@rotkraut.de> 2010-04-18 09:52:21 UTC ---
Reopen: this is not a bug in upstream ssh, but a bug in the pam config as
installed by Suse.

The ssh people are right, ssh's behaviour is absolutely correct: if a user is
already authenticated by publickey or hostbased, there is no point in trying
yet another authentication with PAM.

pam_nologin has nothing to do with authentication; the presence of a
/etc/nologin does not mean that all user passwords suddenly became invalid.
It means that the system is currently unavailable for users. That is exactly
what the account chain in PAM is intended for. Thus, placing pam_nologin in
the auth chain is simply wrong. It belongs to the account chain, as Ludwig
already pointed out.

Suggested fix, variant 1 (to apply to the openssh src rpm):
------------------------------
--- sshd.pamd.orig 2010-04-15 16:20:12.221162258 +0200
+++ sshd.pamd 2010-04-18 11:23:25.877161497 +0200
@@ -1,6 +1,6 @@
 #%PAM-1.0
-auth requisite pam_nologin.so
 auth include common-auth
+account requisite pam_nologin.so
 account include common-account
 password include common-password
 session required pam_loginuid.so
------------------------------

An even broader solution would be to move pam_nologin to common-account. In
fact, if a system is in maintenance and the admin creates a /etc/nologin to
lock users temporarily out, usually all user activities should be disallowed
at once, not just ssh logins.

Suggested fix, variant 2 (to apply to the pam src rpm):
------------------------------
--- common-account.pamd.orig 2010-04-15 16:02:04.769163876 +0200
+++ common-account.pamd 2010-04-18 11:42:45.288253143 +0200
@@ -6,4 +6,5 @@
 # the central access policy for use on the system. The default is to
 # only deny service to users whose accounts are expired.
 #
+account requisite pam_nologin.so
 account required pam_unix2.so
------------------------------

Then, the pam_nologin line can be removed from the pam files in login, ppp,
and openssh (and maybe other packages).

-- 
Configure bugmail: http://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
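Review bot: in the sshd.pamd hunk (variant 1), the new `account requisite pam_nologin.so` line duplicates the check that variant 2 would pull in through the unchanged `account include common-account` context line, so if both variants are applied pam_nologin runs twice in sshd's account stack; ship one variant or the other, or drop this line once common-account carries it, as the closing paragraph of the comment proposes. Keeping `requisite` is right: a /etc/nologin refusal returns before common-account is consulted, which matches the old auth-stack placement. The changelog should still say that for password logins the password is now verified by common-auth before the nologin refusal, since the refusal moves from the auth phase to the account phase.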
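Review bot: in the common-account.pamd hunk (variant 2), the comment directly above the added line, "The default is to only deny service to users whose accounts are expired", is left stale: with this change the default policy also refuses every user while /etc/nologin exists, so update that comment in the same patch, e.g. "only deny service to users whose accounts are expired, or to all users while /etc/nologin exists". Placing the line before `account required pam_unix2.so` with `requisite` is fine: a nologin denial returns immediately and pam_unix2 is not consulted for the refused login.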
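The auth-chain versus account-chain distinction made in the comment above is the kind of thing worth checking mechanically across a pam.d directory, because an `include` line hides where pam_nologin actually ends up. The following script is an added example, not part of the bug report and not SUSE's or openssh's packaging: it walks a service file, follows `include`/`substack` lines the way Linux-PAM does (an include pulls in only the lines of the including stack's type), and reports which stack each pam_nologin line is reached through. The function names, the temporary directory layout and the sample pam.d files (modelled on the shipped sshd file and the two suggested variants) are assumptions constructed for this example.

```shell
#!/bin/sh
# Added example, not part of the bug report or of the SUSE/openssh packaging:
# audit which PAM stack(s) a service reaches pam_nologin through, following
# "include"/"substack" lines the way Linux-PAM does (an include pulls in only
# the lines of the including stack's type). Function names, directory layout
# and file contents below are assumptions constructed for this example.

# Usage: pam_nologin_stacks PAMDIR SERVICE [TYPE]
# Prints one stack name (auth/account/password/session) per pam_nologin line
# reachable from PAMDIR/SERVICE; TYPE, when given, limits the scan to that
# stack, which is what following an "include" line implies.
pam_nologin_stacks() {
    [ -r "$1/$2" ] || return 0
    awk -v want="${3:-}" '
        /^[[:space:]]*#/ || NF < 3 { next }        # comments, blank and short lines
        {
            type = $1; sub(/^-/, "", type)         # "-auth" marks an optional module
            if (want != "" && type != want) next
            if ($2 == "include" || $2 == "substack") { print type, $2, $3; next }
            i = 3                                  # module is normally the 3rd field...
            if ($2 ~ /^\[/)                        # ...unless "[success=1 default=ignore]"
                for (i = 2; i <= NF; i++) if ($i ~ /\]$/) { i++; break }
            if ($i ~ /(^|\/)pam_nologin\.so$/) print type, "module", $i
        }' "$1/$2" |
    while read -r type kind arg; do
        case $kind in
            module)           echo "$type" ;;
            include|substack) pam_nologin_stacks "$1" "$arg" "$type" ;;
        esac
    done
}

# Usage: pam_nologin_ok PAMDIR SERVICE
# Returns 0 when pam_nologin is reached only through the account stack (or not
# at all) and 1 when it sits in the auth stack, where a publickey or hostbased
# login never runs it because sshd skips PAM authentication entirely.
pam_nologin_ok() {
    if pam_nologin_stacks "$1" "$2" | grep -qx auth; then return 1; fi
    return 0
}

# Constructed sample trees: the shipped layout from the bug, variant 1 (moved
# within sshd's own file) and variant 2 (moved into common-account).
TMPD=$(mktemp -d); trap 'rm -rf "$TMPD"' EXIT
put() { mkdir -p "${1%/*}"; cat > "$1"; }

put "$TMPD/shipped/sshd" <<'EOF'
#%PAM-1.0
auth     requisite  pam_nologin.so
auth     include    common-auth
account  include    common-account
password include    common-password
session  required   pam_loginuid.so
EOF
put "$TMPD/variant1/sshd" <<'EOF'
#%PAM-1.0
auth     include    common-auth
account  requisite  pam_nologin.so
account  include    common-account
password include    common-password
session  required   pam_loginuid.so
EOF
put "$TMPD/variant2/sshd" <<'EOF'
#%PAM-1.0
auth     include    common-auth
account  include    common-account
password include    common-password
session  required   pam_loginuid.so
EOF
for d in shipped variant1 variant2; do
    put "$TMPD/$d/common-auth" <<'EOF'
auth     required   pam_unix2.so
EOF
    put "$TMPD/$d/common-account" <<'EOF'
# The default is to only deny service to users whose accounts are expired.
account  required   pam_unix2.so
EOF
done
# Variant 2 puts the line into common-account, so every service inherits it.
put "$TMPD/variant2/common-account" <<'EOF'
account  requisite  pam_nologin.so
account  required   pam_unix2.so
EOF

for d in shipped variant1 variant2; do
    if pam_nologin_ok "$TMPD/$d" sshd; then verdict=ok
    else verdict="pam_nologin in auth stack: publickey logins bypass /etc/nologin"; fi
    printf '%-9s %s\n' "$d" "$verdict"
done
```

Run against a real system with `pam_nologin_stacks /etc/pam.d sshd`; the output should be `account` (possibly more than once if a service file and common-account both carry the line, which is the double-check the two variants would produce if applied together), never `auth`.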