http://bugzilla.novell.com/show_bug.cgi?id=530885
http://bugzilla.novell.com/show_bug.cgi?id=530885#c4
Rolf Krahl changed:
What | Removed | Added
-----+---------+------------------
CC   |         | rolf@rotkraut.de
--- Comment #4 from Rolf Krahl 2010-04-18 09:52:21 UTC ---
Reopen: this is not a bug in upstream ssh, but a bug in the pam config as
installed by Suse.
The ssh people are right, ssh's behaviour is absolutely correct: if a user is
already authenticated by publickey or hostbased, there is no point in trying
yet another authentication with PAM. pam_nologin has nothing to do with
authentication, the presence of a /etc/nologin does not mean that all user
passwords suddenly became invalid. It means that the system is currently
unavailable for users. That is exactly what the account chain in PAM is
intended for.
Thus, placing pam_nologin in the auth chain is simply wrong. It belongs in the
account chain, as Ludwig already pointed out.
Suggested fix, variant 1 (to apply to the openssh src rpm):
------------------------------
--- sshd.pamd.orig 2010-04-15 16:20:12.221162258 +0200
+++ sshd.pamd 2010-04-18 11:23:25.877161497 +0200
@@ -1,6 +1,6 @@
#%PAM-1.0
-auth requisite pam_nologin.so
auth include common-auth
+account requisite pam_nologin.so
account include common-account
password include common-password
session required pam_loginuid.so
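Review bot: the new `account requisite pam_nologin.so` line carries no comment explaining why the nologin check moved out of the auth stack; since the justification (publickey and hostbased logins skip the auth stack entirely, and /etc/nologin is an availability rather than an authentication condition) lives only in this bug, a one-line `#` comment above it in sshd.pamd would keep the next packager from moving it back. The `requisite` control is kept from the removed line, so a nologin failure still ends the stack before `account include common-account` runs, which matches the old ordering.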
------------------------------
An even broader solution would be to move pam_nologin to common-account. In
fact, if a system is in maintenance and the admin creates a /etc/nologin to
temporarily lock users out, usually all user activities should be disallowed at
once, not just ssh logins.
Suggested fix, variant 2 (to apply to the pam src rpm):
------------------------------
--- common-account.pamd.orig 2010-04-15 16:02:04.769163876 +0200
+++ common-account.pamd 2010-04-18 11:42:45.288253143 +0200
@@ -6,4 +6,5 @@
# the central access policy for use on the system. The default is to
# only deny service to users whose accounts are expired.
#
+account requisite pam_nologin.so
account required pam_unix2.so
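Review bot: the comment immediately above the added line still says "The default is to only deny service to users whose accounts are expired", which is no longer true once pam_nologin sits first in common-account; update that comment to mention the /etc/nologin check. Also worth stating in the changelog: because common-account is included by every service that runs an account check, not only login and sshd, /etc/nologin will now block non-root use of any such service, which is the broader effect the comment intends but that administrators should expect.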
------------------------------
Then, the pam_nologin line can be removed from the pam files in login, ppp, and
openssh (and maybe other packages).