http://bugzilla.novell.com/show_bug.cgi?id=619789

http://bugzilla.novell.com/show_bug.cgi?id=619789#c1

Tim Mohlmann <muhlemmer@gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |CLOSED
                 CC|                            |muhlemmer@gmail.com
         Resolution|                            |INVALID
           Severity|Major                       |Minor

--- Comment #1 from Tim Mohlmann <muhlemmer@gmail.com> 2010-07-25 19:35:07 UTC ---

I believe the account should NOT be blocked. (I am actually sure of this.) The shell has to be set to /usr/bin/nxserver in order to prevent anyone from logging into this account and opening a regular shell.

The system user "nx" is treated as a regular user when logging in. The nxclient first sets up an ssh connection to your sshd. It tries to log in with user "nx". sshd checks its config to see if this user is allowed to log in through ssh (AllowedUsers or AllowedGroups option), then it uses Pam (EnablePam option in sshd_config) to check if the user is valid. If the user is disabled in yast, it is disabled for pam and so it is for sshd.

The nxclient continues with pub key authentication for user "nx". If this is successful, another connection is made, to the localhost address of sshd, to use sshd's authentication setting to interact with pam, or whatever it's set to, to log in the actual user: you. All this done, it continues to locate and connect to the display... etc.

The point: User nx won't work when it's blocked, this is how it should be. If you don't want it to be like this, you should use other authentication methods for sshd. (E.g. disable Pam in sshd config.)

You don't have to set a password for nx. When the user is added with "nxsetup --install", the user is added as an enabled system user. As with all system users, they are enabled, they have an alternate login shell (e.g. /bin/false) and some or no password set, which doesn't matter for us.

Anyway, it is an INVALID bug, since the programs are working exactly as they should be.
You might consider reopening the bug as an enhancement, motivating what you want to have changed. But being straightforward: allowing disabled users through sshd is not secure and will be a bug in itself. (Did you search if it was not an old bug or security hole which is fixed and thus changed the behaviour for you?)

Tim Mohlmann
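The checks the comment walks through, as an added example that is not part of the bug report or of NX: a Python audit that reports which conditions would stop the "nx" SSH login or leave it with the wrong shell. Assumptions: the allow-list keywords are read as `AllowUsers` and `AllowGroups` (the names sshd_config(5) documents), a disabled account is taken to be a `!` prefix on the shadow password field as `usermod -L` writes it, the function names are hypothetical, and all sample lines are constructed.

```python
import fnmatch

# Constructed sample inputs, not taken from any real host.
SSHD_CONFIG = "Port 22\nAllowUsers alice nx\n"
PASSWD_LINE = "nx:x:490:100:constructed:/srv/nx-home:/usr/bin/nxserver"
SHADOW_LINE = "nx:!:14815::::::"  # '!' prefix = locked, as usermod -L writes it

def sshd_lists(config):
    """Collect AllowUsers/AllowGroups patterns from sshd_config text.
    Keywords are case-insensitive and repeated lines accumulate."""
    lists = {"allowusers": [], "allowgroups": []}
    for line in config.splitlines():
        parts = line.split("#", 1)[0].split()
        if parts and parts[0].lower() in lists:
            lists[parts[0].lower()] += parts[1:]
    return lists

def matches(names, patterns):
    """True if any name matches any pattern (fnmatch wildcards only)."""
    return any(fnmatch.fnmatchcase(n, p) for n in names for p in patterns)

def check_nx(config, passwd_line, shadow_line, groups,
             expected_shell="/usr/bin/nxserver"):
    """Return the findings that would stop, or weaken, the nx SSH login."""
    fields = passwd_line.strip().split(":")
    name, shell = fields[0], fields[6]
    lists = sshd_lists(config)
    # USER@HOST patterns are reduced to their USER part (simplification).
    users = [p.split("@")[0] for p in lists["allowusers"]]
    findings = []
    if users and not matches([name], users):
        findings.append("not matched by AllowUsers")
    if lists["allowgroups"] and not matches(groups, lists["allowgroups"]):
        findings.append("not matched by AllowGroups")
    if shadow_line.split(":")[1].startswith("!"):
        findings.append("account locked in shadow")
    if shell != expected_shell:
        findings.append("login shell is " + shell)
    return findings

if __name__ == "__main__":
    for finding in check_nx(SSHD_CONFIG, PASSWD_LINE, SHADOW_LINE, ["users"]):
        print("nx:", finding)
```

An empty result means none of the listed conditions applies; the check does not model PAM itself, negated patterns, or Deny lists.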