[Bug 530885] New: sshd fails to honour /etc/nologin presence when ssh keys used during login
http://bugzilla.novell.com/show_bug.cgi?id=530885

           Summary: sshd fails to honour /etc/nologin presence when ssh keys used during login
    Classification: openSUSE
           Product: openSUSE 11.1
           Version: Final
          Platform: x86-64
        OS/Version: openSUSE 11.1
            Status: NEW
          Severity: Major
          Priority: P5 - None
         Component: Security
        AssignedTo: security-team@suse.de
        ReportedBy: liam.gretton@leicester.ac.uk
         QAContact: qa@suse.de
          Found By: ---

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2

With the pam module pam_nologin in use, all non-root logins are supposed to be prevented if the file /etc/nologin exists. SSH fails to prevent user logins if /etc/nologin exists and the user authenticates with a key. Authentications with a password are successfully prevented, as expected.

Reproducible: Always

Steps to Reproduce:
1. Add pam_nologin to /etc/pam.d/login:
   auth requisite pam_nologin.so
2. Create /etc/nologin
3. Log in via SSH with a password. Login will be correctly prevented.
4. Log in via SSH with a key. Login is successful.

Actual Results: SSH login with a key is not prevented by pam_nologin.

Expected Results: SSH login with a key should be prevented by pam_nologin when /etc/nologin is present.

openssh-5.1p1-40.15
pam-1.0.2-13.4

--
Configure bugmail: http://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
http://bugzilla.novell.com/show_bug.cgi?id=530885

Thomas Biege <thomas@novell.com> changed:

           What    |Removed                 |Added
----------------------------------------------------------------------------
                 CC|                        |security-team@suse.de
         AssignedTo|security-team@suse.de   |anicka@novell.com
http://bugzilla.novell.com/show_bug.cgi?id=530885
http://bugzilla.novell.com/show_bug.cgi?id=530885#c1

Anna Bernathova <anicka@novell.com> changed:

           What    |Removed                 |Added
----------------------------------------------------------------------------
             Status|NEW                     |CLOSED
         Resolution|                        |WONTFIX

--- Comment #1 from Anna Bernathova <anicka@novell.com> 2009-08-14 09:15:05 MDT ---
I am sorry, but the key authentication goes around pam and AFAIK upstream considers it a feature that they want to work this way. Anyway, as we are trying to be as close to the upstream version for security reasons, I am not going to change it. The eventual request for a different behavior should go to upstream.
http://bugzilla.novell.com/show_bug.cgi?id=530885
http://bugzilla.novell.com/show_bug.cgi?id=530885#c2

--- Comment #2 from Ludwig Nussel <lnussel@novell.com> 2009-08-18 06:31:30 MDT ---
FWIW it works if you use 'account' instead of 'auth'. Also, the correct file to modify is /etc/pam.d/sshd
http://bugzilla.novell.com/show_bug.cgi?id=530885
http://bugzilla.novell.com/show_bug.cgi?id=530885#c3

--- Comment #3 from Liam Gretton <liam.gretton@leicester.ac.uk> 2009-11-09 08:30:40 MST ---
Ludwig - thanks for that, SSH logins with keyboard and key auth are indeed prevented with account instead of auth in /etc/pam.d/sshd.

For anyone else's benefit then, here's my /etc/pam.d/sshd file:

account  requisite pam_nologin.so
auth     include   common-auth
account  include   common-account
password include   common-password
session  required  pam_loginuid.so
session  include   common-session
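The sshd/PAM interaction behind comments #1 to #3, as an added example that is not part of the bug thread: a toy model in which sshd (assumed to run with UsePAM) consults the PAM 'auth' stack only for password logins but the 'account' stack for every login, so pam_nologin is bypassed by key logins in the auth stack and enforced in the account stack. Only pam_nologin is modelled; the two /etc/pam.d/sshd texts are constructed copies of the configurations quoted in the thread.

```python
NOLOGIN = "pam_nologin.so"

def parse_pam(text):
    """pam.d lines -> (stack, control, module); comments and blanks skipped."""
    entries = []
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 3:
            # a leading '-' on the stack name marks an optional module line
            entries.append((parts[0].lstrip("-"), parts[1], parts[2]))
    return entries

def stack_passes(entries, stack, user, nologin_present):
    """Toy PAM stack: only pam_nologin can fail (non-root user while
    /etc/nologin exists) and only under 'required' or 'requisite'.
    Every other module, and every 'include' line, is assumed to succeed."""
    for s, control, module in entries:
        if (s == stack and module == NOLOGIN and nologin_present
                and user != "root" and control in ("required", "requisite")):
            return False
    return True

def login_allowed(pam_text, method, user="alice", nologin_present=True):
    """Model of sshd with UsePAM: password/keyboard-interactive logins run the
    PAM 'auth' stack; publickey/hostbased logins skip it because the key has
    already authenticated the user. The 'account' stack runs for every method."""
    entries = parse_pam(pam_text)
    if method in ("password", "keyboard-interactive"):
        if not stack_passes(entries, "auth", user, nologin_present):
            return False
    return stack_passes(entries, "account", user, nologin_present)

# Constructed copies of the /etc/pam.d/sshd variants quoted in the thread.
SSHD_AUTH_NOLOGIN = """#%PAM-1.0
auth requisite pam_nologin.so
auth include common-auth
account include common-account
password include common-password
session required pam_loginuid.so
session include common-session
"""
SSHD_ACCOUNT_NOLOGIN = SSHD_AUTH_NOLOGIN.replace(
    "auth requisite pam_nologin.so", "account requisite pam_nologin.so")

if __name__ == "__main__":
    for name, cfg in (("auth", SSHD_AUTH_NOLOGIN), ("account", SSHD_ACCOUNT_NOLOGIN)):
        for method in ("password", "publickey"):
            verdict = "allowed" if login_allowed(cfg, method) else "denied"
            print(f"pam_nologin in {name} stack, {method} login: {verdict}")
```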
http://bugzilla.novell.com/show_bug.cgi?id=530885
http://bugzilla.novell.com/show_bug.cgi?id=530885#c4

Rolf Krahl <rolf@rotkraut.de> changed:

           What    |Removed                 |Added
----------------------------------------------------------------------------
                 CC|                        |rolf@rotkraut.de

--- Comment #4 from Rolf Krahl <rolf@rotkraut.de> 2010-04-18 09:52:21 UTC ---
Reopen: this is not a bug in upstream ssh, but a bug in the pam config as installed by Suse.

The ssh people are right, ssh's behaviour is absolutely correct: if a user is already authenticated by publickey or hostbased, there is no point in trying yet another authentication with PAM.

pam_nologin has nothing to do with authentication, the presence of a /etc/nologin does not mean that all user passwords suddenly became invalid. It means that the system is currently unavailable for users. That is exactly what the account chain in PAM is intended for. Thus, placing pam_nologin in the auth chain is simply wrong. It belongs to the account chain, as Ludwig already pointed out.

Suggested fix, variant 1 (to apply to the openssh src rpm):
------------------------------
--- sshd.pamd.orig	2010-04-15 16:20:12.221162258 +0200
+++ sshd.pamd	2010-04-18 11:23:25.877161497 +0200
@@ -1,6 +1,6 @@
 #%PAM-1.0
-auth requisite pam_nologin.so
 auth include common-auth
+account requisite pam_nologin.so
 account include common-account
 password include common-password
 session required pam_loginuid.so
------------------------------

An even broader solution would be to move pam_nologin to common-account. In fact, if a system is in maintenance and the admin creates a /etc/nologin to lock users temporarily out, usually all user activities should be disallowed at once, not just ssh logins.

Suggested fix, variant 2 (to apply to the pam src rpm):
------------------------------
--- common-account.pamd.orig	2010-04-15 16:02:04.769163876 +0200
+++ common-account.pamd	2010-04-18 11:42:45.288253143 +0200
@@ -6,4 +6,5 @@
 # the central access policy for use on the system. The default is to
 # only deny service to users whose accounts are expired.
 #
+account requisite pam_nologin.so
 account required pam_unix2.so
------------------------------

Then, the pam_nologin line can be removed from the pam files in login, ppp, and openssh (and maybe other packages).
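Review bot: In the sshd.pamd hunk, the moved line `+account requisite pam_nologin.so` only reaches publickey and hostbased logins if sshd actually runs the PAM account stage, which it does only with UsePAM yes in sshd_config; with UsePAM no the account stack is never consulted and the change has no effect on key logins, so the patch description should state that dependency. Dropping `-auth requisite pam_nologin.so` also means a password login is now refused after its password has been verified rather than before, which is the ordering the comment argues for (the file marks the system unavailable, not the credentials invalid) and is worth spelling out for anyone reading the sshd log.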
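Review bot: In the common-account.pamd hunk, `+account requisite pam_nologin.so` is inserted directly below a comment that still reads "The default is to only deny service to users whose accounts are expired", which stops being true once this line is in; the comment should be updated in the same hunk. The bigger point is scope: common-account is included by every service's PAM file, not only by login services, so this variant makes /etc/nologin deny every non-root user in every PAM-using service, which is the concern Michael Calmer raises in comment #8. If that is intended, the description should say so; otherwise variant 1 is the narrower change.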
http://bugzilla.novell.com/show_bug.cgi?id=530885
http://bugzilla.novell.com/show_bug.cgi?id=530885#c5

Rolf Krahl <rolf@rotkraut.de> changed:

           What    |Removed                 |Added
----------------------------------------------------------------------------
             Status|CLOSED                  |REOPENED
         Resolution|WONTFIX                 |

--- Comment #5 from Rolf Krahl <rolf@rotkraut.de> 2010-04-18 09:53:48 UTC ---
see above
http://bugzilla.novell.com/show_bug.cgi?id=530885
http://bugzilla.novell.com/show_bug.cgi?id=530885#c6

Ludwig Nussel <lnussel@novell.com> changed:

           What    |Removed                 |Added
----------------------------------------------------------------------------
          Component|Security                |Security
            Version|Final                   |Factory
            Product|openSUSE 11.1           |openSUSE 11.3
   Target Milestone|---                     |Factory

--- Comment #6 from Ludwig Nussel <lnussel@novell.com> 2010-04-19 09:06:51 CEST ---
moving to 11.3
http://bugzilla.novell.com/show_bug.cgi?id=530885
http://bugzilla.novell.com/show_bug.cgi?id=530885#c7

Anna Bernathova <anicka@novell.com> changed:

           What    |Removed                 |Added
----------------------------------------------------------------------------
             Status|REOPENED                |NEEDINFO
       InfoProvider|                        |mc@novell.com

--- Comment #7 from Anna Bernathova <anicka@novell.com> 2010-04-20 09:32:34 UTC ---
Michael, what do you think about it?
http://bugzilla.novell.com/show_bug.cgi?id=530885
http://bugzilla.novell.com/show_bug.cgi?id=530885#c8

Michael Calmer <mc@novell.com> changed:

           What    |Removed                 |Added
----------------------------------------------------------------------------
             Status|NEEDINFO                |REOPENED
                 CC|                        |mc@novell.com
       InfoProvider|mc@novell.com           |

--- Comment #8 from Michael Calmer <mc@novell.com> 2010-04-20 09:51:45 UTC ---
Please change /etc/pam.d/sshd directly. This module may make trouble if it is used in modules which are not directly used to let a user login into the system.

/etc/pam.d/sshd :

#%PAM-1.0
auth     requisite pam_nologin.so
auth     include   common-auth
account  requisite pam_nologin.so
account  include   common-account
password include   common-password
session  required  pam_loginuid.so
session  include   common-session

Even "auth" is already part of the sshd file, so we should add account too.
http://bugzilla.novell.com/show_bug.cgi?id=530885
http://bugzilla.novell.com/show_bug.cgi?id=530885#c9

Anna Bernathova <anicka@novell.com> changed:

           What    |Removed                 |Added
----------------------------------------------------------------------------
             Status|REOPENED                |RESOLVED
         Resolution|                        |FIXED

--- Comment #9 from Anna Bernathova <anicka@novell.com> 2010-04-23 10:03:55 UTC ---
Fixed for factory (request id 38569).
http://bugzilla.novell.com/show_bug.cgi?id=530885
http://bugzilla.novell.com/show_bug.cgi?id=530885#c10

--- Comment #10 from Bernhard Wiedemann <bwiedemann@suse.com> ---
This is an autogenerated message for OBS integration:
This bug (530885) was mentioned in
https://build.opensuse.org/request/show/38569 Factory / openssh
http://bugzilla.novell.com/show_bug.cgi?id=530885

SMASH SMASH <smash_bz@suse.de> changed:

           What    |Removed                 |Added
----------------------------------------------------------------------------
         Whiteboard|maint:planned:update    |