http://bugzilla.novell.com/show_bug.cgi?id=530885
Summary: sshd fails to honour /etc/nologin presence when ssh keys used during login
Classification: openSUSE
Product: openSUSE 11.1
Version: Final
Platform: x86-64
OS/Version: openSUSE 11.1
Status: NEW
Severity: Major
Priority: P5 - None
Component: Security
AssignedTo: security-team@suse.de
ReportedBy: liam.gretton@leicester.ac.uk
QAContact: qa@suse.de
Found By: ---
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2
With the pam module pam_nologin in use, all non-root logins are supposed to be prevented if the file /etc/nologin exists.
SSH fails to prevent user logins if /etc/nologin exists and the user authenticates with a key. Authentications with a password are successfully prevented, as expected.
Reproducible: Always
Steps to Reproduce:
1. Add pam_nologin to /etc/pam.d/login: auth requisite pam_nologin.so
2. Create /etc/nologin
3. Log in via SSH with a password. Login will be correctly prevented.
4. Log in via SSH with a key. Login is successful.
Actual Results: SSH login with a key is not prevented by pam_nologin.
Expected Results: SSH login with a key should be prevented by pam_nologin when /etc/nologin is present.
openssh-5.1p1-40.15 pam-1.0.2-13.4
Thomas Biege thomas@novell.com changed:
What       | Removed               | Added
CC         |                       | security-team@suse.de
AssignedTo | security-team@suse.de | anicka@novell.com
Anna Bernathova anicka@novell.com changed:
What       | Removed | Added
Status     | NEW     | CLOSED
Resolution |         | WONTFIX
--- Comment #1 from Anna Bernathova anicka@novell.com 2009-08-14 09:15:05 MDT --- I am sorry but the key authentication goes around pam and AFAIK upstream considers it a feature that they want to work this way.
Anyway, as we are trying to be as close to the upstream version for security reasons, I am not going to change it. The eventual request for a different behavior should go to upstream.
--- Comment #2 from Ludwig Nussel lnussel@novell.com 2009-08-18 06:31:30 MDT --- FWIW it works if you use 'account' instead of 'auth'. Also, the correct file to modify is /etc/pam.d/sshd
--- Comment #3 from Liam Gretton liam.gretton@leicester.ac.uk 2009-11-09 08:30:40 MST --- Ludwig - thanks for that, SSH logins with keyboard and key auth are indeed prevented with account instead of auth in /etc/pam.d/sshd.
For anyone else's benefit then, here's my /etc/pam.d/sshd file:
account  requisite pam_nologin.so
auth     include   common-auth
account  include   common-account
password include   common-password
session  required  pam_loginuid.so
session  include   common-session
Rolf Krahl rolf@rotkraut.de changed:
What | Removed | Added
CC   |         | rolf@rotkraut.de
--- Comment #4 from Rolf Krahl rolf@rotkraut.de 2010-04-18 09:52:21 UTC --- Reopen: this is not a bug in upstream ssh, but a bug in the pam config as installed by Suse.
The ssh people are right, ssh's behaviour is absolutely correct: if a user is already authenticated by publickey or hostbased, there is no point in trying yet another authentication with PAM. pam_nologin has nothing to do with authentication, the presence of a /etc/nologin does not mean that all user passwords suddenly became invalid. It means that the system is currently unavailable for users. That is exactly what the account chain in PAM is intended for.
Thus, placing pam_nologin in the auth chain is simply wrong. It belongs to the account chain, as Ludwig already pointed out.
Suggested fix, variant 1 (to apply to the openssh src rpm): ------------------------------ --- sshd.pamd.orig 2010-04-15 16:20:12.221162258 +0200 +++ sshd.pamd 2010-04-18 11:23:25.877161497 +0200 @@ -1,6 +1,6 @@ #%PAM-1.0 -auth requisite pam_nologin.so auth include common-auth +account requisite pam_nologin.so account include common-account password include common-password session required pam_loginuid.so ------------------------------
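Review bot: the hunk removes pam_nologin from the auth chain entirely rather than adding it to account, so a password login during maintenance is now asked for a password and only rejected afterwards in the account stage; keeping the existing `auth requisite pam_nologin.so` line next to the new `account requisite pam_nologin.so` (the layout comment #8 ends up with) rejects password logins before the prompt and still blocks key logins. The placement of the new line before `account include common-account` is right, since `requisite` short-circuits the rest of the chain when /etc/nologin exists.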
An even broader solution would be to move pam_nologin to common-account. In fact, if a system is in maintenance and the admin creates a /etc/nologin to lock users temporarily out, usually all user activities should be disallowed at once, not just ssh logins.
Suggested fix, variant 2 (to apply to the pam src rpm): ------------------------------ --- common-account.pamd.orig 2010-04-15 16:02:04.769163876 +0200 +++ common-account.pamd 2010-04-18 11:42:45.288253143 +0200 @@ -6,4 +6,5 @@ # the central access policy for use on the system. The default is to # only deny service to users whose accounts are expired. # +account requisite pam_nologin.so account required pam_unix2.so ------------------------------ Then, the pam_nologin line can be removed from the pam files in login, ppp, and openssh (and maybe other packages).
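Review bot: putting pam_nologin into the shared common-account stack applies the /etc/nologin lock to every service that includes common-account, not only to the interactive login services named here (login, ppp, openssh), so any other includer that reaches the account stage would also start failing while the file exists; the per-service placement of variant 1 is the safer default, and if this variant is kept the description should list which other includers of common-account were checked before the per-package lines are dropped.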
Rolf Krahl rolf@rotkraut.de changed:
What       | Removed | Added
Status     | CLOSED  | REOPENED
Resolution | WONTFIX |
--- Comment #5 from Rolf Krahl rolf@rotkraut.de 2010-04-18 09:53:48 UTC --- see above
Ludwig Nussel lnussel@novell.com changed:
What             | Removed       | Added
Component        | Security      | Security
Version          | Final         | Factory
Product          | openSUSE 11.1 | openSUSE 11.3
Target Milestone | ---           | Factory
--- Comment #6 from Ludwig Nussel lnussel@novell.com 2010-04-19 09:06:51 CEST --- moving to 11.3
Anna Bernathova anicka@novell.com changed:
What         | Removed  | Added
Status       | REOPENED | NEEDINFO
InfoProvider |          | mc@novell.com
--- Comment #7 from Anna Bernathova anicka@novell.com 2010-04-20 09:32:34 UTC --- Michael, what do you think about it?
Michael Calmer mc@novell.com changed:
What         | Removed       | Added
Status       | NEEDINFO      | REOPENED
CC           |               | mc@novell.com
InfoProvider | mc@novell.com |
--- Comment #8 from Michael Calmer mc@novell.com 2010-04-20 09:51:45 UTC --- Please change /etc/pam.d/sshd directly. This module may make trouble if it is used in modules which are not directly used to let a user login into the system.
/etc/pam.d/sshd :
#%PAM-1.0
auth     requisite pam_nologin.so
auth     include   common-auth
account  requisite pam_nologin.so
account  include   common-account
password include   common-password
session  required  pam_loginuid.so
session  include   common-session
Even "auth" is already part of the sshd file, so we should add account too.
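An added audit helper, not part of this bug report or of the openSUSE packages, for checking the point the thread settles on: sshd consults the PAM auth chain only for password and keyboard-interactive logins, but (with UsePAM yes in sshd_config, which this script assumes) it runs the account chain for every login, so /etc/nologin blocks public-key logins only when pam_nologin appears in the account chain. The function names and the two sample service files below are constructed for the example; the samples reproduce the openSUSE 11.1 layout from the report and the corrected layout from comment #8.

```shell
#!/bin/sh
# Added example (not from the bug report): audit a PAM service file to see
# whether pam_nologin is wired into the "account" chain. sshd only runs the
# PAM "auth" chain for password/keyboard-interactive logins, but with
# UsePAM yes it runs the "account" chain for every login, so /etc/nologin
# blocks public-key logins only if pam_nologin sits in "account".

# pam_nologin_chains FILE
# Print the management groups (auth, account, ...) in which pam_nologin
# appears in FILE, one per line. Comments and blank lines are ignored and a
# leading "-" (optional-module marker) is stripped from the group name.
# The module is searched in every field so that bracketed control values
# such as "[success=1 default=ignore]" and full module paths still match.
pam_nologin_chains() {
    sed 's/#.*//' "$1" | awk '
        { for (i = 2; i <= NF; i++)
              if ($i ~ /(^|\/)pam_nologin\.so$/) { sub(/^-/, "", $1); print $1; break } }'
}

# nologin_blocks_key_logins FILE
# Exit 0 if pam_nologin is in the account chain of FILE, 1 otherwise.
nologin_blocks_key_logins() {
    pam_nologin_chains "$1" | grep -qx account
}

# Constructed sample: the openSUSE 11.1 layout from the report (auth only).
make_broken_sample() {
    printf '%s\n' '#%PAM-1.0' \
        'auth     requisite pam_nologin.so' \
        'auth     include   common-auth' \
        'account  include   common-account' \
        'password include   common-password' \
        'session  required  pam_loginuid.so' \
        'session  include   common-session' > "$1"
}

# Constructed sample: the layout from comment #8 (auth and account).
make_fixed_sample() {
    printf '%s\n' '#%PAM-1.0' \
        'auth     requisite pam_nologin.so' \
        'auth     include   common-auth' \
        'account  requisite pam_nologin.so' \
        'account  include   common-account' \
        'password include   common-password' \
        'session  required  pam_loginuid.so' \
        'session  include   common-session' > "$1"
}

# report FILE: print a one-line verdict, e.g. for /etc/pam.d/sshd on a host.
report() {
    if nologin_blocks_key_logins "$1"; then
        echo "$1: OK, pam_nologin in account chain (key logins honour /etc/nologin)"
    else
        echo "$1: WARNING, pam_nologin not in account chain (key logins bypass /etc/nologin)"
    fi
}

# "sh script.sh demo" writes both constructed samples to a temp dir and
# reports on them; "report /etc/pam.d/sshd" checks a live service file.
if [ "${1-}" = demo ]; then
    tmp=$(mktemp -d)
    make_broken_sample "$tmp/sshd.11.1"
    make_fixed_sample "$tmp/sshd.fixed"
    report "$tmp/sshd.11.1"
    report "$tmp/sshd.fixed"
    rm -rf "$tmp"
fi
```

The check is deliberately about the service file only: pam_nologin exempts root by default and the test says nothing about what common-account pulls in, so on a real host it should be read together with the included stacks.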
Anna Bernathova anicka@novell.com changed:
What       | Removed  | Added
Status     | REOPENED | RESOLVED
Resolution |          | FIXED
--- Comment #9 from Anna Bernathova anicka@novell.com 2010-04-23 10:03:55 UTC --- Fixed for factory (request id 38569).
--- Comment #10 from Bernhard Wiedemann bwiedemann@suse.com --- This is an autogenerated message for OBS integration: This bug (530885) was mentioned in https://build.opensuse.org/request/show/38569 Factory / openssh
SMASH SMASH smash_bz@suse.de changed:
What       | Removed              | Added
Whiteboard | maint:planned:update |