[Bug 619789] New: ssh access using keypair does not work with locked account
http://bugzilla.novell.com/show_bug.cgi?id=619789
http://bugzilla.novell.com/show_bug.cgi?id=619789#c0

Summary: ssh access using keypair does not work with locked account
Classification: openSUSE
Product: openSUSE 11.3
Version: RC 2
Platform: x86-64
OS/Version: openSUSE 11.3
Status: NEW
Severity: Major
Priority: P5 - None
Component: Other
AssignedTo: bnc-team-screening@forge.provo.novell.com
ReportedBy: f.de.kruijf@gmail.com
QAContact: qa@suse.de
Found By: ---
Blocker: ---

User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; nl; rv:1.9.2.6) Gecko/20100626 SUSE/3.6.6-1.1 Firefox/3.6.6

FreeNX uses a locked account, named nx, for access. For this account, access using .ssh/authorized_key2 is implemented. The private key is on the client end.

The entry in /etc/passwd is:
"nx:x:1100:200::/var/lib/nxserver/home:/usr/bin/nxserver"

The entry in /etc/shadow is:
"nx:!:14791:0:99999:7:::"

This type of access is now blocked. Setting "pam-config -a --pam-debug" and using the command "ssh -i /var/lib/nxserver/home/.ssh/client.id_dsa.key nx@localhost" shows the following in /var/log/messages:

Jul 4 17:42:52 eik113 sshd[4042]: pam_unix2(sshd:account): pam_sm_acct_mgmt() called
Jul 4 17:42:52 eik113 sshd[4042]: pam_unix2(sshd:account): username=[nx]
Jul 4 17:42:52 eik113 sshd[4042]: pam_unix2(sshd:account): expire() returned with 0
Jul 4 17:42:52 eik113 sshd[4042]: pam_unix2(sshd:account): Account is locked for nx

This used to work in previous versions of openSUSE. The workaround is to enter a password for the account.

Reproducible: Always

Steps to Reproduce:
1. Install FreeNX
2. Run nxsetup --install
3. Try to make a connection using an nxclient, or give the above-mentioned ssh command.

The response should show:
HELLO NXSERVER - Version 2.1.0-72 OS (GPL, using backend: 3.2.0)
NX> 105

However, it shows:
Connection closed by 127.0.0.1

In case this is required PAM behaviour, the FreeNX package should be changed and the generated nx account should be accessible using a keypair.
-- Configure bugmail: http://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
http://bugzilla.novell.com/show_bug.cgi?id=619789
http://bugzilla.novell.com/show_bug.cgi?id=619789#c

yang xiaoyu <xyyang@novell.com> changed:

What        |Removed                                   |Added
----------------------------------------------------------------------------
CC          |                                          |xyyang@novell.com
AssignedTo  |bnc-team-screening@forge.provo.novell.com |dmueller@novell.com
http://bugzilla.novell.com/show_bug.cgi?id=619789
http://bugzilla.novell.com/show_bug.cgi?id=619789#c1

Tim Mohlmann <muhlemmer@gmail.com> changed:

What        |Removed   |Added
----------------------------------------------------------------------------
Status      |NEW       |CLOSED
CC          |          |muhlemmer@gmail.com
Resolution  |          |INVALID
Severity    |Major     |Minor

--- Comment #1 from Tim Mohlmann <muhlemmer@gmail.com> 2010-07-25 19:35:07 UTC ---

I believe the account should NOT be blocked. (I am actually sure of this.) The shell has to be set to /usr/bin/nxserver in order to prevent anyone from logging into this account and opening a regular shell; the system user "nx" is treated as a regular user when logging in.

The nxclient first sets up an ssh connection to your sshd. It tries to log in with user "nx". sshd checks its config to see if this user is allowed to log in through ssh (AllowedUsers or AllowedGroups option), then it uses PAM (EnablePam option in sshd_config) to check if the user is valid. If the user is disabled in YaST, it is disabled for PAM and so it is for sshd. The nxclient continues with pub key authentication for user "nx". If this is successful, another connection is made, to the localhost address of sshd, to use sshd's authentication setting to interact with PAM, or whatever it's set to, to log in the actual user: you. All this done, it continues to locate and connect to the display... etc.

The point: user nx won't work when it's blocked; this is how it should be. If you don't want it to be like this, you should use other authentication methods for sshd (e.g. disable PAM in sshd config).

You don't have to set a password for nx; when the user is added with "nxsetup --install", the user is added as an enabled system user. As all system users, they are enabled, they have an alternate login shell (e.g. /bin/false) and some or no password set, which doesn't matter for us.

Anyway, it is an INVALID bug, since the programs are working exactly as they should be.

You might consider reopening the bug as an enhancement, motivating what you want to have changed. But being straightforward: allowing disabled users through sshd is not secure and would be a bug in itself. (Did you search whether it was not an old bug or security hole which was fixed and thus changed the behaviour for you?)

Tim Mohlmann
https://bugzilla.novell.com/show_bug.cgi?id=619789
https://bugzilla.novell.com/show_bug.cgi?id=619789#c2

Markus Kuhn <Markus.Kuhn@cl.cam.ac.uk> changed:

What        |Removed   |Added
----------------------------------------------------------------------------
CC          |          |Markus.Kuhn@cl.cam.ac.uk

--- Comment #2 from Markus Kuhn <Markus.Kuhn@cl.cam.ac.uk> 2011-02-06 12:43:54 UTC ---

Workaround: in /etc/shadow, replace any occurrence of ":!:" with ":*:", see bug #625347.

This probably should go into the release notes and "man shadow", as this subtle change in the semantics of /etc/shadow regarding ! versus * will cause a lot of headaches for people upgrading to openSUSE 11.3.
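The distinction the thread turns on, between a shadow password field of "!" (account locked, which pam_unix2 on openSUSE 11.3 rejects in the account phase even for public-key ssh logins, as the log in comment #0 shows) and "*" (no usable password, but not locked, which comment #2 offers as the workaround), is easy to script. The following is an added example, not code from the bug report, from FreeNX or from openSUSE: it classifies shadow(5) entries the way the thread describes and applies the ":!:" to ":*:" rewrite for one named account. The sample shadow lines are constructed, and the function names shadow_status, unlock_key_only and report are the example's own. It never touches the real /etc/shadow; it reads a copy from stdin and writes to stdout.

```shell
#!/bin/sh
# Added example (not part of the bug report or of FreeNX): classify
# /etc/shadow password fields and rewrite a locked, passwordless entry so
# that a key-only service account such as "nx" is no longer "locked" for
# pam_unix2 while still having no password that could be used to log in.

# Classify the password field of one shadow(5) line.
# Prints one of: locked | nopassword | empty | hashed
shadow_status() {
    pw=$(printf '%s\n' "$1" | cut -d: -f2)
    case "$pw" in
        '!'*)  echo locked ;;      # "!" prefix (passwd -l / usermod -L): pam_unix2 treats the account as locked
        '*')   echo nopassword ;;  # "*": no valid password, but the account is not locked
        '')    echo empty ;;       # empty field: passwordless login may be possible, dangerous
        *)     echo hashed ;;      # a real password hash
    esac
}

# Rewrite the "!" of the named user's entry to "*".  Only a field that is
# exactly "!" is changed: an entry like "!$6$..." is a locked account that
# still carries a real hash, and deliberately stays locked.
# Reads a shadow file on stdin, writes the rewritten file to stdout.
unlock_key_only() {
    awk -F: -v u="$1" 'BEGIN { OFS=":" } $1 == u && $2 == "!" { $2 = "*" } { print }'
}

# Print "<user> <status>" for every line of a shadow file read from stdin.
report() {
    while IFS= read -r line; do
        printf '%s %s\n' "$(printf '%s\n' "$line" | cut -d: -f1)" "$(shadow_status "$line")"
    done
}

# Constructed sample shadow file: a normal user, the FreeNX "nx" account as
# generated by nxsetup --install, a "*" account, and a locked account that
# still has a hash (the hash values are placeholders, not real hashes).
SAMPLE_SHADOW='root:$6$saltsalt$hashhash:14791:0:99999:7:::
nx:!:14791:0:99999:7:::
games:*:14791:0:99999:7:::
svc:!$6$saltsalt$hashhash:14791:0:99999:7:::'

# Demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_SHADOW" | report
printf '%s\n' "$SAMPLE_SHADOW" | unlock_key_only nx | grep '^nx:'
```

Run it against a copy of the real file (for example `unlock_key_only nx < /etc/shadow > /tmp/shadow.new` followed by a diff) before replacing anything, and remember that the "!" versus "*" reading is a property of the PAM module in use: the same field is interpreted by pam_unix2 on openSUSE 11.3 as described in this bug, and other PAM stacks or releases may treat it differently.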