[opensuse] Howto bypass ssh /etc/nologin
Hi all,

I'm trying to show a demo on how to modify PAM so that /etc/nologin is bypassed by ssh. I have modified /etc/pam.d/sshd:

    #%PAM-1.0
    auth     include   common-auth
    #auth    required  pam_nologin.so
    account  include   common-account
    password include   common-password
    session  include   common-session

When I try to ssh into the PC, I get logged in, but immediately get kicked out. In /var/log/messages I see this:

    sshd: User fajar is not allowed because /etc/nologin exists

I have run 'grep -r nologin /etc' and have commented out some of the entries in apparmor too, but still cannot log in. I once succeeded in bypassing /etc/nologin, but I forget how.

Thank you very much,

--
Fajar Priyanto | Reg'd Linux User #327841 | Linux tutorial http://linux2.arinet.org
11:09pm up 17:09, 2.6.18.2-34-default GNU/Linux
Let's use OpenOffice. http://www.openoffice.org
Fajar Priyanto <fajarpri@cbn.net.id> wrote:
> I'm trying to show a demo on how to modify PAM so that /etc/nologin is bypassed by ssh. I have modified /etc/pam.d/sshd:
>
>     #%PAM-1.0
>     auth     include   common-auth
>     #auth    required  pam_nologin.so
> [...]
>
> When I try to ssh into the PC, I get logged in, but immediately get kicked out. In /var/log/messages I see this:
>
>     sshd: User fajar is not allowed because /etc/nologin exists

I think it is not possible to configure sshd so that it ignores /etc/nologin. The check for /etc/nologin seems to be hard-coded in /usr/sbin/sshd:

    $ strings /usr/sbin/sshd | grep nologin
    /etc/nologin

The login behaviour of sshd is described in its manual page (man sshd, section "LOGIN PROCESS"). The pam_nologin line in /etc/pam.d/sshd seems to be an additional check.

Björn
On Monday 04 June 2007 23:25, Bjoern Voigt wrote:
> Fajar Priyanto <fajarpri@cbn.net.id> wrote:
>> I'm trying to show a demo on how to modify PAM so that /etc/nologin is bypassed by ssh. I have modified /etc/pam.d/sshd:
>>
>>     #%PAM-1.0
>>     auth     include   common-auth
>>     #auth    required  pam_nologin.so
>> [...]
>>
>> When I try to ssh into the PC, I get logged in, but immediately get kicked out. In /var/log/messages I see this:
>>
>>     sshd: User fajar is not allowed because /etc/nologin exists
>
> I think it is not possible to configure sshd so that it ignores /etc/nologin. The check for /etc/nologin seems to be hard-coded in /usr/sbin/sshd:
>
>     $ strings /usr/sbin/sshd | grep nologin
>     /etc/nologin

Yes it is, but at least in 10.1 and 10.2, it is disabled if UsePAM is set to yes in /etc/ssh/sshd_config. In ssh versions before 4.3p1 it was always checked.

Commenting out the line in pam.d/sshd works for me on 10.1 and 10.2.

btw, "strings" will only tell you if it looks at that file at all. It won't tell you anything about the logic surrounding it. Only the source code can do that.

--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse+help@opensuse.org
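As an added example (not code from the thread or from any of its participants), a small POSIX shell audit that applies the rule Anders describes to constructed sample files and reports which component, sshd itself, the pam_nologin line, or nothing, will refuse logins while /etc/nologin exists. The helper names, the sample file contents and the version strings are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the thread): decide which component, if any, will refuse
# logins while /etc/nologin exists, following Anders' rule: OpenSSH before 4.3p1 checks
# the file itself; from 4.3p1 on, with UsePAM yes, only an active pam_nologin line does.
# All inputs are file paths so the logic runs against constructed sample files.

# Effective UsePAM value from an sshd_config (OpenSSH defaults to "no" when unset).
use_pam_setting() {
    awk 'tolower($1) == "usepam" { v = tolower($2) } END { if (v == "") v = "no"; print v }' "$1"
}

# "yes" if the PAM service file has an uncommented auth/account line loading pam_nologin.so.
pam_nologin_active() {
    if grep -Eq '^[[:space:]]*(auth|account)[[:space:]]+.*pam_nologin\.so' "$1"; then echo yes; else echo no; fi
}

# Classify an OpenSSH version string such as "4.2p1": "old" (< 4.3) or "new" (>= 4.3).
ssh_version_class() {
    major=$(printf '%s' "$1" | cut -d. -f1)
    minor=$(printf '%s' "$1" | cut -d. -f2 | sed 's/[^0-9].*//')
    if [ "$major" -lt 4 ] || { [ "$major" -eq 4 ] && [ "$minor" -lt 3 ]; }; then echo old; else echo new; fi
}

# nologin_enforcer VERSION SSHD_CONFIG PAM_SERVICE_FILE -> prints "sshd", "pam" or "none".
nologin_enforcer() {
    if [ "$(ssh_version_class "$1")" = old ] || [ "$(use_pam_setting "$2")" != yes ]; then
        echo sshd   # sshd consults /etc/nologin itself; the PAM stack cannot change that
    elif [ "$(pam_nologin_active "$3")" = yes ]; then
        echo pam    # the pam_nologin line is the only thing enforcing /etc/nologin
    else
        echo none   # /etc/nologin is never consulted for ssh logins
    fi
}

# Constructed sample files mirroring the configurations discussed in the thread.
SAMPLE_DIR=$(mktemp -d)
printf 'UsePAM yes\nPermitRootLogin no\n' > "$SAMPLE_DIR/sshd_config_pam"
printf '#UsePAM yes\n' > "$SAMPLE_DIR/sshd_config_nopam"
printf '#%%PAM-1.0\nauth include common-auth\n#auth required pam_nologin.so\n' > "$SAMPLE_DIR/pam_sshd_commented"
printf '#%%PAM-1.0\nauth requisite pam_nologin.so\nauth include common-auth\n' > "$SAMPLE_DIR/pam_sshd_active"

# SLES10 (openssh 4.2p1): sshd enforces the file even with pam_nologin commented out.
nologin_enforcer 4.2p1 "$SAMPLE_DIR/sshd_config_pam" "$SAMPLE_DIR/pam_sshd_commented"   # sshd
# openSUSE 10.2 (4.3p1 or later, UsePAM yes) with the line commented out: nothing enforces it.
nologin_enforcer 4.3p1 "$SAMPLE_DIR/sshd_config_pam" "$SAMPLE_DIR/pam_sshd_commented"   # none
nologin_enforcer 4.3p1 "$SAMPLE_DIR/sshd_config_pam" "$SAMPLE_DIR/pam_sshd_active"      # pam
nologin_enforcer 4.3p1 "$SAMPLE_DIR/sshd_config_nopam" "$SAMPLE_DIR/pam_sshd_active"    # sshd
```

The "none" verdict is the one an administrator wants to catch: on a newer sshd with UsePAM yes, commenting out pam_nologin silently removes the control, while on 4.2p1 the same edit changes nothing.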
On Tuesday 05 June 2007 05:04, Anders Johansson wrote:
> Yes it is, but at least in 10.1 and 10.2, it is disabled if UsePAM is set to yes in /etc/ssh/sshd_config. In ssh versions before 4.3p1 it was always checked.

Yes, I confirm this. On 10.2 I can ssh into it even when there's /etc/nologin, after I commented out the line in /etc/pam.d/sshd:

    #%PAM-1.0
    #auth    requisite pam_nologin.so
    auth     include   common-auth
    account  include   common-account
    password include   common-password
    session  required  pam_loginuid.so
    session  include   common-session

The machine that I'm trying to give the demo on is SLES10. Man, I guess they've hardened the security on the server version. But I can swear that I and my friend were able to bypass /etc/nologin on SLES10. I'll ask him ASAP.
On Tuesday 05 June 2007 01:39, Fajar Priyanto wrote:
> The machine that I'm trying to give the demo on is SLES10.

No, I was confused. I was sure I was testing it on a 10.1 and a 10.2, but in fact it was two 10.2 machines. 10.1 (and SLES 10 and SLED 10) have openssh 4.2p1, so it still checks /etc/nologin no matter what you do with pam.

At the moment I can't check what happens in SP1. I can do that tomorrow.
On Tuesday 05 June 2007 07:12, Anders Johansson wrote:
> On Tuesday 05 June 2007 01:39, Fajar Priyanto wrote:
>> The machine that I'm trying to give the demo on is SLES10.
>
> No, I was confused. I was sure I was testing it on a 10.1 and a 10.2, but in fact it was two 10.2 machines. 10.1 (and SLES 10 and SLED 10) have openssh 4.2p1, so it still checks /etc/nologin no matter what you do with pam.
>
> At the moment I can't check what happens in SP1. I can do that tomorrow.

OK. Looking forward to it.

By the way, do you know any nifty example on how to demo the work of PAM? Right now, the /etc/nologin is all I have.
On Tuesday 05 June 2007 02:37, Fajar Priyanto wrote:
> On Tuesday 05 June 2007 07:12, Anders Johansson wrote:
>> On Tuesday 05 June 2007 01:39, Fajar Priyanto wrote:
>>> The machine that I'm trying to give the demo on is SLES10.
>>
>> No, I was confused. I was sure I was testing it on a 10.1 and a 10.2, but in fact it was two 10.2 machines. 10.1 (and SLES 10 and SLED 10) have openssh 4.2p1, so it still checks /etc/nologin no matter what you do with pam.
>>
>> At the moment I can't check what happens in SP1. I can do that tomorrow.
>
> OK. Looking forward to it.

SP1 still has 4.2p1, no change there.

> By the way, do you know any nifty example on how to demo the work of PAM? Right now, the /etc/nologin is all I have.

Well, perhaps the password strength checkers? pam_motd? pam_chroot? There are quite a few modules in /lib/security. If I were you, I'd look through the docs in /usr/share/doc/packages/pam and play with it a little.
Fajar Priyanto wrote:
> Hi all,
>
> I'm trying to show a demo on how to modify PAM so that /etc/nologin is bypassed by ssh. I have modified /etc/pam.d/sshd:
>
>     #%PAM-1.0
>     auth     include   common-auth
>     #auth    required  pam_nologin.so
>     account  include   common-account
>     password include   common-password
>     session  include   common-session
>
> When I try to ssh into the PC, I get logged in, but immediately get kicked out. In /var/log/messages I see this:
>
>     sshd: User fajar is not allowed because /etc/nologin exists

Duh..that's the freaking POINT of /etc/nologin! Here's an idea -- THINK before you post!

> I have run 'grep -r nologin /etc' and have commented out some of the entries in apparmor too, but still cannot log in. I once succeeded in bypassing /etc/nologin, but I forget how.

You REMOVE it. nologin...nologin...no login.... gee, what could that POSSIBLY mean??? DUH.

> Thank you very much,
participants (4): Aaron Kulkis, Anders Johansson, Bjoern Voigt, Fajar Priyanto