Date: Thu, 10 May 2007 17:45:31 +0400 (MSD)
From: Yar Tikhiy <yar@FreeBSD.org>
To: FreeBSD-gnats-submit@FreeBSD.org
Cc: des@FreeBSD.org
Subject: bin/112574: sshd(8) ignores nologin(5) if using PAM and public key
Message-ID: <200705101345.l4ADjV8v062085@jujik.ramtel.ru>
Resent-Message-ID: <200705101430.l4AEU99o001559@freefall.freebsd.org>
>Number:         112574
>Category:       bin
>Synopsis:       sshd(8) ignores nologin(5) if using PAM and public key
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu May 10 14:30:04 GMT 2007
>Closed-Date:
>Last-Modified:
>Originator:     Yar Tikhiy
>Release:        FreeBSD 7.0-CURRENT i386
>Organization:
none
>Environment:
System: FreeBSD jujik.ramtel.ru 7.0-CURRENT FreeBSD 7.0-CURRENT #0: Sun Apr 22 15:52:48 MSD 2007 root@jujik.ramtel.ru:/usr/src/sys/i386/compile/JTEST i386
>Description:
If sshd(8) uses PAM, which is the default, nologin(5) has no effect for sessions using public key authentication.

My analysis: Currently, pam_nologin(8) provides its service via pam_sm_authenticate() and the PAM authentication stack. But sshd(8) doesn't seem to invoke the PAM authentication stack if the session uses public key authentication; it handles that kind of authentication internally, so pam_nologin(8) has no chance to do its job in that case.
>How-To-Repeat:
Create /var/run/nologin and try to log into the system with public key authentication as a non-root user. See successful login.
>Fix:
Arguably, pam_nologin(8) should do account management, not authentication. It's more logical and it should work for sshd(8), as the latter calls the PAM account management stack irrespective of the authentication method used earlier in the session.
>Release-Note:
>Audit-Trail:
>Unformatted:
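The two placements the report contrasts, shown as /etc/pam.d/sshd fragments. This is an added illustration, not part of the PR or of any shipped FreeBSD configuration; the surrounding module lines and their options are assumptions made for the example.

```conf
# Affected layout (assumed for illustration): pam_nologin sits only in the
# auth stack. sshd(8) with UsePAM does not run this stack for public key
# logins, so /var/run/nologin is never consulted for them.
auth      required   pam_nologin.so      no_warn
auth      required   pam_unix.so         no_warn try_first_pass

# Proposed layout: pam_nologin performs account management. sshd(8) runs the
# account stack after every successful authentication method, public key
# included, so /var/run/nologin is honoured again. root remains exempt, as
# nologin(5) documents, which is why the How-To-Repeat uses a non-root user.
account   required   pam_nologin.so
account   required   pam_login_access.so
account   required   pam_unix.so
```

The account line only has an effect once pam_nologin(8) implements the account management service, which is exactly the change the Fix section proposes.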