
Re: nologin not working with openssh >= 4.3 and authentication != passwo

To: Darren Tucker <dtucker@zip.com.au>
Subject: Re: nologin not working with openssh >= 4.3 and authentication != password
From: Michael Weiser <michael@weiser.dinsnail.net>
Date: Mon, 8 Jan 2007 18:25:53 +0100
Cc: openssh-unix-dev@mindrot.org
In-reply-to: <45A272ED.4020206@zip.com.au>
List-archive: <http://lists.mindrot.org/pipermail/openssh-unix-dev>
List-id: Development of portable OpenSSH <openssh-unix-dev.mindrot.org>
References: <20070105165912.GA23074@weiser.dinsnail.net> <45A272ED.4020206@zip.com.au>
On Tue, Jan 09, 2007 at 03:35:57AM +1100, Darren Tucker wrote:

> > file into /etc. This only worked for logins that use the password
> > authentication mechanism. publickey-based authentications still
> sshd uses the PAM auth stack for password or challenge-response (aka
> kbdint) authentications but uses the account and session stacks for all
> authentication methods.

> > Is this a known issue or even a non-issue due to a misunderstanding on
> > my part?
> Do you have pam_nologin in the auth stack only in the PAM config file?

Yes, exactly.

> I suspect that you just need to add pam_nologin to the account stack.

Thanks, that did it. The Gentoo sshd pam config seems to be broken that
way. I'll open a bug with them.

Thanks for your help and sorry for the (perhaps) FAQ.
-- 
bye, Micha
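
Added example, not part of the original thread: a small checker for the misconfiguration resolved above, where pam_nologin sits only in the auth stack and is therefore never consulted for publickey logins. The file names, file contents and function names are constructed for illustration; the parser handles the `type control module` line format and follows `include`/`substack` entries.

```python
import re
# Constructed sample files standing in for /etc/pam.d/* (not a real distribution's config).
SAMPLE = {
    "sshd-broken": """
auth     required  pam_nologin.so   # only consulted for password/kbdint logins
auth     include   system-auth
account  include   system-auth
session  include   system-auth
""",
    "sshd-fixed": """
auth     required  pam_nologin.so
auth     include   system-auth
account  required  pam_nologin.so   # account stack runs for every auth method
account  include   system-auth
session  include   system-auth
""",
    "system-auth": """
auth     required  pam_unix.so
account  required  pam_unix.so
session  required  pam_unix.so
""",
}
RULE = re.compile(r"-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)")  # type, control, module

def stack_modules(files, service, stack, chain=()):
    """Modules run for `stack` in `service`, following include/substack."""
    if service in chain:                      # guard against include loops
        return []
    modules = []
    text = files.get(service, "").replace("\\\n", " ")  # join continued lines
    for line in text.splitlines():
        m = RULE.match(line.split("#", 1)[0].strip())
        if not m or m.group(1) != stack:
            continue
        control, target = m.group(2), m.group(3)
        if control in ("include", "substack"):
            modules += stack_modules(files, target, stack, chain + (service,))
        else:
            modules.append(target.rsplit("/", 1)[-1])   # drop any directory
    return modules

def nologin_coverage(files, service):
    """Which stacks call pam_nologin; only 'account' covers publickey logins."""
    return {s: "pam_nologin.so" in stack_modules(files, service, s)
            for s in ("auth", "account")}

if __name__ == "__main__":
    for name in ("sshd-broken", "sshd-fixed"):
        print(name, nologin_coverage(SAMPLE, name))
```

A service whose result shows `account` as `False` still admits key-based logins while /etc/nologin exists.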