OpenSSH

Re: nologin not working with openssh >= 4.3 and authentication != passwo

To: Michael Weiser <michael@weiser.dinsnail.net>
Subject: Re: nologin not working with openssh >= 4.3 and authentication != password
From: Damien Miller <djm@mindrot.org>
Date: Tue, 23 Jan 2007 09:27:46 +1100 (EST)
Cc: openssh-unix-dev@mindrot.org
In-reply-to: <20070105165912.GA23074@weiser.dinsnail.net>
List-archive: <http://lists.mindrot.org/pipermail/openssh-unix-dev>
List-id: Development of portable OpenSSH <openssh-unix-dev.mindrot.org>
References: <20070105165912.GA23074@weiser.dinsnail.net>
On Fri, 5 Jan 2007, Michael Weiser wrote:

> Hi developers,
> 
> today I tried to disable logins to an ssh server by putting a nologin
> file into /etc. This only worked for logins that use the password
> authentication mechanism. publickey-based authentications still
> succeeded and the users were allowed into the system. This seems
> straightforward to me since openssh 4.3 disabled the evaluation of
> /etc/nologin in favour of pam_nologin but doesn't use PAM for anything
> other than password-based logins, does it?

Yes, PAM account and session modules are run for non-password
authentications. My guess is that you have the nologin module in
the authentication section of your PAM config.

-d
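
Added example, not part of the message above or of the OpenSSH source: a small Python check that reports which PAM stacks in a service file reference pam_nologin, since the reply notes that the account and session stacks are the ones run for non-password authentication. The two sample configurations are constructed, the function names are hypothetical, and `include`/`@include` lines are not followed.

```python
import re

# Constructed sample: pam_nologin only in the auth stack, the layout the
# reply guesses at. The auth stack is not what runs for publickey logins.
AUTH_ONLY = """\
# /etc/pam.d/sshd (constructed)
auth     required   pam_nologin.so
auth     required   pam_unix.so
account  required   pam_unix.so
session  required   pam_unix.so
"""

# Constructed sample: pam_nologin in the account stack, which is run for
# non-password authentications as well.
ACCOUNT_STACK = """\
auth     required   pam_unix.so
account  required   /lib/security/pam_nologin.so
account  [success=1 default=ignore] \\
         pam_unix.so
session  required   pam_unix.so
"""

# type, control (plain word or [bracketed list]), module path
LINE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)")

def stacks_using(text, module="pam_nologin"):
    """Return the set of PAM stack types (auth, account, ...) naming `module`."""
    text = text.replace("\\\n", " ")          # join backslash-continued lines
    found = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        m = LINE.match(line)
        if not m:
            continue                          # blank, @include or malformed
        kind, _control, path = m.groups()
        if path.rsplit("/", 1)[-1].split(".")[0] == module:
            found.add(kind.lower())
    return found

def nologin_covers_all_methods(text):
    """True only if pam_nologin appears in the account stack."""
    return "account" in stacks_using(text)

if __name__ == "__main__":
    for name, cfg in (("auth-only", AUTH_ONLY), ("account", ACCOUNT_STACK)):
        print(name, sorted(stacks_using(cfg)), nologin_covers_all_methods(cfg))
```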