Bug#162996: Should not use pam_nologin
On Wed, Sep 03, 2003 at 02:35:34AM +0100, Colin Watson wrote:
> On Tue, Oct 01, 2002 at 10:25:29AM -0400, Matt Zimmerman wrote:
> > Package: ssh
> > Version: 1:3.4p1-2
> > Severity: normal
> >
> > sshd already supports /etc/nologin in a much more useful way, by displaying
> > its contents to the user, rather than just rejecting the authentication
> > attempt.
>
> As I read pam_nologin's source code, it displays the contents of
> /etc/nologin to the user, or at least is intended to. It seems like six
> of one and half a dozen of the other whether we use PAM or ssh's inbuilt
> support ...?

pam_nologin may try to do this, but I don't think that its stdout is
displayed to the user at the time that ssh calls it.

With pam_nologin enabled:

$ ssh localhost
[noticeable delay as PAM denies me]
foo@localhost's password: [correct password]
Permission denied, please try again.
foo@localhost's password:

With pam_nologin commented out:

$ ssh localhost
[no delay]
mdz@localhost's password: [correct password]
[motd]
You have mail.
Last login: Tue Sep 2 19:23:17 2003 from :0.0
test test test [contents of /etc/nologin]
Connection to localhost closed.

So I think the situation is the same as when I originally reported this bug.
--
- mdz
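
Added example, not part of the original thread: a small check that reports whether pam_nologin is active or commented out in a PAM service file, the two states compared in the message above. The function name pam_nologin_state is hypothetical, the file path is passed as an argument, and the sample rules are constructed.

```shell
#!/bin/sh
# Report how pam_nologin appears in a PAM service file (path given as $1).
# Prints one line per rule: "active <type> <control>" or "commented";
# prints "absent" when no rule references the module.
pam_nologin_state() {
    awk '
    {
        line = $0
        sub(/^[ \t]+/, "", line)
        commented = 0
        # A leading "#" disables the rule; strip it and parse what is left.
        if (line ~ /^#/) { commented = 1; sub(/^#+[ \t]*/, "", line) }
        if (line !~ /pam_nologin\.so/) next
        n = split(line, f, /[ \t]+/)
        type = f[1]
        # Skip prose comments that only mention the module name.
        if (type !~ /^-?(auth|account|password|session)$/) next
        found = 1
        if (commented) { print "commented"; next }
        sub(/^-/, "", type)   # "-auth": PAM ignores the rule if the module is missing
        control = f[2]
        # Bracketed controls such as [success=ok default=bad] span several fields.
        i = 2
        while (control ~ /^\[/ && control !~ /\]$/ && i < n) {
            i++
            control = control " " f[i]
        }
        print "active", type, control
    }
    END { if (!found) print "absent" }
    ' "$1"
}

# Constructed sample rules (not copied from any real system).
sample=$(mktemp)
printf '%s\n' \
    'auth       required     pam_nologin.so' \
    '#auth      required     pam_nologin.so' > "$sample"
pam_nologin_state "$sample"
rm -f "$sample"
```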