
Bug#162996: Should not use pam_nologin



On Wed, Sep 03, 2003 at 02:35:34AM +0100, Colin Watson wrote:

> On Tue, Oct 01, 2002 at 10:25:29AM -0400, Matt Zimmerman wrote:
> > Package: ssh
> > Version: 1:3.4p1-2
> > Severity: normal
> > 
> > sshd already supports /etc/nologin in a much more useful way, by displaying
> > its contents to the user, rather than just rejecting the authentication
> > attempt.
> 
> As I read pam_nologin's source code, it displays the contents of
> /etc/nologin to the user, or at least is intended to. It seems like six
> of one and half a dozen of the other whether we use PAM or ssh's inbuilt
> support ...?

pam_nologin may try to do this, but I don't think that its stdout is
displayed to the user at the time that ssh calls it.

With pam_nologin enabled:

$ ssh localhost
[noticeable delay as PAM denies me]
foo@localhost's password: [correct password]
Permission denied, please try again.
foo@localhost's password: 

With pam_nologin commented out:

$ ssh localhost
[no delay]
mdz@localhost's password: [correct password]
[motd]
You have mail.
Last login: Tue Sep  2 19:23:17 2003 from :0.0
test test test [contents of /etc/nologin]
Connection to localhost closed.

So I think the situation is the same as when I originally reported this bug.

-- 
 - mdz



