Bug#447581: openssh-server: sshd ignores /etc/nologin when logging in with keys
Package: openssh-server
Version: 1:4.3p2-9
Severity: important
On Etch, I can log in on a machine with /etc/nologin existing if I use
ssh keys. On Sarge I get the message from /etc/nologin and the
connection is closed immediately, which means that I cannot log in, as
expected.
If I try to log in using a password, I can't log in, but the behaviour is
somewhat strange: 3x message from /etc/nologin and 6x password prompt,
although /etc/nologin is set and recognized. OTOH it is the same kind of
strange on Sarge, too.
The main problem (and subject of this bug report) is that you can still
log in with ssh keys if /etc/nologin is present:
(Notes about the examples: snitch and krum are Etch amd64 hosts, aragog
is an Etch i386 host, malfoy is Sarge i386. krum, aragog and malfoy
have a /etc/nologin. By default I have keys loaded into ssh-agent for
logging in on malfoy and krum. "-o 'PubkeyAuthentication no'" disables
this.)
--- Begin: Correctly working ssh key login on a Sarge machine ---
!85 Z95 ?0 L1 abe@snitch:pts/2 (zsh 4.3.2) 10:54:29 [~] > ssh root@malfoy
Last login: Mon Oct 22 10:28:55 2007 from snitch.ethz.ch
Linux malfoy 2.4.33.2-1-dphys-p3-1gb #1 Mon Aug 28 16:34:11 CEST 2006 i686 GNU/Linux
[/etc/motd]
malfoy:~# echo "Zu Testzwecken (RT#17192) deaktiviert. --Axel" > /etc/nologin
malfoy:~# logout
Connection to malfoy closed.
!86 Z96 ?0 L1 abe@snitch:pts/2 (zsh 4.3.2) 10:54:51 [~] > ssh malfoy
Last login: Mon Oct 22 10:41:08 2007 from snitch.ethz.ch
Linux malfoy 2.4.33.2-1-dphys-p3-1gb #1 Mon Aug 28 16:34:11 CEST 2006 i686 GNU/Linux
[/etc/motd]
Zu Testzwecken (RT#17192) deaktiviert. --Axel
Connection to malfoy closed.
!87 Z97 ?254 L1 abe@snitch:pts/2 (zsh 4.3.2) 10:54:55 [~] > ssh -o 'PubkeyAuthentication no' malfoy
Zu Testzwecken (RT#17192) deaktiviert. --Axel
Password:
Zu Testzwecken (RT#17192) deaktiviert. --Axel
Password:
Zu Testzwecken (RT#17192) deaktiviert. --Axel
Password:
abe@malfoy's password:
Permission denied, please try again.
abe@malfoy's password:
Permission denied, please try again.
abe@malfoy's password:
Permission denied (publickey,password,keyboard-interactive).
!7 Z7 ?255 L1 abe@snitch:pts/21 (zsh 4.3.2) 11:02:06 [~] >
--- End: Correctly working ssh key login on a Sarge machine ---
--- Begin: Not correctly working ssh key login on an Etch machine ---
!35 Z40 ?0 L1 abe@snitch:pts/18 (zsh 4.3.2) 10:57:01 [~] > ssh root@krum
Last login: Mon Oct 22 10:27:53 2007 from snitch.ethz.ch
[/etc/motd]
krum:~# echo "Zu Testzwecken (RT#17192) deaktiviert. --Axel" > /etc/nologin
krum:~# logout
Connection to krum closed.
!35 Z41 ?0 L1 abe@snitch:pts/18 (zsh 4.3.2) 10:57:42 [~] > ssh krum
Last login: Mon Oct 22 10:46:36 2007 from snitch.ethz.ch
[/etc/motd]
!1 Z1 ?0 L1 abe@krum:pts/8 (-zsh 4.3.2) 10:57:46 [~] > logout
Connection to krum closed.
!36 Z42 ?0 L1 abe@snitch:pts/18 (zsh 4.3.2) 10:58:07 [~] > ssh -o 'PubkeyAuthentication no' krum
Zu Testzwecken (RT#17192) deaktiviert. --Axel
Password:
Zu Testzwecken (RT#17192) deaktiviert. --Axel
Password:
Zu Testzwecken (RT#17192) deaktiviert. --Axel
Password:
abe@krum's password:
Permission denied, please try again.
abe@krum's password:
Permission denied, please try again.
abe@krum's password:
Permission denied (publickey,password,keyboard-interactive).
!38 Z44 ?255 L1 abe@snitch:pts/18 (zsh 4.3.2) 10:59:21 [~] >
--- End: Not correctly working ssh key login on an Etch machine ---
Doing ssh logins on the Etch i386 machine "aragog" shows exactly the same
behaviour as on krum.
I've diffed /etc/ssh/sshd_config and /etc/pam.d/ssh and they're
identical on malfoy and krum (krum and aragog should be identical,
too, since both sshd_config files are deployed from the same
dphys-config repository; /etc/pam.d/ssh seems to be a Debian default
file):
--- Begin /etc/ssh/sshd_config ---
# this file is installed by dphys-config
Port 22
Protocol 2
HostKey /etc/ssh/ssh_host_key
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
ServerKeyBits 768
LoginGraceTime 600
KeyRegenerationInterval 3600
PermitRootLogin yes
IgnoreRhosts yes
StrictModes yes
X11Forwarding yes
X11DisplayOffset 10
PrintMotd yes
PrintLastLog yes
KeepAlive yes
SyslogFacility AUTH
LogLevel INFO
UsePAM yes
# RhostsAuthentication no
RhostsRSAAuthentication no
HostbasedAuthentication no
RSAAuthentication yes
PasswordAuthentication yes
PermitEmptyPasswords no
Subsystem sftp /usr/lib/sftp-server
--- End /etc/ssh/sshd_config ---
--- Begin /etc/pam.d/ssh ---
#%PAM-1.0
auth required pam_nologin.so
auth sufficient pam_unix.so
auth required pam_ldap.so try_first_pass
auth required pam_env.so # [1]
account sufficient pam_unix.so
account required pam_ldap.so
session sufficient pam_unix.so
session required pam_ldap.so
session optional pam_lastlog.so # [1]
session optional pam_motd.so # [1]
session optional pam_mail.so standard noenv # [1]
session required pam_limits.so
password sufficient pam_unix.so
password required pam_ldap.so
# Alternate strength checking for password. Note that this
# requires the libpam-cracklib package to be installed.
# You will need to comment out the password line above and
# uncomment the next two in order to use this.
#
# password required pam_cracklib.so retry=3 minlen=6 difok=3
# password required pam_unix.so use_authtok nullok md5
--- End /etc/pam.d/ssh ---
Since those two files are identical and only the ssh key login is
affected, I assume the bug is somewhere in the OpenSSH sshd.
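As an added example (not part of this bug report or of Debian's openssh package), a POSIX sh check for the configuration pattern quoted above: it flags a PAM service file that lists pam_nologin.so only in the auth stack. It assumes, as OpenSSH's documented behaviour, that with UsePAM enabled a publickey login runs only the PAM account and session stacks and never the auth stack, so pam_nologin.so under auth alone cannot block key-based logins; the two embedded stacks are constructed from the /etc/pam.d/ssh shown in the report.

```shell
#!/bin/sh
# Audit a PAM service file for /etc/nologin enforcement in the "account"
# stack. The "auth" stack only runs for password/keyboard-interactive
# logins; "account" runs for every sshd login, keys included (assumption
# stated in the lead-in).

# Constructed sample: the auth-only stack from the report (weak).
WEAK_PAM='#%PAM-1.0
auth required pam_nologin.so
auth sufficient pam_unix.so
auth required pam_ldap.so try_first_pass
account sufficient pam_unix.so
account required pam_ldap.so
session sufficient pam_unix.so
session required pam_ldap.so'

# Constructed sample: same stack with nologin also enforced at account time,
# before the sufficient pam_unix.so line so it cannot be short-circuited.
FIXED_PAM='#%PAM-1.0
auth required pam_nologin.so
auth sufficient pam_unix.so
auth required pam_ldap.so try_first_pass
account required pam_nologin.so
account sufficient pam_unix.so
account required pam_ldap.so
session sufficient pam_unix.so
session required pam_ldap.so'

# nologin_in_account <pam-file-contents>
# Prints "ok" and returns 0 when an uncommented "account required|requisite
# pam_nologin.so" line exists; prints "weak" and returns 1 otherwise.
# Note: a commented-out line or an "optional" control flag does not count.
nologin_in_account() {
    if printf '%s\n' "$1" |
        grep -Eq '^[[:space:]]*account[[:space:]]+(required|requisite)[[:space:]]+pam_nologin\.so'
    then
        echo ok
        return 0
    fi
    echo weak
    return 1
}

# check_pam_file <path>: run the same check against a real service file,
# e.g. /etc/pam.d/ssh (a Debian "@include common-account" line is not
# followed; audit the included file separately).
check_pam_file() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 2; }
    nologin_in_account "$(cat "$1")"
}

printf 'stack from report: '; nologin_in_account "$WEAK_PAM" || :
printf 'stack with fix:    '; nologin_in_account "$FIXED_PAM"
```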
-- System Information:
Debian Release: 4.0
APT prefers stable
APT policy: (500, 'stable')
Architecture: amd64 (x86_64)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.23-amd64-1
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Versions of packages openssh-server depends on:
ii adduser 3.102 Add and remove users and groups
ii debconf 1.5.11 Debian configuration management sy
ii dpkg 1.13.25 package maintenance system for Deb
ii libc6 2.3.6.ds1-13etch2 GNU C Library: Shared libraries
ii libcomer 1.39+1.40-WIP-2006.11.14+dfsg-2 common error description library
ii libkrb53 1.4.4-7etch4 MIT Kerberos runtime libraries
ii libpam-m 0.79-4 Pluggable Authentication Modules f
ii libpam-r 0.79-4 Runtime support for the PAM librar
ii libpam0g 0.79-4 Pluggable Authentication Modules l
ii libselin 1.32-3 SELinux shared libraries
ii libssl0. 0.9.8c-4etch1 SSL shared libraries
ii libwrap0 7.6.dbs-13 Wietse Venema's TCP wrappers libra
ii openssh- 1:4.3p2-9 Secure shell client, an rlogin/rsh
ii zlib1g 1:1.2.3-13 compression library - runtime
openssh-server recommends no packages.
-- debconf information:
ssh/new_config: true
* ssh/use_old_init_script: true
ssh/disable_cr_auth: false
ssh/encrypted_host_key_but_no_keygen:
-- System Information:
Debian Release: 4.0
APT prefers stable
APT policy: (500, 'stable')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.23-1-dphys-p3-1gb
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Versions of packages openssh-server depends on:
ii adduser 3.102 Add and remove users and groups
ii debconf 1.5.11 Debian configuration management sy
ii dpkg 1.13.25 package maintenance system for Deb
ii libc6 2.3.6.ds1-13etch2 GNU C Library: Shared libraries
ii libcomer 1.39+1.40-WIP-2006.11.14+dfsg-2 common error description library
ii libkrb53 1.4.4-7etch4 MIT Kerberos runtime libraries
ii libpam-m 0.79-4 Pluggable Authentication Modules f
ii libpam-r 0.79-4 Runtime support for the PAM librar
ii libpam0g 0.79-4 Pluggable Authentication Modules l
ii libselin 1.32-3 SELinux shared libraries
ii libssl0. 0.9.8c-4etch1 SSL shared libraries
ii libwrap0 7.6.dbs-13 Wietse Venema's TCP wrappers libra
ii openssh- 1:4.3p2-9 Secure shell client, an rlogin/rsh
ii zlib1g 1:1.2.3-13 compression library - runtime
openssh-server recommends no packages.
-- debconf information:
ssh/new_config: true
* ssh/use_old_init_script: true
ssh/encrypted_host_key_but_no_keygen:
ssh/disable_cr_auth: false