I tried to reproduce the bug on sid, and it's not present.

xxxx@yyyyy:~$ ssh xxx.yyy.z.xxx
xxxx@xxx.yyy.z.xx's password: qwert
Connection closed by xxx.yyy.z.xx
xxxx@yyyyy:~$ ssh xxx.yyy.z.xx
Enter passphrase for key '/home/xxxx/.ssh/id_rsa': qwert
Connection closed by xxx.yyy.z.xx
xxxx@yyyyy:~$ ssh -o 'PubkeyAuthentication no' xxx.yyy.z.xx
xxxx@xxx.yyy.z.xx's password: qwert
Connection closed by xxx.yyy.z.xx

On Mon, 2007-10-22 at 12:44 +0200, Axel Beckert wrote:
> Package: openssh-server
> Version: 1:4.3p2-9
> Severity: important
>
> On Etch, I can login on a machine with /etc/nologin existing if I use
> ssh keys. On Sarge I get the message from /etc/nologin and the
> connection is closed immediately which means that I can not login as
> expected.
>
> If I try to login using password, I can't login, but the behaviour is
> someway strange: 3x message from /etc/nologin and 6x password prompt
> although /etc/login is set and recognized. OTOH it is the same way of
> strange on Sarge, too.
>
> Main problem (and subject of this bug report) is that you still can
> login with ssh keys if /etc/nologin is present:
>
> Notes about the examples: snitch and krum are Etch amd64 hosts, aragog
> is an Etch i386 host, malfoy is Sarge i386. krum, aragog and malfoy
> have a /etc/nologin. By default I have keys loaded into ssh-agent for
> logging in on malfoy and krum. "-o 'PubkeyAuthentication no'" disables
> this.)
>
> --- Begin: Correctly working ssh key login on a Sarge machine ---
> !85 Z95 ?0 L1 abe@snitch:pts/2 (zsh 4.3.2) 10:54:29 [~]
> ssh root@malfoy
> Last login: Mon Oct 22 10:28:55 2007 from snitch.ethz.ch
> Linux malfoy 2.4.33.2-1-dphys-p3-1gb #1 Mon Aug 28 16:34:11 CEST 2006 i686 GNU/Linux
>
> [/etc/motd]
>
> malfoy:~# echo "Zu Testzwecken (RT#17192) deaktiviert. --Axel" > /etc/nologin
> malfoy:~# logout
> Connection to malfoy closed.
> !86 Z96 ?0 L1 abe@snitch:pts/2 (zsh 4.3.2) 10:54:51 [~]
> ssh malfoy
> Last login: Mon Oct 22 10:41:08 2007 from snitch.ethz.ch
> Linux malfoy 2.4.33.2-1-dphys-p3-1gb #1 Mon Aug 28 16:34:11 CEST 2006 i686 GNU/Linux
>
> [/etc/motd]
>
> Zu Testzwecken (RT#17192) deaktiviert. --Axel
> Connection to malfoy closed.
> !87 Z97 ?254 L1 abe@snitch:pts/2 (zsh 4.3.2) 10:54:55 [~]
> ssh -o 'PubkeyAuthentication no' malfoy
> Zu Testzwecken (RT#17192) deaktiviert. --Axel
>
> Password:
> Zu Testzwecken (RT#17192) deaktiviert. --Axel
>
> Password:
> Zu Testzwecken (RT#17192) deaktiviert. --Axel
>
> Password:
> abe@malfoy's password:
> Permission denied, please try again.
> abe@malfoy's password:
> Permission denied, please try again.
> abe@malfoy's password:
> Permission denied (publickey,password,keyboard-interactive).
> !7 Z7 ?255 L1 abe@snitch:pts/21 (zsh 4.3.2) 11:02:06 [~]
>
> --- End: Correctly working ssh key login on a Sarge machine ---
>
> --- Begin: Not correctly working ssh key login on a Etch machine ---
> !35 Z40 ?0 L1 abe@snitch:pts/18 (zsh 4.3.2) 10:57:01 [~]
> ssh root@krum
> Last login: Mon Oct 22 10:27:53 2007 from snitch.ethz.ch
>
> [/etc/motd]
>
> krum:~# echo "Zu Testzwecken (RT#17192) deaktiviert. --Axel" > /etc/nologin
> krum:~# logout
> Connection to krum closed.
> !35 Z41 ?0 L1 abe@snitch:pts/18 (zsh 4.3.2) 10:57:42 [~]
> ssh krum
> Last login: Mon Oct 22 10:46:36 2007 from snitch.ethz.ch
>
> [/etc/motd]
>
> !1 Z1 ?0 L1 abe@krum:pts/8 (-zsh 4.3.2) 10:57:46 [~]
> logout
> Connection to krum closed.
> !36 Z42 ?0 L1 abe@snitch:pts/18 (zsh 4.3.2) 10:58:07 [~]
> ssh -o 'PubkeyAuthentication no' krum
> Zu Testzwecken (RT#17192) deaktiviert. --Axel
>
> Password:
> Zu Testzwecken (RT#17192) deaktiviert. --Axel
>
> Password:
> Zu Testzwecken (RT#17192) deaktiviert. --Axel
>
> Password:
> abe@krum's password:
> Permission denied, please try again.
> abe@krum's password:
> Permission denied, please try again.
> abe@krum's password:
> Permission denied (publickey,password,keyboard-interactive).
> !38 Z44 ?255 L1 abe@snitch:pts/18 (zsh 4.3.2) 10:59:21 [~]
>
> --- End: Not correctly working ssh key login on a Etch machine ---
>
> Doing ssh logins on Etch i386 machine "aragog" shows exactly the same
> behaviour as on krum.
>
> I've diffed /etc/ssh/sshd_config and /etc/pam.d/ssh and they're
> identical on malfoy and krum (krum and aragog should be identical,
> too, since both sshd_config files are deployed from the same
> dphys-config repository. /etc/pam.d/ssh seems to be a Debian default
> file):
>
> --- Begin /etc/ssh/sshd_config ---
> # this file is installed by dphys-config
>
> Port 22
> Protocol 2
> HostKey /etc/ssh/ssh_host_key
> HostKey /etc/ssh/ssh_host_rsa_key
> HostKey /etc/ssh/ssh_host_dsa_key
> ServerKeyBits 768
> LoginGraceTime 600
> KeyRegenerationInterval 3600
> PermitRootLogin yes
> IgnoreRhosts yes
> StrictModes yes
> X11Forwarding yes
> X11DisplayOffset 10
> PrintMotd yes
> PrintLastLog yes
> KeepAlive yes
> SyslogFacility AUTH
> LogLevel INFO
> UsePAM yes
> # RhostsAuthentication no
> RhostsRSAAuthentication no
> HostbasedAuthentication no
> RSAAuthentication yes
> PasswordAuthentication yes
> PermitEmptyPasswords no
> Subsystem sftp /usr/lib/sftp-server
> --- End /etc/ssh/sshd_config ---
>
> --- Begin /etc/pam.d/ssh ---
> #%PAM-1.0
> auth required pam_nologin.so
> auth sufficient pam_unix.so
> auth required pam_ldap.so try_first_pass
> auth required pam_env.so # [1]
>
> account sufficient pam_unix.so
> account required pam_ldap.so
>
> session sufficient pam_unix.so
> session required pam_ldap.so
> session optional pam_lastlog.so # [1]
> session optional pam_motd.so # [1]
> session optional pam_mail.so standard noenv # [1]
> session required pam_limits.so
>
> password sufficient pam_unix.so
> password required pam_ldap.so
>
> # Alternate strength checking for password. Note that this
> # requires the libpam-cracklib package to be installed.
> # You will need to comment out the password line above and
> # uncomment the next two in order to use this.
> #
> # password required pam_cracklib.so retry=3 minlen=6 difok=3
> # password required pam_unix.so use_authtok nullok md5
> --- End /etc/pam.d/ssh ---
>
> Since those two files are identical and only the ssh key login is
> affected, I assume the bug is somewhere in the OpenSSH sshd.
>
> -- System Information:
> Debian Release: 4.0
> APT prefers stable
> APT policy: (500, 'stable')
> Architecture: amd64 (x86_64)
> Shell: /bin/sh linked to /bin/bash
> Kernel: Linux 2.6.23-amd64-1
> Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
>
> Versions of packages openssh-server depends on:
> ii adduser 3.102 Add and remove users and groups
> ii debconf 1.5.11 Debian configuration management sy
> ii dpkg 1.13.25 package maintenance system for Deb
> ii libc6 2.3.6.ds1-13etch2 GNU C Library: Shared libraries
> ii libcomer 1.39+1.40-WIP-2006.11.14+dfsg-2 common error description library
> ii libkrb53 1.4.4-7etch4 MIT Kerberos runtime libraries
> ii libpam-m 0.79-4 Pluggable Authentication Modules f
> ii libpam-r 0.79-4 Runtime support for the PAM librar
> ii libpam0g 0.79-4 Pluggable Authentication Modules l
> ii libselin 1.32-3 SELinux shared libraries
> ii libssl0. 0.9.8c-4etch1 SSL shared libraries
> ii libwrap0 7.6.dbs-13 Wietse Venema's TCP wrappers libra
> ii openssh- 1:4.3p2-9 Secure shell client, an rlogin/rsh
> ii zlib1g 1:1.2.3-13 compression library - runtime
>
> openssh-server recommends no packages.
>
> -- debconf information:
> ssh/new_config: true
> * ssh/use_old_init_script: true
> ssh/disable_cr_auth: false
> ssh/encrypted_host_key_but_no_keygen:
>
> -- System Information:
> Debian Release: 4.0
> APT prefers stable
> APT policy: (500, 'stable')
> Architecture: i386 (i686)
> Shell: /bin/sh linked to /bin/bash
> Kernel: Linux 2.6.23-1-dphys-p3-1gb
> Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
>
> Versions of packages openssh-server depends on:
> ii adduser 3.102 Add and remove users and groups
> ii debconf 1.5.11 Debian configuration management sy
> ii dpkg 1.13.25 package maintenance system for Deb
> ii libc6 2.3.6.ds1-13etch2 GNU C Library: Shared libraries
> ii libcomer 1.39+1.40-WIP-2006.11.14+dfsg-2 common error description library
> ii libkrb53 1.4.4-7etch4 MIT Kerberos runtime libraries
> ii libpam-m 0.79-4 Pluggable Authentication Modules f
> ii libpam-r 0.79-4 Runtime support for the PAM librar
> ii libpam0g 0.79-4 Pluggable Authentication Modules l
> ii libselin 1.32-3 SELinux shared libraries
> ii libssl0. 0.9.8c-4etch1 SSL shared libraries
> ii libwrap0 7.6.dbs-13 Wietse Venema's TCP wrappers libra
> ii openssh- 1:4.3p2-9 Secure shell client, an rlogin/rsh
> ii zlib1g 1:1.2.3-13 compression library - runtime
>
> openssh-server recommends no packages.
>
> -- debconf information:
> ssh/new_config: true
> * ssh/use_old_init_script: true
> ssh/encrypted_host_key_but_no_keygen:
> ssh/disable_cr_auth: false
>
>
>
--
aka nxvl
key fingerprint: E140 4CC7 5E3C B6B4 DCA7 F6FD D22E 2FB4 A9BA 6877
gpg --keyserver keyserver.ubuntu.com --recv-keys A9BA6877
I use Free Software, and you?
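An added example, not part of the thread and not code from OpenSSH or Debian: with `UsePAM yes`, sshd runs PAM's `auth` stack only for password and keyboard-interactive logins, while the `account` and `session` stacks run for every method, public keys included. This Python check reports which stacks of a PAM service file list `pam_nologin.so` and whether the `account` stack would actually reach it; the function names and finding labels are assumptions of the example.

```python
import re

# Constructed sample: auth/account/session rules retyped from the quoted
# /etc/pam.d/ssh (optional session rules and password rules omitted).
REPORTED = """\
#%PAM-1.0
auth required pam_nologin.so
auth sufficient pam_unix.so
auth required pam_ldap.so try_first_pass
auth required pam_env.so # [1]
account sufficient pam_unix.so
account required pam_ldap.so
session sufficient pam_unix.so
session required pam_ldap.so
session required pam_limits.so
"""

# type, control (plain word or [bracketed] form), module path
RULE = re.compile(r"^-?(auth|account|session|password)\s+(\[[^\]]*\]|\S+)\s+(\S+)")

def parse_stacks(text):
    """Map each PAM type to its ordered (control, module basename) rules."""
    stacks = {}
    for raw in text.splitlines():
        m = RULE.match(raw.split("#", 1)[0].strip())
        if m:  # comments, blank lines and @include lines are skipped
            ptype, control, module = m.groups()
            stacks.setdefault(ptype, []).append((control, module.rsplit("/", 1)[-1]))
    return stacks

def audit_nologin(text, module="pam_nologin.so"):
    """Return (types that list the module, findings for the account stack)."""
    stacks = parse_stacks(text)
    listed = sorted(t for t, rules in stacks.items()
                    if any(m == module for _, m in rules))
    account = stacks.get("account", [])
    pos = next((i for i, (_, m) in enumerate(account) if m == module), None)
    findings = []
    if pos is None:
        # only the account stack is consulted for key-based logins
        findings.append("missing-from-account")
    elif any(c == "sufficient" for c, _ in account[:pos]):
        # an earlier 'sufficient' success ends the stack before the check
        findings.append("after-sufficient-in-account")
    return listed, findings

if __name__ == "__main__":
    print(audit_nologin(REPORTED))
```

The parser does not follow `@include` lines, so on systems that pull in `common-account` the included file has to be audited separately.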