bin/112574: sshd(8) ignores nologin(5) if using PAM and public key

[Yar Tikhiy]

The following reply was made to PR bin/112574; it has been noted by GNATS.

From: Yar Tikhiy <yar at comp.chem.msu.su>
To: bug-followup at FreeBSD.org
Cc:  
Subject: Re: bin/112574: sshd(8) ignores nologin(5) if using PAM and public key
Date: Fri, 11 May 2007 18:00:38 +0400

 FWIW, pam_nologin(8) can provide _both_ authentication and account
 management using the same check function.  By doing so it can satisfy
 all cases.  I.e., PAM authentication consumers will fail as soon
 as possible, like they do now, while sshd(8), cron(8), and atrun(8)
 [1], which do not use PAM authentication, will be able to check for
 nologin(5) at the PAM account management stage.
 
 [1] I have plans for PAM-ifying cron(8) and atrun(8) so that they
 can skip jobs by locked or expired accounts in a consistent way.
 Not running user jobs when nologin(5) exists is quite reasonable.
 
 -- 
 Yar