bin/112574: sshd(8) ignores nologin(5) if using PAM and public key

Yar Tikhiy yar at FreeBSD.org
Thu May 10 14:30:10 UTC 2007


>Number:         112574
>Category:       bin
>Synopsis:       sshd(8) ignores nologin(5) if using PAM and public key
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu May 10 14:30:04 GMT 2007
>Closed-Date:
>Last-Modified:
>Originator:     Yar Tikhiy
>Release:        FreeBSD 7.0-CURRENT i386
>Organization:
none
>Environment:
System: FreeBSD jujik.ramtel.ru 7.0-CURRENT FreeBSD 7.0-CURRENT #0: Sun Apr 22 15:52:48 MSD 2007 root at jujik.ramtel.ru:/usr/src/sys/i386/compile/JTEST i386

>Description:
	If sshd(8) uses PAM, which is the default, nologin(5) has no
	effect for sessions using public key authentication.

	My analysis:

	Currently, pam_nologin(8) provides its service via
	pam_sm_authenticate() and the PAM authentication stack.
	But sshd(8) doesn't seem to invoke the PAM authentication stack
	if the session uses public key authentication; it handles
	that kind of authentication internally, so pam_nologin(8)
	has no chance to do its job in that case.

>How-To-Repeat:
	Create /var/run/nologin and try to log into the system with
	public key authentication as a non-root user.  See successful
	login.

>Fix:
	Arguably, pam_nologin(8) should do account management, not
	authentication.  It's more logical and it should work for
	sshd(8), as the latter calls the PAM account management stack
	irrespective of the authentication method used earlier in the
	session.
>Release-Note:
>Audit-Trail:
>Unformatted:
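
Added example, not part of the original report or of FreeBSD's code: a small audit that parses a PAM service file and reports which facility stacks list pam_nologin, so a host can be checked for the auth-only arrangement described above. The sample configurations are constructed, the default path /etc/pam.d/sshd is an assumption, "include" lines are not followed, and the check assumes the installed pam_nologin module actually implements account management.

```python
import re
import sys

FACILITIES = ("auth", "account", "session", "password")

# Constructed samples (not copied from any real system): pam_nologin attached
# to the auth stack only, and the arrangement the report's Fix section proposes.
SAMPLE_AUTH_ONLY = """\
auth     required  pam_nologin.so  no_warn
auth     required  pam_unix.so     no_warn try_first_pass
account  required  pam_unix.so
"""
SAMPLE_ACCOUNT = """\
auth     required  pam_unix.so     no_warn try_first_pass
account  required  \\
         pam_nologin.so   # continued line
account  required  pam_unix.so
"""

def nologin_facilities(pam_text):
    """Return the set of facilities whose stack lists pam_nologin."""
    joined = re.sub(r"\\\r?\n", " ", pam_text)   # join continued lines
    found = set()
    for raw in joined.splitlines():
        fields = raw.split("#", 1)[0].split()    # drop comments
        if len(fields) < 3:
            continue
        facility = fields[0].lstrip("-").lower()
        modules = [f.rsplit("/", 1)[-1] for f in fields[2:]]
        if facility in FACILITIES and any(m.startswith("pam_nologin") for m in modules):
            found.add(facility)
    return found

def covers_pubkey_logins(pam_text):
    """True if pam_nologin sits in the account stack, the one the report says
    sshd calls whatever authentication method was used."""
    return "account" in nologin_facilities(pam_text)

if __name__ == "__main__":
    # Assumption: the sshd service file is /etc/pam.d/sshd; included
    # stacks ("include" lines) are not followed.
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/pam.d/sshd"
    with open(path) as fh:
        text = fh.read()
    print(path, "pam_nologin in:", sorted(nologin_facilities(text)) or "no stack")
    print("applies to public key sessions:", covers_pubkey_logins(text))
```

A result of False means nologin(5) is enforced only for logins that pass through the PAM authentication stack, which is the condition the report reproduces.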

