bin/112574: sshd(8) ignores nologin(5) if using PAM and public key
Yar Tikhiy
yar at FreeBSD.org
Thu May 10 14:30:10 UTC 2007
>Number: 112574
>Category: bin
>Synopsis: sshd(8) ignores nologin(5) if using PAM and public key
>Confidential: no
>Severity: non-critical
>Priority: medium
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Thu May 10 14:30:04 GMT 2007
>Closed-Date:
>Last-Modified:
>Originator: Yar Tikhiy
>Release: FreeBSD 7.0-CURRENT i386
>Organization:
none
>Environment:
System: FreeBSD jujik.ramtel.ru 7.0-CURRENT FreeBSD 7.0-CURRENT #0: Sun Apr 22 15:52:48 MSD 2007 root at jujik.ramtel.ru:/usr/src/sys/i386/compile/JTEST i386
>Description:
If sshd(8) uses PAM, which is the default, nologin(5) has no
effect for sessions using public key authentication.
My analysis:
Currently, pam_nologin(8) provides its service via
pam_sm_authenticate() and the PAM authentication stack.
But sshd(8) doesn't seem to invoke the PAM authentication stack
if the session uses public key authentication; it handles
that kind of authentication internally, so pam_nologin(8)
has no chance to do its job in that case.
>How-To-Repeat:
Create /var/run/nologin and try to log into the system with
public key authentication as a non-root user. See successful
login.
>Fix:
Arguably, pam_nologin(8) should do account management, not
authentication. It's more logical and it should work for
sshd(8), as the latter calls PAM account management stack
irrespective of authentication method used earlier in the
session.
>Release-Note:
>Audit-Trail:
>Unformatted:
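As an added illustration (not part of this PR, and not FreeBSD's actual /etc/pam.d/sshd), the two constructed PAM fragments below show the stack placement the Fix section argues about: a "weak" layout with pam_nologin in the auth stack, which sshd skips for public-key sessions, beside a "fixed" layout with pam_nologin in the account stack, which sshd runs for every session. A small POSIX sh audit function, pam_stacks_for, reports which stack(s) a module appears in, and nologin_enforced_for_pubkey uses it to flag a service file where nologin(5) would be bypassed by public-key logins. Module names and options follow the usual FreeBSD conventions, but both file contents are constructed for this example.

```shell
#!/bin/sh
# Added example: constructed /etc/pam.d/sshd-style fragments plus an
# audit of where pam_nologin sits. Not the real FreeBSD files.

# "Weak" layout: pam_nologin only in the auth stack. sshd(8) does its
# public-key authentication internally and never runs this stack for
# such sessions, so /var/run/nologin is not consulted.
WEAK_CONF='# constructed sample, not the real FreeBSD file
auth     required    pam_nologin.so       no_warn
auth     sufficient  pam_opie.so          no_warn no_fake_prompts
auth     required    pam_unix.so          no_warn try_first_pass
account  required    pam_login_access.so
account  required    pam_unix.so
session  required    pam_permit.so
password required    pam_unix.so          no_warn try_first_pass
'

# "Fixed" layout: pam_nologin in the account stack, which sshd(8) runs
# regardless of the authentication method used earlier in the session.
FIXED_CONF='# constructed sample, not the real FreeBSD file
auth     sufficient  pam_opie.so          no_warn no_fake_prompts
auth     required    pam_unix.so          no_warn try_first_pass
account  required    pam_nologin.so       no_warn
account  required    pam_login_access.so
account  required    pam_unix.so
session  required    pam_permit.so
password required    pam_unix.so          no_warn try_first_pass
'

# pam_stacks_for FILE MODULE: print the stack type (auth, account,
# session, password) of every line that loads MODULE, one per line.
# Comments and blank lines are ignored; a leading path on the module
# (e.g. /usr/lib/pam_nologin.so) is stripped before comparing.
pam_stacks_for() {
    awk -v mod="$2" '
        /^[[:space:]]*(#|$)/ { next }
        { m = $3; sub(/.*\//, "", m)
          if (m == mod || m == mod ".so") print $1 }
    ' "$1"
}

# nologin_enforced_for_pubkey FILE: succeed (exit 0) only if pam_nologin
# is loaded from the account stack, i.e. the one sshd(8) always runs.
nologin_enforced_for_pubkey() {
    pam_stacks_for "$1" pam_nologin | grep -qx account
}

# Write the constructed samples to a scratch directory (hypothetical
# paths; removed when the script exits).
TMPDIR_SAMPLE=$(mktemp -d)
trap 'rm -rf "$TMPDIR_SAMPLE"' EXIT
printf '%s' "$WEAK_CONF"  > "$TMPDIR_SAMPLE/sshd.weak"
printf '%s' "$FIXED_CONF" > "$TMPDIR_SAMPLE/sshd.fixed"

# Report on both samples the way an admin would on a real service file.
for f in "$TMPDIR_SAMPLE/sshd.weak" "$TMPDIR_SAMPLE/sshd.fixed"; do
    if nologin_enforced_for_pubkey "$f"; then
        echo "$f: pam_nologin in account stack; nologin(5) honoured for public-key logins"
    else
        stacks=$(pam_stacks_for "$f" pam_nologin | tr '\n' ' ')
        echo "$f: pam_nologin only in stack(s): ${stacks}; bypassed by public-key auth"
    fi
done
```

Run the same two functions against the real service file (pam_stacks_for /etc/pam.d/sshd pam_nologin) to see which stack a given system relies on; a result that lists only "auth" is exactly the situation this PR describes.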