From owner-freebsd-bugs@FreeBSD.ORG Thu May 10 14:30:10 2007
Message-Id: <200705101345.l4ADjV8v062085@jujik.ramtel.ru>
Date: Thu, 10 May 2007 17:45:31 +0400 (MSD)
From: Yar Tikhiy
To: FreeBSD-gnats-submit@FreeBSD.org
Cc: des@FreeBSD.org
Resent-To: freebsd-bugs@FreeBSD.org
X-Send-Pr-Version: 3.113
Subject: bin/112574: sshd(8) ignores nologin(5) if using PAM and public key

>Number:         112574
>Category:       bin
>Synopsis:       sshd(8) ignores nologin(5) if using PAM and public key
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu May 10 14:30:04 GMT 2007
>Closed-Date:
>Last-Modified:
>Originator:     Yar Tikhiy
>Release:        FreeBSD 7.0-CURRENT i386
>Organization:
none
>Environment:
System: FreeBSD jujik.ramtel.ru 7.0-CURRENT FreeBSD 7.0-CURRENT #0: Sun Apr 22 15:52:48 MSD 2007
    root@jujik.ramtel.ru:/usr/src/sys/i386/compile/JTEST i386
>Description:
If sshd(8) uses PAM, which is the default, nologin(5) has no effect for
sessions using public key authentication.

My analysis: Currently, pam_nologin(8) provides its service via
pam_sm_authenticate() and the PAM authentication stack. But sshd(8)
doesn't seem to invoke the PAM authentication stack if the session uses
public key authentication; it handles that kind of authentication
internally, so pam_nologin(8) has no chance to do its job in that case.
>How-To-Repeat:
Create /var/run/nologin and try to log into the system with public key
authentication as a non-root user. See a successful login.
>Fix:
Arguably, pam_nologin(8) should do account management, not
authentication. It's more logical and it should work for sshd(8), as the
latter calls the PAM account management stack irrespective of the
authentication method used earlier in the session.
>Release-Note:
>Audit-Trail:
>Unformatted:
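The following is an added illustration of the mechanism described in this PR; it is not code from FreeBSD, pam_nologin(8) or sshd(8). It models the two PAM stacks sshd runs per authentication method as the report describes them (password logins go through the auth stack and then the account stack; public-key logins are verified inside sshd and only reach the account stack) and shows that a nologin(5) check wired into the auth stack is skipped for public-key sessions while the same check in the account stack is not. Assumptions made for the example: root is exempted by uid 0 (the real module uses the login-class `ignorenologin` capability), `NL_SUCCESS`/`NL_DENIED` stand in for the PAM return codes, and the nologin file is a constructed temporary file rather than /var/run/nologin.

```c
/*
 * Added illustration for PR bin/112574; NOT FreeBSD's pam_nologin(8) or
 * sshd(8) code. Models which PAM stacks sshd runs per auth method and
 * where a nologin(5) check must live to catch public-key logins.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

#define NL_SUCCESS 0   /* stand-in for PAM_SUCCESS  (assumption) */
#define NL_DENIED  1   /* stand-in for PAM_AUTH_ERR (assumption) */

enum auth_method { AUTH_PASSWORD, AUTH_PUBLICKEY };
enum pam_stack   { STACK_AUTH, STACK_ACCOUNT };

/*
 * The nologin(5) policy itself: if the file exists, deny everyone except
 * root and copy the file's text (the message shown to the user) into msg.
 * Root exemption by uid 0 is a simplification of the real login-class check.
 */
int nologin_check(const char *path, uid_t uid, char *msg, size_t msglen)
{
    struct stat st;
    FILE *f;
    size_t n;

    if (stat(path, &st) != 0)
        return NL_SUCCESS;          /* no nologin file: logins allowed */
    if (uid == 0)
        return NL_SUCCESS;          /* root is exempt (simplified) */

    msg[0] = '\0';
    f = fopen(path, "r");
    if (f != NULL) {
        n = fread(msg, 1, msglen - 1, f);
        msg[n] = '\0';
        fclose(f);
    }
    return NL_DENIED;
}

/*
 * Model of sshd's PAM usage as described in the PR: password auth runs the
 * "auth" stack (pam_authenticate) and then the "account" stack
 * (pam_acct_mgmt); public-key auth is done by sshd itself, so only the
 * "account" stack runs. nologin_stack is where the nologin module is
 * configured. Returns 1 if the session is allowed, 0 if denied.
 */
int session_allowed(enum auth_method method, enum pam_stack nologin_stack,
                    const char *nologin_path, uid_t uid,
                    char *msg, size_t msglen)
{
    int run_auth_stack = (method == AUTH_PASSWORD);
    int run_account_stack = 1;

    if (nologin_stack == STACK_AUTH && run_auth_stack &&
        nologin_check(nologin_path, uid, msg, msglen) == NL_DENIED)
        return 0;
    if (nologin_stack == STACK_ACCOUNT && run_account_stack &&
        nologin_check(nologin_path, uid, msg, msglen) == NL_DENIED)
        return 0;
    return 1;
}

/* Creates a throwaway nologin file (constructed sample standing in for
 * /var/run/nologin); path is returned in path_out. 0 on success. */
int make_nologin_file(const char *text, char *path_out, size_t outlen)
{
    char tmpl[] = "/tmp/nologin.XXXXXX";
    int fd = mkstemp(tmpl);

    if (fd < 0)
        return -1;
    if (write(fd, text, strlen(text)) != (ssize_t)strlen(text)) {
        close(fd);
        unlink(tmpl);
        return -1;
    }
    close(fd);
    snprintf(path_out, outlen, "%s", tmpl);
    return 0;
}

int main(void)
{
    char path[64], msg[256];
    uid_t user = 1001;          /* an ordinary, non-root account */
    const char *verdict[] = { "denied", "allowed" };

    if (make_nologin_file("System going down for maintenance.\n",
                          path, sizeof path) != 0)
        return 1;
    printf("auth stack,    password:  %s\n", verdict[session_allowed(
        AUTH_PASSWORD, STACK_AUTH, path, user, msg, sizeof msg)]);
    printf("auth stack,    publickey: %s  <- the bug\n", verdict[session_allowed(
        AUTH_PUBLICKEY, STACK_AUTH, path, user, msg, sizeof msg)]);
    printf("account stack, password:  %s\n", verdict[session_allowed(
        AUTH_PASSWORD, STACK_ACCOUNT, path, user, msg, sizeof msg)]);
    printf("account stack, publickey: %s  <- the proposed fix\n", verdict[session_allowed(
        AUTH_PUBLICKEY, STACK_ACCOUNT, path, user, msg, sizeof msg)]);
    unlink(path);
    return 0;
}
```

The model makes the report's point concrete: with the check in the auth stack, a public-key session never calls it and is allowed despite the nologin file; with the check in the account stack, both authentication methods are denied and root is still let through. In configuration terms the proposed fix corresponds to providing pam_sm_acct_mgmt() in the module and listing pam_nologin.so on an `account` line rather than an `auth` line of the sshd PAM policy, so the check runs from pam_acct_mgmt() regardless of how the user authenticated.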