Please read this before reporting a bug:
https://wiki.archlinux.org/title/Bug_reporting_guidelines
Do NOT report bugs when a package is just outdated, or it is in the AUR. Use the 'flag out of date' link on the package page, or the Mailing List.
REPEAT: Do NOT report bugs for outdated packages!
FS#19213 - [openssh] sshd ignores /etc/nologin, when logging in with key
Attached to Project:
Arch Linux
Opened by niekt0 (niekt0) - Thursday, 22 April 2010, 11:22 GMT
Last edited by Guillaume ALAUX (galaux) - Monday, 17 January 2011, 20:42 GMT
Details
Description:
/etc/nologin is honored by sshd only for password login. If ssh key is used, /etc/nologin is ignored. Seems to be same bug as http://www.mail-archive.com/debian-ssh@lists.debian.org/msg03455.html

* package version(s)
Tested on 5.4p1-4, probably works on other version too.

Steps to reproduce:
1. Create /etc/nologin
2. Users will be unable to login using password, but will login using ssh key.
Closed by Guillaume ALAUX (galaux)
Monday, 17 January 2011, 20:42 GMT
Reason for closing: Fixed
Additional comments about closing: Fixed in 5.6p1-2
http://www.novell.com/support/search.do?cmd=displayKC&docType=kc&externalId=7007116&sliceId=1&docTypeID=DT_TID_1_1
man pam_nologin
Excerpt from Novell's page linked above:
"The default PAM setup allowing SSH login via public key authentication despite the presence of /etc/nologin avoids accidently locking out remote monitoring scripts or (non-root) administrative staff when just regular users, which in most modern installations log in via a remote X11 server or VNC anyway, aren't supposed to log in."
I would suggest modifying /etc/pam.d/sshd:
-auth required pam_nologin.so
+account required pam_nologin.so
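Review bot: the added `account required pam_nologin.so` line also shuts out the non-root key logins (monitoring scripts, administrative staff) that the Novell excerpt above says the default was meant to keep working, and the change carries no comment saying that this is intended. Add a comment above the new line in /etc/pam.d/sshd stating that the check sits in the account group so that key logins are covered, and confirm a root login path works before creating /etc/nologin.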
Tested and works as expected. No-one but root can login when /etc/nologin exists.
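
A way to check a PAM service file for the placement discussed in this report, as an added example that is not part of the original bug thread. The function names `nologin_stacks` and `check_nologin` are hypothetical, the two sample files are constructed, and `include` lines are not followed.

```shell
#!/bin/sh
# Added example: report where a PAM service file loads pam_nologin.so.
# Only constructed sample files are read; "include" lines are not followed.

# Print the management groups (auth, account, ...) that load pam_nologin.so.
nologin_stacks() {
    awk '
        /^[ \t]*#/ || NF < 3 { next }            # skip comments and short lines
        {
            type = $1; sub(/^-/, "", type)       # PAM permits a leading "-" on the type
            for (i = 3; i <= NF; i++)            # module follows the control field(s)
                if ($i ~ /(^|\/)pam_nologin\.so$/) {
                    if (!(type in seen)) { seen[type] = 1; out = out (out ? " " : "") type }
                    break
                }
        }
        END { print out }
    ' "$1"
}

# Verdict for one file: the account group is the placement the report settled on.
check_nologin() {
    case " $(nologin_stacks "$1") " in
        *" account "*) echo "OK account" ;;
        *" auth "*)    echo "WEAK auth-only" ;;
        *)             echo "MISSING" ;;
    esac
}

# Constructed samples: the file before and after the change suggested in the report.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
printf '%s\n' '#%PAM-1.0' 'auth     required pam_unix.so' \
    'auth     required pam_nologin.so' 'account  required pam_unix.so' > "$demo_dir/sshd.before"
printf '%s\n' '#%PAM-1.0' 'auth     required pam_unix.so' \
    'account  required pam_nologin.so' 'account  required pam_unix.so' > "$demo_dir/sshd.after"

for f in "$demo_dir/sshd.before" "$demo_dir/sshd.after"; do
    printf '%s: %s\n' "${f##*/}" "$(check_nologin "$f")"
done
```

To audit a real host, call `check_nologin /etc/pam.d/sshd` and repeat it for any file that service file includes.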