Re: Confounded by PAM and OpenSSH on Solaris 10
- From: Darren Tucker <dtucker@xxxxxxxxxxxxxxxx>
- Date: 03 May 2006 03:01:52 GMT
On 2006-05-02, elroy.deng@xxxxxxxxx <elroy.deng@xxxxxxxxx> wrote:
> user1 reports expired and returns PAM_ACCT_EXPIRED. I am not kicked[...]
> out.
> If you look at the sshd debug you will see that my pam module returns
> "debug3: PAM: do_pam_account pam_acct_mgmt = 17 (User account has
> expired)"; however, the user is prompted again for a password. I looked
> at the code and found that do_pam_account() is called from
> sshpam_thread(void *ctxtp). There seems to be no code that kicks the
> user out after a bad attempt; it just goes through the attempts cycle. I
> assume sshd checks the thread's return code; this is how it knows
> whether or not the authentication was successful, so it should be able
> to kick the user out.

Fair enough. kbdint returns a failure but doesn't stop the user from
trying again.

I've opened a bug with a patch:
http://bugzilla.mindrot.org/show_bug.cgi?id=1188

Please try the patch and let me know if it solves your problem.

> If you look at auth2.c in userauth_finish() the code checks for[...]
> errors...
> Here there is a fatal statement saying that access is denied, which I
> assume kicks you out.

Yes, but you only get there if the authentication is successful, which
won't happen in the keyboard-interactive configuration you have.

[...]

> Password:
> User account has expired!
> user1@localhost's password:
> User account has expired!

Are you sure about this one? If PasswordAuthentication is set to no, it
won't even be offered to the client.

> I wonder if "UsePrivilegeSeparation yes" had anything to do with it?

It shouldn't. Can you repeat this one? Is it possible you changed
sshd_config but didn't restart sshd?

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
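
Added example, not part of the original post and not OpenSSH code: a small check that scans sshd debug output for the behaviour discussed in this thread, where pam_acct_mgmt returns a non-zero result for a user and that user is then allowed to start another authentication attempt. The sample log is constructed (modelled on the debug3 line quoted above), and the function name is an assumption of this example.

```python
import re

# Constructed sshd debug lines for illustration; not taken from the thread.
SAMPLE_LOG = """\
debug1: userauth-request for user user1 service ssh-connection method keyboard-interactive
debug3: PAM: do_pam_account pam_acct_mgmt = 17 (User account has expired)
Failed keyboard-interactive/pam for user1 from 192.0.2.10 port 40022 ssh2
debug1: userauth-request for user user1 service ssh-connection method keyboard-interactive
debug3: PAM: do_pam_account pam_acct_mgmt = 17 (User account has expired)
Failed keyboard-interactive/pam for user1 from 192.0.2.10 port 40022 ssh2
debug1: userauth-request for user user2 service ssh-connection method keyboard-interactive
debug3: PAM: do_pam_account pam_acct_mgmt = 0 (Success)
Accepted keyboard-interactive/pam for user2 from 192.0.2.11 port 40100 ssh2
"""

REQ = re.compile(r"userauth-request for user (\S+) service \S+ method \S+")
ACCT = re.compile(r"PAM: do_pam_account pam_acct_mgmt = (\d+) \((.*)\)")


def retries_after_account_denial(log_text):
    """Map each user to the account-check failure and the number of new
    authentication requests sshd accepted from them after that failure."""
    current = None   # user named in the most recent userauth-request
    denied = {}      # user -> (code, reason) of the first failed account check
    retries = {}     # user -> userauth-requests seen after the denial
    for line in log_text.splitlines():
        m = REQ.search(line)
        if m:
            current = m.group(1)
            if current in denied:
                retries[current] = retries.get(current, 0) + 1
            continue
        m = ACCT.search(line)
        # PAM_SUCCESS is 0; any other value means the account check failed.
        if m and current is not None and int(m.group(1)) != 0:
            denied.setdefault(current, (int(m.group(1)), m.group(2)))
    return {
        user: {"code": denied[user][0], "reason": denied[user][1], "retries": n}
        for user, n in retries.items()
    }


if __name__ == "__main__":
    for user, info in retries_after_account_denial(SAMPLE_LOG).items():
        print(f"{user}: pam_acct_mgmt={info['code']} ({info['reason']}), "
              f"{info['retries']} further attempt(s) allowed")
```

An empty result after applying a fix means no user was offered another attempt once the account check had failed.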