Package: openssh-server
Version: 1:4.3p2-9
Severity: important

On Etch, I can login on a machine with /etc/nologin existing if I use ssh keys. On Sarge I get the message from /etc/nologin and the connection is closed immediately which means that I can not login as expected.

If I try to login using password, I can't login, but the behaviour is somewhat strange: 3x message from /etc/nologin and 6x password prompt although /etc/login is set and recognized. OTOH it is the same way of strange on Sarge, too.

Main problem (and subject of this bug report) is that you still can login with ssh keys if /etc/nologin is present:

(Notes about the examples: snitch and krum are Etch amd64 hosts, aragog is an Etch i386 host, malfoy is Sarge i386. krum, aragog and malfoy have a /etc/nologin. By default I have keys loaded into ssh-agent for logging in on malfoy and krum. "-o 'PubkeyAuthentication no'" disables this.)

--- Begin: Correctly working ssh key login on a Sarge machine ---
!85 Z95 ?0 L1 [EMAIL PROTECTED]:pts/2 (zsh 4.3.2) 10:54:29 [~] > ssh [EMAIL PROTECTED]
Last login: Mon Oct 22 10:28:55 2007 from snitch.ethz.ch
Linux malfoy 2.4.33.2-1-dphys-p3-1gb #1 Mon Aug 28 16:34:11 CEST 2006 i686 GNU/Linux
[/etc/motd]
malfoy:~# echo "Zu Testzwecken (RT#17192) deaktiviert. --Axel" > /etc/nologin
malfoy:~# logout
Connection to malfoy closed.
!86 Z96 ?0 L1 [EMAIL PROTECTED]:pts/2 (zsh 4.3.2) 10:54:51 [~] > ssh malfoy
Last login: Mon Oct 22 10:41:08 2007 from snitch.ethz.ch
Linux malfoy 2.4.33.2-1-dphys-p3-1gb #1 Mon Aug 28 16:34:11 CEST 2006 i686 GNU/Linux
[/etc/motd]
Zu Testzwecken (RT#17192) deaktiviert. --Axel
Connection to malfoy closed.
!87 Z97 ?254 L1 [EMAIL PROTECTED]:pts/2 (zsh 4.3.2) 10:54:55 [~] > ssh -o 'PubkeyAuthentication no' malfoy
Zu Testzwecken (RT#17192) deaktiviert. --Axel
Password:
Zu Testzwecken (RT#17192) deaktiviert. --Axel
Password:
Zu Testzwecken (RT#17192) deaktiviert. --Axel
Password:
[EMAIL PROTECTED]'s password:
Permission denied, please try again.
[EMAIL PROTECTED]'s password:
Permission denied, please try again.
[EMAIL PROTECTED]'s password:
Permission denied (publickey,password,keyboard-interactive).
!7 Z7 ?255 L1 [EMAIL PROTECTED]:pts/21 (zsh 4.3.2) 11:02:06 [~] >
--- End: Correctly working ssh key login on a Sarge machine ---

--- Begin: Not correctly working ssh key login on an Etch machine ---
!35 Z40 ?0 L1 [EMAIL PROTECTED]:pts/18 (zsh 4.3.2) 10:57:01 [~] > ssh [EMAIL PROTECTED]
Last login: Mon Oct 22 10:27:53 2007 from snitch.ethz.ch
[/etc/motd]
krum:~# echo "Zu Testzwecken (RT#17192) deaktiviert. --Axel" > /etc/nologin
krum:~# logout
Connection to krum closed.
!35 Z41 ?0 L1 [EMAIL PROTECTED]:pts/18 (zsh 4.3.2) 10:57:42 [~] > ssh krum
Last login: Mon Oct 22 10:46:36 2007 from snitch.ethz.ch
[/etc/motd]
!1 Z1 ?0 L1 [EMAIL PROTECTED]:pts/8 (-zsh 4.3.2) 10:57:46 [~] > logout
Connection to krum closed.
!36 Z42 ?0 L1 [EMAIL PROTECTED]:pts/18 (zsh 4.3.2) 10:58:07 [~] > ssh -o 'PubkeyAuthentication no' krum
Zu Testzwecken (RT#17192) deaktiviert. --Axel
Password:
Zu Testzwecken (RT#17192) deaktiviert. --Axel
Password:
Zu Testzwecken (RT#17192) deaktiviert. --Axel
Password:
[EMAIL PROTECTED]'s password:
Permission denied, please try again.
[EMAIL PROTECTED]'s password:
Permission denied, please try again.
[EMAIL PROTECTED]'s password:
Permission denied (publickey,password,keyboard-interactive).
!38 Z44 ?255 L1 [EMAIL PROTECTED]:pts/18 (zsh 4.3.2) 10:59:21 [~] >
--- End: Not correctly working ssh key login on an Etch machine ---

Doing ssh logins on Etch i386 machine "aragog" shows exactly the same behaviour as on krum.

I've diffed /etc/ssh/sshd_config and /etc/pam.d/ssh and they're identical on malfoy and krum (krum and aragog should be identical, too, since both sshd_config files are deployed from the same dphys-config repository.
/etc/pam.d/ssh seems to be a Debian default file):

--- Begin /etc/ssh/sshd_config ---
# this file is installed by dphys-config
Port 22
Protocol 2
HostKey /etc/ssh/ssh_host_key
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
ServerKeyBits 768
LoginGraceTime 600
KeyRegenerationInterval 3600
PermitRootLogin yes
IgnoreRhosts yes
StrictModes yes
X11Forwarding yes
X11DisplayOffset 10
PrintMotd yes
PrintLastLog yes
KeepAlive yes
SyslogFacility AUTH
LogLevel INFO
UsePAM yes
# RhostsAuthentication no
RhostsRSAAuthentication no
HostbasedAuthentication no
RSAAuthentication yes
PasswordAuthentication yes
PermitEmptyPasswords no
Subsystem sftp /usr/lib/sftp-server
--- End /etc/ssh/sshd_config ---

--- Begin /etc/pam.d/ssh ---
#%PAM-1.0
auth       required     pam_nologin.so
auth       sufficient   pam_unix.so
auth       required     pam_ldap.so try_first_pass
auth       required     pam_env.so # [1]
account    sufficient   pam_unix.so
account    required     pam_ldap.so
session    sufficient   pam_unix.so
session    required     pam_ldap.so
session    optional     pam_lastlog.so # [1]
session    optional     pam_motd.so # [1]
session    optional     pam_mail.so standard noenv # [1]
session    required     pam_limits.so
password   sufficient   pam_unix.so
password   required     pam_ldap.so
# Alternate strength checking for password. Note that this
# requires the libpam-cracklib package to be installed.
# You will need to comment out the password line above and
# uncomment the next two in order to use this.
#
# password required pam_cracklib.so retry=3 minlen=6 difok=3
# password required pam_unix.so use_authtok nullok md5
--- End /etc/pam.d/ssh ---

Since those two files are identical and only the ssh key login is affected, I assume the bug is somewhere in the OpenSSH sshd.

-- System Information:
Debian Release: 4.0
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.23-amd64-1
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)

Versions of packages openssh-server depends on:
ii  adduser   3.102                            Add and remove users and groups
ii  debconf   1.5.11                           Debian configuration management sy
ii  dpkg      1.13.25                          package maintenance system for Deb
ii  libc6     2.3.6.ds1-13etch2                GNU C Library: Shared libraries
ii  libcomer  1.39+1.40-WIP-2006.11.14+dfsg-2  common error description library
ii  libkrb53  1.4.4-7etch4                     MIT Kerberos runtime libraries
ii  libpam-m  0.79-4                           Pluggable Authentication Modules f
ii  libpam-r  0.79-4                           Runtime support for the PAM librar
ii  libpam0g  0.79-4                           Pluggable Authentication Modules l
ii  libselin  1.32-3                           SELinux shared libraries
ii  libssl0.  0.9.8c-4etch1                    SSL shared libraries
ii  libwrap0  7.6.dbs-13                       Wietse Venema's TCP wrappers libra
ii  openssh-  1:4.3p2-9                        Secure shell client, an rlogin/rsh
ii  zlib1g    1:1.2.3-13                       compression library - runtime

openssh-server recommends no packages.

-- debconf information:
  ssh/new_config: true
* ssh/use_old_init_script: true
  ssh/disable_cr_auth: false
  ssh/encrypted_host_key_but_no_keygen:

-- System Information:
Debian Release: 4.0
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.23-1-dphys-p3-1gb
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)

Versions of packages openssh-server depends on:
ii  adduser   3.102                            Add and remove users and groups
ii  debconf   1.5.11                           Debian configuration management sy
ii  dpkg      1.13.25                          package maintenance system for Deb
ii  libc6     2.3.6.ds1-13etch2                GNU C Library: Shared libraries
ii  libcomer  1.39+1.40-WIP-2006.11.14+dfsg-2  common error description library
ii  libkrb53  1.4.4-7etch4                     MIT Kerberos runtime libraries
ii  libpam-m  0.79-4                           Pluggable Authentication Modules f
ii  libpam-r  0.79-4                           Runtime support for the PAM librar
ii  libpam0g  0.79-4                           Pluggable Authentication Modules l
ii  libselin  1.32-3                           SELinux shared libraries
ii  libssl0.  0.9.8c-4etch1                    SSL shared libraries
ii  libwrap0  7.6.dbs-13                       Wietse Venema's TCP wrappers libra
ii  openssh-  1:4.3p2-9                        Secure shell client, an rlogin/rsh
ii  zlib1g    1:1.2.3-13                       compression library - runtime

openssh-server recommends no packages.

-- debconf information:
  ssh/new_config: true
* ssh/use_old_init_script: true
  ssh/encrypted_host_key_but_no_keygen:
  ssh/disable_cr_auth: false
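
Added example, not part of the original report and not OpenSSH or Debian code: with UsePAM yes, sshd runs the PAM account and session stacks for every authentication type, but the auth stack only for password and keyboard-interactive logins, so a pam_nologin.so line that sits only under auth is never consulted for a key login. The sketch below parses a PAM service file and flags that placement, plus a pam_nologin.so entry that follows a 'sufficient' module; the sample text is constructed from the /etc/pam.d/ssh quoted above, and the two variants and all function names are assumptions.

```python
import re

# Constructed sample: auth/account/session lines of the /etc/pam.d/ssh quoted in the report.
REPORTED = """\
#%PAM-1.0
auth required pam_nologin.so
auth sufficient pam_unix.so
auth required pam_ldap.so try_first_pass
auth required pam_env.so # [1]
account sufficient pam_unix.so
account required pam_ldap.so
session sufficient pam_unix.so
session required pam_ldap.so
"""
NOLOGIN = "auth required pam_nologin.so\n"
# Constructed variants (assumptions, not from the report): the check moved to the
# account stack, first at the top of that stack, then after a 'sufficient' module.
ACCOUNT_FIRST = REPORTED.replace(NOLOGIN, "account required pam_nologin.so\n")
ACCOUNT_LATE = REPORTED.replace(NOLOGIN, "") + "account required pam_nologin.so\n"

def parse_pam(text):
    """Return {type: [(control, module), ...]} in file order, comments stripped."""
    stacks = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        # type, then a simple or [bracketed] control, then the module name/path
        m = re.match(r"-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)", line)
        if m:
            stacks.setdefault(m.group(1), []).append((m.group(2), m.group(3)))
    return stacks

def nologin_findings(text):
    """List reasons why /etc/nologin may not be enforced for every login method."""
    findings, seen = [], set()
    for ptype, entries in parse_pam(text).items():
        for i, (_, module) in enumerate(entries):
            if not module.endswith("pam_nologin.so"):
                continue
            seen.add(ptype)
            # An earlier 'sufficient' success ends the stack before pam_nologin runs.
            if any(control == "sufficient" for control, _ in entries[:i]):
                findings.append(f"{ptype}: pam_nologin.so follows a 'sufficient' module")
    if not seen:
        findings.append("pam_nologin.so is not configured")
    elif "account" not in seen:
        findings.append("pam_nologin.so only in " + ",".join(sorted(seen))
                        + ": skipped for public key logins")
    return findings

if __name__ == "__main__":
    for name, text in (("reported", REPORTED), ("account first", ACCOUNT_FIRST),
                       ("account late", ACCOUNT_LATE)):
        print(name, "->", nologin_findings(text) or "ok")
```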