On 03/14/12 22:04, "André S." wrote:
> After some more testing I dare to say that this whole /etc/nologin-thing
> in conjunction with ssh can be considered buggy.
>
> Some users get the contents printed before their session is
> disconnected, some users don't. To be honest, I don't really care
> anymore if users get disconnected immediately or get a message before
> that, what really shouldn't happen is that the root user gets locked
> out, too.
>
>
> client$ ssh root@server
> server# echo "NO LOGIN"> /etc/nologin&& exit
> Connection to server closed.
>
> client$ ssh root@server
> NO LOGIN
> Connection to server closed.
>
>
> Could anybody verify that, please?
>
> Regards
> André
>
Indeed, it seems v. 1.251 of session.c got it wrong.
Can you see if this helps?
/Alexander
Index: session.c
===================================================================
RCS file: /cvs/src/usr.bin/ssh/session.c,v
retrieving revision 1.259
diff -u -p -r1.259 session.c
--- session.c 24 Oct 2011 02:13:13 -0000 1.259
+++ session.c 14 Mar 2012 22:21:57 -0000
@@ -1108,7 +1108,7 @@ do_nologin(struct passwd *pw)
char buf[1024], *nl, *def_nl = _PATH_NOLOGIN;
struct stat sb;
- if (login_getcapbool(lc, "ignorenologin", 0) && pw->pw_uid)
+ if (login_getcapbool(lc, "ignorenologin", 0) || pw->pw_uid == 0)
return;
nl = login_getcapstr(lc, "nologin", def_nl, def_nl);
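Review bot: The rewritten test at the top of do_nologin() needs a one-line comment saying that root, and any login class with ignorenologin set, skips the /etc/nologin check. The removed "&& pw->pw_uid" form only returned early for non-root users, which is the opposite of what a reader would expect for root, and the intent is easy to lose again without a note. Consider also putting "pw->pw_uid == 0" first in the "||" so that root returns before the login_getcapbool() lookup on lc is made.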