From yar@comp.chem.msu.su  Thu May 10 14:20:31 2007
Return-Path: <yar@comp.chem.msu.su>
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52])
	by hub.freebsd.org (Postfix) with ESMTP id A235116A400;
	Thu, 10 May 2007 14:20:31 +0000 (UTC)
	(envelope-from yar@comp.chem.msu.su)
Received: from jujik.ramtel.ru (jujik.ramtel.ru [81.19.64.112])
	by mx1.freebsd.org (Postfix) with ESMTP id 2B72713C46C;
	Thu, 10 May 2007 14:20:30 +0000 (UTC)
	(envelope-from yar@comp.chem.msu.su)
Received: from jujik.ramtel.ru (localhost [127.0.0.1])
	by jujik.ramtel.ru (8.14.1/8.13.8) with ESMTP id l4ADjVOh062086;
	Thu, 10 May 2007 17:45:31 +0400 (MSD)
	(envelope-from yar@comp.chem.msu.su)
Received: (from yar@localhost)
	by jujik.ramtel.ru (8.14.1/8.13.8/Submit) id l4ADjV8v062085;
	Thu, 10 May 2007 17:45:31 +0400 (MSD)
	(envelope-from yar@comp.chem.msu.su)
Message-Id: <200705101345.l4ADjV8v062085@jujik.ramtel.ru>
Date: Thu, 10 May 2007 17:45:31 +0400 (MSD)
From: Yar Tikhiy <yar@freebsd.org>
To: FreeBSD-gnats-submit@freebsd.org
Cc: des@freebsd.org
Subject: sshd(8) ignores nologin(5) if using PAM and public key
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         112574
>Category:       bin
>Synopsis:       sshd(8) ignores nologin(5) if using PAM and public key
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    yar
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu May 10 14:30:04 GMT 2007
>Closed-Date:    Fri Aug 17 11:30:33 GMT 2007
>Last-Modified:  Fri Aug 17 11:40:01 GMT 2007
>Originator:     Yar Tikhiy
>Release:        FreeBSD 7.0-CURRENT i386
>Organization:
none
>Environment:
System: FreeBSD jujik.ramtel.ru 7.0-CURRENT FreeBSD 7.0-CURRENT #0: Sun Apr 22 15:52:48 MSD 2007 root@jujik.ramtel.ru:/usr/src/sys/i386/compile/JTEST i386

>Description:
	If sshd(8) uses PAM, which is the default, nologin(5) has no
	effect for sessions using public key authentication.

	My analysis:

	Currently, pam_nologin(8) provides its service via
	pam_sm_authenticate() and the PAM authentication stack.
	But sshd(8) doesn't seem to invoke the PAM authentication stack
	if the session uses public key authentication; it handles
	that kind of authentication internally, so pam_nologin(8)
	has no chance to do its job in that case.

>How-To-Repeat:
	Create /var/run/nologin and try to log into the system with
	public key authentication as a non-root user.  See successful
	login.

>Fix:
	Arguably, pam_nologin(8) should do account management, not
	authentication.  It's more logical and it should work for
	sshd(8), as the latter calls the PAM account management stack
	irrespective of the authentication method used earlier in the
	session.
>Release-Note:
>Audit-Trail:

From: Yar Tikhiy <yar@comp.chem.msu.su>
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: bin/112574: sshd(8) ignores nologin(5) if using PAM and public key
Date: Fri, 11 May 2007 18:00:38 +0400

 FWIW, pam_nologin(8) can provide _both_ authentication and account
 management using the same check function.  By doing so it can satisfy
 all cases.  I.e., PAM authentication consumers will fail as soon
 as possible, like they do now, while sshd(8), cron(8), and atrun(8)
 [1], which do not use PAM authentication, will be able to check for
 nologin(5) at the PAM account management stage.
 
 [1] I have plans for PAM-ifying cron(8) and atrun(8) so that they
 can skip jobs by locked or expired accounts in a consistent way.
 Not running user jobs when nologin(5) exists is quite reasonable.
 
 -- 
 Yar

From: Yar Tikhiy <yar@comp.chem.msu.su>
To: des@freebsd.org
Cc: bug-followup@freebsd.org
Subject: Re: bin/112574: sshd(8) ignores nologin(5) if using PAM and public key
Date: Tue, 5 Jun 2007 14:03:08 +0400

 Hi Dag-Erling,
 
 What do you think about the following patch for pam_nologin?
 
 It addresses two problems described in PR bin/107612 and PR bin/112574.
 First, it adds full support for login.conf(5) so that "nologin" and
 "ignorenologin" capabilities are respected for the current user.
 Second, it adds an account management function identical to the
 authentication one so that pam_nologin can always work for sshd.
 Besides, it adds more error checking to pam_nologin.
 
 By adding an account management function to pam_nologin, it also opens
 pam_nologin for use in services that do implicit authentication,
 such as cron and atrun.
 
 Thanks!
 
 -- 
 Yar
 
 --- //depot/vendor/freebsd/src/lib/libpam/modules/pam_nologin/pam_nologin.8	2001/08/26 18:40:31
 +++ //depot/user/yar/hack/lib/libpam/modules/pam_nologin/pam_nologin.8	2007/05/23 10:30:24
 @@ -24,7 +24,7 @@
  .\"
  .\" $FreeBSD: src/lib/libpam/modules/pam_nologin/pam_nologin.8,v 1.5 2001/08/26 18:05:35 markm Exp $
  .\"
 -.Dd July 8, 2001
 +.Dd May 23, 2007
  .Dt PAM_NOLOGIN 8
  .Os
  .Sh NAME
 @@ -39,34 +39,37 @@
  .Sh DESCRIPTION
  The NoLogin authentication service module for PAM,
  .Nm
 -provides functionality for only one PAM category:
 -authentication.
 +provides the same functionality for two PAM categories:
 +authentication and account management.
  In terms of the
  .Ar module-type
 -parameter, this is the
 +parameter, those are the
  .Dq Li auth
 -feature.
 +and
 +.Dq Li account
 +features.
  It also provides a null function for session management.
  .Ss NoLogin Authentication Module
 -The NoLogin authentication component
 -.Pq Fn pam_sm_authenticate ,
 -always returns success for the superuser,
 -and returns success for all other users
 -if the file
 -.Pa /var/run/nologin
 -does not exist.
 -If
 -.Pa /var/run/nologin
 -does exist,
 -then its contents are echoed
 -to non-superusers
 +The NoLogin authentication component,
 +.Fn pam_sm_authenticate ,
 +verifies whether logins are administratively disabled via
 +.Xr nologin 5 .
 +It returns success if the user's login class has an "ignorenologin"
 +capability specified in
 +.Xr login.conf 5
 +or the
 +.Xr nologin 5
 +file does not exist.
 +If neither condition is met,
 +then the contents of
 +.Xr nologin 5
 +are echoed
  before failure is returned.
 -If a "nologin" capability
 -is specified in
 +The location of
 +.Xr nologin 5
 +is specified by a "nologin" capability in
  .Xr login.conf 5 ,
 -then the file thus specified
 -is used instead.
 -This usually defaults to
 +which defaults to
  .Pa /var/run/nologin .
  .Pp
  The following options may be passed to the authentication module:
 @@ -82,6 +85,13 @@
  reasons why the user's
  authentication attempt was declined.
  .El
 +.Ss NoLogin Account Management Module
 +The NoLogin account management component,
 +.Fn pam_sm_acct_mgmt , 
 +returns the same value as the NoLogin authentication component
 +would return.
 +This component can be used to provide the NoLogin functionality
 +to services that skip PAM authentication.
  .Sh SEE ALSO
  .Xr syslog 3 ,
  .Xr login.conf 5 ,
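
Review bot: the added line ".Fn pam_sm_acct_mgmt , " ends in trailing whitespace; drop it. The new "NoLogin Account Management Module" section also does not say whether the options listed for the authentication component apply to the account component, and one sentence would settle that.
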
 --- //depot/vendor/freebsd/src/lib/libpam/modules/pam_nologin/pam_nologin.c	2006/03/20 17:37:22
 +++ //depot/user/yar/hack/lib/libpam/modules/pam_nologin/pam_nologin.c	2007/05/23 10:28:55
 @@ -47,23 +47,24 @@
  #include <unistd.h>
  
  #define PAM_SM_AUTH
 +#define PAM_SM_ACCOUNT
  
  #include <security/pam_appl.h>
  #include <security/pam_modules.h>
  #include <security/pam_mod_misc.h>
  
 -#define	NOLOGIN	"/var/run/nologin"
 +#define	_PATH_NOLOGIN	"/var/run/nologin"
  
 -static char nologin_def[] = NOLOGIN;
 +static char nologin_def[] = _PATH_NOLOGIN;
  
 -PAM_EXTERN int
 -pam_sm_authenticate(pam_handle_t *pamh, int flags __unused,
 -    int argc __unused, const char *argv[] __unused)
 +static int
 +pam_nologin_check(pam_handle_t *pamh, int flags)
  {
  	login_cap_t *lc;
  	struct passwd *pwd;
  	struct stat st;
  	int retval, fd;
 +	ssize_t ss;
  	const char *user, *nologin;
  	char *mtmp;
  
 @@ -73,42 +74,70 @@
  
  	PAM_LOG("Got user: %s", user);
  
 -	lc = login_getclass(NULL);
 +	pwd = getpwnam(user);
 +	if (pwd == NULL)
 +		return (PAM_USER_UNKNOWN);
 +
 +	/*
 +	 * login_getpwclass(3) will select the "root" class by default
 +	 * if pwd->pw_uid is 0.  That class should have "ignorenologin"
 +	 * capability so that super-user can bypass nologin.
 +	 */
 +	lc = login_getpwclass(pwd);
 +	if (lc == NULL) {
 +		PAM_LOG("Unable to get login class for user %s", user);
 +		return (PAM_SERVICE_ERR);
 +	}
 +
 +	if (login_getcapbool(lc, "ignorenologin", 0)) {
 +		login_close(lc);
 +		return (PAM_SUCCESS);
 +	}
 +
  	nologin = login_getcapstr(lc, "nologin", nologin_def, nologin_def);
 -	login_close(lc);
 -	lc = NULL;
  
  	fd = open(nologin, O_RDONLY, 0);
 -	if (fd < 0)
 +	if (fd < 0) {
 +		login_close(lc);
  		return (PAM_SUCCESS);
 +	}
  
 -	PAM_LOG("Opened %s file", NOLOGIN);
 +	PAM_LOG("Opened %s file", nologin);
  
 -	pwd = getpwnam(user);
 -	if (pwd && pwd->pw_uid == 0)
 -		retval = PAM_SUCCESS;
 -	else {
 -		if (!pwd)
 -			retval = PAM_USER_UNKNOWN;
 -		else
 -			retval = PAM_AUTH_ERR;
 +	if (fstat(fd, &st) == 0) {
 +		mtmp = malloc(st.st_size + 1);
 +		if (mtmp != NULL) {
 +			ss = read(fd, mtmp, st.st_size);
 +			if (ss > 0) {
 +				mtmp[ss] = '\0';
 +				pam_error(pamh, "%s", mtmp);
 +			}
 +			free(mtmp);
 +		}
  	}
  
 -	if (fstat(fd, &st) < 0)
 -		return (retval);
 +	PAM_VERBOSE_ERROR("Administrator refusing you: %s", nologin);
 +
 +	close(fd);
 +	login_close(lc);
 +
 +	return (PAM_AUTH_ERR);
 +}
 +
 +PAM_EXTERN int
 +pam_sm_authenticate(pam_handle_t *pamh, int flags,
 +    int argc __unused, const char *argv[] __unused)
 +{
  
 -	mtmp = malloc(st.st_size + 1);
 -	if (mtmp != NULL) {
 -		read(fd, mtmp, st.st_size);
 -		mtmp[st.st_size] = '\0';
 -		pam_error(pamh, "%s", mtmp);
 -		free(mtmp);
 -	}
 +	return (pam_nologin_check(pamh, flags));
 +}
  
 -	if (retval != PAM_SUCCESS)
 -		PAM_VERBOSE_ERROR("Administrator refusing you: %s", NOLOGIN);
 +PAM_EXTERN int
 +pam_sm_acct_mgmt(pam_handle_t *pamh, int flags,
 +    int argc __unused, const char *argv[] __unused)
 +{
  
 -	return (retval);
 +	return (pam_nologin_check(pamh, flags));
  }
  
  PAM_EXTERN int
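
Review bot: in pam_nologin_check() the explicit "pwd->pw_uid == 0" bypass is removed, so root gets through only when login_getpwclass() returns a class with "ignorenologin"; on a system whose login.conf lacks that capability for the "root" class, root is refused whenever the nologin file exists. Consider keeping the uid 0 check as a fallback, or call out the login.conf requirement for upgraders. Separately, getpwnam() now runs before open(), so an unknown user gets PAM_USER_UNKNOWN even when no nologin file is present, where the old code returned PAM_SUCCESS; if that is intended, say so in the commit message.
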
 --- //depot/vendor/freebsd/src/etc/pam.d/sshd	2003/04/30 22:38:07
 +++ //depot/user/yar/hack/etc/pam.d/sshd	2007/05/23 10:35:59
 @@ -13,6 +13,7 @@
  auth		required	pam_unix.so		no_warn try_first_pass
  
  # account
 +account		required	pam_nologin.so
  #account 	required	pam_krb5.so
  account		required	pam_login_access.so
  account		required	pam_unix.so
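
Review bot: the added "account required pam_nologin.so" line does not show whether an existing auth entry for pam_nologin.so stays in this file. If it does, password logins will run pam_nologin_check() in both stacks and echo the nologin file twice through pam_error(); state which arrangement is intended and adjust the auth section to match.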

From: Dag-Erling Smørgrav <des@des.no>
To: Yar Tikhiy <yar@comp.chem.msu.su>
Cc: bug-followup@freebsd.org
Subject: Re: bin/112574: sshd(8) ignores nologin(5) if using PAM and public key
Date: Tue, 05 Jun 2007 12:42:04 +0200

 Yar Tikhiy <yar@comp.chem.msu.su> writes:
 > Second, it adds an account management function identical to the
 > authentication one so that pam_nologin can always work for sshd.
 
 Strictly speaking, pam_nologin should implement pam_sm_acct_mgmt() and
 *not* implement pam_sm_authenticate().  However, doing so at this point
 would break existing configurations.  You may want to discuss the
 possibility of doing just that for 7.0 with re@.
 
 DES
 -- 
 Dag-Erling Smørgrav - des@des.no

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: bin/112574: commit references a PR
Date: Sun, 10 Jun 2007 18:57:39 +0000 (UTC)

 yar         2007-06-10 18:57:20 UTC
 
   FreeBSD src repository
 
   Modified files:
     .                    UPDATING 
     sys/sys              param.h 
     etc/pam.d            ftpd gdm imap kde login other pop3 rsh 
                          sshd telnetd xdm 
     lib/libpam/modules/pam_nologin pam_nologin.8 pam_nologin.c 
   Log:
   Now pam_nologin(8) will provide an account management function
   instead of an authentication function.  There are a design reason
   and a practical reason for that.  First, the module belongs in
   account management because it checks availability of the account
   and does no authentication.  Second, there are existing and potential
   PAM consumers that skip PAM authentication for good or for bad.
   E.g., sshd(8) just prefers internal routines for public key auth;
   OTOH, cron(8) and atrun(8) do implicit authentication when running
   a job on behalf of its owner, so their inability to use PAM auth
   is fundamental, but they can benefit from PAM account management.
   
   Document this change in the manpage.
   
   Modify /etc/pam.d files accordingly, so that pam_nologin.so is listed
   under the "account" function class.
   
   Bump __FreeBSD_version (mostly for ports, as this change should be
   invisible to C code outside pam_nologin.)
   
   PR:             bin/112574
   Approved by:    des, re
   
   Revision  Changes    Path
   1.493     +18 -0     src/UPDATING
   1.19      +1 -1      src/etc/pam.d/ftpd
   1.8       +1 -1      src/etc/pam.d/gdm
   1.6       +3 -1      src/etc/pam.d/imap
   1.7       +1 -1      src/etc/pam.d/kde
   1.17      +1 -1      src/etc/pam.d/login
   1.11      +1 -1      src/etc/pam.d/other
   1.6       +3 -1      src/etc/pam.d/pop3
   1.6       +1 -1      src/etc/pam.d/rsh
   1.16      +1 -1      src/etc/pam.d/sshd
   1.8       +1 -1      src/etc/pam.d/telnetd
   1.11      +1 -1      src/etc/pam.d/xdm
   1.6       +10 -11    src/lib/libpam/modules/pam_nologin/pam_nologin.8
   1.12      +2 -10     src/lib/libpam/modules/pam_nologin/pam_nologin.c
   1.300     +1 -1      src/sys/sys/param.h
 _______________________________________________
 cvs-all@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/cvs-all
 To unsubscribe, send any mail to "cvs-all-unsubscribe@freebsd.org"
 
State-Changed-From-To: open->patched 
State-Changed-By: yar 
State-Changed-When: Sun Jun 10 19:33:29 UTC 2007 
State-Changed-Why:  
Fixed in HEAD. 


Responsible-Changed-From-To: freebsd-bugs->yar 
Responsible-Changed-By: yar 
Responsible-Changed-When: Sun Jun 10 19:33:29 UTC 2007 
Responsible-Changed-Why:  
MFC reminder. 

(The fix could be MFC'ed in a backward-compatible way.) 

http://www.freebsd.org/cgi/query-pr.cgi?pr=112574 
State-Changed-From-To: patched->closed 
State-Changed-By: yar 
State-Changed-When: Fri Aug 17 11:29:38 UTC 2007 
State-Changed-Why:  
The issue has been addressed in CURRENT and 6-STABLE. 


From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: bin/112574: commit references a PR
Date: Fri, 17 Aug 2007 11:31:05 +0000 (UTC)

 yar         2007-08-17 11:28:25 UTC
 
   FreeBSD src repository
 
   Modified files:        (Branch: RELENG_6)
     lib/libpam/modules/pam_nologin pam_nologin.8 pam_nologin.c 
     etc/pam.d            sshd 
   Log:
   MFC with compatibility shims:
   
   pam_nologin(8) starts to provide an account management function in
   addition to the existing authentication function so that sshd(8) can
   respect nologin(5) while the rest of PAM consumers work as earlier.
   In turn, sshd(8) starts to use the new account management function
   in pam_nologin(8) and thus respect nologin(5) even when doing public
   key authentication with sshd's internal routines (PAM authentication
   isn't called at all in that case).
   
   Based on:
   
     1.12      +2 -10     src/lib/libpam/modules/pam_nologin/pam_nologin.c
     1.6       +10 -11    src/lib/libpam/modules/pam_nologin/pam_nologin.8
     1.16      +1 -1      src/etc/pam.d/sshd
   
   Approved by:    des
   PR:             bin/112574
   
   Revision   Changes    Path
   1.15.12.1  +1 -1      src/etc/pam.d/sshd
   1.5.14.2   +19 -10    src/lib/libpam/modules/pam_nologin/pam_nologin.8
   1.10.14.2  +19 -3     src/lib/libpam/modules/pam_nologin/pam_nologin.c
 
>Unformatted:
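
An added example, not part of the PR or the FreeBSD tree: a shell audit for the condition this report describes, flagging PAM service policies that list pam_nologin.so only under auth. It assumes pam.d-style files (class, control, module per line) and does not follow include lines; the function names and sample policies are constructed.

```shell
#!/bin/sh
# Added example: function names and sample policies are constructed.

# nologin_classes FILE
# Print the PAM function classes whose active (uncommented) lines load
# pam_nologin.so, in fixed order, space-separated. pam.d format assumed.
nologin_classes() {
    awk '
        /^[ \t]*#/ || NF < 3 { next }
        $3 ~ /(^|\/)pam_nologin\.so(\.[0-9]+)?$/ { seen[$1] = 1 }
        END {
            n = split("account auth password session", order, " ")
            out = ""
            for (i = 1; i <= n; i++)
                if (order[i] in seen)
                    out = out (out == "" ? "" : " ") order[i]
            print out
        }' "$1"
}

# verdict FILE
#   ok        - checked in the account stack, so it applies even when the
#               service skips PAM authentication (sshd public key logins)
#   auth-only - the gap from this PR: bypassed when PAM auth is not run
#   absent    - pam_nologin.so not referenced at all
verdict() {
    classes=$(nologin_classes "$1")
    case " $classes " in
        *" account "*) echo ok ;;
        *" auth "*)    echo auth-only ;;
        *)             echo absent ;;
    esac
}

# Constructed sample policies, written to a scratch directory.
demo_dir=$(mktemp -d)
printf '%s\n' 'auth required pam_nologin.so no_warn' \
    'auth required pam_unix.so' '#account required pam_nologin.so' \
    'account required pam_unix.so' > "$demo_dir/sshd.before"
printf '%s\n' 'auth required pam_unix.so' \
    'account required pam_nologin.so' \
    'account required pam_unix.so' > "$demo_dir/sshd.after"
for f in "$demo_dir"/sshd.*; do
    printf '%s: %s\n' "${f##*/}" "$(verdict "$f")"
done
rm -rf "$demo_dir"
```

On a live system the same functions can be looped over the files in /etc/pam.d; any service reporting auth-only that also has a non-PAM authentication path is exposed to the behaviour in this report.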
