Howto by pass ssh /etc/nologin

Discussion:

Fajar Priyanto

2007-06-04 16:09:19 UTC

Hi all,
I'm trying to show a demo on how to modify PAM so that /etc/nologin is bypass
by ssh.
I have modified /etc/pam.d/sshd:
#%PAM-1.0
auth include common-auth
#auth required pam_nologin.so
account include common-account
password include common-password
session include common-session

When I try to ssh into the PC, I get logged in, but immediately got kicked
out. In /var/log/messages I see this:
sshd : User fajar is not allowed because /etc/nologin exists

I have 'grep -r nologin /etc
And have commented some of the entries in apparmor too, but still cannot
login. I once succeeded in bypassing /etc/nologin, but I forget how.

Thank you very much,

--
Fajar Priyanto | Reg'd Linux User #327841 | Linux tutorial
http://linux2.arinet.org
11:09pm up 17:09, 2.6.18.2-34-default GNU/Linux
Let's use OpenOffice. http://www.openoffice.org

Bjoern Voigt

2007-06-04 21:25:15 UTC

Permalink

Post by Fajar Priyanto
I'm trying to show a demo on how to modify PAM so that /etc/nologin is bypass
by ssh.
#%PAM-1.0
auth include common-auth
#auth required pam_nologin.so

[...]

Post by Fajar Priyanto
When I try to ssh into the PC, I get logged in, but immediately got kicked
sshd : User fajar is not allowed because /etc/nologin exists

I think it is not possible to configure sshd so that it ignores
/etc/nologin. The check for /etc/nologin seems to be hard-codes in
/usr/sbin/sshd:

$ strings /usr/sbin/sshd | grep nologin
/etc/nologin

The login behaviour of sshd is described in its manual page (man sshd,
section "LOGIN PROCESS"). The pam_nologin line in /etc/pam.d/sshd seems
to be an additional check.

Björn

Anders Johansson

2007-06-04 22:04:48 UTC

Permalink

Post by Bjoern Voigt

Post by Fajar Priyanto
I'm trying to show a demo on how to modify PAM so that /etc/nologin is
bypass by ssh.
#%PAM-1.0
auth include common-auth
#auth required pam_nologin.so

[...]

Post by Fajar Priyanto
When I try to ssh into the PC, I get logged in, but immediately got
sshd : User fajar is not allowed because /etc/nologin exists

I think it is not possible to configure sshd so that it ignores
/etc/nologin. The check for /etc/nologin seems to be hard-codes in
$ strings /usr/sbin/sshd | grep nologin
/etc/nologin

Yes it is, but at least in 10.1 and 10.2, it is disabled if UsePAM is set to
yes in /etc/ssh/sshd_config. In ssh versions before 4.3p1 it was always
checked

Commenting out the line in pam.d/sshd works for me on 10.1 and 10.2

btw, "strings" will only tell you if it looks at that file at all. It won't
tell you anything about the logic surrounding it. Only the source code can do
that

Fajar Priyanto

2007-06-04 23:39:34 UTC

Permalink

Post by Anders Johansson
Yes it is, but at least in 10.1 and 10.2, it is disabled if UsePAM is set
to yes in /etc/ssh/sshd_config. In ssh versions before 4.3p1 it was always
checked

Yes, I confirm this. On 10.2 I can ssh into it even there's /etc/nologin after
I commented out /etc/pam.d/sshd:
#%PAM-1.0
#auth requisite pam_nologin.so
auth include common-auth
account include common-account
password include common-password
session required pam_loginuid.so
session include common-session

The machine that I'm trying to give the demo is SLES10. Man, I guess they've
hardened the security on the server version. But, I can swear that I and my
friend were able to by pass /etc/nologin on SLES10. I'll ask him ASAP.

--
Fajar Priyanto | Reg'd Linux User #327841 | Linux tutorial
http://linux2.arinet.org
6:39am up 0:19, 2.6.18.2-34-default GNU/Linux
Let's use OpenOffice. http://www.openoffice.org

Anders Johansson

2007-06-05 00:12:34 UTC

Permalink

Post by Fajar Priyanto
The machine that I'm trying to give the demo is SLES10.

No, I was confused. I was sure I was testing it on a 10.1 and a 10.2, but in
fact it was two 10.2 machines. 10.1 (and SLES 10 and SLED 10) have openssh
4.2p1, so it still checks /etc/nologin no matter what you do with pam

At the moment I can't check what happens in SP1. I can do that tomorrow

Fajar Priyanto

2007-06-05 00:37:18 UTC

Permalink

Post by Anders Johansson

Post by Fajar Priyanto
The machine that I'm trying to give the demo is SLES10.

No, I was confused. I was sure I was testing it on a 10.1 and a 10.2, but
in fact it was two 10.2 machines. 10.1 (and SLES 10 and SLED 10) have
openssh 4.2p1, so it still checks /etc/nologin no matter what you do with
pam
At the moment I can't check what happens in SP1. I can do that tomorrow

OK. Looking forward to it.
By the way, do you know any nifty example on how to demo the work of PAM?
Right now, the /etc/nologin is all I have.

--
Fajar Priyanto | Reg'd Linux User #327841 | Linux tutorial
http://linux2.arinet.org
7:37am up 1:16, 2.6.18.2-34-default GNU/Linux
Let's use OpenOffice. http://www.openoffice.org

Anders Johansson

2007-06-05 15:42:59 UTC

Permalink

Post by Fajar Priyanto

Post by Anders Johansson

Post by Fajar Priyanto
The machine that I'm trying to give the demo is SLES10.

No, I was confused. I was sure I was testing it on a 10.1 and a 10.2, but
in fact it was two 10.2 machines. 10.1 (and SLES 10 and SLED 10) have
openssh 4.2p1, so it still checks /etc/nologin no matter what you do with
pam
At the moment I can't check what happens in SP1. I can do that tomorrow

OK. Looking forward to it.

SP1 still has 4.2p1, no change there

Post by Fajar Priyanto
By the way, do you know any nifty example on how to demo the work of PAM?
Right now, the /etc/nologin is all I have.

Well, perhaps the password strength checkers? pam_motd? pam_chroot?

There are quite a few modules in /lib/security. If I were you, I'd look
through the docs in /usr/share/doc/packages/pam and play with it a little

Aaron Kulkis

2007-09-05 04:52:18 UTC

Permalink

Post by Fajar Priyanto
Hi all,
I'm trying to show a demo on how to modify PAM so that /etc/nologin is bypass
by ssh.
#%PAM-1.0
auth include common-auth
#auth required pam_nologin.so
account include common-account
password include common-password
session include common-session
When I try to ssh into the PC, I get logged in, but immediately got kicked
sshd : User fajar is not allowed because /etc/nologin exists

Duh..that's the freaking POINT of /etc/nologin!

Here's an idea -- THINK before you post!

Post by Fajar Priyanto
I have 'grep -r nologin /etc
And have commented some of the entries in apparmor too, but still cannot
login. I once succeeded in bypassing /etc/nologin, but I forget how.

You REMOVE it.

nologin...nologin...no login.... gee, what could that POSSIBLY mean???

DUH.

Post by Fajar Priyanto
Thank you very much,

--
To unsubscribe, e-mail: opensuse+***@opensuse.org
For additional commands, e-mail: opensuse+***@opensuse.org