On Tue, 17 Jul 2018, Rob Marshall wrote: > Hi, > > I built OpenSSH 7.7p1-1 to try to include some security fixes for an old OS > version (SLES 10). We use a special PAM module for root to allow us to > provide auto-expiring passwords. There is, however, one root password that > should always work. root can login just fine on the console, which I assume > means that the PAM module is working correctly because I can use both the > always should work password and an auto-expiring password. And if I provide > a valid key in authorized_keys I can login via ssh without a password > without any problems. > > I can also login as root just fine via ssh prior to installing the RPM I > built for OpenSSH 7.7p1-1. However, once I install it, I can no longer ssh > as root. I saved the file: /etc/pam.d/sshd from prior to the install and > restore it after the RPM is installed since it overwrites it. I have a > /etc/pam.d/common-auth that has: > test10:/etc/pam.d # cat sshd > #%PAM-1.0 > auth include common-auth > auth required pam_nologin.so I think pam_nologin.so should be in the "account" rather than "auth" stack. I.e. account required pam_nologin.so -d _______________________________________________ openssh-unix-dev mailing list openssh-unix-dev@xxxxxxxxxxx https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
