Bug 732

Summary: Number of logins mandated by PAM doesn't work correctly
Product: Portable OpenSSH Reporter: Pádraig Brady <P>
Component: PAM supportAssignee: OpenSSH Bugzilla mailing list <openssh-bugs>
Status: CLOSED WORKSFORME    
Severity: normal    
Priority: P2    
Version: 3.7.1p1   
Hardware: All   
OS: Linux   

Description Pádraig Brady 2003-10-07 22:25:36 AEST 
I have a setup that restricts the number of
logins of a certain user to 1. I had it working
fine with 3.6.1p2, but once 3.7.1p2 was installed
no luck :-( Note I have set "UsePAM yes" explicitly
like is needed in the new version. Also the previous
version needed "UsePriviledgeSeperation no" for
the number of logins to work correctly.

Any input appreciated,
thanks.
Comment 1 Darren Tucker 2003-12-22 21:40:50 AEDT 
Which PAM modules do you have in your sshd PAM stack?
Comment 2 Pádraig Brady 2003-12-23 02:52:13 AEDT 
I just have a /etc/pam.d/other file:

auth     required       pam_unix.so shadow nullok audit
account  required       pam_unix.so shadow nullok audit
account  required       pam_access.so
password required       pam_unix.so shadow nullok audit
session  required       pam_limits.so
session  required       pam_unix.so shadow nullok audit

This is ages ago, but I vaguely remember openssh 3.7.1p2
explicitly ignoring the UsePriviledgeSeperation? which
caused it to break
Comment 3 Darren Tucker 2003-12-23 03:11:07 AEDT 
I had a quick peek at the source of pam_limits and the "logins" limit is
implemented by counting utmp entries.  Are the logins recorded correctly by the
system (ie do the logins show up in "who" and/or "last")?

BTW, the setting of UsePrivilegeSeparation should not be ignored at any time.
Comment 4 Darren Tucker 2004-01-09 02:33:01 AEDT 
Please try a snapshot: this appears to be fixed in -current: I just tried it on
my RH9 system.  This is what I get on the server side:
debug2: User child is on pid 24111
debug3: mm_request_receive entering
Too many logins for 'dtucker'.
Too many logins for 'dtucker'.
PAM: pam_open_session(): Permission denied
debug1: do_cleanup
debug1: PAM: cleanup

The client side gets:
$ ssh -p 2022 localhost
Read from remote host localhost: Connection reset by peer
Connection to localhost closed.

The limit appears to be enforced OK (as a side note: it should probably only
output one session error and shut the connection down cleanly though).
Comment 5 Darren Tucker 2004-01-09 03:55:52 AEDT 
The double-error was a misconfiguration on my end: I had pam_limits listed in
/etc/pam.d/sshd and also in system-auth (which is loaded with pam_stack)
Comment 6 Pádraig Brady 2004-01-22 04:30:44 AEDT 
Thanks for the info

I just have the default
#PasswordAuthentication yes

Note the problem I was having was if I set the login limit to X,
only X-1 people could log in.

I haven't tried the latest version yet.
Comment 7 Darren Tucker 2004-01-22 11:16:20 AEDT 
Are you actually using PAM challenge-response for authentication?  You should
have "PasswordAuthentication no" in your sshd_config.
Comment 8 Damien Miller 2004-02-10 13:46:15 AEDT 
This looks like password auth vs PAM auth. Please reopen the bug if this anaysis
is incorrect.
Comment 9 Damien Miller 2004-04-14 12:24:19 AEST 
Mass change of RESOLVED bugs to CLOSED