OpenSSH update - FreeBSD patches vs upstream 10.0p2
Needs Review | Public

Authored by emaste on Wed, Jul 30, 9:04 PM.
This revision needs review, but there are no reviewers specified.

Event Timeline

sshd.8
358–359

This came from 35d4ccfb55769. /var/run/nologin comes from the default login.conf. It looks like this statement isn't quite true, and should actually be "Checks either the path specified by the nologin setting in login.conf (by default, /var/run/nologin) or /etc/nologin if the login.conf setting is not present. If that path exists, it prints the contents and quits."

Unmodified upstream:

static void
do_nologin(struct passwd *pw)
{
        FILE *f = NULL;
        char buf[1024], *nl, *def_nl = _PATH_NOLOGIN;
        struct stat sb;
 
#ifdef HAVE_LOGIN_CAP
        if (login_getcapbool(lc, "ignorenologin", 0) || pw->pw_uid == 0)
                return;
        nl = login_getcapstr(lc, "nologin", def_nl, def_nl);
#else
        if (pw->pw_uid == 0)
                return;
        nl = def_nl;
#endif
        if (stat(nl, &sb) == -1)
                return;
 
        /* /etc/nologin exists.  Print its contents if we can and exit. */
        logit("User %.100s not allowed because %s exists", pw->pw_name, nl);
        if ((f = fopen(nl, "r")) != NULL) {
                while (fgets(buf, sizeof(buf), f))
                        fputs(buf, stderr);
                fclose(f);
        }
        exit(254);
}

But this is an issue independent of the update to 10.0p2.

sshd_config.5
884

If we are using /etc/ssh/shosts.equiv, we should change the documentation in sshd.8 and ssh.1. I'll submit a separate fix, as it is not related to this update. Although, I was not able to make it work.

That change stems from 35d4ccfb5576 ("Document FreeBSD defaults and paths.")