my sshd_config uses "MaxAuthTries 3" but it allows me to attempt my login 4 times !!?? when i fail the 4th time sshd drops my IP connection.

man says

MaxAuthTries
Specifies the maximum number of authentication attempts permitted per connection. Once the number
of failures reaches half this value, additional failures are logged. The default is 6.

bug, or bad man page, or am i not understanding the meaning as stated in the man page?

You may want to set login attemps with pam. That should resolve issue.

/etc/system-auth

Just add retry=3 to:
password requisite pam_cracklib.so

If that line doesn't exist, you may want to update pam or download pam_passwdqc.

Almost forgot one more big heads up!! There is a bug with some distros. If you have a TIMEOUT, TMOUT set or a screenlock is used and you are login as regular user on console it will lock you out.

You'll have to fix it so that a desired group of people who can login to console as a regular user have read+write to /var/log/faillog.

We fix it by setting an access control list for admin users on /var/log/faillog file.


If anyone else logs in just kill their tty.

i use "pam_tally2.so onerr=fail deny=4 unlock_time=900 audit" in auth to deny logins. we dont deny logins in password.

"retry" in password is for pam_passwdqc.so or pam_cracklib.so "(retry=3) The number of times the module will ask for a new password if the user fails to provide a sufficiently strong password and enter it twice the first time." i use passwdqc with strict password requirements.

i use a combo of pam, sshd, and other timers to fin the connection and/or "lock" the account for failed login attempts (first deny connection for period of time, then after the user can connect back and fails again pam will lock account for a period of time, etc).

i set "3" for ssh but it allowed me to auth 4 times, that seems like a bug or bad man page. perhaps the functionailiy is "the number of allowed retries" which would mean the 1st auth does not count because 1st auth is not a retry, etc.

my systems are init3 with no x installed. i do have TMOUT=300 as a global. i am still testing my pam settings for console and ssh, etc.

Pam supersedes settings in sshd_config. The deny=4 is what is causing it to go to 4th attempt before knocking you out. It is good to still set both though. You're right about password, it wouldn't have any impact I always get retry/deny mixed up.

Sorry.

Here is a system_auth for an example:

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth required pam_tally.so onerr=fail no_magic_root
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so


account required pam_unix.so
account required pam_tally.so per_user deny=3 no_magic_root reset
account sufficient pam_succeed_if.so uid < 500 quiet
account required pam_permit.so

password requisite pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password required pam_deny.so

session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so

nope. if i set my pam deny=10 and sshd_config to 3 sshd kills my IP connection when i fail auth 4 times. pam wont kill the connection, it only tallies the auth's and then locks the account when auth count reaches deny.