Linux - Software
My sshd_config uses "MaxAuthTries 3", but it allows me to attempt my login 4 times!? When I fail the 4th time, sshd drops my IP connection.
The man page says:
MaxAuthTries
Specifies the maximum number of authentication attempts permitted per connection. Once the number of failures reaches half this value, additional failures are logged. The default is 6.
Bug, bad man page, or am I not understanding the meaning as stated in the man page?
Almost forgot, one more big heads-up! There is a bug with some distros. If you have a TIMEOUT/TMOUT set or a screen lock is used, and you log in as a regular user on the console, it will lock you out.
You'll have to fix it so that the desired group of people who can log in to the console as a regular user have read+write to /var/log/faillog.
We fix it by setting an access control list for admin users on the /var/log/faillog file.
I use "pam_tally2.so onerr=fail deny=4 unlock_time=900 audit" in auth to deny logins. We don't deny logins in password.
"retry" in password is for pam_passwdqc.so or pam_cracklib.so: "(retry=3) The number of times the module will ask for a new password if the user fails to provide a sufficiently strong password and enter it twice the first time." I use passwdqc with strict password requirements.
I use a combo of PAM, sshd, and other timers to close the connection and/or "lock" the account for failed login attempts (first deny the connection for a period of time; then, after the user can connect back and fails again, PAM will lock the account for a period of time, etc.).
I set "3" for ssh, but it allowed me to auth 4 times; that seems like a bug or a bad man page. Perhaps the functionality is "the number of allowed retries", which would mean the 1st auth does not count because the 1st auth is not a retry, etc.
My systems are init 3 with no X installed. I do have TMOUT=300 as a global. I am still testing my PAM settings for console and ssh, etc.
Last edited by Linux_Kidd; 10-07-2011 at 11:47 AM.
PAM supersedes settings in sshd_config. The deny=4 is what is causing it to go to the 4th attempt before knocking you out. It is good to still set both, though. You're right about password; it wouldn't have any impact. I always get retry/deny mixed up.
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth required pam_tally.so onerr=fail no_magic_root
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so
Nope. If I set my PAM deny=10 and sshd_config to 3, sshd kills my IP connection when I fail auth 4 times. PAM won't kill the connection; it only tallies the auths and then locks the account when the auth count reaches deny.
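The two layers described in this thread (sshd's per-connection MaxAuthTries, which drops the TCP connection, and pam_tally2's deny= tally, which persists across connections and locks the account) can be modelled to see where the "4 attempts with MaxAuthTries 3" comes from. The script below is an added example for this thread, not OpenSSH or Linux-PAM code. Its assumptions are labelled in the code: whether sshd counts the client's initial "none" method request, whether sshd checks the failure count before processing the next request or right after a failure, and the man-page reading of deny=n as "exceeds n". The user name, passwords and attempt sequences are constructed.

```python
"""Added example for this thread, not OpenSSH or Linux-PAM code: a small model
of how sshd's per-connection MaxAuthTries limit and pam_tally2's deny= tally
(which persists across connections) interact.  Everything marked "assumption"
is a modelling choice, not a claim about a particular OpenSSH version."""

from dataclasses import dataclass
from typing import Dict, List


@dataclass
class SshdPolicy:
    max_authtries: int
    # Assumption: whether the client's initial "none" method request (sent to
    # learn which methods are allowed) counts as a failed attempt.
    count_none_probe: bool = False
    # Assumption: when sshd compares failures against MaxAuthTries.
    #   "after"  - right after a failed attempt is processed
    #   "before" - when the next request arrives, before it is processed,
    #              which is what makes the user see one prompt more than
    #              MaxAuthTries
    check_when: str = "after"


@dataclass
class Tally:
    """pam_tally2-style counter for one user; it lives in a file, so it
    survives the connection that sshd drops."""
    deny: int            # deny=n from the pam_tally2 auth line
    count: int = 0       # current tally

    def authenticate(self, password: str, correct: str) -> bool:
        # Assumption (man page wording "exceeds n"): every attempt bumps the
        # tally first; once it exceeds deny= the attempt fails even with the
        # right password, until unlock_time elapses or the tally is reset.
        self.count += 1
        if self.count > self.deny:
            return False
        if password == correct:
            self.count = 0   # success resets the tally
            return True
        return False

    def locked(self) -> bool:
        # The next attempt will be refused whatever the password is.
        return self.count >= self.deny


def ssh_session(policy: SshdPolicy, tally: Tally, typed: List[str],
                correct: str) -> Dict[str, object]:
    """One SSH connection.  `typed` is what the user enters at each password
    prompt; the client prompts locally before sending each request."""
    failures = 1 if policy.count_none_probe else 0
    prompts = 0
    for password in typed:
        prompts += 1
        if policy.check_when == "before" and failures >= policy.max_authtries:
            # sshd drops the TCP connection; this password is never checked,
            # so PAM does not see it and the tally is not bumped.
            return {"prompts": prompts, "outcome": "disconnected",
                    "sshd_failures": failures}
        if tally.authenticate(password, correct):
            return {"prompts": prompts, "outcome": "success",
                    "sshd_failures": failures}
        failures += 1
        if policy.check_when == "after" and failures >= policy.max_authtries:
            return {"prompts": prompts, "outcome": "disconnected",
                    "sshd_failures": failures}
    return {"prompts": prompts, "outcome": "client gave up",
            "sshd_failures": failures}


def scenario(check_when: str, deny: int):
    """The thread's setup: MaxAuthTries 3, a user who keeps typing a wrong
    password until sshd drops him, then reconnects, fails once more, and
    finally types the right password.  Returns both sessions and the tally."""
    policy = SshdPolicy(max_authtries=3, check_when=check_when)
    tally = Tally(deny=deny)
    first = ssh_session(policy, tally, ["wrong"] * 6, "s3cret")
    second = ssh_session(policy, tally, ["wrong", "s3cret"], "s3cret")
    return first, second, tally


if __name__ == "__main__":
    for check_when in ("before", "after"):
        for deny in (4, 10):
            first, second, tally = scenario(check_when, deny)
            print(f"check={check_when:6} deny={deny:2}: 1st session {first}, "
                  f"2nd session {second}, tally={tally.count}, "
                  f"locked={tally.locked()}")
```

With the "before" check and deny=10 the model reproduces the behaviour reported above: four prompts, the connection dropped on the fourth, and no account lock, because the fourth password never reaches PAM. With deny=4 the second connection's correct password is still refused, since the three tallied failures from the first connection plus one more exceed deny=. Which convention a given sshd build actually uses is something to confirm against its source or by testing, as this thread does.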