LinuxQuestions.org
Old 10-07-2011, 10:32 AM   #1
Linux_Kidd
Bug in openssh-server-4.3p2-72 ??


My sshd_config uses "MaxAuthTries 3" but it allows me to attempt my login 4 times!!?? When I fail the 4th time, sshd drops my IP connection.

The man page says:

MaxAuthTries
Specifies the maximum number of authentication attempts permitted per connection. Once the number
of failures reaches half this value, additional failures are logged. The default is 6.

Bug, or bad man page, or am I not understanding the meaning as stated in the man page?
 
Old 10-07-2011, 11:38 AM   #2
kbscores
You may want to set login attempts with PAM. That should resolve the issue.

/etc/system-auth

Just add retry=3 to:
password requisite pam_cracklib.so

If that line doesn't exist, you may want to update pam or download pam_passwdqc.
 
Old 10-07-2011, 11:46 AM   #3
kbscores
Almost forgot one more big heads up!! There is a bug with some distros. If you have a TIMEOUT, TMOUT set or a screenlock is used and you are logged in as a regular user on the console, it will lock you out.

You'll have to fix it so that a desired group of people who can log in to the console as a regular user have read+write to /var/log/faillog.

We fix it by setting an access control list for admin users on /var/log/faillog file.

Code:
setfacl -m g:admins:rw /var/log/faillog

If anyone else logs in just kill their tty.
 
Old 10-07-2011, 12:42 PM   #4
Linux_Kidd
I use "pam_tally2.so onerr=fail deny=4 unlock_time=900 audit" in auth to deny logins. We don't deny logins in password.

"retry" in password is for pam_passwdqc.so or pam_cracklib.so: "(retry=3) The number of times the module will ask for a new password if the user fails to provide a sufficiently strong password and enter it twice the first time." I use passwdqc with strict password requirements.

I use a combo of PAM, sshd, and other timers to fin the connection and/or "lock" the account for failed login attempts (first deny the connection for a period of time, then after the user can connect back and fails again, PAM will lock the account for a period of time, etc.).

I set "3" for ssh but it allowed me to auth 4 times; that seems like a bug or a bad man page. Perhaps the functionality is "the number of allowed retries", which would mean the 1st auth does not count because the 1st auth is not a retry, etc.

My systems are init 3 with no X installed. I do have TMOUT=300 as a global. I am still testing my PAM settings for console and ssh, etc.

Last edited by Linux_Kidd; 10-07-2011 at 12:47 PM.
 
Old 10-07-2011, 02:12 PM   #5
kbscores
PAM supersedes settings in sshd_config. The deny=4 is what is causing it to go to the 4th attempt before knocking you out. It is good to still set both though. You're right about password, it wouldn't have any impact; I always get retry/deny mixed up.

Sorry.
 
Old 10-07-2011, 02:18 PM   #6
kbscores
Here is a system-auth as an example:

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth required pam_tally.so onerr=fail no_magic_root
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so


account required pam_unix.so
account required pam_tally.so per_user deny=3 no_magic_root reset
account sufficient pam_succeed_if.so uid < 500 quiet
account required pam_permit.so

password requisite pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password required pam_deny.so

session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
 
Old 10-07-2011, 05:06 PM   #7
Linux_Kidd
Quote:
Originally Posted by kbscores
Pam supersedes settings in sshd_config. The deny=4 is what is causing it to go to 4th attempt before knocking you out. It is good to still set both though. You're right about password, it wouldn't have any impact I always get retry/deny mixed up.

Sorry.
Nope. If I set my PAM deny=10 and sshd_config to 3, sshd kills my IP connection when I fail auth 4 times. PAM won't kill the connection; it only tallies the auths and then locks the account when the auth count reaches deny.
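To make the two limits discussed in posts #4 and #7 concrete, here is an added example (not code from the thread, OpenSSH or Linux-PAM) that pulls MaxAuthTries and pam_tally2's deny=/unlock_time= out of constructed config fragments and replays a run of wrong passwords against a simple model of both counters. The model is an assumption: sshd's counter is per connection and, as the poster observed on 4.3p2, allows MaxAuthTries+1 attempts before the disconnect (legacy_count=False allows exactly MaxAuthTries), while pam_tally2's tally is per account, survives reconnects, and refuses the attempt once it has reached deny=.

```python
import re

# Constructed config fragments for the demo (not copied from the poster's hosts).
SSHD_CONFIG = "Port 22\n#MaxAuthTries 6\nMaxAuthTries 3\nMaxAuthTries 9\n"
PAM_AUTH = ("auth required pam_env.so\n"
            "auth required pam_tally2.so onerr=fail deny=4 unlock_time=900 audit\n")

def sshd_max_auth_tries(text):
    """sshd_config(5): keywords are case-insensitive, the first value wins, default 6."""
    for line in text.splitlines():
        m = re.match(r"^\s*MaxAuthTries\s+(\d+)", line, re.IGNORECASE)
        if m:
            return int(m.group(1))
    return 6

def pam_tally2_limits(text):
    """Return (deny, unlock_time) from the first active pam_tally2 line, (0, 0) if none."""
    for line in text.splitlines():
        fields = line.split()
        if fields and not fields[0].startswith("#") and \
                any(f.endswith("pam_tally2.so") for f in fields):
            opts = dict(f.split("=", 1) for f in fields if "=" in f)
            return int(opts.get("deny", 0)), int(opts.get("unlock_time", 0))
    return 0, 0

def simulate(failed_attempts, max_tries, deny, legacy_count=True):
    """Replay wrong passwords and report which limit fires on which attempt.

    Model (assumption, not OpenSSH/PAM source): sshd keeps a per-connection
    failure counter that resets when the client reconnects; legacy_count=True
    allows MaxAuthTries+1 attempts as seen on 4.3p2, False allows MaxAuthTries.
    pam_tally2 keeps a per-account tally across connections and refuses the
    attempt once the tally has reached deny= (deny=0 disables the lock)."""
    allowed = max_tries + 1 if legacy_count else max_tries
    events, conn, conn_failures, tally = [], 1, 0, 0
    for attempt in range(1, failed_attempts + 1):
        if deny and tally >= deny:
            events.append((attempt, conn, "pam_tally2 refuses: account locked"))
            break
        tally += 1
        conn_failures += 1
        if conn_failures >= allowed:
            events.append((attempt, conn, "sshd drops connection"))
            conn, conn_failures = conn + 1, 0
    return events

if __name__ == "__main__":
    tries = sshd_max_auth_tries(SSHD_CONFIG)
    deny, unlock = pam_tally2_limits(PAM_AUTH)
    print(f"MaxAuthTries={tries} deny={deny} unlock_time={unlock}")
    for ev in simulate(6, tries, deny):
        print("attempt %d (connection %d): %s" % ev)
```

With the poster's values (MaxAuthTries 3, deny=4) the run shows sshd dropping the first connection on the 4th failure and pam_tally2 locking the account on the 5th attempt, which arrives over a second connection; with deny=10 only the sshd disconnect fires.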