[Bug 908] AIX OpenSSH allows too many failing login attempts

bugzilla-daemon at mindrot.org
Sat Jul 31 09:22:23 EST 2004


http://bugzilla.mindrot.org/show_bug.cgi?id=908

           Summary: AIX OpenSSH allows too many failing login attempts
           Product: Portable OpenSSH
           Version: -current
          Platform: All
        OS/Version: AIX
            Status: NEW
          Severity: normal
          Priority: P2
         Component: sshd
        AssignedTo: openssh-bugs at mindrot.org
        ReportedBy: matt.small at wellsfargo.com


AIX allows per-user definitions for the maximum number of allowed login attempts
(defaulting to 3).  After that limit has been exceeded, the user is locked out,
and must be unlocked by an administrator.

Through OpenSSH, it is possible to get around this restriction, and make
additional login attempts.

To reproduce (assuming the system locks an account after 3 total failed
attempts, and assuming you have 3 attempts per ssh connection):
- start an ssh connection, fail your login twice, and exit out
- start a new session, fail twice, then enter the correct password, and you will
be accepted into the system (note that there were 4 failed attempts before the
successful login)



I believe the problem lies in how OpenSSH determines login permissions.  There
is an initial check made to ensure that the user can log in, but after that no
additional checks are made.  And once a successful login is made, the counter is
reset, incorrectly allowing future logins.

To fix this, the loginrestrictions() function (AIX-specific) needs to be checked
before each login attempt (_before_ a login is accepted).
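To make the reported logic concrete, the following added simulation (not code from the report, from OpenSSH or from AIX) models both flows side by side. The `account` struct is an assumed stand-in for the per-user failed-login record AIX keeps, `may_login()` stands in for `loginrestrictions()` with the assumption that an account is locked once its failed count exceeds the limit, and the usernames, passwords and attempt sequences are constructed sample data. `connection_vulnerable()` checks the restriction only once per connection and resets the counter on success, as the report describes; `connection_fixed()` re-checks before every attempt, which is the fix the report asks for.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define MAX_LOGIN_RETRIES 3        /* AIX loginretries default, per the report */
#define ATTEMPTS_PER_CONNECTION 3  /* attempts sshd allows per connection, per the report */

/* Assumed model of the persistent per-user record (stand-in for AIX's own). */
struct account {
    const char *name;
    const char *password;   /* constructed sample; plaintext only for this simulation */
    int failed_logins;      /* persists across connections, like the AIX counter */
};

/* Stand-in for loginrestrictions(): may the account attempt a login right now?
 * Assumption: locked once failed_logins exceeds MAX_LOGIN_RETRIES. */
static bool may_login(const struct account *a) {
    return a->failed_logins <= MAX_LOGIN_RETRIES;
}

/* Verifies a password and records a failure in the persistent counter. */
static bool check_password(struct account *a, const char *pw) {
    if (strcmp(a->password, pw) == 0)
        return true;
    a->failed_logins++;
    return false;
}

/* Flow as the report describes it: one restriction check at connection start,
 * no re-check afterwards, counter reset on success. */
static bool connection_vulnerable(struct account *a, const char **attempts, int n) {
    if (!may_login(a))
        return false;
    for (int i = 0; i < n && i < ATTEMPTS_PER_CONNECTION; i++) {
        if (check_password(a, attempts[i])) {
            a->failed_logins = 0;   /* reset even though the limit was exceeded mid-session */
            return true;
        }
    }
    return false;
}

/* Fixed flow: the restriction is consulted before every attempt, so a
 * correct password after the limit is exceeded is still refused. */
static bool connection_fixed(struct account *a, const char **attempts, int n) {
    for (int i = 0; i < n && i < ATTEMPTS_PER_CONNECTION; i++) {
        if (!may_login(a))
            return false;
        if (check_password(a, attempts[i])) {
            a->failed_logins = 0;
            return true;
        }
    }
    return false;
}

struct outcome {
    bool accepted;       /* did the second connection end authenticated? */
    int failed_logins;   /* persistent counter after both connections */
};

/* Replays the report's scenario: two failures, disconnect, two more failures,
 * then the correct password (four failures before the correct one). */
static struct outcome replay(bool (*conn)(struct account *, const char **, int)) {
    struct account a = { "alice", "correct-horse", 0 };   /* constructed sample */
    const char *session1[] = { "wrong-1", "wrong-2" };
    const char *session2[] = { "wrong-3", "wrong-4", "correct-horse" };
    conn(&a, session1, 2);
    struct outcome r;
    r.accepted = conn(&a, session2, 3);
    r.failed_logins = a.failed_logins;
    return r;
}

int main(void) {
    struct outcome v = replay(connection_vulnerable);
    struct outcome f = replay(connection_fixed);
    printf("vulnerable flow: accepted=%d failed_logins=%d\n", v.accepted, v.failed_logins);
    printf("fixed flow:      accepted=%d failed_logins=%d\n", f.accepted, f.failed_logins);
    return 0;
}
```

In the vulnerable flow the second connection is accepted and the counter is reset to zero, so the four failures leave no trace; in the fixed flow the third attempt of the second connection is refused because the counter already stands at four, which is the state an administrator would then see and have to unlock.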
