[Bug 908] AIX OpenSSH allows too many failing login attempts
bugzilla-daemon at mindrot.org
bugzilla-daemon at mindrot.org
Sat Jul 31 09:22:23 EST 2004
http://bugzilla.mindrot.org/show_bug.cgi?id=908
Summary: AIX OpenSSH allows too many failing login attempts
Product: Portable OpenSSH
Version: -current
Platform: All
OS/Version: AIX
Status: NEW
Severity: normal
Priority: P2
Component: sshd
AssignedTo: openssh-bugs at mindrot.org
ReportedBy: matt.small at wellsfargo.com
AIX allows per-user definitions for the maximum number of allowed login attempts
(defaulting to 3). After that limit has been exceeded, the user is locked out,
and must be unlocked by an administrator.
Through OpenSSH, it is possible to get around this restriction, and make
additional login attempts.
To reproduce (assuming the system locks an account after 3 total failed
attempts, and assuming you have 3 attempts per ssh connection):
- start an ssh connection, fail your login twice, and exit out
- start a new session, fail twice, then enter the correct password, and you will
be accepted into the system (note that there were 4 failed attempts before the
successful login)
I believe the problem lies in how OpenSSH determines login permissions. There
is an initial check made to ensure that the user can log in, but after that no
additional checks are made. And once a successful login is made, the counter is
reset, incorrectly allowing future logins.
To fix this, the loginrestrictions() function (AIX-specific) needs to be checked
before each login attempt (_before_ a login is accepted).
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
More information about the openssh-bugs
mailing list