[Bug 1237] Behaviour of openssh with pam_tally is very buggy
bugzilla-daemon at mindrot.org
Mon Sep 25 22:39:40 EST 2006
http://bugzilla.mindrot.org/show_bug.cgi?id=1237
Summary: Behaviour of openssh with pam_tally is very buggy
Product: Portable OpenSSH
Version: 4.3p2
Platform: Other
OS/Version: Linux
Status: NEW
Severity: normal
Priority: P2
Component: PAM support
AssignedTo: bitbucket at mindrot.org
ReportedBy: dave at cirt.net
This flavour of openssh doesn't support pam_tally very well, leading to
the risk that users may find themselves locked out of other applications
- even with valid credentials - or may be able to access the system when
the account should be locked out.
Base system: Fedora Core 5, added pam_tally lines to
/etc/pam.d/system-auth as follows:
auth required /lib/security/$ISA/pam_tally.so onerr=fail deny=5
account required /lib/security/$ISA/pam_tally.so
This leads to the following buggy behaviour: (using password
authentication)
1) The tally only increases once with each ssh session, not with each
bad password (as the default is 3 tries before failure, this means I
can get in 3 bad passwords for one tally).
2) The tally doesn't update properly, using /sbin/pam_tally unless I
fail authentication using another mechanism (e.g. sudo) - try this
order (deliberately using bad passwords):
ssh 127.0.0.1
/sbin/pam_tally (no entries)
sudo ls
/sbin/pam_tally (entry for sudo failure plus one for ssh)
3) SSH doesn't actually lock you out when you've gone over your tally
limit - even though other services do.
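As an added illustration of the check pam_tally performs at the account stage (not part of the bug report, and not OpenSSH or Linux-PAM code), a small Python helper that reads the tally file pam_tally keeps and flags UIDs whose count has reached the deny= limit on the auth line above. The 32-byte per-UID record layout is assumed from a 64-bit Linux build, the sample file contents are constructed, and all function names are hypothetical.

```python
import struct

# Assumed record layout of /var/log/faillog on 64-bit Linux, one record
# per UID: short fail_cnt; short fail_max; char fail_line[12];
# time_t fail_time; long fail_locktime  -> 32 bytes, little-endian.
FAILLOG_FMT = "<hh12sqq"
RECORD_SIZE = struct.calcsize(FAILLOG_FMT)  # 32

def parse_deny(pam_line):
    """Return N from a 'deny=N' option on a pam_tally line; 0 = no limit."""
    for tok in pam_line.split():
        if tok.startswith("deny="):
            return int(tok.split("=", 1)[1])
    return 0

def read_tally(data, uid):
    """Return (fail_cnt, fail_line, fail_time) for uid; zeros if absent."""
    off = uid * RECORD_SIZE
    chunk = data[off:off + RECORD_SIZE]
    if len(chunk) < RECORD_SIZE:
        return (0, "", 0)  # no record written yet means a zero tally
    cnt, _max, line, when, _lock = struct.unpack(FAILLOG_FMT, chunk)
    return (cnt, line.split(b"\0", 1)[0].decode(), when)

def over_limit(data, uid, deny):
    """True when the stored tally has reached the configured deny count."""
    return deny > 0 and read_tally(data, uid)[0] >= deny

def locked_uids(data, deny):
    """Every UID the account module should now refuse (what the report
    says other services honour but sshd does not)."""
    n = len(data) // RECORD_SIZE
    return [uid for uid in range(n) if over_limit(data, uid, deny)]

def make_record(cnt, line, when):
    """Build one constructed faillog record for the sample below."""
    return struct.pack(FAILLOG_FMT, cnt, 0,
                       line.encode().ljust(12, b"\0"), when, 0)

# Constructed sample: UIDs 0..999 clean, UID 1000 with 5 failures via ssh.
SAMPLE = make_record(0, "", 0) * 1000 + make_record(5, "ssh", 1159184380)
PAM_AUTH_LINE = ("auth required /lib/security/$ISA/pam_tally.so "
                 "onerr=fail deny=5")
```

Reading the real file needs root and `open("/var/log/faillog", "rb").read()` in place of SAMPLE; a UID reported by locked_uids that can still log in over ssh is the behaviour described in point 3.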