[Bug 2249] New: sshd ignores PAM_MAXRETRIES pam return value
bugzilla-daemon at mindrot.org
Wed Jun 25 20:44:36 EST 2014
https://bugzilla.mindrot.org/show_bug.cgi?id=2249
Bug ID: 2249
Summary: sshd ignores PAM_MAXRETRIES pam return value
Product: Portable OpenSSH
Version: 6.0p1
Hardware: amd64
OS: Linux
Status: NEW
Severity: minor
Priority: P5
Component: PAM support
Assignee: unassigned-bugs at mindrot.org
Reporter: matthijs at stdin.nl
pam_unix contains a hardcoded max retries value of 3. After 3 failed
attempts, it starts to return PAM_MAXRETRIES instead of the normal
failure status. According to the pam_authenticate(3) manpage:
PAM_MAXTRIES
One or more of the authentication modules has reached its limit of
tries authenticating the user. Do not try again.
However, it seems that sshd ignores this and does try again. PAM keeps
a count of failed attempts and on cleanup, when this count is higher
than the max retries, it emits a message to syslog:
Jun 24 02:23:42 login sshd[4821]: PAM service(sshd) ignoring max retries; 6 > 3
This can be worked around by setting AuthMaxTries to 3 in sshd_config,
but it seems that sshd should really listen to pam and handle the
PAM_MAXRETRIES result by not allowing further retries.
I've observed this behaviour on 6.0p1, but looking at the source for
6.6p1 it looks like PAM_RETRIES isn't handled there either. I couldn't
find an easy way to browse the most current VCS version, so I didn't
check there.
See also:
https://git.fedorahosted.org/cgit/linux-pam.git/tree/modules/pam_unix/support.c#n297
https://git.fedorahosted.org/cgit/linux-pam.git/tree/modules/pam_unix/support.c#n803
https://git.fedorahosted.org/cgit/linux-pam.git/tree/modules/pam_unix/support.c#n353
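The retry behaviour the report describes, as an added example that is not OpenSSH or Linux-PAM code. It models pam_unix with a stub that counts failures and flips to PAM_MAXTRIES once the count reaches its hard-coded limit of 3 (where exactly pam_unix flips, on the third failure or the one after, is a simplification here), and runs two sshd-style loops against it: one that treats PAM_MAXTRIES like any other failure and keeps prompting up to MaxAuthTries, and one that stops as soon as PAM says "do not try again". The numeric constants mirror Linux-PAM's <security/pam_appl.h> so the file builds without libpam; the struct, function names and passwords are constructed for the example.

```c
/* Added example, not OpenSSH or Linux-PAM code. Models the sshd/pam_unix
 * retry interaction from bug 2249 with a stub module so it builds and runs
 * without libpam (assumption: values below match Linux-PAM's header). */
#include <stdio.h>
#include <string.h>

#define PAM_SUCCESS   0
#define PAM_AUTH_ERR  7
#define PAM_MAXTRIES 11

#define UNIX_MAX_RETRIES 3   /* pam_unix's hard-coded retry limit */

/* Stand-in for the per-handle state pam_unix keeps: failure count,
 * plus a flag so callers can see whether authentication succeeded. */
struct stub_pam {
    const char *good_password;   /* constructed credential for the demo */
    int failures;
    int authenticated;
};

/* Stand-in for pam_authenticate() as implemented by pam_unix: returns
 * PAM_AUTH_ERR for failures below the limit and PAM_MAXTRIES once the
 * failure count reaches UNIX_MAX_RETRIES (simplified placement). */
static int stub_pam_authenticate(struct stub_pam *p, const char *password)
{
    if (strcmp(password, p->good_password) == 0) {
        p->authenticated = 1;
        return PAM_SUCCESS;
    }
    p->failures++;
    return p->failures >= UNIX_MAX_RETRIES ? PAM_MAXTRIES : PAM_AUTH_ERR;
}

/* Stand-in for pam_unix's cleanup: returns 1 if it would log
 * "PAM service(sshd) ignoring max retries; N > 3", i.e. the application
 * kept calling pam_authenticate() after the limit was reached. */
static int stub_pam_end_warns(const struct stub_pam *p)
{
    return p->failures > UNIX_MAX_RETRIES;
}

/* Behaviour the report describes: keep prompting until max_auth_tries
 * (sshd's MaxAuthTries), treating PAM_MAXTRIES like any other failure.
 * pw[] holds the passwords the client would offer; returns attempts made. */
static int auth_loop_ignoring_maxtries(struct stub_pam *p, const char *pw[],
                                       int n, int max_auth_tries)
{
    int attempts = 0;
    for (int i = 0; i < n && attempts < max_auth_tries; i++) {
        attempts++;
        if (stub_pam_authenticate(p, pw[i]) == PAM_SUCCESS)
            break;
    }
    return attempts;
}

/* Behaviour the reporter asks for: honour PAM_MAXTRIES and stop prompting,
 * regardless of how many MaxAuthTries attempts remain. */
static int auth_loop_honouring_maxtries(struct stub_pam *p, const char *pw[],
                                        int n, int max_auth_tries)
{
    int attempts = 0;
    for (int i = 0; i < n && attempts < max_auth_tries; i++) {
        attempts++;
        int rc = stub_pam_authenticate(p, pw[i]);
        if (rc == PAM_SUCCESS || rc == PAM_MAXTRIES)
            break;               /* PAM_MAXTRIES: "Do not try again." */
    }
    return attempts;
}

int main(void)
{
    /* Constructed input: a client that guesses six wrong passwords
     * against a server configured with MaxAuthTries 6. */
    const char *wrong[] = { "hunter1", "hunter2", "hunter3",
                            "hunter4", "hunter5", "hunter6" };
    struct stub_pam a = { "correct-horse", 0, 0 };
    struct stub_pam b = { "correct-horse", 0, 0 };

    int n1 = auth_loop_ignoring_maxtries(&a, wrong, 6, 6);
    int n2 = auth_loop_honouring_maxtries(&b, wrong, 6, 6);

    printf("ignoring PAM_MAXTRIES:  %d attempts, cleanup warning: %s\n",
           n1, stub_pam_end_warns(&a) ? "yes" : "no");
    printf("honouring PAM_MAXTRIES: %d attempts, cleanup warning: %s\n",
           n2, stub_pam_end_warns(&b) ? "yes" : "no");
    return 0;
}
```

With MaxAuthTries 6 the first loop lets the client burn all six guesses and trips pam_unix's cleanup warning (6 > 3); the second stops after the third failure, which is also what the reporter's workaround of lowering MaxAuthTries to 3 achieves, but without having to know the module's limit in sshd_config.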