[Bug 2249] New: sshd ignores PAM_MAXRETRIES pam return value

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Wed Jun 25 20:44:36 EST 2014


https://bugzilla.mindrot.org/show_bug.cgi?id=2249

            Bug ID: 2249
           Summary: sshd ignores PAM_MAXRETRIES pam return value
           Product: Portable OpenSSH
           Version: 6.0p1
          Hardware: amd64
                OS: Linux
            Status: NEW
          Severity: minor
          Priority: P5
         Component: PAM support
          Assignee: unassigned-bugs at mindrot.org
          Reporter: matthijs at stdin.nl

pam_unix contains a hardcoded max retries value of 3. After 3 failed
attempts, it starts to return PAM_MAXRETRIES instead of the normal
failure status. According to the pam_authenticate(3) manpage:

PAM_MAXTRIES
One or more of the authentication modules has reached its limit of
tries authenticating the user. Do not try again.

However, it seems that sshd ignores this and does try again. PAM keeps
a count of failed attempts and on cleanup, when this count is higher
than the max retries, it emits a message to syslog:

Jun 24 02:23:42 login sshd[4821]: PAM service(sshd) ignoring max retries; 6 > 3

This can be worked around by setting AuthMaxTries to 3 in sshd_config,
but it seems that sshd should really listen to pam and handle the
PAM_MAXRETRIES result by not allowing further retries.

I've observed this behaviour on 6.0p1, but looking at the source for
6.6p1 it looks like PAM_RETRIES isn't handled there either. I couldn't
find an easy way to browse the most current VCS version, so I didn't
check there.

See also:
https://git.fedorahosted.org/cgit/linux-pam.git/tree/modules/pam_unix/support.c#n297
https://git.fedorahosted.org/cgit/linux-pam.git/tree/modules/pam_unix/support.c#n803
https://git.fedorahosted.org/cgit/linux-pam.git/tree/modules/pam_unix/support.c#n353
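The following is an added illustration of the control flow the report is about; it is not OpenSSH or Linux-PAM code. It uses a constructed stand-in for pam_unix (a hard-coded retry limit of 3, after which failures are reported as PAM_MAXTRIES) and drives it from a client loop in two modes: one that treats PAM_MAXTRIES like any other failure and keeps prompting up to a MaxAuthTries-style limit, as the reporter observed, and one that stops on PAM_MAXTRIES as pam_authenticate(3) asks. The PAM status values are copied from Linux-PAM's headers and defined locally so the file builds without libpam; the exact point at which real pam_unix switches to PAM_MAXTRIES, the sample passwords and all function names here are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Linux-PAM status codes, defined locally so this file compiles without
 * libpam. The values match <security/_pam_types.h>. */
#define PAM_SUCCESS  0
#define PAM_AUTH_ERR 7
#define PAM_MAXTRIES 8

/* Constructed stand-in for pam_unix (not pam_unix's code): a hard-coded
 * retry limit of 3, after which every further failure is reported as
 * PAM_MAXTRIES rather than PAM_AUTH_ERR. Exactly when pam_unix flips to
 * PAM_MAXTRIES is an assumption here; the point is what the caller does. */
#define PAM_UNIX_MAX_RETRIES 3

struct fake_pam_handle {
    int failures;              /* failed attempts in this session */
    const char *real_password;
};

static int fake_pam_authenticate(struct fake_pam_handle *h, const char *pw)
{
    if (strcmp(pw, h->real_password) == 0)
        return PAM_SUCCESS;
    h->failures++;
    return h->failures >= PAM_UNIX_MAX_RETRIES ? PAM_MAXTRIES : PAM_AUTH_ERR;
}

/* Constructed sample inputs (assumed passwords, not real data). */
static const char *const WRONG_GUESSES[] = {
    "hunter1", "hunter2", "hunter3", "hunter4", "hunter5", "hunter6"
};
#define N_WRONG_GUESSES 6
static const char *const THIRD_TIME_LUCKY[] = {
    "hunter1", "hunter2", "correct-password"
};
#define N_THIRD_TIME_LUCKY 3

/* Drive one authentication session. max_auth_tries plays the role of sshd's
 * MaxAuthTries (default 6). With honour_maxtries == 0 the loop behaves as the
 * report describes sshd: PAM_MAXTRIES is treated like any other failure and
 * the client is prompted again. With honour_maxtries == 1 it follows the
 * pam_authenticate(3) contract and stops at PAM_MAXTRIES.
 * Returns the number of attempts made; *failures_out (may be NULL) receives
 * the failure count the module saw, i.e. the "6" in "6 > 3" from the log. */
static int run_session(const char *const *guesses, int n, int max_auth_tries,
                       int honour_maxtries, int *failures_out)
{
    struct fake_pam_handle h = { 0, "correct-password" };
    int attempts = 0;

    for (int i = 0; i < n && attempts < max_auth_tries; i++) {
        int rc;
        attempts++;
        rc = fake_pam_authenticate(&h, guesses[i]);
        if (rc == PAM_SUCCESS)
            break;
        if (rc == PAM_MAXTRIES && honour_maxtries)
            break;              /* "Do not try again." */
        /* PAM_AUTH_ERR, or PAM_MAXTRIES being ignored: prompt again. */
    }
    if (failures_out)
        *failures_out = h.failures;
    return attempts;
}

/* Same session, returning only the module's failure count. */
static int session_failures(const char *const *guesses, int n,
                            int max_auth_tries, int honour_maxtries)
{
    int f = 0;
    run_session(guesses, n, max_auth_tries, honour_maxtries, &f);
    return f;
}

/* 1 if the stand-in module's cleanup would log "ignoring max retries; N > 3". */
static int module_would_complain(int failures)
{
    return failures > PAM_UNIX_MAX_RETRIES;
}

int main(void)
{
    int f;
    int n;

    n = run_session(WRONG_GUESSES, N_WRONG_GUESSES, 6, 0, &f);
    printf("sshd as reported (MaxAuthTries 6): %d attempts, %d failures, "
           "module complains: %s\n", n, f, module_would_complain(f) ? "yes" : "no");

    n = run_session(WRONG_GUESSES, N_WRONG_GUESSES, 6, 1, &f);
    printf("honouring PAM_MAXTRIES:            %d attempts, %d failures, "
           "module complains: %s\n", n, f, module_would_complain(f) ? "yes" : "no");

    n = run_session(WRONG_GUESSES, N_WRONG_GUESSES, 3, 0, &f);
    printf("workaround, MaxAuthTries 3:        %d attempts, %d failures, "
           "module complains: %s\n", n, f, module_would_complain(f) ? "yes" : "no");
    return 0;
}
```

With six wrong guesses and the default-style limit of 6, the first mode makes all six attempts and leaves the module with 6 failures against its limit of 3, which is the condition behind the reported syslog line; honouring PAM_MAXTRIES stops after the third attempt, and the MaxAuthTries=3 workaround reaches the same count only because the two limits happen to coincide.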
