[Bug 3766] New: openssh PerSourcePenalties and pam_nologin interaction

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Fri Dec 13 20:05:21 AEDT 2024


https://bugzilla.mindrot.org/show_bug.cgi?id=3766

            Bug ID: 3766
           Summary: openssh PerSourcePenalties and pam_nologin interaction
           Product: Portable OpenSSH
           Version: 9.8p1
          Hardware: ARM64
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P5
         Component: PAM support
          Assignee: unassigned-bugs at mindrot.org
          Reporter: travier at redhat.com

Issue:

Repeated connection attempts to a system before it is ready (i.e.
during boot, while `/run/nologin` still exists) will count as failed
connection attempts and will trigger the PerSourcePenalties logic in
openssh.

Expected behavior:

Connections rejected by pam_nologin should not count as a penalty for
the PerSourcePenalties penalty option in openssh.

Links:

The PerSourcePenalties option has been added in OpenSSH 9.8:
- https://www.openssh.com/txt/release-9.8
- https://man.openbsd.org/sshd_config#PerSourcePenalties

How to reproduce:

- Using openssh 9.8p1 from Fedora 41, on a system with PAM support
enabled in sshd config
- Boot a system with a service ordered before
systemd-user-sessions.service and that will take a bit of time
- Attempt to connect to the system via SSH regularly during boot
- After a few failed connection attempts, those will be denied for a
few seconds, and then will be allowed again, making it look like the
system is taking longer than expected to come up

Logs:

Dec 12 09:20:57 localhost.localdomain systemd[1]: Starting sshd.service
- OpenSSH server daemon...
Dec 12 09:20:57 localhost.localdomain (sshd)[1050]: sshd.service:
Referenced but unset environment variable evaluates to an empty string:
OPTIONS
Dec 12 09:20:57 localhost.localdomain sshd[1050]: Server listening on
0.0.0.0 port 22.
Dec 12 09:20:57 localhost.localdomain sshd[1050]: Server listening on
:: port 22.
Dec 12 09:20:57 localhost.localdomain systemd[1]: Started sshd.service
- OpenSSH server daemon.
Dec 12 09:20:57 localhost.localdomain sshd-session[1106]: Connection
closed by 192.168.127.1 port 35348
Dec 12 09:20:57 localhost.localdomain sshd-session[1105]: fatal: Access
denied for user core by PAM account configuration [preauth]
Dec 12 09:20:58 localhost.localdomain sshd-session[1159]: fatal: Access
denied for user core by PAM account configuration [preauth]
Dec 12 09:20:58 localhost.localdomain sshd-session[1164]: Connection
closed by 192.168.127.1 port 35351
Dec 12 09:20:58 localhost.localdomain sshd-session[1165]: fatal: Access
denied for user core by PAM account configuration [preauth]
Dec 12 09:20:59 localhost.localdomain sshd[1050]: drop connection #0
from [192.168.127.1]:35353 on [192.168.127.2]:22 penalty: failed
authentication
Dec 12 09:20:59 localhost.localdomain sshd[1050]: drop connection #0
from [192.168.127.1]:35354 on [192.168.127.2]:22 penalty: failed
authentication
Dec 12 09:20:59 localhost.localdomain sshd[1050]: drop connection #0
from [192.168.127.1]:35355 on [192.168.127.2]:22 penalty: failed
authentication
Dec 12 09:21:00 localhost.localdomain sshd[1050]: drop connection #0
from [192.168.127.1]:35356 on [192.168.127.2]:22 penalty: failed
authentication
Dec 12 09:21:01 localhost.localdomain sshd[1050]: drop connection #0
from [192.168.127.1]:35357 on [192.168.127.2]:22 penalty: failed
authentication
Dec 12 09:21:01 localhost.localdomain sshd[1050]: drop connection #0
from [192.168.127.1]:35358 on [192.168.127.2]:22 penalty: failed
authentication
Dec 12 09:21:01 localhost.localdomain sshd[1050]: drop connection #0
from [192.168.127.1]:35359 on [192.168.127.2]:22 penalty: failed
authentication
Dec 12 09:21:02 localhost.localdomain sshd[1050]: drop connection #0
from [192.168.127.1]:35360 on [192.168.127.2]:22 penalty: failed
authentication
Dec 12 09:21:03 localhost.localdomain sshd[1050]: drop connection #0
from [192.168.127.1]:35361 on [192.168.127.2]:22 penalty: failed
authentication
Dec 12 09:21:04 localhost.localdomain sshd[1050]: drop connection #0
from [192.168.127.1]:35362 on [192.168.127.2]:22 penalty: failed
authentication
Dec 12 09:21:05 localhost.localdomain sshd[1050]: drop connection #0
from [192.168.127.1]:35363 on [192.168.127.2]:22 penalty: failed
authentication
Dec 12 09:21:05 localhost.localdomain sshd[1050]: drop connection #0
from [192.168.127.1]:35364 on [192.168.127.2]:22 penalty: failed
authentication
Dec 12 09:21:05 localhost.localdomain sshd[1050]: drop connection #0
from [192.168.127.1]:35365 on [192.168.127.2]:22 penalty: failed
authentication
Dec 12 09:21:06 localhost.localdomain sshd[1050]: drop connection #0
from [192.168.127.1]:35366 on [192.168.127.2]:22 penalty: failed
authentication
Dec 12 09:21:07 localhost.localdomain sshd[1050]: drop connection #0
from [192.168.127.1]:35367 on [192.168.127.2]:22 penalty: failed
authentication
Dec 12 09:21:08 localhost.localdomain sshd[1050]: drop connection #0
from [192.168.127.1]:35368 on [192.168.127.2]:22 penalty: failed
authentication
Dec 12 09:21:09 localhost.localdomain sshd[1050]: drop connection #0
from [192.168.127.1]:35369 on [192.168.127.2]:22 penalty: failed
authentication
Dec 12 09:21:10 localhost.localdomain sshd[1050]: drop connection #0
from [192.168.127.1]:35370 on [192.168.127.2]:22 penalty: failed
authentication
Dec 12 09:21:11 localhost.localdomain sshd[1050]: drop connection #0
from [192.168.127.1]:35371 on [192.168.127.2]:22 penalty: failed
authentication
Dec 12 09:21:12 localhost.localdomain sshd[1050]: drop connection #0
from [192.168.127.1]:35372 on [192.168.127.2]:22 penalty: failed
authentication
Dec 12 09:21:13 localhost.localdomain sshd[1050]: drop connection #0
from [192.168.127.1]:35373 on [192.168.127.2]:22 penalty: failed
authentication
Dec 12 09:21:13 localhost.localdomain sshd[1050]: drop connection #0
from [192.168.127.1]:35374 on [192.168.127.2]:22 penalty: failed
authentication
Dec 12 09:21:13 localhost.localdomain sshd[1050]: drop connection #0
from [192.168.127.1]:35375 on [192.168.127.2]:22 penalty: failed
authentication
Dec 12 09:21:14 localhost.localdomain sshd[1050]: drop connection #0
from [192.168.127.1]:35376 on [192.168.127.2]:22 penalty: failed
authentication
Dec 12 09:21:15 localhost.localdomain sshd[1050]: drop connection #0
from [192.168.127.1]:35377 on [192.168.127.2]:22 penalty: failed
authentication
Dec 12 09:21:16 localhost.localdomain sshd[1050]: drop connection #0
from [192.168.127.1]:35378 on [192.168.127.2]:22 penalty: failed
authentication
Dec 12 09:21:17 localhost.localdomain sshd[1050]: drop connection #0
from [192.168.127.1]:35379 on [192.168.127.2]:22 penalty: failed
authentication
Dec 12 09:21:18 localhost.localdomain sshd[1050]: drop connection #0
from [192.168.127.1]:35380 on [192.168.127.2]:22 penalty: failed
authentication
Dec 12 09:21:19 localhost.localdomain sshd[1050]: drop connection #0
from [192.168.127.1]:35381 on [192.168.127.2]:22 penalty: failed
authentication
Dec 12 09:21:20 localhost.localdomain sshd-session[1329]: Accepted
publickey for core from 192.168.127.1 port 35382 ssh2: ED25519
SHA256:E0ty9Qq3PssWY7boh8+9BKC3uIC7HpwCTgOr29E1K1I
Dec 12 09:21:20 localhost.localdomain sshd-session[1329]:
pam_systemd(sshd:session): New sd-bus connection
(system-bus-pam-systemd-1329) opened.
Dec 12 09:21:20 localhost.localdomain sshd-session[1329]:
pam_unix(sshd:session): session opened for user core(uid=501) by
core(uid=0)

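The log pattern in this report can be triaged automatically. The following is an added example, not code from the reporter or from OpenSSH: it flags penalised sources whose drops were preceded by PAM account denials and followed by a successful login from the same address. The sample lines are constructed from the formats shown above, the function names and the 60-second window are assumptions, and correlation is by time only because the PAM denial lines carry no source address.

```python
import re
from datetime import datetime, timedelta

# Constructed sample, modelled on the line formats in the report (unwrapped).
SAMPLE = """\
Dec 12 09:20:57 host sshd-session[1105]: fatal: Access denied for user core by PAM account configuration [preauth]
Dec 12 09:20:58 host sshd-session[1159]: fatal: Access denied for user core by PAM account configuration [preauth]
Dec 12 09:20:59 host sshd[1050]: drop connection #0 from [192.168.127.1]:35353 on [192.168.127.2]:22 penalty: failed authentication
Dec 12 09:21:19 host sshd[1050]: drop connection #0 from [192.168.127.1]:35381 on [192.168.127.2]:22 penalty: failed authentication
Dec 12 09:21:20 host sshd-session[1329]: Accepted publickey for core from 192.168.127.1 port 35382 ssh2: ED25519 SHA256:CONSTRUCTED
Dec 12 10:02:11 host sshd[1050]: drop connection #0 from [203.0.113.9]:40000 on [192.168.127.2]:22 penalty: failed authentication
"""

TS = r"^(\w{3} +\d+ \d\d:\d\d:\d\d) "
PAM_DENY = re.compile(TS + r".*Access denied for user \S+ by PAM account configuration")
DROP = re.compile(TS + r".*drop connection #\d+ from \[([^\]]+)\]:\d+ .*penalty: failed authentication")
ACCEPT = re.compile(TS + r".*Accepted \S+ for \S+ from (\S+) port")

def _ts(stamp, year=2024):
    # Syslog timestamps carry no year; 2024 is an assumption for this sample.
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")

def classify_penalties(log, window=timedelta(seconds=60)):
    """Map each penalised source to 'pam-account-denial' or 'investigate'."""
    denials, drops, accepts = [], {}, {}
    for line in log.splitlines():
        if m := PAM_DENY.match(line):
            denials.append(_ts(m[1]))
        elif m := DROP.match(line):
            drops.setdefault(m[2], []).append(_ts(m[1]))
        elif m := ACCEPT.match(line):
            accepts.setdefault(m[2], []).append(_ts(m[1]))
    verdict = {}
    for src, times in drops.items():
        first, last = min(times), max(times)
        # A PAM account denial shortly before the first drop ...
        preceded = any(timedelta(0) <= first - d <= window for d in denials)
        # ... and a successful login from the same source shortly after the last.
        recovered = any(timedelta(0) <= a - last <= window
                        for a in accepts.get(src, []))
        verdict[src] = ("pam-account-denial" if preceded and recovered
                        else "investigate")
    return verdict

if __name__ == "__main__":
    for src, v in classify_penalties(SAMPLE).items():
        print(src, v)
```

A source labelled `investigate` has penalty drops with no nearby PAM account denial or no subsequent successful login, so it should be handled as an ordinary failed-authentication source.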