[Bug 3736] sshd falls back to password prompt after PAM module returns a PAM_MAXTRIES.

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Mon Sep 23 20:44:31 AEST 2024


https://bugzilla.mindrot.org/show_bug.cgi?id=3736

--- Comment #5 from thibault.delmas at lxp.lu ---
[root@test-vm ~]# sshd -T | grep passwordauth
passwordauthentication no

As I said I got it to work with PAM_ABORT instead and I don't want to
be bothersome.

I redid a test with a dump of the sshd config at the beginning:

[root@pam-test-td ~]# sshd -T | grep passwordauth
passwordauthentication no
[root@pam-test-td ~]# cat /etc/pam.d/sshd | grep -v '#'
auth required pam_module.so

#Replace the pam module with the pam_maxtries.so one
[root@pam-test-td ~]# cp /tmp/pam_maxtries.so /usr/lib64/security/pam_module.so
cp: overwrite '/usr/lib64/security/pam_module.so'? y

#in a second terminal try to ssh
ssh tdelmas@test-vm
tdelmas@test-vm's password: <enter anything>
Received disconnect from 10.40.0.33 port 22:2: Too many authentication failures
Disconnected from 10.40.0.33 port 22

#back to the vm replace the shared module by the one returning pam abort

[root@pam-test-td ~]# cp /tmp/pam_abort.so /usr/lib64/security/pam_module.so
cp: overwrite '/usr/lib64/security/pam_module.so'? y

#back to the second terminal

ssh tdelmas@test-vm
tdelmas@test-vm: Permission denied (keyboard-interactive).

Here I don't get prompted for a password.

The two modules pam_abort and pam_maxtries were compiled with the same
min.c file (from my original message) with only the return value being
changed.

I am happy to do further testing if you think there might be something
behind this, but otherwise I get the behavior I wanted with PAM_ABORT
and I think I can live with it, so I can change the case status.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

