[Bug 3736] sshd falls back to password prompt after PAM module returns a PAM_MAXTRIES.
bugzilla-daemon at mindrot.org
Mon Sep 23 20:44:31 AEST 2024
https://bugzilla.mindrot.org/show_bug.cgi?id=3736
--- Comment #5 from thibault.delmas at lxp.lu ---
[root@test-vm ~]# sshd -T | grep passwordauth
passwordauthentication no
As I said I got it to work with PAM_ABORT instead and I don't want to
be bothersome.
I redid a test with a dump of the sshd config at the beginning:
[root@pam-test-td ~]# sshd -T | grep passwordauth
passwordauthentication no
[root@pam-test-td ~]# cat /etc/pam.d/sshd | grep -v '#'
auth required pam_module.so
#Replace the pam module with the pam_maxtries.so one
[root@pam-test-td ~]# cp /tmp/pam_maxtries.so /usr/lib64/security/pam_module.so
cp: overwrite '/usr/lib64/security/pam_module.so'? y
#in a second terminal try to ssh
ssh tdelmas@test-vm
tdelmas@test-vm's password: <enter anything>
Received disconnect from 10.40.0.33 port 22:2: Too many authentication failures
Disconnected from 10.40.0.33 port 22
#back to the vm replace the shared module by the one returning pam abort
[root@pam-test-td ~]# cp /tmp/pam_abort.so /usr/lib64/security/pam_module.so
cp: overwrite '/usr/lib64/security/pam_module.so'? y
#back to the second terminal
ssh tdelmas@test-vm
tdelmas@test-vm: Permission denied (keyboard-interactive).
Here I don't get prompted for a password.
The two modules pam_abort and pam_maxtries were compiled with the same
min.c file (from my original message) with only the return value being
changed.
I am happy to do further testing if you think there might be something
behind this, but otherwise I get the behavior I wanted with PAM_ABORT and I
think I can live with it, so I can change the case status.
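The test setup described in the comment above, as an added example that is not part of the original message and is not the reporter's min.c (which does not appear on this page): a stub PAM auth module whose return code is chosen by a module argument, so the PAM_MAXTRIES and PAM_ABORT cases can be compared without overwriting the .so between runs. The file name pam_stub.c and the result= argument are assumptions made for this example.

```c
/* pam_stub.c (hypothetical name): auth module that always denies, with the
 * failure code selected in /etc/pam.d/sshd, e.g.
 *   auth required pam_module.so result=maxtries
 *   auth required pam_module.so result=abort
 * Build: gcc -fPIC -shared -o pam_module.so pam_stub.c
 */
#include <string.h>

#ifdef __has_include
#  if __has_include(<security/pam_modules.h>)
#    define HAVE_PAM_HEADERS 1
#  endif
#endif

#ifdef HAVE_PAM_HEADERS
#  include <security/pam_modules.h>
#else
/* Fallback so the file compiles without the Linux-PAM development headers;
 * values are those in Linux-PAM's _pam_types.h. */
typedef struct pam_handle pam_handle_t;
#  define PAM_SUCCESS   0
#  define PAM_AUTH_ERR  7
#  define PAM_MAXTRIES 11
#  define PAM_ABORT    26
#endif

/* Map the "result=" module argument (an assumption of this example)
 * to the return code under test. Never returns PAM_SUCCESS. */
static int stub_result(int argc, const char **argv)
{
    for (int i = 0; i < argc; i++) {
        if (argv[i] == NULL || strncmp(argv[i], "result=", 7) != 0)
            continue;
        if (strcmp(argv[i] + 7, "maxtries") == 0) return PAM_MAXTRIES;
        if (strcmp(argv[i] + 7, "abort") == 0)    return PAM_ABORT;
    }
    return PAM_AUTH_ERR; /* missing or unknown argument: plain denial */
}

int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv)
{
    (void)pamh; (void)flags;
    return stub_result(argc, argv);
}

/* Auth modules must also export pam_sm_setcred; nothing to set here. */
int pam_sm_setcred(pam_handle_t *pamh, int flags, int argc, const char **argv)
{
    (void)pamh; (void)flags; (void)argc; (void)argv;
    return PAM_SUCCESS;
}
```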