OpenSSH 2.9p2 with PAMAuthenticationViaKbdInt

Matthew Melvin matthewm at webcentral.com.au
Wed Jun 27 15:30:02 EST 2001


On Wed, 27 Jun 2001 at 3:00pm (+1000), Damien Miller wrote:

> On Wed, 27 Jun 2001, Matthew Melvin wrote:
>
> > When using PAM to do password authentication the attempt/failure counter
> > appears to be getting confused.  This is using a rh62 system with the
> > openssh-2.9p2-1 rpms...
>
> [snip]
>
> > So for one incorrect password the attempt/failure count goes from...
> >
> > debug1: attempt 3 failures 3
> >
> > ... to...
> >
> > debug1: attempt 5 failures 4
> >
> > Looking at the source it seems authctxt->attempt++ is being incremented
> > twice, once in auth2.c:input_userauth_request() and again in
> > auth2-pam.c:input_userauth_info_response_pam().
> >
> > Attached is a patch that fixed these symptoms for me.  Attempt/failure are
> > incremented one at a time, the last password prompt is no longer ignored, and
> > the client is only disconnected after 6 (AUTH_FAIL_MAX) failures not after 6
> > attempts.  I am not completely certain this behaviour matches the original
> > intent so YMMV...
>
> I don't think the test is necessary at all, as the checking is done in
> userauth_finish anyway. How does this patch go?
>

Hmm.. okay I've just rebuilt with this new patch and tried the same tests.
It seems like removing the test altogether does have the desired effect.

M.

-- 
WebCentral Pty Ltd           Australia's #1 Internet Web Hosting Company
Level 1, 96 Lytton Road.           Network Operations - Systems Engineer
PO Box 4169, East Brisbane.                       phone: +61 7 3249 2500
Queensland, Australia.                            pgp key id: 0x900E515F
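The following is an added example, not code from the thread or from OpenSSH: a constructed model of the attempt/failure accounting the messages above describe, so the effect of bumping authctxt->attempt in both input_userauth_request() and input_userauth_info_response_pam() can be seen without building sshd. The handler names follow the thread; their bodies, the AUTH_FAIL_MAX value of 6, and the assumption that the PAM handler's own attempt test fires before the supplied password is examined are inferred from the description of the symptoms (double increment, last prompt ignored, disconnect after 6 attempts rather than 6 failures), not taken from the 2.9p2 sources.

```c
/*
 * Constructed model of the OpenSSH 2.9p2 keyboard-interactive counting
 * bug discussed in the thread.  Not OpenSSH code: handler bodies are
 * assumptions reconstructed from the reported behaviour.
 */
#include <stdbool.h>
#include <stdio.h>

#define AUTH_FAIL_MAX 6          /* limit named in the thread (assumed value) */

struct authctxt {
	int attempt;             /* userauth requests counted so far */
	int failures;            /* methods that completed and failed */
	bool disconnected;       /* sshd dropped the client */
};

/* Models auth2.c:input_userauth_request(): one attempt per request. */
static void input_userauth_request(struct authctxt *ac)
{
	ac->attempt++;
}

/*
 * Models userauth_finish(): the single place a completed method is
 * scored.  A failed method adds a failure; the client is cut off once
 * AUTH_FAIL_MAX failures have accumulated.
 */
static void userauth_finish(struct authctxt *ac, bool authenticated)
{
	if (authenticated)
		return;
	ac->failures++;
	if (ac->failures >= AUTH_FAIL_MAX)
		ac->disconnected = true;
}

/*
 * Model of auth2-pam.c:input_userauth_info_response_pam() as the thread
 * describes it (assumption): it counts the attempt a second time and
 * applies its own limit on attempts before the response is examined.
 */
static void info_response_pam_buggy(struct authctxt *ac, bool password_ok)
{
	ac->attempt++;
	if (ac->attempt >= AUTH_FAIL_MAX) {
		ac->disconnected = true;   /* the password in this response is ignored */
		return;
	}
	userauth_finish(ac, password_ok);
}

/* After the extra test is removed: userauth_finish() does all the counting. */
static void info_response_pam_fixed(struct authctxt *ac, bool password_ok)
{
	userauth_finish(ac, password_ok);
}

/*
 * Drive one keyboard-interactive session with `wrong` incorrect passwords
 * and return how many of them were actually examined before sshd hung up.
 */
static int run_session(struct authctxt *ac, int wrong, bool buggy)
{
	int examined = 0;
	for (int i = 0; i < wrong && !ac->disconnected; i++) {
		int before = ac->failures;
		input_userauth_request(ac);          /* "keyboard-interactive" request */
		if (buggy)
			info_response_pam_buggy(ac, false);
		else
			info_response_pam_fixed(ac, false);
		if (ac->failures > before)
			examined++;                  /* the response was scored */
	}
	return examined;
}

/* Convenience accessors: each runs a fresh session and reports one counter. */
static int attempts_after(int wrong, bool buggy)
{ struct authctxt ac = {0}; run_session(&ac, wrong, buggy); return ac.attempt; }
static int failures_after(int wrong, bool buggy)
{ struct authctxt ac = {0}; run_session(&ac, wrong, buggy); return ac.failures; }
static int examined_after(int wrong, bool buggy)
{ struct authctxt ac = {0}; return run_session(&ac, wrong, buggy); }
static bool disconnected_after(int wrong, bool buggy)
{ struct authctxt ac = {0}; run_session(&ac, wrong, buggy); return ac.disconnected; }

int main(void)
{
	/* Ten wrong passwords offered in each model. */
	printf("buggy: attempt=%d failures=%d examined=%d disconnected=%d\n",
	    attempts_after(10, true), failures_after(10, true),
	    examined_after(10, true), (int)disconnected_after(10, true));
	printf("fixed: attempt=%d failures=%d examined=%d disconnected=%d\n",
	    attempts_after(10, false), failures_after(10, false),
	    examined_after(10, false), (int)disconnected_after(10, false));
	return 0;
}
```

In the buggy model each wrong password advances attempt by two and failures by one, and the attempt-based test in the PAM handler disconnects the client while the third password is still unread, so only two failures are ever recorded. With the counting left to userauth_finish() alone, every response is examined and the client is dropped after exactly AUTH_FAIL_MAX failed passwords, which is the behaviour Matthew reports after rebuilding with the second patch.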
