pam_tally question
listz at hate.cx
Thu May 20 00:34:08 EST 2004
actually i figured that out yesterday by looking through all of the bugs as
suggested in #4 of the "Reporting Bugs" section of openssh.com. The entry that
actually helped me was ticket #843. sshd_config confused me because all it said
about ChallengeResponseAuthentication was to set it to "no" to disable s/key,
and i thought "well, i don't use s/key!" so it was set to "no". once i read that
i realized what i had done wrong and all systems now obey pam_tally...mostly.
something else odd that popped up during my testing: i have pam_tally set to
deny on 3 unsuccessful attempts. this is certainly the case for password
authentication, however i have to get to 4 to stop logins with ssh keys. i'll
unsuccessfully attempt to authenticate 3 times with a password, pam_tally
indicates 3 unsuccessful login attempts, but i'm still able to successfully
login with an ssh key. it only prevents ssh key logins as well once i get to 4
unsuccessful login attempts. is this known behavior?
on Wed May 19 11:03, Darren Tucker disclosed:
> listz at hate.cx wrote:
> >and i do have "UsePAM yes" set in sshd_config. i've tried and failed to get it
> >to work with 3.7.1p2 and 3.8.1p1. i've tried compiling them both --with-pam and
> >--without-pam and tried both "UsePAM yes" and "UsePAM no" all to no avail.
> >/var/log/faillog exists and it is owned by root and set to 600. these are redhat
> >7.3 and 9 systems. it displays the same behavior on both. any thoughts?
>
> Do you have "ChallengeResponseAuthentication yes" and
> "PasswordAuthentication no" in sshd_config? If not it's possible that
> you're not actually using PAM to authenticate (which might explain your
> problem).
>
> --
> Darren Tucker (dtucker at zip.com.au)
> GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
> Good judgement comes with experience. Unfortunately, the experience
> usually comes from bad judgement.
<EOF>
::[ RFC 2795 ]::
"Democracy means simply the bludgeoning of the
people by the people for the people."
-Oscar Wilde
statik at hate.cx | "It's like a koala crapped a rainbow in my brain!"
PGP fingerprint: D656 01EB 79FC 9285 F110 2AB1 D8BC B3BA BEA2 E0C5
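
The three sshd_config directives discussed in this thread can be checked mechanically. The shell sketch below is an added example, not part of the original messages or of OpenSSH: the function names and the sample config are constructed, and the combination Darren Tucker asks about is used as the target. It assumes unset keywords should be reported as "unset" and not filled in from build defaults.

```shell
#!/bin/sh
# Added example: inspect the sshd_config keywords named in this thread.

# Print the global value of one keyword, or "unset".
# sshd keeps the first value it obtains for a keyword; keywords are
# case-insensitive. Parsing stops at the first Match block.
sshd_value() {  # usage: sshd_value KEYWORD FILE
    awk -v want="$1" '
        BEGIN { want = tolower(want); val = "unset"; found = 0 }
        /^[ \t]*#/ { next }
        tolower($1) == "match" { exit }
        !found && tolower($1) == want { val = tolower($2); found = 1 }
        END { print val }
    ' "$2"
}

# Return 0 only when the file explicitly sets the combination from the
# thread: UsePAM yes, ChallengeResponseAuthentication yes,
# PasswordAuthentication no.
check_pam_auth() {  # usage: check_pam_auth FILE
    usepam=$(sshd_value UsePAM "$1")
    cra=$(sshd_value ChallengeResponseAuthentication "$1")
    pw=$(sshd_value PasswordAuthentication "$1")
    echo "UsePAM=$usepam ChallengeResponseAuthentication=$cra PasswordAuthentication=$pw"
    if [ "$usepam" = yes ] && [ "$cra" = yes ] && [ "$pw" = no ]; then
        echo "OK: matches the combination suggested in the thread"
        return 0
    fi
    echo "CHECK: differs from the suggested combination;" \
         "password logins may not be going through PAM"
    return 1
}

# Constructed sample: the configuration the poster describes having had.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sample, not a real host's config
UsePAM yes
ChallengeResponseAuthentication no
EOF
check_pam_auth "$sample" || true
rm -f "$sample"
```

Run `check_pam_auth /etc/ssh/sshd_config` on a host to inspect its real configuration.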
More information about the openssh-unix-dev
mailing list