pam_tally question

Darren Tucker dtucker at zip.com.au
Thu May 20 11:09:15 EST 2004


listz at hate.cx wrote:
> Actually, I figured that out yesterday by looking through all of the bugs as
> suggested in #4 of the "Reporting Bugs" section of openssh.com. The entry that
> actually helped me was ticket #843.

Excellent!  Someone who reads those things!  I had feared that such 
people were in the same category as the Easter Bunny :-)

(OK, that's probably not fair.  I would like to think that lots of 
people find them useful and that we never hear from them because it 
solves their problems.)

> sshd_config confused me because all it said
> about ChallengeResponseAuthentication was to set it to "no" to disable s/key,
> and I thought "well, I don't use s/key!" so it was set to "no". Once I read that
> I realized what I had done wrong and all systems now obey pam_tally...mostly.

The UsePAM comments have recently been made (hopefully) clearer in the 
example config and the sshd_config man page:

# Set this to 'yes' to enable PAM authentication (via
# challenge-response) and session processing. Depending on your PAM
# configuration, this may bypass the setting of 'PasswordAuthentication'
# and 'PermitEmptyPasswords'

UsePAM  Enables the Pluggable Authentication Module interface. If set
        to ``yes'' this will enable PAM authentication using
        ChallengeResponseAuthentication and PAM account and session
        module processing for all authentication types.

        Because PAM challenge-response authentication usually serves an
        equivalent role to password authentication, you should disable
        either PasswordAuthentication or ChallengeResponseAuthentication.

        If UsePAM is enabled, you will not be able to run sshd(8) as a
        non-root user.  The default is ``no''.

Hmm, maybe the PAM stuff warrants an FAQ entry too?

> Something else odd that popped up during my testing: I have pam_tally set to
> deny on 3 unsuccessful attempts. This is certainly the case for password
> authentication, however I have to get to 4 to stop logins with ssh keys. I'll
> unsuccessfully attempt to authenticate 3 times with a password, pam_tally
> indicates 3 unsuccessful login attempts, but I'm still able to successfully
> login with an ssh key. It only prevents ssh key logins as well once I get to 4
> unsuccessful login attempts. Is this known behavior?

I would guess that's an off-by-one error in pam_tally's account module.
You will probably find that there's something like this in the auth
module:
	if (failed)
		if (++fails > 3)
			/* return error */

while in the account module:

	if (fails > 3)
		/* return error */

In such a case, the account module will only return failures after the 
*fourth* failure if the authentication does not happen via its auth module.

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
     Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
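A small model of the off-by-one described in the reply above, added here as an illustration; it is not code from the original post nor from Linux-PAM's pam_tally. Everything in it is an assumption: the deny=3 setting from the thread, a tally auth module that counts an attempt before the password is verified and clears the count on success, and an account check that reads the stored count with the same strict `>` comparison as the auth check. The `_fixed` variant shows the comparison one would expect on a path that never runs the auth module; it is an assumed correction, not a pam_tally patch.

```c
#include <stdbool.h>
#include <stdio.h>

/* Assumed "deny=3" setting, as described in the thread. */
#define DENY_LIMIT 3

/* Per-user failure counter, standing in for the tally file record. */
struct tally {
    int fails;
};

enum auth_result { AUTH_OK, AUTH_BAD_PASSWORD, AUTH_LOCKED };

/*
 * Modeled auth module, shaped like the pseudocode in the post. Assumption:
 * it runs before the password is verified, so it counts the attempt first
 * ("++fails") and then compares; a successful login resets the counter.
 */
enum auth_result auth_module(struct tally *t, bool password_ok)
{
    if (++t->fails > DENY_LIMIT)
        return AUTH_LOCKED;             /* attempt number DENY_LIMIT+1 onwards is refused */
    if (!password_ok)
        return AUTH_BAD_PASSWORD;
    t->fails = 0;                       /* success: clear the tally */
    return AUTH_OK;
}

/*
 * Modeled account module with the hypothesised off-by-one: it only reads the
 * stored count, never counting the attempt it is gating, yet uses the same
 * strict comparison as the auth module.
 */
bool account_module_locked(const struct tally *t)
{
    return t->fails > DENY_LIMIT;
}

/*
 * The comparison one would expect for deny=3 on a path that does not run
 * the auth module (assumed correction, not pam_tally's own code).
 */
bool account_module_locked_fixed(const struct tally *t)
{
    return t->fails >= DENY_LIMIT;
}

/*
 * Feed wrong passwords through the auth module and, after each one, ask
 * whether a public-key login (which runs only the account module) would now
 * be refused. Returns how many failures it took, or -1 if it never locks.
 */
int pubkey_lockout_after(bool (*account_check)(const struct tally *))
{
    struct tally t = { 0 };
    for (int n = 1; n <= 10; n++) {
        auth_module(&t, false);
        if (account_check(&t))
            return n;
    }
    return -1;
}

/*
 * Same question for the password path: how many wrong passwords before a
 * correct one is refused by the auth module's own check.
 */
int password_lockout_after(void)
{
    for (int n = 1; n <= 10; n++) {
        struct tally t = { 0 };
        for (int i = 0; i < n; i++)
            auth_module(&t, false);
        if (auth_module(&t, true) == AUTH_LOCKED)
            return n;
    }
    return -1;
}

int main(void)
{
    printf("password path locks after %d failures\n", password_lockout_after());
    printf("pubkey path (off-by-one) locks after %d failures\n",
           pubkey_lockout_after(account_module_locked));
    printf("pubkey path (fixed check) locks after %d failures\n",
           pubkey_lockout_after(account_module_locked_fixed));
    return 0;
}
```

Run as written, the model reproduces the observation in the thread: the password path is refused on the attempt after three failures, the key-based path (account module only) is still allowed at three and refused only at four, and the `>=` comparison brings the two paths into agreement.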