Problems with openssh and pam_abl

Darren Tucker dtucker at zip.com.au
Mon Dec 12 14:17:38 EST 2005


On Sat, Dec 10, 2005 at 11:29:43PM +0100, Christian Meier wrote:
> I want to use sshd together with pam_abl to reduce
> that logfile spamming with ssh attacks.
> 
> So the problem is as follows:
> 
> Setting maxAuthTries to 0 or any other values smaller than the default 
> of 6 changes the behaviour of pam_abl.
> 
> First, but this also happens with not using maxAuthTries option, is:
> if the clientside closes connection after for example one failed 
> authentication try then the pam module is not being notified, so no 
> failed login is recorded in pam_abl database.
> 
> Second, although client does not close connection until it gets the error 
> notification "Received disconnect from <IP>: 2: Too many authentication 
> failures for ..." the pam_abl module does not get any notification of 
> failed login(s). (This second problem only appears when using parameter 
> maxauthtries option)
> 
> So I hope anybody knows the answer or can tell me what to change in 
> source code.
> 
> I personally think that somewhere there's missing a final cleanup or 
> finishing of pam conversation when connection is getting closed at 
> client side.

It's probably simpler than that: I suspect that your client is trying
non-interactive authentications (e.g. multiple pubkeys, hostbased) and you
are reaching the MaxAuthTries limit before any of the PAM-based
authentications (password, keyboard-interactive) are reached.  (Assuming
pam_abl only registers a failure during pam_authenticate, which I haven't
checked but is a reasonable guess.)

The other thing to be aware of is that the current crop of worms (at
least, the crop that was current last time I looked) perform only a
single password authentication attempt and then disconnect.  This means
that testing with ssh is not representative of the behaviour you'll see
in the wild ("ssh -o PreferredAuthentications=password yourserver"
will be closer but still not identical.)

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
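
One way to check the explanation in the reply above against a server's own logs (an added example, not part of the original message and not OpenSSH or pam_abl code): the script groups sshd failure lines by connection and reports whether any PAM-backed method was attempted before the limit was hit. The log lines are constructed, and the line formats, the method names and the one-PID-per-connection grouping are assumptions about sshd's syslog output at LogLevel VERBOSE.

```python
import re
from collections import defaultdict

# Constructed sample lines (assumed sshd syslog format, LogLevel VERBOSE).
SAMPLE_LOG = """\
Dec 12 14:01:02 host sshd[4101]: Failed publickey for alice from 192.0.2.10 port 40122 ssh2
Dec 12 14:01:02 host sshd[4101]: Failed publickey for alice from 192.0.2.10 port 40122 ssh2
Dec 12 14:01:03 host sshd[4101]: Disconnecting: Too many authentication failures for alice
Dec 12 14:05:40 host sshd[4177]: Failed password for root from 198.51.100.7 port 51844 ssh2
Dec 12 14:09:11 host sshd[4203]: Failed publickey for bob from 192.0.2.10 port 40190 ssh2
Dec 12 14:09:15 host sshd[4203]: Failed password for bob from 192.0.2.10 port 40190 ssh2
Dec 12 14:09:19 host sshd[4203]: Failed keyboard-interactive/pam for bob from 192.0.2.10 port 40190 ssh2
"""

# Methods that sshd hands to PAM when UsePAM is enabled (assumption).
PAM_METHODS = {"password", "keyboard-interactive", "keyboard-interactive/pam"}
FAILED = re.compile(
    r"sshd\[(\d+)\]: Failed (\S+) for (?:invalid user )?(\S+) from (\S+)")
TOO_MANY = re.compile(
    r"sshd\[(\d+)\]: Disconnecting: Too many authentication failures")


def summarize(log_text):
    """Group failures by sshd PID (assumed: one PID per connection) and
    report whether a PAM-backed method was ever tried on that connection."""
    sessions = defaultdict(
        lambda: {"methods": [], "source": None, "limit_hit": False})
    for line in log_text.splitlines():
        failed = FAILED.search(line)
        if failed:
            pid, method, _user, source = failed.groups()
            sessions[pid]["methods"].append(method)
            sessions[pid]["source"] = source
            continue
        too_many = TOO_MANY.search(line)
        if too_many:
            sessions[too_many.group(1)]["limit_hit"] = True
    return {
        pid: {
            "source": s["source"],
            "failures": len(s["methods"]),
            "limit_hit": s["limit_hit"],
            # False means the connection ended without reaching PAM at all.
            "pam_reached": any(m in PAM_METHODS for m in s["methods"]),
        }
        for pid, s in sessions.items()
    }


if __name__ == "__main__":
    for pid, info in summarize(SAMPLE_LOG).items():
        print(pid, info)
```

A connection reported with limit_hit true and pam_reached false matches the case described in the reply: the limit was used up by non-interactive methods before password or keyboard-interactive was tried.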




More information about the openssh-unix-dev mailing list