Problems with openssh and pam_abl
Darren Tucker
dtucker at zip.com.au
Mon Dec 12 14:17:38 EST 2005
On Sat, Dec 10, 2005 at 11:29:43PM +0100, Christian Meier wrote:
> I want to use sshd together with pam_abl to reduce
> that logfile spamming with ssh attacks.
>
> So the problem is as follows:
>
> Setting maxAuthTries to 0 or any other values smaller than the default
> of 6 changes the behaviour of pam_abl.
>
> First, but this also happens with not using maxAuthTries option, is:
> if the clientside closes connection after for example one failed
> authentication try then the pam module is not being notified, so no
> failed login is recorded in pam_abl database.
>
> Second, altough client does not close connection until it gets the error
> notification "Received disconnect from <IP>: 2: Too many authentication
> failures for ..." the pam_abl module does not get any notification of
> failed login(s). (This second problem only appears when using parameter
> maxauthtries option)
>
> So I hope anybody knows the answer or can say me what to change in
> source code.
>
> I personally think that somewhere there's missing a final cleanup or
> finishing of pam conversation when connection is getting closed at
> client side.
It's probably simpler than that: I suspect that your client is trying
non-interactive authentications (eg multiple pubkeys, hostbased), you
are reaching the MaxAuthTries limit before any of the PAM-based
authentications (password, keyboard-interactive) are reached. (Assuming
pam_abl only registers a failure during pam_authenticate, which I haven't
checked but is a reasonable guess.)
The other thing to be aware of is that the current crop of worms (at
at least, the crop that was current last time I looked) perform only a
single password authentication attempt and then disconnect. This means
that testing with ssh is not representative of the behaviour you'll see
in the wild ("ssh -o PreferredAuthentications=password yourserver"
will be closer but still not identical.)
--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
More information about the openssh-unix-dev
mailing list