AIX 5.1 /etc/security/failedlogin entry with OpenSSH 4.1p1
Darren Tucker
dtucker at zip.com.au
Wed Jul 20 23:13:04 EST 2005
Darren Tucker wrote:
> Chris Taylor wrote:
>>None of the other "access methods", for instance telnet add a
>>failedlogin entry unless the user fails a password challenge.
>>
>>Is this a bug ?
>
> Possibly but I'm not sure.
Turns out that it is, but not where I suspected: it occurs when
UsePrivilegeSeparation=no and ChallengeResponseAuthentication=yes and no
kbdint drivers are present (i.e. sshd was not compiled with PAM support).
When the client tries keyboard-interactive it fails (obviously) but it's
recorded as a failure. The workaround is to set either
ChallengeResponseAuthentication=no or UsePrivilegeSeparation=yes in
sshd_config.
This could also occur on any platform using the record_failed_login hook
(i.e. Unicos and the btmp logging functionality on Linux and HP-UX).
We need to fix this but I don't see an easy, obvious way at the moment.
--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
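As an added example (not code from the original post or from OpenSSH), the following shell script audits an sshd_config for the setting combination described above, UsePrivilegeSeparation=no together with ChallengeResponseAuthentication=yes, so an administrator can tell whether a host is one on which keyboard-interactive attempts get recorded as failed logins. It assumes no Match blocks are present and that the third condition, an sshd built without PAM/kbd-int support, is checked separately, since that cannot be read from the config file. The sample configs are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the original post or from OpenSSH: audit an
# sshd_config for the combination UsePrivilegeSeparation=no plus
# ChallengeResponseAuthentication=yes. Whether sshd was built without PAM
# (no kbd-int drivers) is assumed to be verified separately.

# Print the effective value of one keyword, lower-cased. sshd keeps the first
# uncommented occurrence of a keyword; "Keyword value" and "Keyword=value" are
# both accepted. Match blocks are not modelled (assumption: none present).
sshd_effective() {
    cfg=$1
    key=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    awk -v key="$key" '
        {
            line = $0
            sub(/#.*/, "", line)              # drop comments
            gsub(/[ \t=]+/, " ", line)        # normalise separators
            sub(/^ /, "", line)               # strip leading blank
            n = split(line, f, " ")
            if (n >= 2 && tolower(f[1]) == key) { print tolower(f[2]); exit }
        }' "$cfg"
}

# Succeed (exit 0) when the config, with sshd defaults applied for absent
# keywords (both default to yes), matches the risky combination.
spurious_failedlogin_risk() {
    privsep=$(sshd_effective "$1" UsePrivilegeSeparation)
    chalresp=$(sshd_effective "$1" ChallengeResponseAuthentication)
    privsep=${privsep:-yes}
    chalresp=${chalresp:-yes}
    [ "$privsep" = no ] && [ "$chalresp" = yes ]
}

# Constructed sample configs for the demonstration.
RISKY_CFG=$(mktemp)
FIXED_CFG=$(mktemp)
trap 'rm -f "$RISKY_CFG" "$FIXED_CFG"' EXIT

cat > "$RISKY_CFG" <<'EOF'
# constructed sample: the combination reported in the thread
UsePrivilegeSeparation no
ChallengeResponseAuthentication yes
PasswordAuthentication yes
EOF

cat > "$FIXED_CFG" <<'EOF'
# constructed sample: one of the two workarounds applied
UsePrivilegeSeparation=no
ChallengeResponseAuthentication=no
EOF

for cfg in "$RISKY_CFG" "$FIXED_CFG"; do
    if spurious_failedlogin_risk "$cfg"; then
        echo "$cfg: keyboard-interactive attempts may be logged as failed logins"
    else
        echo "$cfg: ok"
    fi
done
```

Run it against the real file with `spurious_failedlogin_risk /etc/ssh/sshd_config` after sourcing the functions; a true result means either workaround from the post (ChallengeResponseAuthentication=no or UsePrivilegeSeparation=yes) should be applied if sshd lacks PAM support.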