AIX 5.1 /etc/security/failedlogin entry with OpenSSH 4.1p1

Darren Tucker dtucker at
Wed Jul 20 23:13:04 EST 2005

Darren Tucker wrote:
> Chris Taylor wrote:
>>None of the other "access methods", for instance telnet add a
>>failedlogin entry unless the user fails a password challenge.
>>Is this a bug ?
> Possibly but I'm not sure.

Turns out that it is, but not were I suspected: it occurs when 
UsePrivilegeSeparation=no and ChallengeResponseAuthentication=yes and no 
kbdint drivers are present (ie sshd was not compiled with PAM support).

When the client tries keyboard-interactive it fails (obviously) but it's 
recorded as a failure.  The workaround is to set either 
ChallengeResponseAuthentication=no or UsePrivilegeSeparation=yes in 

This could also occur on any platform using the record_failed_login hook 
(ie Unicos and the btmp logging functionality on Linux and HP-UX).

We need to fix this but I don't see an easy, obvious way at the moment.

Darren Tucker (dtucker at
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
     Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

More information about the openssh-unix-dev mailing list