openssh-unix-dev Digest, Vol 39, Issue 6

Jeremy McMillan aphor at speakeasy.net
Wed Jul 12 13:56:28 EST 2006


On Jul 11, 2006, at 8:21 PM, openssh-unix-dev-request at mindrot.org wrote:

> Date: Tue, 11 Jul 2006 15:50:22 -0500
> From: "Hughes Andy" <Andy.Hughes at HCAHealthcare.com>
> Subject: How to use SSH with Failed Login attempts and locking accounts
> To: <openssh-unix-dev at mindrot.org>
> Message-ID: <273CACD967F9BC47B023F758ACBC3A8C075855F4 at NASEV06.hca.corpad.net>
> Content-Type: text/plain; charset="us-ascii"
>
> I have searched the FAQs and have not seen an answer to this question.
> I have also read the manuals for the SSH and have not found an answer to
> this issue.

I feel the rage of Theo stirring inside me... must ..... resist ......
the ...... impulse ..... aahh. Better now.

http://groups.google.com/group/mailing.unix.openssh-dev/about

> My question is this:
>
> I am using openssh (OpenSSH_4.2p1, OpenSSL 0.9.8 05 Jul 2005) on MP-RAS

MP-RAS? Y2K? Won't they support Solaris x86? I'll bet you can buffer
overflow the crap out of MP-RAS! It makes me want to get back to work on
my fuzzer!

> Version 3.3.1.8 and 3.2 and I desire to allow a user to fail login for
> any reason only 3 (three) times and then lock the account. I can use
> the option of FAILLIMIT=3 in the /etc/default/login file for telnet
> sessions, and this will lock the account after three failed login
> attempts by the user. But this does not work for SSH. I have also
> placed the same option in the file of /etc/default/login.openssh with no
> such luck.

By default, ssh does not call login(3). Find that in the docs under
UseLogin. Please Google that also.

FYI: Automatic lockout allows anyone to lock out any account by guessing
or knowing the name. This actually makes another easier way for
malicious gremlins to abuse your systems. My favorite prank is to
scratch out a fake warning to someone that they've been fired and then
lock out their account... no, I would NEVER do that...

> this. It is an audit requirement here, to start locking an account when
> the user fails the login process, for any reason, after three attempts.

I always thought an audit was a fact-finding pursuit. If I were you, I
would pursue a CBA for automatic lockouts. If you don't really need them
to conduct your business then you should keep all accounts locked and
only enable them during controlled change windows. If you do really need
these accounts to support your business, then your security policy
should not lock your accounts. The programmers on this list are famously
paranoid and prudent about security. You might ask yourself why this
feature hasn't already been implemented and widely used, if it were a
good idea.

> Any help is appreciated. Thanks in advance for the help.

Also, you probably don't want to use login(3). I strongly encourage you
to seek an implementation of pam_tally if I cannot discourage this
automatic lockout craziness.
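For readers following up the pam_tally suggestion, here is an added illustration (not part of the thread, and not anything the poster or the OpenSSH project ships) of what a "three strikes" limit looks like on a Linux-PAM host with OpenSSH 4.x. It assumes Linux-PAM with the pam_tally module and the `include` directive; MP-RAS is assumed not to have PAM at all, and the option placement is from memory of pam_tally(8), so check it against the local manual page.

```conf
# Added example, not from the thread. Assumes Linux-PAM + pam_tally on
# an OpenSSH 4.x host; verify option placement against your pam_tally(8).

# --- /etc/ssh/sshd_config ---
# sshd has to hand authentication to PAM at all; with UsePAM off no PAM
# module ever sees a failed attempt, which is the login(3)/UseLogin
# situation the reply describes.
UsePAM yes

# --- /etc/pam.d/sshd ---
# auth phase: record the attempt. onerr=fail means a missing or broken
# tally file denies access rather than silently switching the limit off.
auth     required   pam_tally.so  onerr=fail
auth     include    system-auth

# account phase: refuse once the counter reaches 3; a successful login
# resets it. No unlock_time is set, so the lock holds until an admin
# clears it (pam_tally --user <name> --reset). That is exactly the
# exposure the reply warns about: anyone who knows a username can lock
# it from the network, so monitor the tally file and the auth log for
# bursts of failures across many accounts.
account  required   pam_tally.so  deny=3
account  include    system-auth
```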
