How to use SSH with Failed Login attempts and locking accounts

Damien Miller djm at mindrot.org
Wed Jul 12 15:35:32 EST 2006


On Tue, 11 Jul 2006, Hughes Andy wrote:

> I have searched the FAQs and have not seen an answer to this question.
> I have also read the manuals for the SSH and have not found an answer to
> this issue.
> 
> My question is this:
> 
> I am using openssh (OpenSSH_4.2p1, OpenSSL 0.9.8 05 Jul 2005) on
> MP-RAS Version 3.3.1.8 and 3.2 and I desire to allow a user to fail
> login for any reason only 3 (three) times and then lock the account. I
> can use the option of FAILLIMIT=3 in the /etc/default/login file for
> telnet sessions, and this will lock the account after three failed
> login attempts by the user. But this does not work for SSH. I have
> also placed the same option in the file of /etc/default/login.openssh
> with no such luck.

I don't think any of the developers has access to MP-RAS, much less
implemented OpenSSH support for account locking on it.

If you are interested in implementing better support for MP-RAS, then
see if you can dig out some documentation of how the FAILLIMIT is
implemented, and any system APIs for working with it.

As a last resort you might be able to set UseLogin in sshd_config, which
will cause sshd to call /usr/bin/login directly and will hopefully
inherit whatever authorisation controls that it supports.

-d


