How to use SSH with Failed Login attempts and locking accounts

Bob Proulx bob at proulx.com
Thu Jul 27 02:02:37 EST 2006


Hughes Andy wrote:
> I am using openssh (OpenSSH_4.2p1, OpenSSL 0.9.8 05 Jul 2005) on MP-RAS
> Version 3.3.1.8 and 3.2 and I desire to allow a user to fail login for
> any reason only 3 (three) times and then lock the account.

That is a very bad idea for many reasons.  If you search around you
will find references to denial of service attacks due to
configurations such as what you propose.  The basic problem is that an
attacker will disable the account for a valid user.

Why do you want to do this?  It is computationally infeasible to brute
force through a password cracking attempt from the remote interface.

Bob



More information about the openssh-unix-dev mailing list