pam_tally2 reset problems with many simultaneous connections

Daniel Neuberger daniel.neuberger at gmail.com
Fri Jun 7 23:25:51 EST 2013 

All,

(Sorry if this is a repost, I tried without being a subscriber and saw 
nothing after a day, so I'm trying again after subscribing).

I think this is a problem with how sshd uses PAM.  Basic scenario:

- sshd is configured to use PAM with pam_tally2
- Multiple clients try connecting within a small time frame
- Some of the clients fail to authenticate

The problem is that the tally is incremented for every authentication, 
but isn't necessarily reset for successful authentications before 
another client tries to authenticate.  So it goes something like this:

- Client A authenticates successfully, but doesn't yet reset the tally
- Client B tries to authenticate, but gets locked out for 10 seconds
- Client C tries to authenticate, but gets locked out for 10 seconds
- Client D tries to authenticate, but then the account is locked entirely
- Client A finally resets the tally in the account phase
- Client B tries again and authenticates successfully

So, if a server is under load with many sftp connections, you'll see 
lots of logs even though everything eventually succeeds.

I'm on RHEL 5.5 with openssh-server-4.3p2-41.el5 and pam-0.99.6.2-6.el5_4.1.

I'm using pam_tally2 in the auth and account phases:

#%PAM-1.0
...
auth       requisite pam_tally2.so deny=3 lock_time=10 unlock_time=900
...
account    required pam_tally2.so
...

I'm guessing the problem is that sshd doesn't call pam_setcred correctly 
as stated in the pam_tally2 man page:

"Account phase resets attempts counter if the user is not magic root. 
This phase can be used optionally for services which don't call 
pam_setcred(3) correctly or if the reset should be done regardless of 
the failure of the account phase of other modules."

We had a similar problem with vsftpd once and solved it by not using 
pam_tally2, but I don't really want to do that for sshd.

Has anyone else run into this problem before or have any suggestions for 
solving it?

I searched google, the mailing list, and the bug list and couldn't find 
anything.

Thanks.

- Daniel

More information about the openssh-unix-dev mailing list