Partial logins logged & audited as failures?
Vincent Brillault
vincent.brillault at cern.ch
Mon May 4 18:56:01 AEST 2020
Hi,
Trying to understand why some spurious `There was 1 failed login attempt since
the last successful logins`, that seems to appear on every single login, I
think there is a bug in auth.c's auth_log with the handling of partial logins:
https://github.com/openssh/openssh-portable/blob/c697e46c314aa94574af0d393d80f23e0ebc9748/auth.c#L355-L372
If I read this code correctly, when auth_log is called with authenticated=0
and partial=1 without authctxt->postponed being set (which is normal on
partial authentications) then:
- if method is password, keyboard-interactive or challenge-response (not sure
why the others are not considered?), record_failed_login is called
- audit_event is called with an event from audit_classify_auth which always
seems to return a failure events (or unknown).
So it seems that partial authentications are considered as failures :/
The simplest fix for me seems to be to return before L355 if partial or
authctxt->postponed are set (maybe after checking that there isn't a logic
flow and authenticated was set?).
Am I missing something?
Thanks in advance,
Vincent Brillault
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20200504/f7243f6a/attachment.asc>
More information about the openssh-unix-dev
mailing list