Partial logins logged & audited as failures?

Vincent Brillault vincent.brillault at
Mon May 4 18:56:01 AEST 2020


Trying to understand why some spurious `There was 1 failed login attempt since
the last successful logins` messages seem to appear on every single login, I
think there is a bug in auth.c's auth_log with the handling of partial logins:

If I read this code correctly, when auth_log is called with authenticated=0
and partial=1 without authctxt->postponed being set (which is normal on
partial authentications) then:
- if method is password, keyboard-interactive or challenge-response (not sure
why the others are not considered?), record_failed_login is called
- audit_event is called with an event from audit_classify_auth, which always
seems to return a failure event (or unknown).

So it seems that partial authentications are considered as failures :/

The simplest fix for me seems to be to return before L355 if partial or
authctxt->postponed are set (maybe after checking that there isn't a logic
flaw and authenticated was set?).

Am I missing something?
Thanks in advance,
Vincent Brillault
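
The accounting path described in the message above, as a simplified C model added here for illustration (it is not OpenSSH's auth.c and not code from the original post). The function `auth_log_model`, the `FX_*` flags and the `early_return` switch are hypothetical names; the method list and the two side effects are the ones the message names.

```c
#include <stdio.h>
#include <string.h>

/* Side effects the message attributes to auth_log() (model flags, not OpenSSH names). */
#define FX_FAILED_LOGIN  0x1  /* record_failed_login() would be called */
#define FX_AUDIT_FAILURE 0x2  /* audit_event() would get a failure/unknown event */

/* Methods the message lists as triggering record_failed_login(). */
static int counts_as_failed_login(const char *method)
{
    static const char *const listed[] = {
        "password", "keyboard-interactive", "challenge-response"
    };
    for (size_t i = 0; i < sizeof(listed) / sizeof(listed[0]); i++)
        if (strcmp(method, listed[i]) == 0)
            return 1;
    return 0;
}

/*
 * Hypothetical model of the accounting path. early_return = 0 is the
 * behaviour described in the message; early_return = 1 is the proposed fix.
 */
static int auth_log_model(int authenticated, int partial, int postponed,
    const char *method, int early_return)
{
    int fx = 0;

    if (early_return && (partial || postponed))
        return 0;               /* intermediate step: not a failure */
    if (authenticated || postponed)
        return 0;               /* success or still in progress */
    if (counts_as_failed_login(method))
        fx |= FX_FAILED_LOGIN;
    fx |= FX_AUDIT_FAILURE;
    return fx;
}

int main(void)
{
    /* Constructed case: password accepted as the first of two required methods. */
    printf("current:  0x%x\n", auth_log_model(0, 1, 0, "password", 0));
    printf("proposed: 0x%x\n", auth_log_model(0, 1, 0, "password", 1));
    /* A genuine wrong password must still be recorded under the fix. */
    printf("failure:  0x%x\n", auth_log_model(0, 0, 0, "password", 1));
    return 0;
}
```

In the model, a partial publickey step raises only the audit flag, while a partial password step raises both, which matches the message's observation that only three methods reach record_failed_login.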


More information about the openssh-unix-dev mailing list