[Bug 1237] Behaviour of openssh with pam_tally is very buggy

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Mon Sep 25 22:39:40 EST 2006


           Summary: Behaviour of openssh with pam_tally is very buggy
           Product: Portable OpenSSH
           Version: 4.3p2
          Platform: Other
        OS/Version: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: PAM support
        AssignedTo: bitbucket at mindrot.org
        ReportedBy: dave at cirt.net

This flavour of openssh doesn't support pam_tally very well, leading to
the risk that users may find themselves locked out of other applications
- even with valid credentials, or may be able to access the system when
the account should be locked out.

Base system: Fedora Core 5, added pam_tally lines to
/etc/pam.d/system-auth as follows:
auth required /lib/security/$ISA/pam_tally.so onerr=fail deny=5
account required /lib/security/$ISA/pam_tally.so

This leads to the following buggy behaviour: (using password
1) The tally only increases once with each ssh session, not with each
bad password (as the default is 3 tries before failure, this means I
can get in 3 bad passwords for one tally).
2) The tally doesn't update properly, using /sbin/pam_tally unless I
fail authentication using another mechanism (e.g. sudo) - try this
order (deliberately using bad passwords):
/sbin/pam_tally (no entries)
sudo ls
/sbin/pam_tally (entry for sudo failure plus one for ssh)
3) SSH doesn't actually lock you out when you've gone over your tally
limit - even though other services do.
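One way to check a host for the symptoms described above, as an added example that is not part of this bug report or of OpenSSH: it cross-checks sshd's auth log against the pam_tally listing and the deny= limit on the pam_tally.so line, reporting counters that lag behind the number of failed attempts (one tally per session rather than per password) and logins accepted while a counter already sits at the limit. The auth log lines are constructed, and the pam_tally listing format ("User NAME (UID) has COUNT") is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample input: three bad passwords in one sshd session (pid 4021) that
# the tally recorded once, and a user at the deny limit who still logged in.
AUTH_LOG = """\
Sep 25 22:30:01 host sshd[4021]: Failed password for dave from 192.0.2.10 port 51234 ssh2
Sep 25 22:30:05 host sshd[4021]: Failed password for dave from 192.0.2.10 port 51234 ssh2
Sep 25 22:30:09 host sshd[4021]: Failed password for dave from 192.0.2.10 port 51234 ssh2
Sep 25 22:32:00 host sshd[4050]: Accepted password for alice from 192.0.2.11 port 51240 ssh2
"""
TALLY_OUT = "User dave\t(500)\thas 1\nUser alice\t(501)\thas 5\n"  # assumed pam_tally format
PAM_CONF = "auth required /lib/security/$ISA/pam_tally.so onerr=fail deny=5\n"
FAILED = re.compile(r"sshd\[(\d+)\]: Failed password for (?:invalid user )?(\S+) from")
ACCEPTED = re.compile(r"sshd\[(\d+)\]: Accepted password for (\S+) from")
TALLY = re.compile(r"^User (\S+)\s+\(\d+\)\s+has (\d+)$")

def parse_deny_limit(pam_conf):
    """deny=N from the pam_tally.so line, or None if no limit is configured."""
    for line in pam_conf.splitlines():
        if "pam_tally.so" in line and (m := re.search(r"\bdeny=(\d+)", line)):
            return int(m.group(1))
    return None

def parse_tally(output):
    """user -> current counter, from the pam_tally listing."""
    return {m.group(1): int(m.group(2))
            for m in map(TALLY.match, output.splitlines()) if m}

def audit(auth_log, tally_output, pam_conf):
    """Per user: failed attempts, sshd sessions with failures, the tally counter,
    a counter below the attempt count, and an accepted login at/over deny."""
    deny = parse_deny_limit(pam_conf)
    tally = parse_tally(tally_output)
    failures, sessions, accepted = defaultdict(int), defaultdict(set), set()
    for line in auth_log.splitlines():
        if m := FAILED.search(line):
            pid, user = m.groups()
            failures[user] += 1
            sessions[user].add(pid)
        elif (m := ACCEPTED.search(line)) and deny is not None \
                and tally.get(m.group(2), 0) >= deny:
            accepted.add(m.group(2))  # counter is a snapshot: confirm against timestamps
    return {u: {"failures": failures[u], "sessions": len(sessions[u]),
                "tally": tally.get(u, 0),
                "undercounted": tally.get(u, 0) < failures[u],
                "accepted_over_limit": u in accepted}
            for u in set(failures) | set(tally) | accepted}
```

A real run would feed in /var/log/secure and the output of /sbin/pam_tally instead of the embedded samples.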
