Feature request: FAIL_DELAY-support for sshd

Ed Maste emaste at phaedrus.sandvine.ca
Wed Feb 2 07:19:59 EST 2005


On Tue, Feb 01, 2005 at 08:33:23PM +0100, Bjoern Voigt wrote:

> The problem is that OpenSSH checks the username without PAM, so
> pam_fail_delay() has no effect if the username is wrong.

It seems that sshd's checking of getpwnam() before trying to
authenticate with PAM causes many issues.  For example, some PAM
modules want to change the username after authenticating; the
user passed in to PAM might not even exist.  (Of course the
user returned by PAM must.)  This can be used to allow role-account
logins, if the user authenticates using something like RADIUS.

That said, however, I think OpenSSH is designed to follow the
same code path for authentication with valid/invalid users.  I
believe it should call pam_authenticate also for users that 
don't exist.  Are you sure pam_authenticate isn't being called?
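To make the ordering point concrete, here is a constructed toy model (added example, not OpenSSH, PAM or the poster's code): a getpwnam()-style lookup that rejects unknown users before the failure delay, beside a variant that runs the same hashing and delay path for every username. `FailDelay` stands in for pam_fail_delay() and only counts invocations; the user database and passwords are constructed.

```python
"""Toy model of the sshd/PAM ordering problem discussed in the thread.

Constructed example, not OpenSSH or PAM code. A failure delay applied
only after the username has already been looked up cannot cover
unknown usernames; the uniform variant fixes that by design.
"""
import hashlib
import hmac
import os

ITERATIONS = 10_000

def make_record(password: str) -> dict:
    salt = os.urandom(16)
    return {"salt": salt,
            "hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)}

# Constructed user database; values are not from any real system.
USERS = {"alice": make_record("correct horse")}
# Placeholder record so unknown users incur the same hashing work.
FAKE_RECORD = make_record(os.urandom(12).hex())

def check_password(record: dict, password: str) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], ITERATIONS)
    return hmac.compare_digest(candidate, record["hash"])

class FailDelay:
    """Stand-in for pam_fail_delay(): counts how often a failure delay fired."""
    def __init__(self):
        self.calls = 0
    def __call__(self):
        self.calls += 1  # a real PAM module would sleep here

def auth_leaky(user: str, password: str, delay: FailDelay) -> bool:
    """getpwnam()-style check first: unknown users fail before any delay."""
    if user not in USERS:
        return False
    ok = check_password(USERS[user], password)
    if not ok:
        delay()
    return ok

def auth_uniform(user: str, password: str, delay: FailDelay) -> bool:
    """Same path for every username: hash, compare, then delay on any failure."""
    record = USERS.get(user, FAKE_RECORD)
    ok = check_password(record, password) and user in USERS
    if not ok:
        delay()
    return ok
```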
