pam_tally with sshd: ssh password-based failures not tally'd

Adam Monsen haircut at gmail.com
Wed Oct 27 07:42:03 UTC 2004


Hmm, after tinkering a bit, I think I'm able to get sshd/PAM to
actually lock out users after a certain number of failed login
attempts. Here are the relevant lines from my /etc/pam.d/sshd:

auth       required     pam_tally.so no_magic_root
account    required     pam_tally.so deny=3 no_magic_root per_user

The trick is the account component must include 'no_magic_root' and
'per_user'. Don't ask me why. The documentation is poor since per_user
shouldn't be required but is.

Once it "works", the behavior is still pretty strange:

1. user makes three failed login attempts via ssh
2. faillog(8) can be used to indeed report the user's 3 failed logins

at this point, two things can happen (I'll try explaining with pseudocode):

if ( user enters correct password ) {
   User's ssh client says: "Read from remote host localhost:
   Connection reset by peer
   Connection to localhost closed."
} else if ( user enters incorrect password ) {
   User is again prompted for password after a slight pause.
   No indication is given that the account is locked.
}

Ok, fine, so it doesn't let them log in, but because an /incorrect/
password attempt /doesn't/ show any indication that the account is
locked, a cracker could infer they've figured out the password when
the connection unexpectedly drops, then wait until the sysadmin resets
the failed login counts and log in successfully!

I know this is a somewhat borderline, difficult-to-exploit case, but
it seems like buggy behavior on the part of pam_tally. I would expect
either branch of the condition to cause PAM/ssh/whatever to just spit
out "account disabled" and drop the connection.

Here's my complete, somewhat working /etc/pam.d/sshd:

#%PAM-1.0
auth       required     pam_stack.so service=system-auth
auth       required     pam_nologin.so
auth       required     pam_tally.so no_magic_root
account    required     pam_tally.so deny=3 no_magic_root per_user
account    required     pam_stack.so service=system-auth
password   required     pam_stack.so service=system-auth
session    required     pam_selinux.so
session    required     pam_stack.so service=system-auth
session    required     pam_limits.so
session    optional     pam_console.so

Oh, I should also mention that some strange messages are sent to
syslog after 3 failed attempts and one attempt with the correct
password:

==> /var/log/messages <==
Oct 27 00:15:01 mikey pam_tally[12812]: user embo (505) tally 4, deny 3

==> /var/log/secure <==
Oct 27 00:15:01 mikey sshd[12812]: pam_succeed_if: requirement "uid < 100" not met by user "embo"
Oct 27 00:15:01 mikey sshd[12812]: PAM rejected by account configuration[7]: Authentication failure
Oct 27 00:15:01 mikey sshd[12812]: Failed password for embo from 127.0.0.1 port 34751 ssh2
Oct 27 00:15:01 mikey sshd[12812]: fatal: monitor_read: unsupported request: 24

Not sure what that stuff means.

Anyone know a simple way to allow, say, a 1 hour timeout before the
user is able to log in again? I'm sure some kinda cron job that uses
faillog(8) is possible, but I thought I'd see if anyone knew a
/really/ easy way first.

Also, anyone know of a PAM module that can increase the time a user
waits to re-enter their password after each unsuccessful login
attempt? If not, then maybe just a simple way to adjust the time a
user waits to re-enter their password after each unsuccessful login
attempt?

On Sat, 16 Oct 2004 10:56:45 -0700, Adam Monsen <haircut at gmail.com> wrote:
> I can't get password-based failures to be recorded using pam_tally.
> Anyone have any PAM/sshd insight? Here's my /etc/pam.d/sshd:
> 
> #%PAM-1.0
> auth       required     pam_stack.so service=system-auth
> auth       required     pam_tally.so
> auth       required     pam_nologin.so
> account    required     pam_tally.so deny=3
> account    required     pam_stack.so service=system-auth
> password   required     pam_stack.so service=system-auth
> session    required     pam_stack.so service=system-auth
> session    required     pam_limits.so
> session    optional     pam_console.so
> 
> /var/log/faillog is never written to when a failed password-based
> login attempt occurs.
> 
> # ls -l /var/log/faillog
> -rw-r-----  1 root root 12312 Oct 16 10:31 /var/log/faillog
> 
> I tried restarting sshd, but no luck. Nothing helpful about why these
> attempts are not recorded. I'm running Fedora Core 1 with
> openssh-server-3.6.1p2-19.
> 
> Do I need PAMAuthenticationViaKbdInt or UseLogin or something else set
> in /etc/ssh/sshd_config? I don't want to mess with these without
> understanding their purpose.
> 
> I did get pam_tally to work with 'su' by modifying /etc/pam.d/su in a
> similar way. Anyone know why /etc/pam.d/su uses the following format
> for specifying the location of a PAM module?
> auth       required     /lib/security/$ISA/pam_tally.so
> 
> From what I can tell, /lib/security/ is the default location searched
> for modules, so this seems unnecessary.
> 
> --
> Adam Monsen <adamm at wazamatta.com>
> http://adammonsen.com/
> 


-- 
Adam Monsen <adamm at wazamatta.com>
http://adammonsen.com/
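The post asks for a cron-job style way to let a locked-out account back in after an hour, and shows the syslog line pam_tally writes when it denies access ("user embo (505) tally 4, deny 3"). The script below is an added example, not code from the post, from pam_tally or from Fedora: it parses that line format out of /var/log/messages-style input, records the most recent denial per user, and lists the faillog(8) resets (`faillog -r -u USER`) a cron job could run once a lockout is older than a chosen timeout. The sample log lines, the year (syslog omits it) and the "current time" are constructed for the example; the host and user names are taken from the post.

```python
"""Find pam_tally lockouts in syslog and list accounts whose lockout has aged
past a timeout.

Added example (not from the original post). It reads the pam_tally syslog
line format shown in the thread and decides which counters a cron job could
reset with faillog(8) after, say, one hour.
"""
import re
from datetime import datetime

# pam_tally line as it appears in /var/log/messages (format taken from the post).
# pam_tally writes this line only when it is denying access (tally > deny).
TALLY_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) pam_tally\[\d+\]: user (?P<user>\S+) \((?P<uid>\d+)\) "
    r"tally (?P<tally>\d+), deny (?P<deny>\d+)$"
)

# Constructed sample log lines; syslog omits the year, so we supply one.
SAMPLE_LOG = """\
Oct 27 00:15:01 mikey pam_tally[12812]: user embo (505) tally 4, deny 3
Oct 27 00:15:01 mikey sshd[12812]: PAM rejected by account configuration[7]: Authentication failure
Oct 27 00:20:30 mikey pam_tally[12901]: user embo (505) tally 5, deny 3
Oct 27 00:58:12 mikey pam_tally[13044]: user alice (506) tally 4, deny 3
Oct 27 01:10:45 mikey pam_tally[13120]: user bob (507) tally 5, deny 3
"""
SAMPLE_YEAR = 2004
SAMPLE_NOW = datetime(2004, 10, 27, 1, 30, 0)   # constructed "current time"


def parse_tally_line(line, year):
    """Return (timestamp, user, tally, deny) for a pam_tally line, else None."""
    m = TALLY_RE.match(line.rstrip("\n"))
    if not m:
        return None
    stamp = datetime.strptime(
        f"{year} {m['mon']} {int(m['day']):02d} {m['time']}", "%Y %b %d %H:%M:%S"
    )
    return stamp, m["user"], int(m["tally"]), int(m["deny"])


def find_lockouts(log_text, year):
    """Map each user to the time of their most recent denial by pam_tally."""
    lockouts = {}
    for line in log_text.splitlines():
        parsed = parse_tally_line(line, year)
        if parsed is None:
            continue                     # not a pam_tally line (e.g. sshd chatter)
        stamp, user, tally, deny = parsed
        if tally > deny:                 # sanity check; matches pam_tally's own test
            lockouts[user] = max(stamp, lockouts.get(user, stamp))
    return lockouts


def users_to_reset(lockouts, now, timeout_seconds=3600):
    """Users whose most recent denial is at least timeout_seconds old."""
    return sorted(
        user for user, stamp in lockouts.items()
        if (now - stamp).total_seconds() >= timeout_seconds
    )


def reset_commands(users):
    """faillog(8) invocations a cron job would run to clear the counters."""
    return [f"faillog -r -u {user}" for user in users]


if __name__ == "__main__":
    locked = find_lockouts(SAMPLE_LOG, SAMPLE_YEAR)
    for user, stamp in sorted(locked.items()):
        print(f"{user}: locked out, last denial at {stamp:%H:%M:%S}")
    for cmd in reset_commands(users_to_reset(locked, SAMPLE_NOW)):
        print(cmd)
```

Run from cron with the real log file substituted for SAMPLE_LOG and the commands executed rather than printed; only the user denied more than an hour before the constructed "now" (embo) is selected, while alice and bob stay locked. Later pam_tally builds, pam_tally2 and pam_faillock expose an unlock_time option that does this inside PAM, which avoids the cron job entirely where it is available.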