pam_tally with sshd: ssh password-based failures not tally'd
George Hansper
george-lists at anstat.com.au
Mon Jan 10 02:07:49 UTC 2005
George Hansper wrote:
> Changing the /etc/ssh/sshd_config setting:
> MaxAuthTries 1
> limits the user to 1 try per TCP connection, and brings pam_abl into
> line with real attempts
>
> This works for Fedora Core 3 (openssh-server 3.9p1-7)
>
> For Mandrake 10.1, 'MaxAuthTries N' allows 'N+1' tries, and never allows more
> than 3 tries anyway. 'MaxAuthTries 1' kicks you out before you start!
> I'm reluctant to set 'MaxAuthTries 0', even though this works. I thought
> I had Mandrake allowing "N-1" tries, too, though I can't reproduce it for now.
>
Fedora Core 3 (openssh-server 3.9p1-7) has started giving me the same
strange behaviour as Mandrake:

MaxAuthTries 1

> ssh george@127.0.0.1
Received disconnect from 127.0.0.1: 2: Too many authentication failures for george

i.e. before I can enter a password!

If I set:

MaxAuthTries 2

> ssh georgeh@127.0.0.1
george@127.0.0.1's password:
Received disconnect from 127.0.0.1: 2: Too many authentication failures for george

i.e. one attempt.

I have restarted the sshd server at each config change, and I haven't been drinking, either!

Obviously, this ambiguity of MaxAuthTries is a "characteristic" of openssh-server 3.9p1-7.
Regards,
George Hansper
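
Added example, not part of the original post: one way to measure how many password failures sshd really allows per TCP connection, and the per-user total a PAM tally should match, by grouping auth-log lines by sshd PID. The log lines are constructed samples, the scenario "MaxAuthTries 2" is assumed, and one PID per connection is an assumption about how the server logs.

```python
import re
from collections import Counter

# Constructed sample lines in sshd's usual syslog format (not from the post).
# Assumed scenario: sshd_config contains "MaxAuthTries 2".
SAMPLE_LOG = """\
Jan 10 12:00:01 host sshd[2101]: Failed password for george from 127.0.0.1 port 40001 ssh2
Jan 10 12:00:01 host sshd[2101]: Disconnecting: Too many authentication failures for george
Jan 10 12:05:10 host sshd[2140]: Failed password for george from 127.0.0.1 port 40002 ssh2
Jan 10 12:05:10 host sshd[2140]: Disconnecting: Too many authentication failures for george
Jan 10 12:11:00 host sshd[2199]: Failed password for illegal user bob from 10.0.0.5 port 40003 ssh2
"""

LINE = re.compile(r"sshd\[(\d+)\]: (.*)$")
FAILED = re.compile(r"Failed password for (?:(?:invalid|illegal) user )?(\S+) from ")
CUTOFF = re.compile(r"Disconnecting: Too many authentication failures for (\S+)")

def parse(log_text):
    """Group events by sshd PID (assumption: one PID per TCP connection)."""
    conns = {}
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue  # not an sshd line
        pid, msg = int(m.group(1)), m.group(2)
        conn = conns.setdefault(pid, {"user": None, "failed": 0, "cut_off": False})
        if (f := FAILED.match(msg)):
            conn["user"], conn["failed"] = f.group(1), conn["failed"] + 1
        elif (c := CUTOFF.match(msg)):
            conn["user"], conn["cut_off"] = c.group(1), True
    return conns

def limit_report(log_text, max_auth_tries):
    """Per cut-off connection: (pid, user, failures seen, failures - MaxAuthTries)."""
    return [(pid, c["user"], c["failed"], c["failed"] - max_auth_tries)
            for pid, c in sorted(parse(log_text).items()) if c["cut_off"]]

def failures_per_user(log_text):
    """Total logged password failures per user, the figure a tally should match."""
    return Counter(c["user"] for c in parse(log_text).values()
                   for _ in range(c["failed"]))

if __name__ == "__main__":
    for row in limit_report(SAMPLE_LOG, max_auth_tries=2):
        print("pid=%d user=%s failures=%d offset=%+d" % row)
    print(dict(failures_per_user(SAMPLE_LOG)))
```

A non-zero offset in the report means the server enforced a different limit than the configured MaxAuthTries value, which is the discrepancy described in the message above.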