pam_tally with sshd: ssh password-based failures not tally'd
Darren Tucker
dtucker at zip.com.au
Mon Jan 10 02:23:17 UTC 2005
George Hansper wrote:
> George Hansper wrote:
[...]
>> For Mandrake 10.1, 'MaxAuthTries N' allows 'N+1' tries, and never
>> allows more than 3 tries anyway.
That's a feature of the client, not the server. From the ssh_config(5) man page:

    NumberOfPasswordPrompts
        Specifies the number of password prompts before giving up. The
        argument to this keyword must be an integer. Default is 3.
[...]
> Fedora Core 3 (openssh-server 3.9p1-7) has started giving me the same
> strange behaviour as Mandrake:
>
> MaxAuthTries 1
>
> > ssh george@127.0.0.1
> Received disconnect from 127.0.0.1: 2: Too many authentication failures
> for george
>
> ie before I can enter a password!
... but, most likely, after the client has attempted some other
authentication (eg hostbased or a key supplied by an agent).
Try "ssh -vvv yourserver" to see what it's doing and/or "ssh -o
PreferredAuthentications=password yourserver" to force it to attempt
only password auth.
--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
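
An added example, not part of the original message: a shell function that summarises `ssh -v` client debug output, showing whether keys were offered before the password method was reached and whether the server disconnected for too many failures. The two debug transcripts are constructed samples, and the function names and output field names are hypothetical.

```shell
#!/bin/sh
# Summarise client-side authentication attempts from `ssh -v` output on stdin.
# Real use (ssh writes debug lines to stderr): ssh -v yourserver 2>&1 | summarize_auth
summarize_auth() {
    awk '
        /^debug1: Next authentication method: / {
            m = $NF
            if (!(m in seen)) {
                seen[m] = 1
                sep = (order == "" ? "" : ",")
                order = order sep m
            }
            if (m == "password") password = "yes"
        }
        # One line per key the client offers, from an agent or an identity file.
        /^debug1: Offering .*public key/ { keys++ }
        /^Received disconnect from .*Too many authentication failures/ { disc = "yes" }
        END {
            printf "methods_tried=%s\n", order
            printf "keys_offered=%d\n", keys
            printf "password_reached=%s\n", (password ? password : "no")
            printf "disconnected=%s\n", (disc ? disc : "no")
        }
    '
}

# Constructed sample: default client, two keys offered, low MaxAuthTries on the server.
sample_agent_keys() {
    cat <<'EOF'
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Offering public key: /home/george/.ssh/id_rsa
debug1: Authentications that can continue: publickey,password
debug1: Offering public key: /home/george/.ssh/id_dsa
Received disconnect from 127.0.0.1: 2: Too many authentication failures for george
EOF
}

# Constructed sample: same server, client run with -o PreferredAuthentications=password.
sample_password_only() {
    cat <<'EOF'
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: password
EOF
}

sample_agent_keys | summarize_auth
sample_password_only | summarize_auth
```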