pam_tally with sshd: ssh password-based failures not tally'd
Philip Yarra
philip.yarra at internode.on.net
Mon Jan 10 02:40:25 UTC 2005
That's pretty common when you have a load of keys added to ssh-agent - the ssh
client tries each of these first, before asking you to provide a password.
Either specify password as the PreferredAuthentications for this Host, or drop
all identities from ssh-agent (ssh-add -D) and try that.
Regards, Philip Yarra.
On Mon, 10 Jan 2005 01:07 pm, George Hansper wrote:
> George Hansper wrote:
>
> > Changing the /etc/ssh/sshd_config setting:
> > MaxAuthTries 1
> > limits the user to 1 try per TCP connection, and brings pam_abl into
> > line with real attempts
> >
> > This works for Fedora Core 3 (openssh-server 3.9p1-7)
> >
> > For Mandrake 10.1, 'MaxAuthTries N' allows 'N+1' tries, and never allows more
> > than 3 tries anyway. 'MaxAuthTries 1' kicks you out before you start!
> > I'm reluctant to set 'MaxAuthTries 0', even though this works. I thought
> > I had Mandrake allowing "N-1" tries, too, though I can't reproduce it for now.
> >
>
> Fedora Core 3 (openssh-server 3.9p1-7) has started giving me the same
> strange behaviour as Mandrake:
>
> MaxAuthTries 1
>
> > ssh george@127.0.0.1
> Received disconnect from 127.0.0.1: 2: Too many authentication failures for george
>
> ie before I can enter a password!
>
> If I set:
> MaxAuthTries 2
>
> > ssh georgeh@127.0.0.1
> george@127.0.0.1's password:
> Received disconnect from 127.0.0.1: 2: Too many authentication failures for george
>
> ie one attempt.
>
> I have restarted the sshd server at each config change, and I haven't been
> drinking, either!
>
> Obviously, this ambiguity of MaxAuthTries is a "characteristic" of
> openssh-server 3.9p1-7
>
> Regards,
> George Hansper