pam_abl and sshd MaxAuthTries strangeness (was Re: pam_tally with sshd: ssh password-based failures not tally'd)

George Hansper george-lists at anstat.com.au
Mon Jan 10 23:50:20 UTC 2005


Darren Tucker wrote:
> George Hansper wrote:
> [...]
>> It might be more useful to end-users to have separate controls in 
>> /etc/ssh/sshd_config
>> for the different methods - eg MaxAuthTriesPassword, MaxAuthTriesPublickey etc.
> 
> 
> I don't see much value in that.  MaxAuthTries is just a safety valve to 
> prevent too many attempts in a single connection.  The attacker can 
> always reconnect (at a cost of some CPU for key exchange).
> 

I think there IS value in separating the MaxAuthTries.

I'd like to set the MaxAuthTries for passwords as low as
possible (i.e. 1 only), since that is the only way to get
sensible results from failed-login counters such as
pam_tally and pam_abl.

As you mentioned, my 'agent' may have a lot of publickeys to try.
In this case, I can run out of MaxAuthTries before I get a chance to enter
a password. Sure, I can add the option:
       -o PreferredAuthentications=password
but that requires a fair bit of knowledge of ssh, which ordinary
users don't have.

I presume publickeys are less susceptible to 'brute-force' attacks than
passwords, so I would be happy to set MaxAuthTries higher for publickey
logins (say, 5) than password logins.

(I'd like to be able to tally the publickey logins, too,
but that does not appear to be feasible at present.)

Regards,
	George Hansper
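As an added illustration, not part of George's post nor of OpenSSH or the PAM modules discussed: a small Python tally that does what pam_tally cannot, namely count sshd failures separately by authentication method, using the "Failed password for" / "Failed publickey for" lines OpenSSH writes to the auth log. The log lines are constructed samples and the per-method limits are assumed values.

```python
import re
from collections import Counter, defaultdict

# Shape of OpenSSH's failure lines (syslog timestamp/host prefix omitted).
# Matches both "Failed password for invalid user X" and "Failed <method> for X".
FAILED_RE = re.compile(
    r"Failed (?P<method>password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<host>\S+) port \d+"
)

# Constructed sample log: an agent offers three keys that are refused, then
# the user logs in with a password; a second host only tries passwords.
SAMPLE_LOG = """\
sshd[1001]: Failed publickey for george from 192.0.2.10 port 40001 ssh2
sshd[1001]: Failed publickey for george from 192.0.2.10 port 40001 ssh2
sshd[1001]: Failed publickey for george from 192.0.2.10 port 40001 ssh2
sshd[1001]: Accepted password for george from 192.0.2.10 port 40001 ssh2
sshd[1002]: Failed password for george from 198.51.100.7 port 50123 ssh2
sshd[1003]: Failed password for george from 198.51.100.7 port 50124 ssh2
sshd[1004]: Failed password for invalid user admin from 198.51.100.7 port 50125 ssh2
"""


def tally_failures(log_text):
    """Return {(user, host): Counter({method: n})} for failed sshd attempts."""
    tally = defaultdict(Counter)
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            tally[(m["user"], m["host"])][m["method"]] += 1
    return tally


def flagged(tally, password_limit=2, publickey_limit=5):
    """(user, host) pairs whose failures reach a per-method limit (assumed values).

    Publickey refusals from a key-laden agent are judged against the higher
    limit, so they do not trip the low password limit the way a single
    combined counter would.
    """
    return sorted(
        key for key, c in tally.items()
        if c["password"] >= password_limit or c["publickey"] >= publickey_limit
    )


if __name__ == "__main__":
    for key, c in tally_failures(SAMPLE_LOG).items():
        print(key, dict(c))
    print("flagged:", flagged(tally_failures(SAMPLE_LOG)))
```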
