pam_abl and sshd MaxAuthTries strangeness (was Re: pam_tally with sshd: ssh password-based failures not tally'd)
Darren Tucker
dtucker at zip.com.au
Tue Jan 11 00:34:28 UTC 2005
George Hansper wrote:
> I think there IS value in separating the MaxAuthTries.
>
> I'd like to set the MaxAuthTries for passwords as low as
> possible (i.e. 1 only), since that is the only way to get
> sensible results from failed-login counters such as
> pam_tally and pam_abl.
That's a reason for finding out why multiple attempts are only counted
once and fixing that, not for adding another knob to sshd.
> As you mentioned, my 'agent' may have a lot of publickey's to try.
> In this case, I can run out of MaxAuthTries before I get a chance to enter
> a password. Sure, I can add the option:
> -o PreferredAuthentications=password
> but that requires a fair bit of knowledge of ssh, which ordinary
> users don't have.
It doesn't require any special knowledge beyond reading the man page.
You can also put it in your ~/.ssh/config file (or even have the admin put
it in the global config) so you don't have to remember it.
> I presume publickeys are less susceptible to 'brute-force' attacks than
> passwords, so I would be happy to set MaxAuthTries higher for publickey
> logins (say, 5) than password logins.
>
> (I'd like to be able to tally the publickey logins, too,
> but that does not appear to be feasible at present.)
You could hack sshd to make a bogus call to pam_authenticate() after
other failed non-password auth attempts. That's pretty ugly, though.
--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
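For readers following the thread: the client-side setting discussed above can be placed in a per-user or global ssh_config so the ordinary user never has to type the `-o` option. The fragment below is an added illustration, not something from either poster; the host names and file paths are assumed placeholders.

```text
# ~/.ssh/config (per user) or /etc/ssh/ssh_config (set by the admin for everyone)
#
# The client offers every loaded public key before falling back to a
# password, and each rejected key counts against the server's MaxAuthTries.
# Asking for password authentication first on the hosts where that is the
# intended method avoids burning the attempt budget on keys the server
# will never accept.

# Placeholder host that only accepts passwords (assumed name):
Host passwd-only.example.net
    PreferredAuthentications password

# Everything else keeps the default ordering (keys first, then password):
Host *
    PreferredAuthentications publickey,password
```

The first stanza is equivalent to running `ssh -o PreferredAuthentications=password passwd-only.example.net` by hand; the `Host *` stanza just spells out the client default so the two behaviours can be compared side by side. On the server, `MaxAuthTries` in sshd_config remains a single ceiling over all methods, which is the limitation the thread is discussing.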