[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: pam_tally with sshd: ssh password-based failures not tally'd



Hi,

I've been looking at pam_tally as a means of discouraging "brute force"
ssh attacks. I have noticed, like Adam Monsen in a previous e-mail:

http://www.redhat.com/archives/pam-list/2004-October/msg00047.html

that once the maximum password failures has been exceeded,
SSH/PAM still give a clear indication of when you've cracked the right password.

If you give a bad password, you get a 2-second delay and a new prompt:

   dummy localhost's password:
   Permission denied, please try again.
   dummy localhost's password:

If you get it right, you get the message:

   dummy localhost's password:
   Read from remote host localhost: Connection reset by peer
   Connection to localhost closed.

Giving this kind of indicator defeats most of the usefulness of pam_tally.
eg you can't afford to reset the password-counter without checking it first,
and changing the password if the counter is in the 100's or more.

I have tried raising the importance of pam_tally by using:

auth requisite pam_tally.so no_magic_root

BEFORE all other entries in /etc/pam.d/sshd, but this does not help.

Is there some configuration change I can make to pam/ssh which will
fail a "locked" account in a consistant manner, regardless of whether
or not the password is right?

Or is this already the subject of a bug-report/enhancement-request?

Regards,
	George Hansper


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]