pam_tally with sshd: ssh password-based failures not tally'd

[Andy Armstrong]

George Hansper wrote:

> Hello Andy,
> 
> I've downloaded and compiled the pam_abl package.
> 
> Basically, it seems to work quite well. I did notice the following:
> 
> a) It requires the /etc/ssh/sshd_config setting:
>     UsePAM yes
>     ChallengeResponseAuthentication no
>    for openssh-server 3.9p1-7 (Fedora Core 3/Mandrake 10.1)

Ah right, I'll add that to the doc, thanks.

> b) sshd normally allows 3 tries before kicking the user out of the
>    password dialog. This registers as 1 user failure and 1 host failure
>    for pam_abl.
> 
>    Changing the /etc/ssh/sshd_config setting:
>     MaxAuthTries 1
>    limits the user to 1 try per TCP connection, and brings pam_abl into
>    line with real attempts

Yes, a 'failed attempt' is a failed application session. The module 
doesn't know how many retries the application does in that session 
although it could work it out. Perhaps that would be better. I'll 
investigate.

> c) Once a user or host has been locked, there does not seem to be any
>    way to unlock the account manually, before the 'purge' time has elapsed.
> 
>    The locking appears to apply to a particular host, so I don't think this
>    would arise except during testing. Once a host has exeeded it's 
> failed-login
>    limit, I would be reluctant to unlock it at a user's request.

Yes, that's right. I will add it but normally it won't be necessary.

>    "user locking" appears to be "user-host locking", in that it is not the
>    user's account which gets locked, but a particular user-host 
> combination.

No, it's actually user locking - it only considers the username. It's 
less useful I think than host locking but it was trivial to add it so...

> d) It would be useful if the pam_abl command, in addition to the list of
>    failed attempts, would give a clear indication of which hosts and 
> user-hosts
>    are currently black-listed.

Yup, good idea - I'll add that.

> e) It might be better if the 'pam_abl -v' command also showed the 
> hostname/ip
>    for each failed user-attempt.
> 
>    eg:
>     Failed users:
>         george (3)
>             Mon Jan 10 11:22:49 2005  localhost
>             Mon Jan 10 11:22:35 2005  www.example.net
>             Mon Jan 10 11:22:31 2005  localhost
> 
>    Similar could be applied to "Failed hosts" output, which could
>    show the username for each attempt.
> 
>     Failed hosts:
>         localhost (1)
>             Mon Jan 10 11:17:14 2005  george

It doesn't really have that information in an easily accessible form - 
it only actually records the timestamp in the database. I could add that 
but it'd mean quite a change.

>    Is there a place for "user-only locking"? Perhaps for a distributed 
> attack on
>    a particular user?

That's what it actually does currently.

> f) The pam_abl command REQUIRES the default-config to be specified, ie:
>     pam_abl /etc/security/pam_abl.conf
>    works, while
>     pam_abl
>    fails. This gets annoying pretty quickly.

OK, I'll put a default in there.

> g) The "host" field printed by pam_abl seems to be recorded as a
>    an IP address, even though hostnames are printed. It would be nice
>    to have the choice of hostname/IP address for the output.

All it has is what it gets from PAM. That's typically a hostname if 
reverse DNS has worked otherwise a dotted-quad IP address. I could make 
it turn the hostnames back into IP addresses but there's probably not 
much point in trying to do reverse DNS if it's failed for PAM.

> In it's current form pam_abl is already useful. I am loking forward to
> seeing future enhancements, and I hope it will be included in the
> "standard" Linux-pam package in the near future.

Thanks for taking the time to look at it so thoroughly. I'll do some 
more work on it over the next couple of days. It's clear that, apart 
from anything else, the documentation needs to give a better overview of 
what it's actually doing :)

Thanks.

-- 
Andy Armstrong, hexten.net