
pam_abl and sshd MaxAuthTries strangeness (was Re: pam_tally with sshd: ssh password-based failures not tally'd)

I've tried the options PreferredAuthentications=password and NumberOfPasswordPrompts=10
and I seem to get consistent behaviour (for now):

	ssh -o PreferredAuthentications=password -o NumberOfPasswordPrompts=10
	MaxAuthTries 1

I get TWO tries at entering the password, and pam_abl registers ONE failed login.

In general, it seems for 'MaxAuthTries N', I get N+1 tries at the password,
and pam_abl increments by ONE failed login.

	ssh -o PreferredAuthentications=publickey,password

I get N tries at entering the password, and pam_abl registers ONE failed login

On Fedora Core 3, I also had 'GSSAPIAuthentication yes' in /etc/ssh/sshd_config,
which gave the result (using 'ssh -vvv ...'):

debug1: Authentications that can continue: publickey,gssapi-with-mic,password

With 'MaxAuthTries 1', the 2 tries permitted were being used up before I could enter
a password.

If no password was entered this did NOT register as a failed password for pam_abl.
This gives rise to the possibility of a publickey ssh attack, which is not picked up by pam_abl.
Is there some way to make failed publickey logins register with pam_abl?

Although I understand what was happening now, I did find it confusing at the time.

Firstly, that 'MaxAuthTries N' allows up to N+1 authentication attempts (across all methods),
and secondly, that try-once-and-give-up methods like 'publickey' are included
in this count.

It might be more useful to end-users to have separate controls in /etc/ssh/sshd_config
for the different methods - eg MaxAuthTriesPassword, MaxAuthTriesPublickey etc.

So in order to get pam_abl to count "real" login attempts (or as close as possible):

a) MaxAuthTries 0
      and disable all other authentication methods
   PubkeyAuthentication no
   GSSAPIAuthentication no
   KerberosAuthentication no

b) Increment MaxAuthTries by one for each of the alternate authentication mechanisms
   which are enabled, and live with the possibility that a user can get
   2 or more password attempts by using:
	ssh -o PreferredAuthentications=password ...

It doesn't negate the usefulness of pam_abl, but it does make the limits
in the config a little "rubbery".

Thanks for the tips on ssh,
	George Hansper

Darren Tucker wrote:
George Hansper wrote:

George Hansper wrote:


For Mandrake 10.1, 'MaxAuthTries N' allows 'N+1' tries, and never allows more than 3 tries anyway.

That's a feature of the client, not the server. From the ssh_config(5) man page:

     Specifies the number of password prompts before giving up.  The
     argument to this keyword must be an integer.  Default is 3.


Fedora Core 3 (openssh-server 3.9p1-7) has started giving me the same
strange behaviour as Mandrake:

MaxAuthTries 1

> ssh george@127.0.0.1
Received disconnect from 2: Too many authentication failures for george

ie before I can enter a password!

... but, most likely, after the client has attempted some other authentication (eg hostbased or a key supplied by an agent).

Try "ssh -vvv yourserver" to see what it's doing and/or "ssh -o PreferredAuthentications=password yourserver" to force it to attempt only password auth.
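The publickey gap George raises above (a failed publickey attempt never reaches PAM, so pam_abl never counts it) is still visible in sshd's own log, and that is where a practitioner would count it. What follows is an added example and not code from this thread, from OpenSSH or from pam_abl: a small Python tally over sshd log lines that keeps per-method failure counts per source, so the PAM-visible count (password failures only) can be compared with the full count and publickey-only probers can be listed. The regexes follow the shape of sshd's "Failed <method> for <user> from <host> port <port> ssh2" and "Disconnecting: Too many authentication failures for <user>" messages as emitted by auth.c and the disconnect path; the log lines, hostnames and addresses are constructed for the example. One caveat to keep in mind: sshd logs "Failed publickey" lines at LogLevel VERBOSE (or once failures reach MaxAuthTries/2), so a server at the default LogLevel INFO will not show most of them.

```python
import re
from collections import Counter, defaultdict

# Constructed sample log, modelled on sshd's auth_log() and disconnect messages.
# Not captured from a real host; addresses are documentation ranges.
SAMPLE_LOG = """\
Mar  1 10:00:01 host sshd[1201]: Failed publickey for george from 192.0.2.10 port 40001 ssh2
Mar  1 10:00:01 host sshd[1201]: Failed publickey for george from 192.0.2.10 port 40001 ssh2
Mar  1 10:00:02 host sshd[1201]: Disconnecting: Too many authentication failures for george
Mar  1 10:00:05 host sshd[1202]: Failed publickey for george from 192.0.2.10 port 40002 ssh2
Mar  1 10:00:09 host sshd[1203]: Failed password for george from 192.0.2.10 port 40003 ssh2
Mar  1 10:00:11 host sshd[1203]: Failed password for george from 192.0.2.10 port 40003 ssh2
Mar  1 10:00:12 host sshd[1203]: Disconnecting: Too many authentication failures for george
Mar  1 10:00:20 host sshd[1210]: Failed password for invalid user admin from 198.51.100.7 port 50000 ssh2
Mar  1 10:00:31 host sshd[1212]: Failed publickey for root from 203.0.113.9 port 51000 ssh2
Mar  1 10:00:40 host sshd[1215]: Accepted publickey for george from 192.0.2.10 port 40010 ssh2
"""

# "Failed <method> for [invalid user ]<user> from <host> port <port> ssh2"
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed (?P<method>[\w-]+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<host>\S+) port \d+"
)
# Logged when MaxAuthTries is exhausted, whatever methods used the attempts up.
DISCONNECT_RE = re.compile(
    r"sshd\[\d+\]: Disconnecting: Too many authentication failures for (?P<user>\S+)"
)


def count_failures(lines):
    """Tally sshd failures per (host, user) and per method.

    Returns (per_source, disconnects): per_source maps (host, user) to a
    Counter of method -> failures; disconnects counts MaxAuthTries kicks per user.
    """
    per_source = defaultdict(Counter)
    disconnects = Counter()
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            per_source[(m["host"], m["user"])][m["method"]] += 1
            continue
        m = DISCONNECT_RE.search(line)
        if m:
            disconnects[m["user"]] += 1
    return per_source, disconnects


def pam_visible_failures(per_source):
    """Approximates what pam_abl sees: only password failures reach PAM,
    and the thread observed it registers one failure per session anyway."""
    return {src: counts["password"] for src, counts in per_source.items()}


def all_method_failures(per_source):
    """Every failed attempt sshd logged, regardless of method."""
    return {src: sum(counts.values()) for src, counts in per_source.items()}


def publickey_only_probers(per_source):
    """Sources that failed publickey and never tried a password: exactly the
    attackers pam_abl cannot see and a log-based blocker still can."""
    return sorted(
        src for src, counts in per_source.items()
        if counts["publickey"] and not counts["password"]
    )


if __name__ == "__main__":
    sources, kicks = count_failures(SAMPLE_LOG.splitlines())
    for src in sorted(sources):
        print(src, dict(sources[src]))
    print("PAM-visible:", pam_visible_failures(sources))
    print("all methods:", all_method_failures(sources))
    print("publickey-only:", publickey_only_probers(sources))
    print("MaxAuthTries disconnects:", dict(kicks))
```

Feed it `/var/log/secure` or `/var/log/auth.log` instead of SAMPLE_LOG to compare the two counts on a real host; a large gap between the PAM-visible and all-method totals for one source is the publickey probing the thread worries about.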
