
Re: pam_abl and sshd MaxAuthTries strangeness (was Re: pam_tally with sshd: ssh password-based failures not tally'd)

George Hansper wrote:
> I think there IS value in separating the MaxAuthTries.
>
> I'd like to set the MaxAuthTries for passwords as low as
> possible (ie 1 only), since that is the only way to get
> sensible results from failed-login counters such as
> pam_tally and pam_abl.

That's a reason for finding out why multiple attempts are only counted once and fixing that, not for adding another knob to sshd.

> As you mentioned, my 'agent' may have a lot of public keys to try.
> In this case, I can run out of MaxAuthTries before I get a chance to enter
> a password. Sure, I can add the option:
>       -o PreferredAuthentications=password
> but that requires a fair bit of knowledge of ssh, which ordinary
> users don't have.

It doesn't require any special knowledge beyond reading the man page.

You can also put it in your ~/.ssh/config file (or even have the admin put it in the global config) so you don't have to remember it.

> I presume public keys are less susceptible to 'brute-force' attacks than
> passwords, so I would be happy to set MaxAuthTries higher for publickey
> logins (say, 5) than password logins.
>
> (I'd like to be able to tally the publickey logins, too,
> but that does not appear to be feasible at present.)

You could hack sshd to make a bogus call to pam_authenticate() after other failed non-password auth attempts. That's pretty ugly, though.

Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
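The "strangeness" the thread is about is easier to see on a log than in the abstract: if a failure counter only increments once per sshd connection, an attacker gets MaxAuthTries password guesses (6 by default) for every increment, which is why the original poster wants MaxAuthTries=1 for passwords. The script below is an added example, not code from the thread or from OpenSSH or pam_tally; it tallies sshd "Failed password" lines two ways, per attempt and per connection (keyed on the sshd child PID), over a handful of constructed log lines. The format is sshd's usual syslog format, but the addresses, PIDs and timestamps are made up for the example, and the threshold of 5 is an arbitrary lock-out value chosen to show the difference.

```shell
#!/bin/sh
# Added example: per-attempt versus per-connection tallying of sshd
# password failures. Not from the original thread.

# Constructed sample log (sshd syslog format; hosts/PIDs/times invented).
# PID 1201: one connection from 203.0.113.5 burns all six MaxAuthTries.
# PID 1207: a second connection from the same address, two more failures.
# PID 1213: a legitimate user fails a password once, then uses a key.
LOG='Jan 10 10:00:01 host sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Jan 10 10:00:02 host sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Jan 10 10:00:03 host sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Jan 10 10:00:04 host sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Jan 10 10:00:05 host sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Jan 10 10:00:06 host sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Jan 10 10:00:06 host sshd[1201]: Disconnecting: Too many authentication failures for admin
Jan 10 10:00:10 host sshd[1207]: Failed password for root from 203.0.113.5 port 51235 ssh2
Jan 10 10:00:11 host sshd[1207]: Failed password for root from 203.0.113.5 port 51235 ssh2
Jan 10 10:00:30 host sshd[1213]: Failed password for alice from 198.51.100.7 port 40012 ssh2
Jan 10 10:00:35 host sshd[1213]: Accepted publickey for alice from 198.51.100.7 port 40012 ssh2'

# Emit "ip pid" for every failed password attempt. The "from" field is
# located by name because "invalid user" shifts the field positions.
failed_attempts() {
    printf '%s\n' "$LOG" | awk '
        $5 ~ /^sshd\[[0-9]+\]:$/ && $6 == "Failed" && $7 == "password" {
            for (i = 8; i <= NF; i++) if ($i == "from") { ip = $(i+1); break }
            pid = $5; sub(/^sshd\[/, "", pid); sub(/\]:$/, "", pid)
            print ip, pid
        }'
}

# Attempts per source address: what a counter sees when every password
# attempt in a connection is passed to it.
attempts_per_ip() {
    failed_attempts | awk '{ n[$1]++ } END { for (ip in n) print ip, n[ip] }' | sort
}

# Connections per source address: what a counter sees when it is only
# incremented once per sshd session, however many MaxAuthTries were used.
connections_per_ip() {
    failed_attempts | sort -u | awk '{ n[$1]++ } END { for (ip in n) print ip, n[ip] }' | sort
}

# Count for one address under a given view ("0" if the address is absent).
count_for() {   # count_for <attempts_per_ip|connections_per_ip> <ip>
    "$1" | awk -v ip="$2" '$1 == ip { print $2; found = 1 } END { if (!found) print 0 }'
}

# Addresses that would trip a lock-out threshold under a given view.
over_threshold() {   # over_threshold <attempts_per_ip|connections_per_ip> <threshold>
    "$1" | awk -v t="$2" '$2 >= t { print $1 }'
}

main() {
    echo "attempts per IP:";    attempts_per_ip
    echo "connections per IP:"; connections_per_ip
    echo "locked out at 5 attempts:";    over_threshold attempts_per_ip 5
    echo "locked out at 5 connections:"; over_threshold connections_per_ip 5
}
main
```

Run as `sh tally.sh`: the per-attempt view puts 203.0.113.5 at 8 failures and over the threshold, while the per-connection view shows only 2 and locks nobody out, which is exactly the situation in which lowering MaxAuthTries for password authentication (or fixing the counter to see every attempt, as suggested above) makes the tally meaningful again.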
