Hi,
I've been looking at pam_tally as a means of discouraging "brute force" ssh attacks. I have noticed, like Adam Monsen in a previous e-mail:
http://www.redhat.com/archives/pam-list/2004-October/msg00047.html
that once the maximum password failures has been exceeded, SSH/PAM still give a clear indication of when you've cracked the right password.
If you give a bad password, you get a 2-second delay and a new prompt:
    dummy@localhost's password:
    Permission denied, please try again.
    dummy@localhost's password:
If you get it right, you get the message:
    dummy@localhost's password:
    Read from remote host localhost: Connection reset by peer
    Connection to localhost closed.
Giving this kind of indicator defeats most of the usefulness of pam_tally, e.g. you can't afford to reset the password counter without checking it first, and changing the password if the counter is in the hundreds or more.
I have tried raising the importance of pam_tally by using:

    auth requisite pam_tally.so no_magic_root

BEFORE all other entries in /etc/pam.d/sshd, but this does not help.
Is there some configuration change I can make to PAM/SSH which will fail a "locked" account in a consistent manner, regardless of whether or not the password is right?
Or is this already the subject of a bug-report/enhancement-request?
Regards, George Hansper
_______________________________________________ Pam-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/pam-list
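An added example (not from the original message, and not the poster's actual file) of how the auth stack is usually arranged so that the lockout is enforced before the password is ever checked. The pam_tally line quoted above carries no deny= option; pam_tally's auth component only refuses a login when deny=N is given, otherwise it just increments the counter and the refusal is left to the account stack, which sshd consults only after pam_authenticate has already accepted the password. The deny=5 threshold, pam_unix.so as the password module and a stand-alone /etc/pam.d/sshd (rather than one that includes system-auth) are assumptions for the example:

```conf
# /etc/pam.d/sshd -- example stack, not the poster's file
# Lockout check first: with deny=5 pam_tally itself returns failure once the
# tally exceeds 5, and "requisite" ends the stack right there, so a locked
# account fails in the auth stage whether or not the password is right.
auth     requisite  pam_tally.so  onerr=fail deny=5 no_magic_root
auth     required   pam_unix.so

# On a successful login the account component resets the tally.
account  required   pam_tally.so  no_magic_root reset
account  required   pam_unix.so
```

The control flag matters as much as the order: with requisite the stack stops at the first failure, whereas with required the later modules (and so the password comparison) still run. pam_tally writes /var/log/faillog by default, so `faillog -u dummy` shows the current count and `faillog -u dummy -r` clears it, which is the check worth doing before any reset. Whether sshd then prints the same "Permission denied" text for a locked account also depends on the OpenSSH version and on the UsePAM/ChallengeResponseAuthentication settings in sshd_config, so the behaviour should be confirmed on the host in question.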