George Hansper wrote:
Hello Andy,
I've downloaded and compiled the pam_abl package.
Basically, it seems to work quite well. I did notice the following:
a) It requires the /etc/ssh/sshd_config settings:
UsePAM yes
ChallengeResponseAuthentication no
for openssh-server 3.9p1-7 (Fedora Core 3/Mandrake 10.1)
Ah right, I'll add that to the doc, thanks.
b) sshd normally allows 3 tries before kicking the user out of the password dialog. This registers as 1 user failure and 1 host failure for pam_abl.
Changing the /etc/ssh/sshd_config setting: MaxAuthTries 1 limits the user to 1 try per TCP connection, and brings pam_abl into line with real attempts
Yes, a 'failed attempt' is a failed application session. The module doesn't know how many retries the application does in that session although it could work it out. Perhaps that would be better. I'll investigate.
c) Once a user or host has been locked, there does not seem to be any way to unlock the account manually, before the 'purge' time has elapsed.
The locking appears to apply to a particular host, so I don't think this would arise except during testing. Once a host has exceeded its failed-login limit, I would be reluctant to unlock it at a user's request.
Yes, that's right. I will add it but normally it won't be necessary.
"user locking" appears to be "user-host locking", in that it is not the
user's account which gets locked, but a particular user-host combination.
No, it's actually user locking - it only considers the username. It's less useful I think than host locking but it was trivial to add it so...
d) It would be useful if the pam_abl command, in addition to the list of
failed attempts, would give a clear indication of which hosts and user-hosts
are currently black-listed.
Yup, good idea - I'll add that.
e) It might be better if the 'pam_abl -v' command also showed the hostname/ip
for each failed user-attempt.
eg:
Failed users:
    george (3)
        Mon Jan 10 11:22:49 2005 localhost
        Mon Jan 10 11:22:35 2005 www.example.net
        Mon Jan 10 11:22:31 2005 localhost
Similar could be applied to "Failed hosts" output, which could show the username for each attempt.
Failed hosts:
    localhost (1)
        Mon Jan 10 11:17:14 2005 george
It doesn't really have that information in an easily accessible form - it only actually records the timestamp in the database. I could add that but it'd mean quite a change.
Is there a place for "user-only locking"? Perhaps for a distributed attack on
a particular user?
That's what it actually does currently.
f) The pam_abl command REQUIRES the default-config to be specified, ie: pam_abl /etc/security/pam_abl.conf works, while pam_abl fails. This gets annoying pretty quickly.
OK, I'll put a default in there.
g) The "host" field printed by pam_abl seems to be recorded as an IP address, even though hostnames are printed. It would be nice to have the choice of hostname/IP address for the output.
All it has is what it gets from PAM. That's typically a hostname if reverse DNS has worked otherwise a dotted-quad IP address. I could make it turn the hostnames back into IP addresses but there's probably not much point in trying to do reverse DNS if it's failed for PAM.
In its current form pam_abl is already useful. I am looking forward to seeing future enhancements, and I hope it will be included in the "standard" Linux-PAM package in the near future.
Thanks for taking the time to look at it so thoroughly. I'll do some more work on it over the next couple of days. It's clear that, apart from anything else, the documentation needs to give a better overview of what it's actually doing :)
Thanks.
-- Andy Armstrong, hexten.net
_______________________________________________ Pam-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/pam-list
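The sshd_config settings George raises in points a) and b) (UsePAM yes, ChallengeResponseAuthentication no, MaxAuthTries 1) are easy to get wrong because sshd honours the first occurrence of a keyword and silently ignores later duplicates. The script below is an added example, not code from pam_abl, OpenSSH or either poster: it reads an sshd_config file with first-match semantics and reports which of the three settings deviate. It assumes global settings only (parsing stops at the first Match block), the "Keyword value" form, and the upstream OpenSSH defaults (UsePAM no, ChallengeResponseAuthentication yes, MaxAuthTries 6) when a keyword is absent. The two sample configs it writes are constructed for the example.

```shell
#!/bin/sh
# Added example (not from pam_abl or OpenSSH): check an sshd_config for the
# three settings discussed in the thread. Assumptions: global settings only,
# "Keyword value" form, upstream OpenSSH defaults for absent keywords.

# Print the effective value of keyword $2 in config file $1, or default $3
# when absent. sshd keeps the FIRST occurrence of a keyword, so a later
# "ChallengeResponseAuthentication no" does not override an earlier "yes".
sshd_effective() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" -v def="$3" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # comment or blank line
        tolower($1) == "match" { exit }                 # assumption: stop at Match blocks
        tolower($1) == key     { print $2; found = 1; exit }
        END { if (!found) print def }
    ' "$1"
}

# Compare effective values against the settings recommended in the thread.
# Returns 0 when all three match, 1 otherwise, naming each deviation.
check_pam_abl_sshd() {
    rc=0
    for spec in UsePAM:yes:no ChallengeResponseAuthentication:no:yes MaxAuthTries:1:6; do
        key=${spec%%:*}; rest=${spec#*:}; want=${rest%%:*}; def=${rest#*:}
        have=$(sshd_effective "$1" "$key" "$def" | tr 'A-Z' 'a-z')
        if [ "$have" != "$want" ]; then
            echo "$key is '$have' (want '$want')"
            rc=1
        fi
    done
    return $rc
}

# Constructed "before" config: UsePAM set, CRA effectively still yes (the
# second CRA line is dead because the first wins), MaxAuthTries absent.
write_before_config() {
    cat > "$1" <<'EOF'
# constructed sample, not a real host's config
Port 22
UsePAM yes
ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no
EOF
}

# Constructed "after" config carrying the thread's three settings.
write_after_config() {
    cat > "$1" <<'EOF'
# constructed sample, not a real host's config
Port 22
UsePAM yes
ChallengeResponseAuthentication no
MaxAuthTries 1
EOF
}

# Stand-alone run: report on both samples.
f=$(mktemp)
write_before_config "$f"; echo "before:"; check_pam_abl_sshd "$f" || true
write_after_config "$f";  echo "after:";  check_pam_abl_sshd "$f" && echo "all three settings present"
rm -f "$f"
```

On a live host the authoritative answer is `sshd -T` (it prints the effective configuration after sshd's own parsing, including defaults); the script is for checking a config file offline, for example before deploying it. Remember that a single failed keyboard-interactive session still counts as one pam_abl failure whatever MaxAuthTries is set to, which is exactly why the thread recommends MaxAuthTries 1.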