I've tried the options PreferredAuthentications=password and NumberOfPasswordPrompts=10 and I seem to get consistent behaviour (for now):
With: ssh -o PreferredAuthentications=password -o NumberOfPasswordPrompts=10 127.0.0.1 and MaxAuthTries 1
I get TWO tries at entering the password, and pam_abl registers ONE failed login.
In general, it seems for 'MaxAuthTries N', I get N+1 tries at the password, and pam_abl increments by ONE failed login.
With: ssh -o PreferredAuthentications=publickey,password 127.0.0.1
I get N tries at entering the password, and pam_abl registers ONE failed login.
On Fedora Core 3, I also had 'GSSAPIAuthentication yes' in /etc/ssh/sshd_config, which gave the result (using 'ssh -vvv ...'):
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
With 'MaxAuthTries 1', the 2 tries permitted were being used up before I could enter a password.
If no password was entered this did NOT register as a failed password for pam_abl. This gives rise to the possibility of a publickey ssh attack, which is not picked up by pam_abl. Is there some way to make failed publickey logins register with pam_abl?
Although I understand what was happening now, I did find it confusing at the time.
Firstly, that 'MaxAuthTries N' allows up to N+1 authentication attempts (across all methods), and secondly, that try-once-and-give-up methods like 'publickey' are included in this count.
It might be more useful to end-users to have separate controls in /etc/ssh/sshd_config for the different methods - e.g. MaxAuthTriesPassword, MaxAuthTriesPublickey etc.
So in order to get pam_abl to count "real" login attempts (or as close as possible):
a) MaxAuthTries 0 and disable all other authentication methods:
   PubkeyAuthentication no
   GSSAPIAuthentication no
   KerberosAuthentication no
b) Increment MaxAuthTries by one for each of the alternate authentication mechanisms which are enabled, and live with the possibility that a user can get 2 or more password attempts by using: ssh -o PreferredAuthentications=password ...
It doesn't negate the usefulness of pam_abl, but it does make the limits in the config a little "rubbery".
Thanks for the tips on ssh, George Hansper
Darren Tucker wrote:
George Hansper wrote:
George Hansper wrote:
[...]
For Mandrake 10.1, 'MaxAuthTries N' allows 'N+1' tries, and never allows more than 3 tries anyway.
That's a feature of the client, not the server. From the ssh_config(5) man page:
    NumberOfPasswordPrompts
        Specifies the number of password prompts before giving up. The argument to this keyword must be an integer. Default is 3.
[...]
Fedora Core 3 (openssh-server 3.9p1-7) has started giving me the same strange behaviour as Mandrake:
MaxAuthTries 1
> ssh george@xxxxxxxxx
Received disconnect from 127.0.0.1: 2: Too many authentication failures for george
i.e. before I can enter a password!
... but, most likely, after the client has attempted some other authentication (eg hostbased or a key supplied by an agent).
Try "ssh -vvv yourserver" to see what it's doing and/or "ssh -o PreferredAuthentications=password yourserver" to force it to attempt only password auth.
_______________________________________________
Pam-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/pam-list
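An added example, not from this thread: a POSIX shell function that reads an sshd_config excerpt and reports how many password prompts a client is left with before "Too many authentication failures", encoding the rule George describes (MaxAuthTries N permits N+1 attempts across all methods, and each enabled try-once method can consume one). It assumes the client attempts every method the server enables and that sshd defaults apply for keywords not set (PubkeyAuthentication yes, the others no); SAMPLE_CONFIG is a constructed excerpt, not a real host's file.

```shell
#!/bin/sh
# Added example, not from the thread. Encodes the rule George observed:
# 'MaxAuthTries N' permits N+1 attempts across all methods, and each
# try-once method the server offers (publickey, gssapi, kerberos,
# hostbased) can consume one attempt before the first password prompt.
# Assumes the client attempts every method the server enables.

# Constructed sshd_config excerpt for demonstration (not a real host's file).
SAMPLE_CONFIG='# sshd_config excerpt
MaxAuthTries 1
PubkeyAuthentication yes
GSSAPIAuthentication yes
KerberosAuthentication no
PasswordAuthentication yes
'

# sshd_value CONFIG KEYWORD DEFAULT: print the effective value of KEYWORD.
# sshd keywords are case-insensitive and the first occurrence wins;
# anything after a Match block is ignored here for simplicity.
sshd_value() {
    printf '%s\n' "$1" | awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" -v def="$3" '
        /^[ \t]*#/ || NF < 2            { next }
        tolower($1) == "match"          { exit }
        tolower($1) == key && val == "" { val = $2 }
        END { print (val == "" ? def : val) }'
}

# password_prompts CONFIG: print how many password prompts remain before
# sshd disconnects with "Too many authentication failures".
password_prompts() {
    cfg=$1
    remaining=$(( $(sshd_value "$cfg" MaxAuthTries 6) + 1 ))
    # keyword=default pairs for the try-once methods (sshd defaults)
    for pair in PubkeyAuthentication=yes GSSAPIAuthentication=no \
                KerberosAuthentication=no HostbasedAuthentication=no; do
        key=${pair%%=*}; def=${pair#*=}
        if [ "$(sshd_value "$cfg" "$key" "$def")" = yes ]; then
            remaining=$((remaining - 1))
        fi
    done
    [ "$remaining" -gt 0 ] || remaining=0
    echo "$remaining"
}

# With the sample above: MaxAuthTries 1 -> 2 attempts, pubkey and gssapi
# each consume one, leaving 0 password prompts, the symptom in the thread.
password_prompts "$SAMPLE_CONFIG"
```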