Re: sshd "none" method authentication

On Thu, Jun 26, 2008 at 07:38:26AM -0700, wc wong wrote:
> I'm using OpenSSH version 4.6p1. I also use -lbsm flag when running
> configure to enable Solaris 10's BSM.

Are you also using PAM?

> I notice that the none method failure is counted in /etc/shadow
> as a failed login, but the success of the publickey method is
> not decrementing the failed login count in /etc/shadow. Hence
> resulting in the user account eventually being locked with a few
> ssh using publickey authentication as described below.
[...]
> sshd[743]: Failed none for xxxx from a.b.c.d port xxxx ssh2
> I understand that is required as the first step in SSHV2 authentication.

Actually, it's not strictly required but most clients do it.

[...]
> I wonder if there is any way to skip returning this "none" failure to
> the Solaris OS resulting in the fail login count being incremented.

About "none", the spec says something along the lines of "if the
session requires no further authentication then return success,
otherwise return a list of authentication methods that can continue".

The way OpenSSH's sshd implements this is that it tries a password
authentication with an empty password, and I suspect this is what's
tripping your failure counters.  If this is what's happening, you
can prevent this by setting "PermitEmptyPasswords no" in sshd_config.

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
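
The symptom discussed in this thread can be measured from the sshd log. The following is an added example, not part of the original message or of OpenSSH: it counts "Failed none" entries logged by connections that went on to authenticate successfully, per user. The log lines are constructed in the format quoted above, and the function name is hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample lines in the syslog format sshd uses; host, PIDs, users
# and addresses are made up for this example.
SAMPLE_LOG = """\
Jun 26 10:00:01 host sshd[743]: Failed none for alice from 192.0.2.10 port 40001 ssh2
Jun 26 10:00:01 host sshd[743]: Accepted publickey for alice from 192.0.2.10 port 40001 ssh2
Jun 26 10:05:12 host sshd[801]: Failed none for alice from 192.0.2.10 port 40017 ssh2
Jun 26 10:05:12 host sshd[801]: Accepted publickey for alice from 192.0.2.10 port 40017 ssh2
Jun 26 10:07:30 host sshd[822]: Failed none for bob from 198.51.100.7 port 51515 ssh2
Jun 26 10:07:33 host sshd[822]: Failed password for bob from 198.51.100.7 port 51515 ssh2
Jun 26 10:09:00 host sshd[840]: Accepted publickey for carol from 203.0.113.5 port 42000 ssh2
"""

# Matches sshd's "Failed <method> for <user> ..." and "Accepted <method> for <user> ..."
EVENT = re.compile(
    r"sshd\[(?P<pid>\d+)\]: (?P<result>Failed|Accepted) (?P<method>\S+) "
    r"for (?:invalid user )?(?P<user>\S+) from (?P<addr>\S+) port \d+"
)


def spurious_none_failures(log_text):
    """Per user, count 'Failed none' events in connections that later succeeded."""
    # Assumption: one sshd PID per connection within the log window examined;
    # PID reuse across a long log would need timestamps to disambiguate.
    pending = defaultdict(int)   # (pid, user) -> 'Failed none' seen so far
    spurious = defaultdict(int)  # user -> failures attached to a successful login
    for line in log_text.splitlines():
        m = EVENT.search(line)
        if not m:
            continue
        key = (m["pid"], m["user"])
        if m["result"] == "Failed" and m["method"] == "none":
            pending[key] += 1
        elif m["result"] == "Accepted":
            spurious[m["user"]] += pending.pop(key, 0)
    return {user: n for user, n in spurious.items() if n}


if __name__ == "__main__":
    for user, n in sorted(spurious_none_failures(SAMPLE_LOG).items()):
        print(f"{user}: {n} 'Failed none' event(s) preceding a successful login")
```

A non-zero count for a user who only ever logs in with a public key matches the behaviour described in the quoted report; a "Failed none" that is never followed by an "Accepted" line (bob in the sample) is left out because it may belong to a genuinely failed attempt.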
