On Fri, Jun 27, 2008 at 12:06:33PM -0700, wc wong wrote:
> I tried "PermitEmptyPasswords no" and the failure count did not
> increase. Unfortunately, our server has to use "PermitEmptyPasswords
> yes" for some user access. Hence we need to find another solution
> to inform the OS of the success of the pubkey authentication so
> that the failure count will be reset for a successful pubkey
> authentication. It would be great if this solution can be implemented
> in OpenSSH.

Unfortunately I don't think that's possible with the existing PAM APIs.

The only other possible solutions I can think of:

* The nullok option which someone mentioned to me in private mail. I
  think this is specific to LinuxPAM, though.
* If you can do without it, don't enable PAM support in sshd.
* If your module can be made to work that way, have it clear the failed
  login count in the "session" stack.

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.