Gents, I have a AIX 6.1 TL2 server using Quest/Vintela Authentication Services(QAS) for users authentication and I'm also using a openssh version provided by Quest (http://rc.quest.com/topics/openssh/). When a AIX user's unsuccessful_login_count is greater than 5 the user is not able to login via telnet BUT if he tries to login via SSH it works on the second try. The user's unsuccessful_login_count by the time that he tries to login for the first time, At the time that he tries the second time, no troubles are found and he succeed to log in. When running the SSH server on debug mode the following entries can be seen: … Accepted keyboard-interactive/lam for invalid user username from 127.0.0.1 port 39992 ssh2 debug3: AIX/setauthdb set registry 'VAS' debug1: loginsuccess(): The file access permissions do not allow the specified action. debug3: aix_restoreauthdb: restoring old registry '' monitor_child_preauth: authenticated invalid user debug1: do_cleanup debug1: do_cleanup … On the syslog file the following can be seen: Oct 2 13:05:05 servername auth|security:info sshd[409648]: Login restricted for username: There have been too many unsuccessful login attempts; please see \tthe system administrator. Oct 2 13:05:05 servername auth|security:info sshd[409648]: Failed none for invalid user username from 127.0.0.1 port 40139 ssh2 Oct 2 13:05:11 servername auth|security:info sshd[409648]: vasaix: Authentication <succeeded> for <Active Directory> user: <username> account: <username@xxxxxxxxxxx> service: <AIX LAM> reason: <N/A> Oct 2 13:05:11 servername auth|security:info sshd[409648]: Accepted keyboard-interactive/lam for invalid user username from 127.0.0.1 port 40139 ssh2 Oct 2 13:05:11 servername auth|security:crit sshd[409648]: fatal: monitor_child_preauth: authenticated invalid user The logs shows the user being validated by Vintela but AIX doesn't let him in. After this SSH unsuccessful operation the user's unsuccessful_login_count is set to 0 by SSH. Now I ask to the list: Is the interaction between SSH and AIX supposed to be like that, I mean, was SSH suppose to ignore the unsuccessful_login_count on AIX and just reset it? If SSH is going to reset the user's unsuccessful_login_count why the user is not able to login in the first try? Any reply will be greatly appreciated. Best regards, Jackson ____________________________________________________________________________________ Veja quais são os assuntos do momento no Yahoo! +Buscados http://br.maisbuscados.yahoo.com
