K.Wolkersdorfer at fz-juelich.de
2001-May-16 15:56 UTC
openssh-2.9p1 bug: loginfailed() with AIX 4.3.3
Hi,

first let me thank you for all the excellent work with openssh!

Bug-Description (for AIX - current release 4.3.3 - only):

During password authentication, if a user enters a wrong password, the failed attempt is not at all recorded in /etc/security/lastlog, although the loginfailed() subroutine in auth1.c is supposed to do that.

Suggestion:

In AIX the loginfailed() subroutine should be called if and only if the user enters a wrong password. From man loginfailed:

..."A login failure audit record is cut to indicate that an unsuccessful login attempt occurred. A utmp entry is appended to /etc/security/failedlogin file, which tracks all failed login attempts." ...

So it seems that in auth1.c the loginfailed() subroutine is in the wrong place. It should be immediately after the password authentication.

Bug-Fix:

The following fix works for us:

------------------------------------------------------------------------
diff auth1.c.orig auth1.c 266a267,272> #ifdef WITH_AIXAUTHENTICATE > if (!authenticated) > loginfailed(authctxt->user, > get_canonical_hostname(options.reverse_mapping_check), > "ssh"); > #endif /* WITH_AIXAUTHENTICATE */346,350d351 < #ifdef WITH_AIXAUTHENTICATE < loginfailed(authctxt->user, < get_canonical_hostname(options.reverse_mapping_check), < "ssh"); < #endif /* WITH_AIXAUTHENTICATE */
-------------------------------------------------------------------------

Many thanks for your attention and best regards from Germany

Klaus

--
Klaus Wolkersdorfer (K.Wolkersdorfer at fz-juelich.de)
Zentralinstitut fuer Angewandte Mathematik (ZAM)   Tel: +49-2461-61-6579
John von Neumann - Institute for Computing (NIC)   Fax: -6656
Forschungszentrum Juelich GmbH, D-52425 Juelich, Germany
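Review bot: in the 266a267,272 hunk the guard `if (!authenticated)` cuts a loginfailed() record for whatever method the client just tried, not only for a rejected password, so it does not implement the stated intent ("if and only if the user enters a wrong password"); if that intent stands, gate the call on the password request type or make it from the password branch instead. Separately, the description says the failure was missing from /etc/security/lastlog, but according to the quoted man page loginfailed() appends to /etc/security/failedlogin, so that is the file to check when verifying the fix.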
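Review bot: the 346,350d351 hunk deletes the existing loginfailed() call without any replacement at that point; confirm that every path which previously reached line 346 also passes through the new call at 267, otherwise those attempts stop appearing in /etc/security/failedlogin altogether. Also, the patch is in default ed-style diff output with no context lines, which is fragile to apply against any other revision of auth1.c; `diff -u` output would be easier to review and apply.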
K.Wolkersdorfer at fz-juelich.de
2001-May-21 14:08 UTC
openssh-2.9p1 bug: loginfailed() with AIX 4.3.3
Hi,

first let me thank you for all the excellent work with openssh!

Bug-Description (for AIX - current release 4.3.3 - only):

During password authentication, if a user enters a wrong password, the failed attempt is not at all recorded in /etc/security/lastlog, although the loginfailed() subroutine in auth1.c is supposed to do that.

Suggestion:

In AIX the loginfailed() subroutine should be called if and only if the user enters a wrong password. From man loginfailed:

..."A login failure audit record is cut to indicate that an unsuccessful login attempt occurred. A utmp entry is appended to /etc/security/failedlogin file, which tracks all failed login attempts." ...

So it seems that in auth1.c the loginfailed() subroutine is in the wrong place. It should be immediately after the password authentication.

Bug-Fix:

The following fix works for us:

------------------------------------------------------------------------
diff auth-passwd.c.orig auth-passwd.c 151c151,160 < return (authenticate(pw->pw_name,password,&reenter,&authmsg) == 0); ---> { int iau; > iau = (authenticate(pw->pw_name,password,&reenter,&authmsg) == 0); > debug("auth-passwd (FZJ-authenticate): rc: %d msg: %s", iau,authmsg);> if (iau) > return 1; > loginfailed(authctxt->user, > get_canonical_hostname(options.reverse_mapping_check), > "ssh"); > return 0; > }
-------------------------------------------------------------------------

Many thanks for your attention and best regards from Germany

Klaus

--
Klaus Wolkersdorfer (K.Wolkersdorfer at fz-juelich.de)
Zentralinstitut fuer Angewandte Mathematik (ZAM)   Tel: +49-2461-61-6579
John von Neumann - Institute for Computing (NIC)   Fax: -6656
Forschungszentrum Juelich GmbH, D-52425 Juelich, Germany
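Review bot: in the 151c151,160 hunk, `debug("... msg: %s", iau, authmsg)` hands `authmsg` to `%s` unconditionally; the AIX authenticate() message pointer may be NULL when there is nothing to report, and formatting a NULL string is undefined behaviour, so use `authmsg ? authmsg : ""` or drop the site-specific "FZJ-authenticate" debug line from the fix. This hunk also leaves the existing loginfailed() call in auth1.c (the one the earlier patch removed) in place, so once a client hits the failure limit the last attempt is recorded twice in /etc/security/failedlogin; only one of the two call sites should survive. Finally, authenticate() is checked against `pw->pw_name` while loginfailed() records `authctxt->user`; using one name for both keeps the audit record tied to the account that was actually checked.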
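The two patches above differ only in where the AIX audit hook sits relative to the authentication loop. The following is an added example, not OpenSSH code and not from the poster: a small model of the SSH1 loop in auth1.c that lets the two placements be compared by counting the records loginfailed() would append. The "original" placement calls the hook only when the client exceeds the failure limit (what the poster observed in 2.9p1); the "per-attempt" placement calls it right after each rejected password (the poster's second fix). The limit value, the method set, the client scripts and the stand-in functions `aix_authenticate()` / `aix_loginfailed()` are all constructed for illustration.

```c
/* Added example (not OpenSSH code): model of the auth1.c loop with the
 * AIX loginfailed() hook in two alternative places. Everything below is
 * constructed for illustration; AUTH_FAIL_MAX is an assumed value. */
#include <stdio.h>
#include <string.h>

#define AUTH_FAIL_MAX 5          /* assumed limit; OpenSSH keeps its own in auth.h */
#define LEN(a) ((int)(sizeof(a) / sizeof((a)[0])))

enum method { METHOD_PASSWORD, METHOD_RSA };   /* subset of SSH1 methods */

struct attempt {
    enum method method;
    const char *password;        /* only used for METHOD_PASSWORD */
};

struct audit_log {
    int failedlogin_records;     /* entries loginfailed() would append */
    int disconnected;
};

/* Stand-ins for the AIX authenticate() and loginfailed() calls. */
static const char *VALID_PASSWORD = "correct-horse";   /* constructed */

static int aix_authenticate(const char *password)
{
    return strcmp(password, VALID_PASSWORD) == 0;
}

static void aix_loginfailed(struct audit_log *log)
{
    log->failedlogin_records++;
}

/* Runs the loop over a scripted client. Returns 1 on successful
 * authentication, 0 if the client was disconnected or ran out of attempts. */
static int do_authloop(const struct attempt *attempts, int n,
                       int audit_per_attempt, struct audit_log *log)
{
    int failures = 0;

    for (int i = 0; i < n; i++) {
        int authenticated = 0;

        switch (attempts[i].method) {
        case METHOD_PASSWORD:
            authenticated = aix_authenticate(attempts[i].password);
            /* Per-attempt placement: the record is cut exactly where the
             * password was rejected, and for no other method. */
            if (!authenticated && audit_per_attempt)
                aix_loginfailed(log);
            break;
        case METHOD_RSA:
            authenticated = 0;   /* modelled as a failed key challenge */
            break;
        }

        if (authenticated)
            return 1;

        if (++failures > AUTH_FAIL_MAX) {
            /* Original placement: only the attempt that trips the limit is
             * recorded, so a typo followed by the right password never
             * reaches /etc/security/failedlogin. */
            if (!audit_per_attempt)
                aix_loginfailed(log);
            log->disconnected = 1;
            return 0;
        }
    }
    return 0;
}

/* Runs one scenario and returns the number of failed-login records produced. */
static int records_for(const struct attempt *attempts, int n, int audit_per_attempt)
{
    struct audit_log log = {0, 0};
    do_authloop(attempts, n, audit_per_attempt, &log);
    return log.failedlogin_records;
}

/* Constructed client scripts. */
static const struct attempt typo_then_success[] = {
    {METHOD_PASSWORD, "corect-horse"},
    {METHOD_PASSWORD, "correct-horse "},
    {METHOD_PASSWORD, "correct-horse"},
};
static const struct attempt brute_force[] = {
    {METHOD_PASSWORD, "a"}, {METHOD_PASSWORD, "b"}, {METHOD_PASSWORD, "c"},
    {METHOD_PASSWORD, "d"}, {METHOD_PASSWORD, "e"}, {METHOD_PASSWORD, "f"},
    {METHOD_PASSWORD, "g"}, {METHOD_PASSWORD, "h"},
};
static const struct attempt rsa_then_password[] = {
    {METHOD_RSA, NULL}, {METHOD_RSA, NULL}, {METHOD_PASSWORD, "wrong"},
};

int main(void)
{
    printf("typo then success: original=%d per-attempt=%d\n",
           records_for(typo_then_success, LEN(typo_then_success), 0),
           records_for(typo_then_success, LEN(typo_then_success), 1));
    printf("brute force      : original=%d per-attempt=%d\n",
           records_for(brute_force, LEN(brute_force), 0),
           records_for(brute_force, LEN(brute_force), 1));
    printf("rsa then password: original=%d per-attempt=%d\n",
           records_for(rsa_then_password, LEN(rsa_then_password), 0),
           records_for(rsa_then_password, LEN(rsa_then_password), 1));
    return 0;
}
```

The first script is the case the poster reports: two wrong passwords followed by the right one leave no trace with the original placement and two records with the per-attempt placement. The third script shows the other side of "if and only if the user enters a wrong password": failed RSA challenges produce no record with the per-attempt placement, which a guard on `!authenticated` alone, as in the first auth1.c patch, would not give.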