bugzilla-daemon at mindrot.org
2006-Jul-05 14:52 UTC
[Bug 1207] unsuccessful_login_count gets incremented by scp
http://bugzilla.mindrot.org/show_bug.cgi?id=1207

           Summary: unsuccessful_login_count gets incremented by scp
           Product: Portable OpenSSH
           Version: 4.3p1
          Platform: PPC
        OS/Version: AIX
            Status: NEW
          Severity: major
          Priority: P1
         Component: scp
        AssignedTo: bitbucket at mindrot.org
        ReportedBy: johntmills at yahoo.com

On AIX 5.2 unsuccessful_login_count is incremented by scp because loginsuccess is not run. ssh will run the loginsuccess but scp does not. Since lastlog is not reset, users can lock themselves out of the system via our max failure checks.

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
bugzilla-daemon at mindrot.org
2006-Jul-05 15:02 UTC
[Bug 1207] unsuccessful_login_count gets incremented by scp
http://bugzilla.mindrot.org/show_bug.cgi?id=1207

------- Comment #1 from johntmills at yahoo.com 2006-07-06 01:02 -------
Created an attachment (id=1153)
 --> (http://bugzilla.mindrot.org/attachment.cgi?id=1153&action=view)
Config.log from openssh 4.3p1, openssl 0.9.8
bugzilla-daemon at mindrot.org
2006-Jul-05 15:14 UTC
[Bug 1207] unsuccessful_login_count gets incremented by scp
http://bugzilla.mindrot.org/show_bug.cgi?id=1207

------- Comment #2 from johntmills at yahoo.com 2006-07-06 01:14 -------
root> ssh posidon "lsuser -R LDAP jtm"
jtm ... unsuccessful_login_count=0 roles
root> touch /tmp/jtm
root> chown jtm /tmp/jtm
root> scp /tmp/jtm jtm@posidon:/home/jtm/
jtm@posidon's password:
jtm                 100%   16KB   0.0KB/s   00:00
root> ssh posidon "lsuser -R LDAP jtm"
jtm ... unsuccessful_login_count=1 roles
bugzilla-daemon at mindrot.org
2006-Jul-06 00:38 UTC
[Bug 1207] unsuccessful_login_count gets incremented by scp
http://bugzilla.mindrot.org/show_bug.cgi?id=1207

dtucker at zip.com.au changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
OtherBugsDependingO|                            |1155
              nThis|                            |
             Status|NEW                         |ASSIGNED
          Component|scp                         |sshd

------- Comment #3 from dtucker at zip.com.au 2006-07-06 10:38 -------
The problem is not with scp but with sshd (since scp invokes ssh which in turn talks to sshd). The difference is that loginsuccess is only called as part of the login recording, which only happens for "interactive" logins (ie ones where you get a pty).

You should see the same thing if, instead of scp, you ran something like "ssh yourserver true" and checked the failed login count afterward.

Not sure what to do about it, though. We can call loginsuccess immediately after successful authentication but that will mean calling it a second time when the pty is allocated.
bugzilla-daemon at mindrot.org
2006-Jul-07 12:46 UTC
[Bug 1207] unsuccessful_login_count gets incremented by scp
http://bugzilla.mindrot.org/show_bug.cgi?id=1207

------- Comment #4 from johntmills at yahoo.com 2006-07-07 22:46 -------
(In reply to comment #3)
> You should see the same thing if, instead of scp, you
> ran something like "ssh yourserver true" and checked the failed login
> count afterward.

This is confirmed.
bugzilla-daemon at mindrot.org
2006-Jul-07 23:28 UTC
[Bug 1207] unsuccessful_login_count gets incremented by scp
http://bugzilla.mindrot.org/show_bug.cgi?id=1207

------- Comment #5 from dtucker at zip.com.au 2006-07-08 09:28 -------
Created an attachment (id=1157)
 --> (http://bugzilla.mindrot.org/attachment.cgi?id=1157&action=view)
Always call loginsuccess immediately after authentication.

This patch should fix your immediate problem. It's probably not ideal as it will result in two audit records for an interactive login (not sure if that matters as I don't use AIX auditing).

I would be interested to hear from anyone who does use AIX's audit facility.
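
Added example, not part of the bug report or of OpenSSH: a shell check built on the commands shown in comments #2 and #3 that compares unsuccessful_login_count before and after one successful non-interactive login, for example to verify a patched sshd. The sample lsuser lines, the function names and the argument order are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: not from the bug report or from OpenSSH.

# Constructed lsuser output, shaped like the lines in comment #2.
SAMPLE_BEFORE='jtm id=205 pgrp=staff unsuccessful_login_count=0 roles='
SAMPLE_AFTER='jtm id=205 pgrp=staff unsuccessful_login_count=1 roles='

# Read lsuser output on stdin and print the unsuccessful_login_count value.
# Returns non-zero when the attribute is missing.
login_fail_count() {
    tr ' \t' '\n\n' |
        sed -n 's/^unsuccessful_login_count=\([0-9][0-9]*\)$/\1/p' |
        head -n 1 | grep .
}

# Compare lsuser output taken before and after ONE successful
# non-interactive login. Returns 0 if the counter did not grow, 1 if it
# grew (the behaviour reported in this bug), 2 if either input is unparsable.
check_counter() {
    before=$(printf '%s\n' "$1" | login_fail_count) ||
        { echo "cannot parse 'before' output"; return 2; }
    after=$(printf '%s\n' "$2" | login_fail_count) ||
        { echo "cannot parse 'after' output"; return 2; }
    if [ "$after" -gt "$before" ]; then
        echo "AFFECTED: count went $before -> $after on a successful login"
        return 1
    fi
    echo "OK: count $before -> $after"
}

# Live check against an AIX server, using the commands from the thread.
# Run it as an admin account other than the user under test, otherwise the
# lsuser sessions themselves are non-interactive logins for that user.
live_check() {
    host=$1; user=$2; registry=${3:-LDAP}
    b=$(ssh "$host" "lsuser -R $registry $user") || return 2
    ssh "$user@$host" true || return 2
    a=$(ssh "$host" "lsuser -R $registry $user") || return 2
    check_counter "$b" "$a"
}

if [ "$#" -ge 2 ]; then
    live_check "$@"
else
    check_counter "$SAMPLE_BEFORE" "$SAMPLE_AFTER" || true
fi
```

With no arguments the script runs on the constructed sample; with `host user [registry]` it performs the live check.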