Hughes Andy
2006-Jul-11 20:50 UTC
How to use SSH with Failed Login attempts and locking accounts
I have searched the FAQs and have not seen an answer to this question. I have also read the manuals for SSH and have not found an answer to this issue.

My question is this:

I am using openssh (OpenSSH_4.2p1, OpenSSL 0.9.8 05 Jul 2005) on MP-RAS Version 3.3.1.8 and 3.2 and I desire to allow a user to fail login for any reason only 3 (three) times and then lock the account. I can use the option of FAILLIMIT=3 in the /etc/default/login file for telnet sessions, and this will lock the account after three failed login attempts by the user. But this does not work for SSH. I have also placed the same option in the file /etc/default/login.openssh with no such luck.

I have researched, googled and run other internet searches for this topic and have yet to find any answer. Could someone help me with this? It is an audit requirement here to start locking an account when the user fails the login process, for any reason, after three attempts.

Any help is appreciated. Thanks in advance for the help.

Andy Hughes
Systems Programmer, Unix Systems
HCA Information Technology & Services
2555 Park Plaza, Bldg 4 - 2 East
Nashville, Tn. 37203-1512
t: 615-344-6961 f: 615-344-8384 p: 615-733-7562
pager (interactive): andy.hughes at my2way.com
e: andy.hughes at hcahealthcare.com
w: www.hcahealthcare.com
Damien Miller
2006-Jul-12 05:35 UTC
How to use SSH with Failed Login attempts and locking accounts
On Tue, 11 Jul 2006, Hughes Andy wrote:

> I have searched the FAQs and have not seen an answer to this question.
> I have also read the manuals for SSH and have not found an answer to
> this issue.
>
> My question is this:
>
> I am using openssh (OpenSSH_4.2p1, OpenSSL 0.9.8 05 Jul 2005) on
> MP-RAS Version 3.3.1.8 and 3.2 and I desire to allow a user to fail
> login for any reason only 3 (three) times and then lock the account. I
> can use the option of FAILLIMIT=3 in the /etc/default/login file for
> telnet sessions, and this will lock the account after three failed
> login attempts by the user. But this does not work for SSH. I have
> also placed the same option in the file of /etc/default/login.openssh
> with no such luck.

I don't think any of the developers has access to MP-RAS, much less implemented OpenSSH support for account locking on it. If you are interested in implementing better support for MP-RAS, then see if you can dig out some documentation of how FAILLIMIT is implemented, and any system APIs for working with it.

As a last resort you might be able to set UseLogin in sshd_config, which will cause sshd to call /usr/bin/login directly and will hopefully inherit whatever authorisation controls it supports.

-d
Bob Proulx
2006-Jul-26 16:02 UTC
How to use SSH with Failed Login attempts and locking accounts
Hughes Andy wrote:

> I am using openssh (OpenSSH_4.2p1, OpenSSL 0.9.8 05 Jul 2005) on MP-RAS
> Version 3.3.1.8 and 3.2 and I desire to allow a user to fail login for
> any reason only 3 (three) times and then lock the account.

That is a very bad idea for many reasons. If you search around you will find references to denial of service attacks due to configurations such as what you propose. The basic problem is that an attacker will disable the account for a valid user.

Why do you want to do this? It is computationally infeasible to brute force through a password cracking attempt from the remote interface.

Bob
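To make the two positions in this thread concrete, here is an added example (not code from the thread, from OpenSSH or from MP-RAS) that runs an account-only failure counter with the FAILLIMIT=3 semantics Andy asked for, and a per-source counter, over a few constructed sshd auth-log lines: under the account-only policy three failures from one remote address lock "alice" out even though she later authenticates from a different address, which is the denial-of-service problem Bob describes. The log line format, the sample users and the addresses are assumptions.

```python
"""Simulate two lockout policies against sshd 'Failed password' log lines.

Added example, not code from the thread or from OpenSSH. Compares an
account-only counter (FAILLIMIT=3 semantics) with a per-source counter.
"""
import re
from collections import defaultdict

# Syslog-style "Failed password" lines as written by sshd.
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)

# Constructed sample log lines (not captured from any real host).
SAMPLE_LOG = """\
Jul 11 20:50:01 host sshd[101]: Failed password for alice from 192.0.2.10 port 40001 ssh2
Jul 11 20:50:03 host sshd[102]: Failed password for alice from 192.0.2.10 port 40002 ssh2
Jul 11 20:50:05 host sshd[103]: Failed password for alice from 192.0.2.10 port 40003 ssh2
Jul 11 20:51:00 host sshd[104]: Accepted password for alice from 198.51.100.7 port 50001 ssh2
Jul 11 20:52:00 host sshd[105]: Failed password for bob from 198.51.100.7 port 50002 ssh2
"""


def failed_logins(log_text):
    """Yield (user, source address) for every failed-password line."""
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            yield m.group("user"), m.group("src")


def locked_accounts(log_text, limit=3):
    """Account-only policy: lock a user name once the total number of
    failures against it reaches `limit`, wherever the attempts came from.
    Any remote client can push a valid user over the limit."""
    per_user = defaultdict(int)
    for user, _src in failed_logins(log_text):
        per_user[user] += 1
    return {u for u, n in per_user.items() if n >= limit}


def blocked_sources(log_text, limit=3):
    """Per-source policy: count the (source, user) pair instead, so the
    attacker's own address is throttled and the real user connecting
    from elsewhere is unaffected."""
    per_pair = defaultdict(int)
    for user, src in failed_logins(log_text):
        per_pair[(src, user)] += 1
    return {pair for pair, n in per_pair.items() if n >= limit}
```

Running `locked_accounts(SAMPLE_LOG)` returns `{'alice'}`, while `blocked_sources(SAMPLE_LOG)` returns only `{('192.0.2.10', 'alice')}`, leaving alice's later login from 198.51.100.7 untouched.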