Daniel Neuberger
2013-Jun-07 13:25 UTC
pam_tally2 reset problems with many simultaneous connections
All, (Sorry if this is a repost, I tried without being a subscriber and saw nothing after a day, so I'm trying again after subscribing). I think this is a problem with how sshd uses PAM. Basic scenario: - sshd is configured to use PAM with pam_tally2 - Multiple clients try connecting within a small time frame - Some of the clients fail to authenticate The problem is that the tally is incremented for every authentication, but isn't necessarily reset for successful authentications before another client tries to authenticate. So it goes something like this: - Client A authenticates successfully, but doesn't yet reset the tally - Client B tries to authenticate, but gets locked out for 10 seconds - Client C tries to authenticate, but gets locked out for 10 seconds - Client D tries to authenticate, but then the account is locked entirely - Client A finally resets the tally in the account phase - Client B tries again and authenticates successfully So, if a server is under load with many sftp connections, you'll see lots of logs even though everything eventually succeeds. I'm on RHEL 5.5 with openssh-server-4.3p2-41.el5 and pam-0.99.6.2-6.el5_4.1. I'm using pam_tally2 in the auth and account phases: #%PAM-1.0 ... auth requisite pam_tally2.so deny=3 lock_time=10 unlock_time=900 ... account required pam_tally2.so ... I'm guessing the problem is that sshd doesn't call pam_setcred correctly as stated in the pam_tally2 man page: "Account phase resets attempts counter if the user is not magic root. This phase can be used optionally for services which don't call pam_setcred(3) correctly or if the reset should be done regardless of the failure of the account phase of other modules." We had a similar problem with vsftpd once and solved it by not using pam_tally2, but I don't really want to do that for sshd. Has anyone else run into this problem before or have any suggestions for solving it? I searched google, the mailing list, and the bug list and couldn't find anything. Thanks. - Daniel
Maybe Matching Threads
Wisdom of the Ancients
