bugzilla-daemon at mindrot.org
2014-Jun-25 10:44 UTC
[Bug 2249] New: sshd ignores PAM_MAXRETRIES pam return value
https://bugzilla.mindrot.org/show_bug.cgi?id=2249

Bug ID: 2249
Summary: sshd ignores PAM_MAXRETRIES pam return value
Product: Portable OpenSSH
Version: 6.0p1
Hardware: amd64
OS: Linux
Status: NEW
Severity: minor
Priority: P5
Component: PAM support
Assignee: unassigned-bugs at mindrot.org
Reporter: matthijs at stdin.nl

pam_unix contains a hardcoded max retries value of 3. After 3 failed attempts, it starts to return PAM_MAXRETRIES instead of the normal failure status. According to the pam_authenticate(3) manpage:

    PAM_MAXTRIES
        One or more of the authentication modules has reached its limit of tries authenticating the user. Do not try again.

However, it seems that sshd ignores this and does try again. Pam keeps a count of failed attempts and on cleanup, when this count is higher than the max retries, it emits a message to syslog:

    Jun 24 02:23:42 login sshd[4821]: PAM service(sshd) ignoring max retries; 6 > 3

This can be worked around by setting AuthMaxTries to 3 in sshd_config, but it seems that sshd should really listen to pam and handle the PAM_MAXRETRIES result by not allowing further retries.

I've observed this behaviour on 6.0p1, but looking at the source for 6.6p1 it looks like PAM_RETRIES isn't handled there either. I couldn't find an easy way to browse the most current VCS version, so I didn't check there.

See also:
https://git.fedorahosted.org/cgit/linux-pam.git/tree/modules/pam_unix/support.c#n297
https://git.fedorahosted.org/cgit/linux-pam.git/tree/modules/pam_unix/support.c#n803
https://git.fedorahosted.org/cgit/linux-pam.git/tree/modules/pam_unix/support.c#n353

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
bugzilla-daemon at mindrot.org
2014-Jun-25 11:32 UTC
[Bug 2249] sshd ignores PAM_MAXRETRIES pam return value
https://bugzilla.mindrot.org/show_bug.cgi?id=2249

--- Comment #1 from Matthijs Kooijman <matthijs at stdin.nl> ---
It seems things are a bit less obvious than I thought. When I try to reproduce the log message by trying to log in with dummy passwords, it seems sshd kicks me out after 3 tries:

    Jun 25 13:26:12 login sshd[6762]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=84-245-29-136.dsl.cambrium.nl user=root
    Jun 25 13:26:14 login sshd[6762]: Failed password for root from 84.245.29.136 port 44444 ssh2
    Jun 25 13:26:16 login sshd[6762]: Failed password for root from 84.245.29.136 port 44444 ssh2
    Jun 25 13:26:18 login sshd[6762]: Failed password for root from 84.245.29.136 port 44444 ssh2
    Jun 25 13:26:18 login sshd[6762]: Connection closed by 84.245.29.136 [preauth]
    Jun 25 13:26:18 login sshd[6762]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=84-245-29-136.dsl.cambrium.nl user=root

This log suggests that the client actually closed the connection, not the server. Is there perhaps some limit builtin to the ssh client?

I also see this in my logs, presumably from a password bruteforcer that might be violating the SSH protocol?

    Jun 25 11:28:58 login sshd[6419]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.10.191.168 user=root
    Jun 25 11:29:01 login sshd[6419]: Failed password for root from 116.10.191.168 port 37803 ssh2
    Jun 25 11:29:03 login sshd[6419]: Failed password for root from 116.10.191.168 port 37803 ssh2
    Jun 25 11:29:05 login sshd[6419]: Failed password for root from 116.10.191.168 port 37803 ssh2
    Jun 25 11:29:07 login sshd[6419]: Failed password for root from 116.10.191.168 port 37803 ssh2
    Jun 25 11:29:09 login sshd[6419]: Failed password for root from 116.10.191.168 port 37803 ssh2
    Jun 25 11:29:12 login sshd[6419]: Failed password for root from 116.10.191.168 port 37803 ssh2
    Jun 25 11:29:12 login sshd[6419]: Disconnecting: Too many authentication failures for root [preauth]
    Jun 25 11:29:12 login sshd[6419]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.10.191.168 user=root
    Jun 25 11:29:12 login sshd[6419]: PAM service(sshd) ignoring max retries; 6 > 3
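The two log excerpts in the thread show the difference between a session the client gave up on after 3 attempts and one where sshd kept accepting password attempts past pam_unix's limit of 3 until its own MaxAuthTries cut-off fired. The following script is an added example, not part of the bug report or of OpenSSH: it parses constructed syslog lines modelled on the ones quoted above (with documentation-range IP addresses substituted), groups "Failed password" events by sshd process id, and flags sessions that overran PAM's limit, either by counting more than 3 failures or by spotting the "PAM service(sshd) ignoring max retries" message pam_unix emits at cleanup. The constant PAM_UNIX_MAX_RETRIES and the function names are the example's own choices; it is useful for auditing logs from pre-7.3p1 servers where MaxAuthTries is higher than 3.

```python
"""Flag sshd sessions that accepted password attempts past pam_unix's retry limit.

Added example (not from the bug thread or OpenSSH). Works on syslog-style
sshd lines; groups events by sshd pid, which identifies one connection.
"""
import re
from collections import defaultdict

# pam_unix's hardcoded retry limit, as stated in the bug report.
PAM_UNIX_MAX_RETRIES = 3

# Constructed sample log, modelled on the lines quoted in the thread.
# Session 6419 overruns PAM's limit (6 failures, PAM warning logged);
# session 6762 stops at 3 because the client closed the connection.
SAMPLE_LOG = """\
Jun 25 11:28:58 login sshd[6419]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10 user=root
Jun 25 11:29:01 login sshd[6419]: Failed password for root from 192.0.2.10 port 37803 ssh2
Jun 25 11:29:03 login sshd[6419]: Failed password for root from 192.0.2.10 port 37803 ssh2
Jun 25 11:29:05 login sshd[6419]: Failed password for root from 192.0.2.10 port 37803 ssh2
Jun 25 11:29:07 login sshd[6419]: Failed password for root from 192.0.2.10 port 37803 ssh2
Jun 25 11:29:09 login sshd[6419]: Failed password for root from 192.0.2.10 port 37803 ssh2
Jun 25 11:29:12 login sshd[6419]: Failed password for root from 192.0.2.10 port 37803 ssh2
Jun 25 11:29:12 login sshd[6419]: Disconnecting: Too many authentication failures for root [preauth]
Jun 25 11:29:12 login sshd[6419]: PAM service(sshd) ignoring max retries; 6 > 3
Jun 25 13:26:14 login sshd[6762]: Failed password for root from 198.51.100.7 port 44444 ssh2
Jun 25 13:26:16 login sshd[6762]: Failed password for root from 198.51.100.7 port 44444 ssh2
Jun 25 13:26:18 login sshd[6762]: Failed password for root from 198.51.100.7 port 44444 ssh2
Jun 25 13:26:18 login sshd[6762]: Connection closed by 198.51.100.7 [preauth]
"""

# "Mon DD HH:MM:SS host sshd[pid]: message"
LINE_RE = re.compile(r'^(?P<ts>\w{3} +\d+ [\d:]+) \S+ sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$')
FAILED_RE = re.compile(r'^Failed password for (?:invalid user )?(?P<user>\S+) from (?P<host>\S+) port \d+')
IGNORED_RE = re.compile(r'^PAM service\(sshd\) ignoring max retries; (?P<count>\d+) > (?P<limit>\d+)')


def parse_sessions(log_text):
    """Group sshd log lines by pid into per-session summaries."""
    sessions = defaultdict(lambda: {"user": None, "host": None, "failures": 0,
                                    "pam_ignored": None, "server_disconnect": False})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an sshd line; ignore
        s = sessions[m.group("pid")]
        msg = m.group("msg")
        f = FAILED_RE.match(msg)
        if f:
            s["failures"] += 1
            s["user"], s["host"] = f.group("user"), f.group("host")
            continue
        g = IGNORED_RE.match(msg)
        if g:
            # pam_unix's cleanup warning: (attempts seen, pam_unix limit)
            s["pam_ignored"] = (int(g.group("count")), int(g.group("limit")))
        elif msg.startswith("Disconnecting: Too many authentication failures"):
            s["server_disconnect"] = True  # sshd's own MaxAuthTries cut-off
    return dict(sessions)


def find_overrun_sessions(log_text, limit=PAM_UNIX_MAX_RETRIES):
    """Return pids of sessions where sshd accepted more attempts than PAM allows."""
    return sorted(pid for pid, s in parse_sessions(log_text).items()
                  if s["failures"] > limit or s["pam_ignored"] is not None)


if __name__ == "__main__":
    for pid, s in parse_sessions(SAMPLE_LOG).items():
        print(pid, s)
    print("sessions overrunning PAM's limit:", find_overrun_sessions(SAMPLE_LOG))
```

On the sample data only session 6419 is reported: it has six failures and the PAM warning, whereas session 6762 ends with the client closing the connection after three. The "PAM service(sshd) ignoring max retries" line is the more reliable signal, since the failure count alone can also be reached when PAM is consulted but a different module set the limit.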
bugzilla-daemon at bugzilla.mindrot.org
2016-Jul-15 12:21 UTC
[Bug 2249] sshd ignores PAM_MAXRETRIES pam return value
https://bugzilla.mindrot.org/show_bug.cgi?id=2249

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                |Added
---------------------------------------------------------------------------
Attachment #2832   |ok?(djm at mindrot.org)  |ok+
           Flags   |                       |
bugzilla-daemon at bugzilla.mindrot.org
2016-Jul-17 23:52 UTC
[Bug 2249] sshd ignores PAM_MAXRETRIES pam return value
https://bugzilla.mindrot.org/show_bug.cgi?id=2249

Darren Tucker <dtucker at zip.com.au> changed:

           What    |Removed     |Added
---------------------------------------------------------------------------
     Resolution    |---         |FIXED
         Status    |NEW         |RESOLVED
         Blocks    |            |2543

--- Comment #5 from Darren Tucker <dtucker at zip.com.au> ---
The patch has been committed and will be in the 7.3p1 release. Thanks.

Referenced Bugs:
https://bugzilla.mindrot.org/show_bug.cgi?id=2543
[Bug 2543] Tracking bug for OpenSSH 7.3 release
bugzilla-daemon at bugzilla.mindrot.org
2016-Jul-17 23:52 UTC
[Bug 2249] sshd ignores PAM_MAXRETRIES pam return value
https://bugzilla.mindrot.org/show_bug.cgi?id=2249

--- Comment #6 from Darren Tucker <dtucker at zip.com.au> ---
https://anongit.mindrot.org/openssh.git/commit/?id=01558b7b07af43da774d3a11a5c51fa9c310849d
bugzilla-daemon at bugzilla.mindrot.org
2016-Aug-02 00:41 UTC
[Bug 2249] sshd ignores PAM_MAXRETRIES pam return value
https://bugzilla.mindrot.org/show_bug.cgi?id=2249

Damien Miller <djm at mindrot.org> changed:

           What    |Removed     |Added
---------------------------------------------------------------------------
         Status    |RESOLVED    |CLOSED

--- Comment #7 from Damien Miller <djm at mindrot.org> ---
Close all resolved bugs after 7.3p1 release