bugzilla-daemon at mindrot.org
2024-Dec-13 09:05 UTC
[Bug 3766] New: openssh PerSourcePenalties and pam_nologin interaction
https://bugzilla.mindrot.org/show_bug.cgi?id=3766 Bug ID: 3766 Summary: openssh PerSourcePenalties and pam_nologin interaction Product: Portable OpenSSH Version: 9.8p1 Hardware: ARM64 OS: Linux Status: NEW Severity: normal Priority: P5 Component: PAM support Assignee: unassigned-bugs at mindrot.org Reporter: travier at redhat.com Issue: Repeated connections attempt to a system before it is ready (i.e. during boot, while `/run/nologin` still exists) will count as failed connection attempts and will trigger the PerSourcePenalties logic in openssh. Expected behavior: Connections rejected by pam_nologin should not count as a penalty for the PerSourcePenalties penalty option in openssh. Links: The PerSourcePenalties option has been added in OpenSSH 9.8: - https://www.openssh.com/txt/release-9.8 - https://man.openbsd.org/sshd_config#PerSourcePenalties How to reproduce: - Using openssh 9.8p1 from Fedora 41, on a system with pam support enabled in sshd config - Boot a system with a service ordered before systemd-user-sessions.service and that will take a bit of time - Attempt to connect to the system via SSH regularly during boot - After a few failed connections attempts, those will be denied for a few seconds, and then will be allowed again, making it looks like the system is taking longer than expected to come up Logs: Dec 12 09:20:57 localhost.localdomain systemd[1]: Starting sshd.service - OpenSSH server daemon... Dec 12 09:20:57 localhost.localdomain (sshd)[1050]: sshd.service: Referenced but unset environment variable evaluates to an empty string: OPTIONS Dec 12 09:20:57 localhost.localdomain sshd[1050]: Server listening on 0.0.0.0 port 22. Dec 12 09:20:57 localhost.localdomain sshd[1050]: Server listening on :: port 22. Dec 12 09:20:57 localhost.localdomain systemd[1]: Started sshd.service - OpenSSH server daemon. Dec 12 09:20:57 localhost.localdomain sshd-session[1106]: Connection closed by 192.168.127.1 port 35348 Dec 12 09:20:57 localhost.localdomain sshd-session[1105]: fatal: Access denied for user core by PAM account configuration [preauth] Dec 12 09:20:58 localhost.localdomain sshd-session[1159]: fatal: Access denied for user core by PAM account configuration [preauth] Dec 12 09:20:58 localhost.localdomain sshd-session[1164]: Connection closed by 192.168.127.1 port 35351 Dec 12 09:20:58 localhost.localdomain sshd-session[1165]: fatal: Access denied for user core by PAM account configuration [preauth] Dec 12 09:20:59 localhost.localdomain sshd[1050]: drop connection #0 from [192.168.127.1]:35353 on [192.168.127.2]:22 penalty: failed authentication Dec 12 09:20:59 localhost.localdomain sshd[1050]: drop connection #0 from [192.168.127.1]:35354 on [192.168.127.2]:22 penalty: failed authentication Dec 12 09:20:59 localhost.localdomain sshd[1050]: drop connection #0 from [192.168.127.1]:35355 on [192.168.127.2]:22 penalty: failed authentication Dec 12 09:21:00 localhost.localdomain sshd[1050]: drop connection #0 from [192.168.127.1]:35356 on [192.168.127.2]:22 penalty: failed authentication Dec 12 09:21:01 localhost.localdomain sshd[1050]: drop connection #0 from [192.168.127.1]:35357 on [192.168.127.2]:22 penalty: failed authentication Dec 12 09:21:01 localhost.localdomain sshd[1050]: drop connection #0 from [192.168.127.1]:35358 on [192.168.127.2]:22 penalty: failed authentication Dec 12 09:21:01 localhost.localdomain sshd[1050]: drop connection #0 from [192.168.127.1]:35359 on [192.168.127.2]:22 penalty: failed authentication Dec 12 09:21:02 localhost.localdomain sshd[1050]: drop connection #0 from [192.168.127.1]:35360 on [192.168.127.2]:22 penalty: failed authentication Dec 12 09:21:03 localhost.localdomain sshd[1050]: drop connection #0 from [192.168.127.1]:35361 on [192.168.127.2]:22 penalty: failed authentication Dec 12 09:21:04 localhost.localdomain sshd[1050]: drop connection #0 from [192.168.127.1]:35362 on [192.168.127.2]:22 penalty: failed authentication Dec 12 09:21:05 localhost.localdomain sshd[1050]: drop connection #0 from [192.168.127.1]:35363 on [192.168.127.2]:22 penalty: failed authentication Dec 12 09:21:05 localhost.localdomain sshd[1050]: drop connection #0 from [192.168.127.1]:35364 on [192.168.127.2]:22 penalty: failed authentication Dec 12 09:21:05 localhost.localdomain sshd[1050]: drop connection #0 from [192.168.127.1]:35365 on [192.168.127.2]:22 penalty: failed authentication Dec 12 09:21:06 localhost.localdomain sshd[1050]: drop connection #0 from [192.168.127.1]:35366 on [192.168.127.2]:22 penalty: failed authentication Dec 12 09:21:07 localhost.localdomain sshd[1050]: drop connection #0 from [192.168.127.1]:35367 on [192.168.127.2]:22 penalty: failed authentication Dec 12 09:21:08 localhost.localdomain sshd[1050]: drop connection #0 from [192.168.127.1]:35368 on [192.168.127.2]:22 penalty: failed authentication Dec 12 09:21:09 localhost.localdomain sshd[1050]: drop connection #0 from [192.168.127.1]:35369 on [192.168.127.2]:22 penalty: failed authentication Dec 12 09:21:10 localhost.localdomain sshd[1050]: drop connection #0 from [192.168.127.1]:35370 on [192.168.127.2]:22 penalty: failed authentication Dec 12 09:21:11 localhost.localdomain sshd[1050]: drop connection #0 from [192.168.127.1]:35371 on [192.168.127.2]:22 penalty: failed authentication Dec 12 09:21:12 localhost.localdomain sshd[1050]: drop connection #0 from [192.168.127.1]:35372 on [192.168.127.2]:22 penalty: failed authentication Dec 12 09:21:13 localhost.localdomain sshd[1050]: drop connection #0 from [192.168.127.1]:35373 on [192.168.127.2]:22 penalty: failed authentication Dec 12 09:21:13 localhost.localdomain sshd[1050]: drop connection #0 from [192.168.127.1]:35374 on [192.168.127.2]:22 penalty: failed authentication Dec 12 09:21:13 localhost.localdomain sshd[1050]: drop connection #0 from [192.168.127.1]:35375 on [192.168.127.2]:22 penalty: failed authentication Dec 12 09:21:14 localhost.localdomain sshd[1050]: drop connection #0 from [192.168.127.1]:35376 on [192.168.127.2]:22 penalty: failed authentication Dec 12 09:21:15 localhost.localdomain sshd[1050]: drop connection #0 from [192.168.127.1]:35377 on [192.168.127.2]:22 penalty: failed authentication Dec 12 09:21:16 localhost.localdomain sshd[1050]: drop connection #0 from [192.168.127.1]:35378 on [192.168.127.2]:22 penalty: failed authentication Dec 12 09:21:17 localhost.localdomain sshd[1050]: drop connection #0 from [192.168.127.1]:35379 on [192.168.127.2]:22 penalty: failed authentication Dec 12 09:21:18 localhost.localdomain sshd[1050]: drop connection #0 from [192.168.127.1]:35380 on [192.168.127.2]:22 penalty: failed authentication Dec 12 09:21:19 localhost.localdomain sshd[1050]: drop connection #0 from [192.168.127.1]:35381 on [192.168.127.2]:22 penalty: failed authentication Dec 12 09:21:20 localhost.localdomain sshd-session[1329]: Accepted publickey for core from 192.168.127.1 port 35382 ssh2: ED25519 SHA256:E0ty9Qq3PssWY7boh8+9BKC3uIC7HpwCTgOr29E1K1I Dec 12 09:21:20 localhost.localdomain sshd-session[1329]: pam_systemd(sshd:session): New sd-bus connection (system-bus-pam-systemd-1329) opened. Dec 12 09:21:20 localhost.localdomain sshd-session[1329]: pam_unix(sshd:session): session opened for user core(uid=501) by core(uid=0) -- You are receiving this mail because: You are watching the assignee of the bug.
bugzilla-daemon at mindrot.org
2024-Dec-13 09:06 UTC
[Bug 3766] openssh PerSourcePenalties and pam_nologin interaction
https://bugzilla.mindrot.org/show_bug.cgi?id=3766 --- Comment #1 from Timoth?e Ravier <travier at redhat.com> --- We've seen this issue on aarch64 but this likely applies to all architectures. See: https://github.com/containers/podman-machine-os/pull/52 -- You are receiving this mail because: You are watching the assignee of the bug.
bugzilla-daemon at mindrot.org
2024-Dec-14 02:35 UTC
[Bug 3766] openssh PerSourcePenalties and pam_nologin interaction
https://bugzilla.mindrot.org/show_bug.cgi?id=3766 Damien Miller <djm at mindrot.org> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |djm at mindrot.org --- Comment #2 from Damien Miller <djm at mindrot.org> --- why not delay starting sshd until the system is ready for logins? -- You are receiving this mail because: You are watching someone on the CC list of the bug. You are watching the assignee of the bug.
bugzilla-daemon at mindrot.org
2024-Dec-16 14:52 UTC
[Bug 3766] openssh PerSourcePenalties and pam_nologin interaction
https://bugzilla.mindrot.org/show_bug.cgi?id=3766 --- Comment #3 from Timoth?e Ravier <travier at redhat.com> --- That's indeed option that should work with the full service case (sshd.service) but likely won't with the inetd-like case (sshd.socket) as the sockets are created early in the boot process. -- You are receiving this mail because: You are watching the assignee of the bug. You are watching someone on the CC list of the bug.
Possibly Parallel Threads
- [Bug 76414] New: [NVE4] Flash player triggers freeze with: PFIFO: read fault at ... [UNSUPPORTED_KIND] from PBDMA0/HOST ...
- PerSourcePenalties and ssh-copy-id
- PerSourcePenalties and ssh-copy-id
- [PATCH 1/4] pm/fan: drop the fan lock in fan_update() before rescheduling
- PerSourcePenalties and ssh-copy-id