bugzilla-daemon at mindrot.org
2006-Jul-05  14:52 UTC
[Bug 1207] unsuccessful_login_count gets incremented by scp
http://bugzilla.mindrot.org/show_bug.cgi?id=1207
           Summary: unsuccessful_login_count gets incremented by scp
           Product: Portable OpenSSH
           Version: 4.3p1
          Platform: PPC
        OS/Version: AIX
            Status: NEW
          Severity: major
          Priority: P1
         Component: scp
        AssignedTo: bitbucket at mindrot.org
        ReportedBy: johntmills at yahoo.com
On AIX 5.2 unsuccessful_login_count is incremented by scp because
loginsuccess is not run.  ssh will run the loginsuccess but scp does
not.  Since lastlog is not reset users can lock themselves out of
the system via our max failure checks.
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
bugzilla-daemon at mindrot.org
2006-Jul-05  15:02 UTC
[Bug 1207] unsuccessful_login_count gets incremented by scp
http://bugzilla.mindrot.org/show_bug.cgi?id=1207
------- Comment #1 from johntmills at yahoo.com  2006-07-06 01:02 -------
Created an attachment (id=1153)
 --> (http://bugzilla.mindrot.org/attachment.cgi?id=1153&action=view)
Config.log from openssh 4.3p1, openssl 0.9.8
bugzilla-daemon at mindrot.org
2006-Jul-05  15:14 UTC
[Bug 1207] unsuccessful_login_count gets incremented by scp
http://bugzilla.mindrot.org/show_bug.cgi?id=1207
------- Comment #2 from johntmills at yahoo.com  2006-07-06 01:14 -------
root> ssh posidon "lsuser -R LDAP jtm"
jtm ... unsuccessful_login_count=0 roles
root> touch /tmp/jtm
root> chown jtm /tmp/jtm
root> scp /tmp/jtm jtm@posidon:/home/jtm/
jtm@posidon's password:
jtm                                           100%   16KB   0.0KB/s   00:00
root> ssh posidon "lsuser -R LDAP jtm"
jtm ... unsuccessful_login_count=1 roles
bugzilla-daemon at mindrot.org
2006-Jul-06  00:38 UTC
[Bug 1207] unsuccessful_login_count gets incremented by scp
http://bugzilla.mindrot.org/show_bug.cgi?id=1207
dtucker at zip.com.au changed:
                    What|Removed                     |Added
----------------------------------------------------------------------------
OtherBugsDependingOnThis|                            |1155
                  Status|NEW                         |ASSIGNED
               Component|scp                         |sshd
------- Comment #3 from dtucker at zip.com.au  2006-07-06 10:38 -------
The problem is not with scp but with sshd (since scp invokes ssh which
in turn talks to sshd).
The difference is that loginsuccess is only called as part of the login
recording, which only happens for "interactive" logins (ie ones where
you get a pty).  You should see the same thing if, instead of scp, you
ran something like "ssh yourserver true" and checked the failed login
count afterward.
Not sure what to do about it, though.  We can call loginsuccess
immediately after successful authentication but that will mean calling
it a second time when the pty is allocated.
bugzilla-daemon at mindrot.org
2006-Jul-07  12:46 UTC
[Bug 1207] unsuccessful_login_count gets incremented by scp
http://bugzilla.mindrot.org/show_bug.cgi?id=1207
------- Comment #4 from johntmills at yahoo.com  2006-07-07 22:46 -------
(In reply to comment #3)
> You should see the same thing if, instead of scp, you
> ran something like "ssh yourserver true" and checked the failed login
> count afterward.
This is confirmed.
bugzilla-daemon at mindrot.org
2006-Jul-07  23:28 UTC
[Bug 1207] unsuccessful_login_count gets incremented by scp
http://bugzilla.mindrot.org/show_bug.cgi?id=1207
------- Comment #5 from dtucker at zip.com.au  2006-07-08 09:28 -------
Created an attachment (id=1157)
 --> (http://bugzilla.mindrot.org/attachment.cgi?id=1157&action=view)
Always call loginsuccess immediately after authentication.
This patch should fix your immediate problem.  It's probably not ideal as it
will result in two audit records for an interactive login (not sure if that
matters as I don't use AIX auditing).  I would be interested to hear from
anyone who does use AIX's audit facility.
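Added example, not part of the bug thread or of OpenSSH: on a host where non-interactive logins do not clear the failed-login count, an administrator can watch for accounts drifting toward the lockout limit. The script parses lsuser-style output; treating the AIX loginretries attribute as the site's "max failure" limit is an assumption, and the function names and sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Reads lsuser-style lines
# ("name attr=value attr=value ...") on stdin and prints accounts whose
# unsuccessful_login_count is within MARGIN failures of loginretries.
# loginretries <= 0 means "no limit", so those accounts are skipped.
flag_lockout_risk() {
    margin="${1:-1}"
    awk -v margin="$margin" '
    {
        count = ""; limit = ""
        for (i = 2; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "unsuccessful_login_count") count = kv[2]
            if (kv[1] == "loginretries")             limit = kv[2]
        }
        # Skip lines missing either attribute or carrying non-numeric values.
        if (count !~ /^[0-9]+$/ || limit !~ /^-?[0-9]+$/) next
        if (limit + 0 <= 0) next
        if (count + 0 >= limit - margin) {
            status = (count + 0 >= limit + 0) ? "at_limit" : "near"
            printf "%s count=%d limit=%d %s\n", $1, count, limit, status
        }
    }'
}

# Constructed sample, in the shape of the output of:
#   lsuser -a unsuccessful_login_count loginretries ALL
sample_lsuser_output() {
    cat <<'EOF'
root unsuccessful_login_count=0 loginretries=0
jtm unsuccessful_login_count=4 loginretries=5
batch unsuccessful_login_count=7 loginretries=5
alice unsuccessful_login_count=1 loginretries=5
svc unsuccessful_login_count=12 loginretries=0
EOF
}

# Flag accounts one failure away from (or already at) the limit.
sample_lsuser_output | flag_lockout_risk 1
```

Accounts used only for scp or remote commands are the ones to watch, since per comment #3 their counter is never reset by a successful login.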