bugzilla-daemon at mindrot.org
2006-Sep-25 12:39 UTC
[Bug 1237] Behaviour of openssh with pam_tally is very buggy
http://bugzilla.mindrot.org/show_bug.cgi?id=1237

           Summary: Behaviour of openssh with pam_tally is very buggy
           Product: Portable OpenSSH
           Version: 4.3p2
          Platform: Other
        OS/Version: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: PAM support
        AssignedTo: bitbucket at mindrot.org
        ReportedBy: dave at cirt.net

This flavour of openssh doesn't support pam_tally very well, leading to the
risk that users may find themselves locked out of other applications - even
with valid credentials, or may be able to access the system when the account
should be locked out.

Base system: Fedora Core 5, added pam_tally lines to /etc/pam.d/system-auth
as follows:

    auth    required /lib/security/$ISA/pam_tally.so onerr=fail deny=5
    account required /lib/security/$ISA/pam_tally.so

This leads to the following buggy behaviour (using password authentication):

1) The tally only increases once with each ssh session, not with each bad
   password (as the default is 3 tries before failure, this means I can get
   in 3 bad passwords for one tally).

2) The tally doesn't update properly, using /sbin/pam_tally, unless I fail
   authentication using another mechanism (e.g. sudo) - try this order
   (deliberately using bad passwords):

    ssh 127.0.0.1
    /sbin/pam_tally        (no entries)
    sudo ls
    /sbin/pam_tally        (entry for sudo failure plus one for ssh)

3) SSH doesn't actually lock you out when you've gone over your tally limit -
   even though other services do.

-- 
You are receiving this mail because:
You are the assignee for the bug, or are watching the assignee.
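To make the four observations in the report concrete, the following is an added example (not code from the bug report, OpenSSH or Linux-PAM): a small Python model of the pam_tally semantics the reporter takes as expected for the two lines added to /etc/pam.d/system-auth. The user table, the faillog store and the sshd prompt loop are constructed here so the model runs offline. Assumptions of the model: the auth line bumps the counter once per password attempt and refuses once the count exceeds deny, and the account line clears the counter after a successful login below the limit.

```python
"""Model of the pam_tally behaviour expected in mindrot bug 1237.

Added example, not part of the bug report or of any PAM/OpenSSH code.
Stack lines being modelled (from the report):

    auth    required pam_tally.so onerr=fail deny=5
    account required pam_tally.so
"""

from dataclasses import dataclass, field

DENY = 5            # deny=5 from the report's auth line
SSHD_MAX_TRIES = 3  # sshd's default number of password prompts per session


@dataclass
class TallyStore:
    """Stands in for the faillog file that pam_tally reads and writes."""
    counts: dict = field(default_factory=dict)
    available: bool = True   # set False to simulate an unreadable faillog

    def bump(self, user):
        """Count one attempt; raise like a failed file access when unavailable."""
        if not self.available:
            raise OSError("faillog unavailable")
        self.counts[user] = self.counts.get(user, 0) + 1
        return self.counts[user]

    def get(self, user):
        if not self.available:
            raise OSError("faillog unavailable")
        return self.counts.get(user, 0)

    def reset(self, user):
        """Clear the counter, like `/sbin/pam_tally --user USER --reset`."""
        self.counts[user] = 0


class PamStack:
    """auth + account phases as the report expects them to behave."""

    def __init__(self, passwords, deny=DENY, onerr="fail"):
        self.passwords = passwords   # constructed user -> password table
        self.deny = deny
        self.onerr = onerr           # onerr=fail refuses when the store is broken
        self.tally = TallyStore()

    def attempt(self, user, password):
        """One password attempt. Returns 'ok', 'bad-password' or 'locked'."""
        # auth phase, pam_tally.so: count the attempt before the password is
        # checked, so every bad password raises the tally (report item 1)
        try:
            count = self.tally.bump(user)
        except OSError:
            if self.onerr == "fail":
                return "locked"      # fail closed, as onerr=fail requests
            count = 0                # onerr=succeed: ignore the store error
        if count > self.deny:
            return "locked"          # report item 3: over the limit, no login
        # auth phase, pam_unix.so: the password itself
        if self.passwords.get(user) != password:
            return "bad-password"
        # account phase, pam_tally.so: a successful login below the limit
        # clears the counter (report item 4)
        self.tally.reset(user)
        return "ok"

    def ssh_session(self, user, guesses):
        """One sshd session: up to SSHD_MAX_TRIES prompts, stopping on success."""
        result = "bad-password"
        for password in guesses[:SSHD_MAX_TRIES]:
            result = self.attempt(user, password)
            if result != "bad-password":
                break
        return result


if __name__ == "__main__":
    stack = PamStack({"alice": "s3cret"})
    print(stack.ssh_session("alice", ["x", "y", "z"]), stack.tally.get("alice"))
```

Run against the model, a session with three wrong passwords leaves the tally at 3 rather than 1, a sixth attempt is refused even with the right password, and a correct password below the limit resets the counter to 0; each of those is the behaviour the report says sshd did not show.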
bugzilla-daemon at mindrot.org
2006-Sep-25 14:23 UTC
[Bug 1237] Behaviour of openssh with pam_tally is very buggy
http://bugzilla.mindrot.org/show_bug.cgi?id=1237

------- Comment #1 from dave at cirt.net 2006-09-26 00:23 -------

Forgot to add the fourth bug:

4) Use of a correct password doesn't reset the tally.
bugzilla-daemon at mindrot.org
2006-Sep-29 10:28 UTC
[Bug 1237] Behaviour of openssh with pam_tally is very buggy
http://bugzilla.mindrot.org/show_bug.cgi?id=1237

dtucker at zip.com.au changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Status    |NEW                         |ASSIGNED

------- Comment #2 from dtucker at zip.com.au 2006-09-29 20:28 -------

When you say "password authentication" do you mean SSH protocol password
authentication? i.e. does "ssh -o preferredauthentications=password server"
behave as you're describing?