bugzilla-daemon at mindrot.org
2024-Dec-13 09:05 UTC
[Bug 3766] New: openssh PerSourcePenalties and pam_nologin interaction
https://bugzilla.mindrot.org/show_bug.cgi?id=3766

Bug ID: 3766
Summary: openssh PerSourcePenalties and pam_nologin interaction
Product: Portable OpenSSH
Version: 9.8p1
Hardware: ARM64
OS: Linux
Status: NEW
Severity: normal
Priority: P5
Component: PAM support
Assignee: unassigned-bugs at mindrot.org
Reporter: travier at redhat.com

Issue:

Repeated connection attempts to a system before it is ready (i.e. during boot, while `/run/nologin` still exists) will count as failed connection attempts and will trigger the PerSourcePenalties logic in openssh.

Expected behavior:

Connections rejected by pam_nologin should not count as a penalty for the PerSourcePenalties penalty option in openssh.

Links:

The PerSourcePenalties option has been added in OpenSSH 9.8:
- https://www.openssh.com/txt/release-9.8
- https://man.openbsd.org/sshd_config#PerSourcePenalties

How to reproduce:
- Using openssh 9.8p1 from Fedora 41, on a system with PAM support enabled in the sshd config
- Boot a system with a service ordered before systemd-user-sessions.service that will take a bit of time
- Attempt to connect to the system via SSH regularly during boot
- After a few failed connection attempts, those will be denied for a few seconds, and then will be allowed again, making it look like the system is taking longer than expected to come up

Logs:

Dec 12 09:20:57 localhost.localdomain systemd[1]: Starting sshd.service - OpenSSH server daemon...
Dec 12 09:20:57 localhost.localdomain (sshd)[1050]: sshd.service: Referenced but unset environment variable evaluates to an empty string: OPTIONS
Dec 12 09:20:57 localhost.localdomain sshd[1050]: Server listening on 0.0.0.0 port 22.
Dec 12 09:20:57 localhost.localdomain sshd[1050]: Server listening on :: port 22.
Dec 12 09:20:57 localhost.localdomain systemd[1]: Started sshd.service - OpenSSH server daemon.
Dec 12 09:20:57 localhost.localdomain sshd-session[1106]: Connection closed by 192.168.127.1 port 35348
Dec 12 09:20:57 localhost.localdomain sshd-session[1105]: fatal: Access denied for user core by PAM account configuration [preauth]
Dec 12 09:20:58 localhost.localdomain sshd-session[1159]: fatal: Access denied for user core by PAM account configuration [preauth]
Dec 12 09:20:58 localhost.localdomain sshd-session[1164]: Connection closed by 192.168.127.1 port 35351
Dec 12 09:20:58 localhost.localdomain sshd-session[1165]: fatal: Access denied for user core by PAM account configuration [preauth]
Dec 12 09:20:59 localhost.localdomain sshd[1050]: drop connection #0 from [192.168.127.1]:35353 on [192.168.127.2]:22 penalty: failed authentication
Dec 12 09:20:59 localhost.localdomain sshd[1050]: drop connection #0 from [192.168.127.1]:35354 on [192.168.127.2]:22 penalty: failed authentication
Dec 12 09:20:59 localhost.localdomain sshd[1050]: drop connection #0 from [192.168.127.1]:35355 on [192.168.127.2]:22 penalty: failed authentication
Dec 12 09:21:00 localhost.localdomain sshd[1050]: drop connection #0 from [192.168.127.1]:35356 on [192.168.127.2]:22 penalty: failed authentication
Dec 12 09:21:01 localhost.localdomain sshd[1050]: drop connection #0 from [192.168.127.1]:35357 on [192.168.127.2]:22 penalty: failed authentication
Dec 12 09:21:01 localhost.localdomain sshd[1050]: drop connection #0 from [192.168.127.1]:35358 on [192.168.127.2]:22 penalty: failed authentication
Dec 12 09:21:01 localhost.localdomain sshd[1050]: drop connection #0 from [192.168.127.1]:35359 on [192.168.127.2]:22 penalty: failed authentication
Dec 12 09:21:02 localhost.localdomain sshd[1050]: drop connection #0 from [192.168.127.1]:35360 on [192.168.127.2]:22 penalty: failed authentication
Dec 12 09:21:03 localhost.localdomain sshd[1050]: drop connection #0 from [192.168.127.1]:35361 on [192.168.127.2]:22 penalty: failed authentication
Dec 12 09:21:04 localhost.localdomain sshd[1050]: drop connection #0 from [192.168.127.1]:35362 on [192.168.127.2]:22 penalty: failed authentication
Dec 12 09:21:05 localhost.localdomain sshd[1050]: drop connection #0 from [192.168.127.1]:35363 on [192.168.127.2]:22 penalty: failed authentication
Dec 12 09:21:05 localhost.localdomain sshd[1050]: drop connection #0 from [192.168.127.1]:35364 on [192.168.127.2]:22 penalty: failed authentication
Dec 12 09:21:05 localhost.localdomain sshd[1050]: drop connection #0 from [192.168.127.1]:35365 on [192.168.127.2]:22 penalty: failed authentication
Dec 12 09:21:06 localhost.localdomain sshd[1050]: drop connection #0 from [192.168.127.1]:35366 on [192.168.127.2]:22 penalty: failed authentication
Dec 12 09:21:07 localhost.localdomain sshd[1050]: drop connection #0 from [192.168.127.1]:35367 on [192.168.127.2]:22 penalty: failed authentication
Dec 12 09:21:08 localhost.localdomain sshd[1050]: drop connection #0 from [192.168.127.1]:35368 on [192.168.127.2]:22 penalty: failed authentication
Dec 12 09:21:09 localhost.localdomain sshd[1050]: drop connection #0 from [192.168.127.1]:35369 on [192.168.127.2]:22 penalty: failed authentication
Dec 12 09:21:10 localhost.localdomain sshd[1050]: drop connection #0 from [192.168.127.1]:35370 on [192.168.127.2]:22 penalty: failed authentication
Dec 12 09:21:11 localhost.localdomain sshd[1050]: drop connection #0 from [192.168.127.1]:35371 on [192.168.127.2]:22 penalty: failed authentication
Dec 12 09:21:12 localhost.localdomain sshd[1050]: drop connection #0 from [192.168.127.1]:35372 on [192.168.127.2]:22 penalty: failed authentication
Dec 12 09:21:13 localhost.localdomain sshd[1050]: drop connection #0 from [192.168.127.1]:35373 on [192.168.127.2]:22 penalty: failed authentication
Dec 12 09:21:13 localhost.localdomain sshd[1050]: drop connection #0 from [192.168.127.1]:35374 on [192.168.127.2]:22 penalty: failed authentication
Dec 12 09:21:13 localhost.localdomain sshd[1050]: drop connection #0 from [192.168.127.1]:35375 on [192.168.127.2]:22 penalty: failed authentication
Dec 12 09:21:14 localhost.localdomain sshd[1050]: drop connection #0 from [192.168.127.1]:35376 on [192.168.127.2]:22 penalty: failed authentication
Dec 12 09:21:15 localhost.localdomain sshd[1050]: drop connection #0 from [192.168.127.1]:35377 on [192.168.127.2]:22 penalty: failed authentication
Dec 12 09:21:16 localhost.localdomain sshd[1050]: drop connection #0 from [192.168.127.1]:35378 on [192.168.127.2]:22 penalty: failed authentication
Dec 12 09:21:17 localhost.localdomain sshd[1050]: drop connection #0 from [192.168.127.1]:35379 on [192.168.127.2]:22 penalty: failed authentication
Dec 12 09:21:18 localhost.localdomain sshd[1050]: drop connection #0 from [192.168.127.1]:35380 on [192.168.127.2]:22 penalty: failed authentication
Dec 12 09:21:19 localhost.localdomain sshd[1050]: drop connection #0 from [192.168.127.1]:35381 on [192.168.127.2]:22 penalty: failed authentication
Dec 12 09:21:20 localhost.localdomain sshd-session[1329]: Accepted publickey for core from 192.168.127.1 port 35382 ssh2: ED25519 SHA256:E0ty9Qq3PssWY7boh8+9BKC3uIC7HpwCTgOr29E1K1I
Dec 12 09:21:20 localhost.localdomain sshd-session[1329]: pam_systemd(sshd:session): New sd-bus connection (system-bus-pam-systemd-1329) opened.
Dec 12 09:21:20 localhost.localdomain sshd-session[1329]: pam_unix(sshd:session): session opened for user core(uid=501) by core(uid=0)

--
You are receiving this mail because:
You are watching the assignee of the bug.
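The pattern in the log above is easiest to confirm when the journal lines are correlated: the PerSourcePenalties drops are logged by the listener against the source address, while the PAM account denials are logged by the per-connection sshd-session process without any peer address, so the two have to be matched in time. The following is an added example, not code from the bug report or from OpenSSH: a small Python triage script that parses journal lines of the shape shown above, measures the penalty window per source address and labels it as preceded by PAM account denials (as with pam_nologin during boot) rather than by credential failures. The log sample is constructed from a subset of the lines above plus an invented second source (203.0.113.5, a documentation address) with "Failed password" lines so the two causes can be compared; the 60-second lookback, the assumed year and the verdict labels are the example's own choices.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: a subset of the journal lines from the bug report above,
# plus an invented second source (203.0.113.5) whose penalty follows real
# credential failures, so the two causes can be told apart.
SAMPLE_LOG = """\
Dec 12 09:20:57 localhost.localdomain sshd[1050]: Server listening on 0.0.0.0 port 22.
Dec 12 09:20:57 localhost.localdomain sshd-session[1105]: fatal: Access denied for user core by PAM account configuration [preauth]
Dec 12 09:20:58 localhost.localdomain sshd-session[1159]: fatal: Access denied for user core by PAM account configuration [preauth]
Dec 12 09:20:58 localhost.localdomain sshd-session[1165]: fatal: Access denied for user core by PAM account configuration [preauth]
Dec 12 09:20:59 localhost.localdomain sshd[1050]: drop connection #0 from [192.168.127.1]:35353 on [192.168.127.2]:22 penalty: failed authentication
Dec 12 09:21:19 localhost.localdomain sshd[1050]: drop connection #0 from [192.168.127.1]:35381 on [192.168.127.2]:22 penalty: failed authentication
Dec 12 09:21:20 localhost.localdomain sshd-session[1329]: Accepted publickey for core from 192.168.127.1 port 35382 ssh2: ED25519 SHA256:E0ty9Qq3PssWY7boh8+9BKC3uIC7HpwCTgOr29E1K1I
Dec 12 10:00:01 localhost.localdomain sshd-session[2001]: Failed password for invalid user admin from 203.0.113.5 port 40001 ssh2
Dec 12 10:00:02 localhost.localdomain sshd-session[2002]: Failed password for invalid user admin from 203.0.113.5 port 40002 ssh2
Dec 12 10:00:03 localhost.localdomain sshd[1050]: drop connection #0 from [203.0.113.5]:40003 on [192.168.127.2]:22 penalty: failed authentication
"""

# Journal line shape: "Mon DD HH:MM:SS host prog[pid]: message"
_LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ (?P<prog>[\w-]+)\[\d+\]: (?P<msg>.*)$"
)
# Denial by the PAM account stack (pam_nologin, pam_time, ...); the line carries no peer address.
_PAM_DENIED = re.compile(r"Access denied for user \S+ by PAM account configuration")
# Genuine credential failure; this line does carry the peer address.
_AUTH_FAIL = re.compile(
    r"Failed (?:password|publickey|keyboard-interactive\S*) for (?:invalid user )?\S+ from (?P<ip>\S+) port \d+"
)
# PerSourcePenalties drop, logged by the listener against the source address.
_PENALTY = re.compile(
    r"drop connection #\d+ from \[(?P<ip>[^\]]+)\]:\d+ on \[[^\]]+\]:\d+ penalty: (?P<reason>.+)$"
)
_ACCEPTED = re.compile(r"Accepted \S+ for \S+ from (?P<ip>\S+) port \d+")


def parse_events(log_text, year=2024):
    """Turn journal lines into (timestamp, kind, ip, reason) tuples sorted by time.

    Syslog timestamps carry no year, so `year` is an assumption supplied by the caller."""
    events = []
    for line in log_text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        msg = m["msg"]
        if (p := _PENALTY.search(msg)):
            events.append((ts, "penalty", p["ip"], p["reason"]))
        elif _PAM_DENIED.search(msg):
            events.append((ts, "pam_denied", None, None))
        elif (f := _AUTH_FAIL.search(msg)):
            events.append((ts, "auth_fail", f["ip"], None))
        elif (a := _ACCEPTED.search(msg)):
            events.append((ts, "accepted", a["ip"], None))
    events.sort(key=lambda e: e[0])
    return events


def analyze(log_text, lookback_seconds=60, year=2024):
    """Per penalised source address: how long the penalty window lasted and what preceded it."""
    events = parse_events(log_text, year)
    report = {}
    for ip in sorted({e[2] for e in events if e[1] == "penalty"}):
        drops = [e for e in events if e[1] == "penalty" and e[2] == ip]
        first, last = drops[0][0], drops[-1][0]
        lookback = first - timedelta(seconds=lookback_seconds)
        # PAM account denials cannot be tied to an address from the log line alone,
        # so they are counted globally within the lookback window (a known limitation).
        pam = sum(1 for e in events if e[1] == "pam_denied" and lookback <= e[0] < first)
        cred = sum(1 for e in events if e[1] == "auth_fail" and e[2] == ip and lookback <= e[0] < first)
        accepted_after = any(e[1] == "accepted" and e[2] == ip and e[0] >= last for e in events)
        if cred == 0 and pam > 0:
            verdict = "pam-account-denial"   # e.g. pam_nologin while /run/nologin exists at boot
        elif cred > 0:
            verdict = "credential-failures"
        else:
            verdict = "unknown"
        report[ip] = {
            "drops": len(drops),
            "reasons": sorted({e[3] for e in drops}),
            "window_seconds": (last - first).total_seconds(),
            "pam_account_denials": pam,
            "credential_failures": cred,
            "accepted_after": accepted_after,
            "verdict": verdict,
        }
    return report


if __name__ == "__main__":
    for ip, r in analyze(SAMPLE_LOG).items():
        print(f"{ip}: {r['drops']} drops over {r['window_seconds']:.0f}s, "
              f"pam denials={r['pam_account_denials']}, credential failures={r['credential_failures']}, "
              f"login after window={r['accepted_after']} -> {r['verdict']}")
```

On the sample, 192.168.127.1 is reported as a 20-second penalty window preceded only by PAM account denials and followed by a successful publickey login, which is the boot-ordering signature described in the report, while 203.0.113.5 is reported as preceded by credential failures. To run it against a live system, feed it the output of `journalctl -u sshd` in the same short-timestamp format and supply the right year.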
bugzilla-daemon at mindrot.org
2024-Dec-13 09:06 UTC
[Bug 3766] openssh PerSourcePenalties and pam_nologin interaction
https://bugzilla.mindrot.org/show_bug.cgi?id=3766

--- Comment #1 from Timothée Ravier <travier at redhat.com> ---
We've seen this issue on aarch64 but this likely applies to all architectures.

See: https://github.com/containers/podman-machine-os/pull/52
bugzilla-daemon at mindrot.org
2024-Dec-14 02:35 UTC
[Bug 3766] openssh PerSourcePenalties and pam_nologin interaction
https://bugzilla.mindrot.org/show_bug.cgi?id=3766

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |djm at mindrot.org

--- Comment #2 from Damien Miller <djm at mindrot.org> ---
Why not delay starting sshd until the system is ready for logins?
bugzilla-daemon at mindrot.org
2024-Dec-16 14:52 UTC
[Bug 3766] openssh PerSourcePenalties and pam_nologin interaction
https://bugzilla.mindrot.org/show_bug.cgi?id=3766

--- Comment #3 from Timothée Ravier <travier at redhat.com> ---
That's indeed an option that should work with the full service case (sshd.service) but likely won't with the inetd-like case (sshd.socket) as the sockets are created early in the boot process.