Is there any way to disable logging of failures during pam_authenticate?

I ask because OpenSSH is currently generating an extra "authentication failure..." message at each login.

The problem is that OpenSSH likes to try a blank password attempting any other authentication. This is a shortcut for anonymous SSH servers (e.g. OpenBSD's CVS repositories). I expect that this test will fail in the vast majority of cases, but it speeds things up significantly when it succeeds.

A way to disable authentication failure delays on a per-function call basis would be great as well.

Regards,
Damien Miller

--
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)

On 1999-Dec-26 at 13:50:53 +1100, Damien Miller wrote:

: A way to disable authentication failure delays on a per-function call
: basis would be great as well.

Look at:

http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/pam_appl-3.html

and search for `pam_fail_delay' and see if that isn't what you need for this.

--
jim knoble
jmknoble at pobox.com

On Sun, 26 Dec 1999, Damien Miller wrote:

> Is there any way to disable logging of failures during
> pam_authenticate?

PAM does not have control over the logging process during pam_authenticate, that's left up to the individual modules. You may be able to turn logging off for individual modules; however--

> The problem is that OpenSSH likes to try a blank password attempting
> any other authentication. This is a shortcut for anonymous SSH servers
> (e.g. OpenBSD's CVS repositories). I expect that this test will fail
> in the vast majority of cases, but it speeds things up significantly
> when it succeeds.

wouldn't it be more reasonable to ask ssh to not try null passwords? There could be any number of modules that would be used in the PAM auth section, and all of them may have an opinion on what should be logged. Some of them may be well-behaved and let you disable logging, but then you've also disabled logging for any genuine attacks against you using that service.

Perhaps, as with Samba's client utils, a commandline option could be added to openssh's client to specify the use of a null password? That way, you don't have to worry about prompts when the connection is scripted, and you get around the logging issue as well.

-Steve Langasek
postmodern programmer