Hi David,

I'm sure loginfailed(..) should be called immediately after authenticate(..) has returned an error. It is directly related to an invalid password try. (Please see my attached mail from May 2001 to the list.)

I'm not so sure when loginsuccess(..) should be called (setting the loginfailed counter to zero): either

1) when somebody logs in successfully using all kinds of valid openssh-login mechanisms, or

2) when somebody logs in successfully WITH the correct password ONLY.

Probably 2) would be correct, but we could live with 1) also, as it works now.

Best regards from Germany
Klaus

---------------------------------------------------------------------------

From: K.Wolkersdorfer at fz-juelich.de
Date: Mon, 21 May 2001 14:08:00 +0000
Reply-To: K.Wolkersdorfer at fz-juelich.de
To: openssh-unix-dev at mindrot.org
Subject: openssh-2.9p1 bug: loginfailed() with AIX 4.3.3

Hi,

first let me thank you for all the excellent work with openssh!

Bug-Description (for AIX - current release 4.3.3 - only):

During password authentication, if a user enters a wrong password, the failed attempt is not recorded at all in /etc/security/lastlog, although the loginfailed() subroutine in auth1.c is supposed to do that.

Suggestion:

In AIX the loginfailed() subroutine should be called if and only if the user enters a wrong password. From man loginfailed:

..."A login failure audit record is cut to indicate that an unsuccessful login attempt occurred. A utmp entry is appended to /etc/security/failedlogin file, which tracks all failed login attempts." ...

So it seems that in auth1.c the loginfailed() subroutine is in the wrong place. It should be immediately after the password authentication.
Bug-Fix: The following fix works for us: ------------------------------------------------------------------------ diff auth-passwd.c.orig auth-passwd.c 151c151,160 < return (authenticate(pw->pw_name,password,&reenter,&authmsg) == 0); ---> { int iau; > iau = (authenticate(pw->pw_name,password,&reenter,&authmsg) == 0); > debug("auth-passwd (FZJ-authenticate): rc: %d msg: %s", iau,authmsg);> if (iau) > return 1; > loginfailed(authctxt->user, > get_canonical_hostname(options.reverse_mapping_check), > "ssh"); > return 0; > }------------------------------------------------------------------------- -- Klaus Wolkersdorfer (K.Wolkersdorfer at fz-juelich.de) Zentralinstitut fuer Angewandte Mathematik (ZAM) Tel: +49-2461-61-6579 John von Neumann - Institute for Computing (NIC) Fax: -6656 Forschungszentrum Juelich GmbH, D-52425 Juelich, Germany
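Review bot: the replacement block in auth-passwd.c calls loginfailed() for every non-zero return from authenticate() but never looks at `reenter`, so a return that merely asks for another prompt would be recorded as a failed login exactly like a wrong password; check `reenter` before treating the result as a failure. The patch also leaves the existing loginfailed() call in auth1.c untouched, so a wrong password would be recorded twice unless that call is removed in the same change. Since the fix is meant for AIX only, the authenticate()/loginfailed() lines need an AIX-specific conditional, which the hunk does not show. Finally, `debug("... msg: %s", iau, authmsg)` should guard against authmsg being NULL on a return where authenticate() sets no message.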