On Jul 11, 2006, at 8:21 PM, openssh-unix-dev-request at mindrot.org wrote:
> Date: Tue, 11 Jul 2006 15:50:22 -0500
> From: "Hughes Andy" <Andy.Hughes at HCAHealthcare.com>
> Subject: How to use SSH with Failed Login attempts and locking
> accounts
> To: <openssh-unix-dev at mindrot.org>
> Message-ID:
> <273CACD967F9BC47B023F758ACBC3A8C075855F4 at NASEV06.hca.corpad.net>
> Content-Type: text/plain; charset="us-ascii"
>
> I have searched the FAQs and have not seen an answer to this question.
> I have also read the manuals for the SSH and have not found an answer to
> this issue.
I feel the rage of Theo stirring inside me... must .....
resist ...... the ...... impulse ..... aahh. Better now.
http://groups.google.com/group/mailing.unix.openssh-dev/about
> My question is this:
>
> I am using openssh (OpenSSH_4.2p1, OpenSSL 0.9.8 05 Jul 2005) on MP-RAS
MP-RAS? Y2K? Won't they support Solaris x86? I'll bet you can buffer
overflow the crap out of MP-RAS! It makes me want to get back to work
on my fuzzer!
> Version 3.3.1.8 and 3.2 and I desire to allow a user to fail login for
> any reason only 3 (three) times and then lock the account. I can use
> the option of FAILLIMIT=3 in the /etc/default/login file for telnet
> sessions, and this will lock the account after three failed login
> attempts by the user. But this does not work for SSH. I have also
> placed the same option in the file of /etc/default/login.openssh with no
> such luck.
By default, ssh does not call login(3). Find that in the docs under
UseLogin. Please Google that also.
FYI: Automatic lockout allows anyone to lock out any account by
guessing or knowing the name. This actually makes another easier way
for malicious gremlins to abuse your systems. My favorite prank is to
scratch out a fake warning to someone that they've been fired and
then lock out their account... no, I would NEVER do that...
> this. It is an audit requirement here, to start locking an account when
> the user fails the login process, for any reason, after three attempts.
> 
I always thought an audit was a fact-finding pursuit. If I were you,
I would pursue a CBA for automatic lockouts. If you don't really need
them to conduct your business then you should keep all accounts
locked and only enable them during controlled change windows. If you
do really need these accounts to support your business, then your
security policy should not lock your accounts. The programmers on
this list are famously paranoid and prudent about security. You might
ask yourself why this feature hasn't already been implemented and
widely used if it were a good idea?
> Any help is appreciated. Thanks in advance for the help.
Also, you probably don't want to use login(3). I strongly encourage
you to seek an implementation of pam_tally if I cannot discourage
this automatic lockout craziness.
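
For readers who do go the PAM route the reply points at, the fragment below is an added example of what the tally-based setup looks like; it is not from the original message or from the OpenSSH project. It assumes a Linux host with Linux-PAM and OpenSSH built with PAM support (whether the poster's MP-RAS box ships PAM at all is not established in this thread, and without PAM none of this applies), and it uses pam_tally2, the successor of the pam_tally module named above (both have since been superseded by pam_faillock in newer Linux-PAM). The file paths and the "system-auth" include name follow one common distribution layout and are assumptions. Two points the reply's warning makes worth building in: unlock_time turns the "anyone can lock anyone out by name" problem into a bounded outage instead of a permanent one, and the counting happens only in the PAM auth phase, so public-key logins never touch the tally at all and only password and keyboard-interactive attempts are counted or denied.

```text
# /etc/ssh/sshd_config (excerpt) -- added example, not from the thread.
# sshd does not run login(1), so the counting has to happen in PAM.
UsePAM yes
PasswordAuthentication yes
ChallengeResponseAuthentication yes   # also routes keyboard-interactive through PAM
MaxAuthTries 3                        # per connection; the tally persists across connections

# /etc/pam.d/sshd (excerpt) -- file name and "system-auth" include are assumed.
# auth phase: pam_tally2 increments the per-user counter on every failed
# password, denies once it reaches 3, and lifts the block after 900 s.
# Without even_deny_root the root account is never locked.
auth     required   pam_tally2.so onerr=fail deny=3 unlock_time=900 audit
auth     include    system-auth
# account phase: pam_tally2 only resets the counter after a successful
# login here; it does not deny, and a publickey login never reaches the
# auth phase above, so keys are neither counted nor blocked by this stack.
account  required   pam_tally2.so
account  include    system-auth
```

Operationally, `pam_tally2` with no arguments lists users with a non-zero count, and `pam_tally2 --user NAME --reset` clears one account after a helpdesk check, which is the manual step an audit-driven policy ends up needing every time someone fat-fingers a password three times.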