pam_abl and sshd MaxAuthTries strangeness (was Re: pam_tally with sshd: ssh password-based failures not tally'd)

George Hansper george-lists at anstat.com.au
Mon Jan 10 04:40:51 UTC 2005


I've tried the options PreferredAuthentications=password and NumberOfPasswordPrompts=10
and I seem to get consistent behaviour (for now):

With:
	ssh -o PreferredAuthentications=password -o NumberOfPasswordPrompts=10   127.0.0.1
and
	MaxAuthTries 1

I get TWO tries at entering the password, and pam_abl registers ONE failed login.

In general, it seems for 'MaxAuthTries N', I get N+1 tries at the password,
and pam_abl increments by ONE failed login.

With:
	ssh -o PreferredAuthentications=publickey,password   127.0.0.1

I get N tries at entering the password, and pam_abl registers ONE failed login

On Fedora Core 3, I also had 'GSSAPIAuthentication yes' in /etc/ssh/sshd_config,
which gave the result (using 'ssh -vvv ...'):

	debug1: Authentications that can continue: publickey,gssapi-with-mic,password

With 'MaxAuthTries 1', the 2 tries permitted were being used up before I could enter
a password.

If no password was entered this did NOT register as a failed password for pam_abl.
This gives rise to the possibility of a publickey ssh attack, which is not picked up by pam_abl.
Is there some way to make failed publickey logins register with pam_abl?

Although I understand what was happening now, I did find it confusing at the time.

Firstly, that 'MaxAuthTries N' allows up to N+1 authentication attempts (across all methods),
and secondly, that try-once-and-give-up methods like 'publickey' are included
in this count.

It might be more useful to end-users to have separate controls in /etc/ssh/sshd_config
for the different methods - eg MaxAuthTriesPassword, MaxAuthTriesPublickey etc.

So in order to get pam_abl to count "real" login attempts (or as close as possible):

a) MaxAuthTries 0
       and disable all other authentication methods
    PubkeyAuthentication no
    GSSAPIAuthentication no
    KerberosAuthentication no

b) Increment MaxAuthTries by one for each of the alternate authentication mechanisms
    which are enabled, and live with the possibility that a user can get
    2 or more password attempts by using:
	ssh -o PreferredAuthentications=password ...

It doesn't negate the usefulness of pam_abl, but it does make the limits
in the config a little "rubbery".

Thanks for the tips on ssh,
	George Hansper

Darren Tucker wrote:
> George Hansper wrote:
> 
>> George Hansper wrote:
> 
> [...]
> 
>>>    For Mandrake 10.1, 'MaxAuthTries N' allows 'N+1' tries, and never 
>>> allows more than 3 tries anyway.
> 
> 
> That's a feature of the client, not server.  From the ssh_config(5) man page:
> 
>  NumberOfPasswordPrompts
>      Specifies the number of password prompts before giving up.  The
>      argument to this keyword must be an integer.  Default is 3.
> 
> [...]
> 
>> Fedora Core 3 (openssh-server 3.9p1-7) has started giving me the same
>> strange behaviour as Mandrake:
>>
>>     MaxAuthTries 1
>>
>>  > ssh george at 127.0.0.1
>> Received disconnect from 127.0.0.1: 2: Too many authentication 
>> failures for george
>>
>> ie before I can enter a password!
> 
> 
> ... but, most likely, after the client has attempted some other 
> authentication (eg hostbased or a key supplied by an agent).
> 
> Try "ssh -vvv yourserver" to see what it's doing and/or "ssh -o 
> PreferredAuthentications=password yourserver" to force it to attempt 
> only password auth.
> 
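An added check, written for this archive page and not taken from the thread, pam_abl or OpenSSH, that applies the arithmetic George describes to an sshd_config fragment: 'MaxAuthTries N' permits N+1 attempts in total, and each enabled try-once method the client attempts before password consumes one of them. The two config fragments are constructed, and the assumed OpenSSH defaults (MaxAuthTries 6, PubkeyAuthentication yes, GSSAPIAuthentication and KerberosAuthentication no) are mine.

```python
import re

# Constructed sshd_config fragments (not copied from any system in the thread).
SSHD_CONFIG_FC3 = """
# three methods offered to the client, as on George's Fedora Core 3 box
MaxAuthTries 1
PubkeyAuthentication yes
GSSAPIAuthentication yes
"""

SSHD_CONFIG_TIGHT = """
# option (a) from the post: password only, a single try
MaxAuthTries 0
PubkeyAuthentication no
GSSAPIAuthentication no
KerberosAuthentication no
"""

# Try-once-and-give-up methods that eat one attempt each when the server
# offers them and the client tries them before password.
# Assumed OpenSSH defaults: pubkey on, GSSAPI and Kerberos off.
ONE_SHOT_DEFAULTS = {
    "pubkeyauthentication": True,
    "gssapiauthentication": False,
    "kerberosauthentication": False,
}

def parse_sshd_config(text):
    """Return {lowercased keyword: value} for the active lines of an sshd_config."""
    opts = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) == 2:
            opts[parts[0].lower()] = parts[1].strip()
    return opts

def effective_password_tries(text, client_tries_other_methods=True):
    """Password prompts a client gets before 'Too many authentication failures'.
    Set client_tries_other_methods=False to model
    'ssh -o PreferredAuthentications=password'."""
    opts = parse_sshd_config(text)
    total = int(opts.get("maxauthtries", 6)) + 1      # N+1 attempts overall
    consumed = 0
    if client_tries_other_methods:
        for key, default in ONE_SHOT_DEFAULTS.items():
            enabled = opts.get(key, "yes" if default else "no") == "yes"
            consumed += int(enabled)
    return max(total - consumed, 0)   # 0 means disconnected before any prompt
```

With the Fedora-style fragment the function returns 0, i.e. the two permitted attempts are used up by publickey and GSSAPI before a password prompt appears, which is the behaviour George reports; the tightened fragment yields exactly one password try.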