Bug 908

Summary: AIX OpenSSH allows too many failing login attempts
Product: Portable OpenSSH Reporter: Matt Small <matt.small>
Component: sshdAssignee: OpenSSH Bugzilla mailing list <openssh-bugs>
Status: ASSIGNED ---    
Severity: normal CC: defrayable
Priority: P2    
Version: -current   
Hardware: All   
OS: AIX   
Attachments:
Description Flags
proposed patch none

Description Matt Small 2004-07-31 09:22:22 AEST 
AIX allows per-user definitions for the maximum number of allowed login attempts
(defaulting to 3).  After that limit has been exceeded, the user is locked out,
and must be unlocked by an administrator.

Through OpenSSH, it is possible to get around this restriction, and make
additional login attempts.

To reproduce (assuming the system locks an account after 3 total failed
attempts, and assuming you have 3 attempts per ssh connection):
- start an ssh connection, fail your login twice, and exit out
- start a new session, fail twice, then enter the correct password, and you will
be accepted into the system (note that there were 4 failed attempts before the
successful login)



I believe the problem lies in how OpenSSH determines login permissions.  There
is an initial check made to ensure that the user can log in, but after that no
additional checks are made.  And once a successful login is made, the counter is
reset, incorrectly allowing future logins.

To fix this, the loginrestrictions() function (AIX-specific) needs to be checked
before each login attempt (_before_ a login is accepted).
Comment 1 Matt Small 2004-07-31 09:24:58 AEST 
Created attachment 696 [details]
proposed patch

With excellent comments and suggestions from Darren Tucker on my initial
version, this is a much improved patch (thankfully, the original need not see
the light of day).

It's against the 20040730 snapshot, and I've tested it on AIX 5.1.
Comment 2 Darren Tucker 2004-08-12 21:51:59 AEST 
I just tried that on 5.2 but it still allows the login after locking out the
account via telnet.  I suspect there's some kind of caching going on, but
neither setpwent/endpwent or setuserdb/enduserdb make a difference.
Comment 3 Matt Richards 2010-06-04 20:42:16 AEST 
Many years ago, I had a patch which used loginrestrictions and the AIX authenticate function which was incorporated into the source. Since then it seems to be only available with compile flag  -DCUSTOM_FAILED_LOGIN. It does honor login restrictions. Basically acts as telnet (ie resetting the failed login if under the limit of failed logins).