Bug 1237

Summary: Behaviour of openssh with pam_tally is very buggy
Product: Portable OpenSSH Reporter: dave <dave>
Component: PAM supportAssignee: Assigned to nobody <unassigned-bugs>
Status: CLOSED WORKSFORME    
Severity: normal CC: djm
Priority: P2    
Version: 4.3p2   
Hardware: Other   
OS: Linux   

Description dave 2006-09-25 22:39:38 AEST 
This flavour of openssh doesn't support pam_tally very well, leading to the risk that users may find themselves locked out of other application - even with valid credentials, or may be able to access the system when the account should be locked out.

Base system: Fedora Core 5, added pam_tally lines to /etc/pam.d/system-auth as follows:
auth required /lib/security/$ISA/pam_tally.so onerr=fail deny=5
account required /lib/security/$ISA/pam_tally.so

This leads to the following buggy behaviour: (using password authentication)
1) The tally only increases once with each ssh session, not with each bad password (as the default is 3 tries before failure, this means I can get in 3 bad passwords for one tally).
2) The tally doesn't update properly, using /sbin/pam_tally unless I fail authentication using another mechanism (e.g. sudo) - try this order (deliberately using bad passwords):
ssh 127.0.0.1
/sbin/pam_tally (no entries)
sudo ls
/sbin/pam_tally (entry for sudo failure plus one for ssh)
3) SSH doesn't actually lock you out when you've gone over your tally limit - even though other services do.
Comment 1 dave 2006-09-26 00:23:16 AEST 
Forgot to add the fourth bug:
4) Use of a correct password doesn't reset the tally.
Comment 2 Darren Tucker 2006-09-29 20:28:32 AEST 
When you say "password authentication" do you mean SSH protocol password authentication?

ie does "ssh -o preferredauthentications=password server" behave as you're describing?
Comment 3 Damien Miller 2007-06-13 10:22:03 AEST 
8 months with no reply == no bug
Comment 4 dave 2007-06-14 16:14:40 AEST 
Great way of fixing a bug - ask whether "password" means "password" then close after 8 months without performing the checks included in the bug.

The magic words here are "password" and "pam"; in essence meaning ssh password authentication that uses pam (so in theory anything else that ssh uses to authenticate against pam).

Though it's a pretty moot point now - I've just retried the steps and at some point in the past 9 months somebody has fixed the buggy code.
Comment 5 Damien Miller 2007-06-14 21:36:20 AEST 
Nice of you to finally respond.

I asked because there are two protocol methods in SSH that allow password authentication: keyboard-interactive and password. Since you didn't see fit to attach a debug trace, I had to ask.
Comment 6 Damien Miller 2008-04-04 09:56:21 AEDT 
Close resolved bugs after release.