Bug 145

Summary: sshd fails to increment AIX login failed counter
Product: Portable OpenSSH
Reporter: Mandar Mirashi <mandar>
Component: sshd
Assignee: OpenSSH Bugzilla mailing list <openssh-bugs>
Status: CLOSED FIXED
Severity: security
CC: berry.perzon
Priority: P1
Version: -current
Hardware: Other
OS: AIX

Attachments:
Merge all previous patches and diff against -cvs (Flags: none)

Description Mandar Mirashi 2002-03-08 06:59:43 AEDT
Failed password attempts fail to increment the default AIX loginretries 
counter. This can be used as a password crack exploit on AIX boxes.

Fixes to auth1.c, auth2.c, auth.c -

# diff -rc auth.c.old auth.c    
*** auth.c.old  Mon Mar  4 20:42:43 2002
--- auth.c      Thu Mar  7 14:46:40 2002
***************
*** 231,236 ****
--- 231,242 ----
            get_remote_ipaddr(),
            get_remote_port(),
            info);
+ 
+ #ifdef WITH_AIXAUTHENTICATE
+       if (authenticated == 0 && strcmp(method, "password") == 0)
+             loginfailed(authctxt->user, get_canonical_hostname
(options.reverse_mapping_check), "ssh");
+ #endif /* WITH_AIXAUTHENTICATE */
+ 
  }
  
  /*
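Review bot: the option member named on the wrapped call line, `options.reverse_mapping_check`, does not match `options.verify_reverse_mapping` used in the auth1.c and auth2.c hunks that follow, so the three hunks cannot all compile against the same tree; use the same member name here as in the calls being removed. The continuation line `(options.reverse_mapping_check), "ssh");` has also lost its leading `+`, so patch(1) will not apply this hunk as pasted; regenerate the diff and attach it rather than pasting it inline. The `strcmp(method, "password") == 0` guard deserves a short comment, since the calls removed below counted failures of any method.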


# diff -rc auth1.c.old auth1.c
*** auth1.c.old Thu Feb 14 04:39:50 2002
--- auth1.c     Thu Mar  7 14:42:34 2002
***************
*** 337,347 ****
                        return;
  
                if (authctxt->failures++ > AUTH_FAIL_MAX) {
- #ifdef WITH_AIXAUTHENTICATE
-                       loginfailed(authctxt->user,
-                           get_canonical_hostname
(options.verify_reverse_mapping),
-                           "ssh");
- #endif /* WITH_AIXAUTHENTICATE */
                        packet_disconnect(AUTH_FAIL_MSG, authctxt->user);
                }
  
--- 337,342 ----
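Review bot: after this deletion the `failures++ > AUTH_FAIL_MAX` branch no longer reports anything to AIX, so protocol-1 failure accounting depends entirely on the auth.c hunk being applied to the same tree; the two belong in one patch (and one attachment) so an AIX build cannot end up with neither call. Leaving `packet_disconnect(AUTH_FAIL_MSG, authctxt->user);` in place is right, as the per-connection cap and the OS counter are separate controls.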


# diff -rc auth2.c.old auth2.c
*** auth2.c.old Tue Feb 26 13:09:43 2002
--- auth2.c     Thu Mar  7 14:42:42 2002
***************
*** 262,272 ****
                authctxt->success = 1;
        } else {
                if (authctxt->failures++ > AUTH_FAIL_MAX) {
- #ifdef WITH_AIXAUTHENTICATE
-                       loginfailed(authctxt->user,
-                           get_canonical_hostname
(options.verify_reverse_mapping),
-                           "ssh");
- #endif /* WITH_AIXAUTHENTICATE */
                        packet_disconnect(AUTH_FAIL_MSG, authctxt->user);
                }
                methods = authmethods_get();
--- 262,267 ----
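Review bot: the call removed here ran for a failure of any method once `failures` exceeded AUTH_FAIL_MAX, whereas its replacement in auth.c fires only when `method` is `"password"`, so non-password protocol-2 failures stop feeding the AIX counter; that is a behaviour change and should be stated in the commit message. The flow after the check is otherwise unchanged: `methods = authmethods_get();` still runs after the disconnect test.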
Comment 1 Mandar Mirashi 2002-03-08 09:30:59 AEDT
Realized the option structure member name has changed with 3.1p1...new diff for 
auth.c attached:

# diff -rc auth.c auth.c.old
*** auth.c      Thu Mar  7 16:55:14 2002
--- auth.c.old  Mon Mar  4 20:42:43 2002
***************
*** 231,242 ****
            get_remote_ipaddr(),
            get_remote_port(),
            info);
- 
- #ifdef WITH_AIXAUTHENTICATE
-       if (authenticated == 0 && strcmp(method, "password") == 0)
-             loginfailed(authctxt->user, get_canonical_hostname
(options.verify_reverse_mapping), "ssh");
- #endif /* WITH_AIXAUTHENTICATE */
- 
  }
  
  /*
--- 231,236 ----
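Review bot: this diff was generated with the arguments reversed (`diff -rc auth.c auth.c.old`, new file first), so the fix shows up as `-` lines and patch(1) would remove it rather than add it; regenerate it as `diff -rc auth.c.old auth.c`, or apply with `patch -R`, and attach the result instead of pasting. The continuation line `(options.verify_reverse_mapping), "ssh");` again carries no diff marker, so the hunk will not apply cleanly as shown.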
Comment 2 Ben Lindstrom 2002-04-06 08:32:45 AEST
And what should be the right patch?  Please use attachments.

- Ben
Comment 3 Darren Tucker 2002-06-21 23:43:55 AEST
Created attachment 116 [details]
Merge all previous patches and diff against -cvs
Comment 4 Darren Tucker 2002-06-21 23:56:01 AEST
I think I get it now: loginfailed() isn't called until the number of failures 
for a given child process is greater than AUTH_FAIL_MAX (currently defined as 
6). Since ssh gives up after 3 password attempts (plus a couple of public-key?), 
loginfailed is never called and the counter is never incremented. Reconnecting 
to sshd gives a new child and the count starts again. Repeat.

I've tested the above patch and confirmed working lockout with it (and lack 
thereof without) on AIX 4.3.3 ML0.

The code deleted from auth[12].c was marked with /* XXX: privsep */ but I'm not 
sure what this indicates. Clues?
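The mechanism described in the comment above, as an added example that is not OpenSSH code: a small C model of the two accounting strategies. A per-connection counter that only reports to the OS once it passes AUTH_FAIL_MAX never fires when each client gives up after three tries and every reconnection starts a fresh child, whereas reporting each failed password attempt feeds the OS counter directly. `os_lockout`, `os_record_failure`, `check_password`, the attempt counts and the retry limit are constructed stand-ins for the AIX loginretries counter, `loginfailed()` and the client; only `AUTH_FAIL_MAX` and the `failures++ > AUTH_FAIL_MAX` test come from the page.

```c
/* Added example, not OpenSSH code: model of per-connection vs. per-attempt
 * failure accounting.  The OS counter and lockout threshold are constructed
 * stand-ins for AIX loginretries, not the real AIX API. */
#include <stdio.h>
#include <string.h>

#define AUTH_FAIL_MAX 6   /* per-connection cap, as in the bug */

/* Constructed model of the OS-level lockout counter. */
struct os_lockout {
    int failed;   /* failed logins recorded so far */
    int retries;  /* lock once failed reaches this (like loginretries) */
};

static void os_record_failure(struct os_lockout *os) { os->failed++; }

static int os_locked(const struct os_lockout *os)
{
    return os->failed >= os->retries;
}

/* Stand-in password check; the simulated client always guesses wrong. */
static int check_password(const char *user, const char *pw)
{
    (void)user;
    return strcmp(pw, "correct-horse") == 0;
}

/* Old behaviour: the OS counter is touched only after the per-connection
 * counter exceeds AUTH_FAIL_MAX, which with post-increment means the 8th
 * failure of a single connection.  Returns 1 on success, 0 otherwise. */
static int child_old(struct os_lockout *os, int attempts)
{
    int failures = 0;
    for (int i = 0; i < attempts; i++) {
        if (os_locked(os))
            return 0;                 /* OS refuses a locked account */
        if (check_password("user", "wrong"))
            return 1;
        if (failures++ > AUTH_FAIL_MAX) {
            os_record_failure(os);    /* the only loginfailed() call */
            return 0;                 /* packet_disconnect */
        }
    }
    return 0;   /* client gave up; the local counter dies with the child */
}

/* Fixed behaviour: every failed password attempt is reported to the OS,
 * independently of the per-connection cap. */
static int child_new(struct os_lockout *os, int attempts)
{
    int failures = 0;
    for (int i = 0; i < attempts; i++) {
        if (os_locked(os))
            return 0;
        if (check_password("user", "wrong"))
            return 1;
        os_record_failure(os);        /* loginfailed() per failed password */
        if (failures++ > AUTH_FAIL_MAX)
            return 0;
    }
    return 0;
}

/* Spawn `connections` fresh children, each making `attempts` tries against
 * an OS counter that locks at `retries`; return failures the OS recorded. */
static int run(int (*child)(struct os_lockout *, int),
               int connections, int attempts, int retries)
{
    struct os_lockout os = { 0, retries };
    for (int c = 0; c < connections; c++)
        child(&os, attempts);
    return os.failed;
}

int main(void)
{
    printf("old, 10 connections x 3 tries: %d recorded\n", run(child_old, 10, 3, 5));
    printf("new, 10 connections x 3 tries: %d recorded\n", run(child_new, 10, 3, 5));
    printf("old, 1 connection x 8 tries:   %d recorded\n", run(child_old, 1, 8, 5));
    return 0;
}
```

With three tries per connection the old code records nothing no matter how many times the client reconnects, while the fixed code reaches the constructed limit of 5 during the second connection; the third run shows that the old path needed eight failures in one connection before it reported anything at all.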
Comment 5 Ben Lindstrom 2002-07-05 04:11:53 AEST
Applied.  Reopen w/ new patch if more problems are found.
Comment 6 Ben Lindstrom 2002-07-05 04:12:16 AEST
Applied.  Reopen w/ new patch if more problems are found.
Comment 7 Berry Perzon 2002-07-10 19:27:50 AEST
*** Bug 349 has been marked as a duplicate of this bug. ***
Comment 8 Damien Miller 2004-04-14 12:24:18 AEST
Mass change of RESOLVED bugs to CLOSED