On AIX 5.2, unsuccessful_login_count is incremented by scp because loginsuccess is not run. ssh will run loginsuccess but scp does not. Since lastlog is not reset, users can lock themselves out of the system via our max failure checks.
Created attachment 1153: Config.log from openssh 4.3p1, openssl 0.9.8
root> ssh posidon "lsuser -R LDAP jtm"
jtm ... unsuccessful_login_count=0 roles=
root> touch /tmp/jtm
root> chown jtm /tmp/jtm
root> scp /tmp/jtm jtm@posidon:/home/jtm/
jtm@posidon's password:
jtm 100% 16KB 0.0KB/s 00:00
root> ssh posidon "lsuser -R LDAP jtm"
jtm ... unsuccessful_login_count=1 roles=
The problem is not with scp but with sshd (since scp invokes ssh, which in turn talks to sshd). The difference is that loginsuccess is only called as part of the login recording, which only happens for "interactive" logins (i.e. ones where you get a pty). You should see the same thing if, instead of scp, you ran something like "ssh yourserver true" and checked the failed login count afterward. Not sure what to do about it, though. We can call loginsuccess immediately after successful authentication, but that will mean calling it a second time when the pty is allocated.
(In reply to comment #3)
> You should see the same thing if, instead of scp, you ran something like "ssh yourserver true" and checked the failed login count afterward.

This is confirmed.
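The reproduction suggested in comment #3 (run a non-interactive command over ssh, then compare the failed-login counter before and after), written up as a small check script. This is an added example, not code from the bug thread or from OpenSSH; it assumes an AIX host where `lsuser -a unsuccessful_login_count USER` prints a line of the form `USER unsuccessful_login_count=N`, and the host and user names are placeholders. The parsing and verdict functions run anywhere; `live_check` only makes sense on AIX.

```shell
#!/bin/sh
# Added example (not from the bug report or OpenSSH): detect a non-interactive
# ssh session that leaves the user's unsuccessful_login_count incremented.

# Extract unsuccessful_login_count from one line of `lsuser` output.
#   $1: a line such as "jtm unsuccessful_login_count=1 roles="
count_from_lsuser() {
  printf '%s\n' "$1" | sed -n 's/.*unsuccessful_login_count=\([0-9]*\).*/\1/p'
}

# Compare the counter before and after a successful non-interactive session.
# A counter that rose after a session that authenticated fine means
# loginsuccess was never called for it (the behaviour this bug describes).
#   $1: count before, $2: count after
verdict() {
  before=$1
  after=$2
  if [ "$after" -gt "$before" ]; then
    echo BUG
  else
    echo OK
  fi
}

# Live reproduction on an AIX host (hypothetical host/user names):
#   live_check posidon jtm
# Assumes `lsuser -a unsuccessful_login_count USER` is available on the host.
live_check() {
  host=$1
  user=$2
  before=$(count_from_lsuser "$(ssh "$host" "lsuser -a unsuccessful_login_count $user")")
  # Non-interactive session: no pty is allocated, so no login record is written.
  ssh "$user@$host" true
  after=$(count_from_lsuser "$(ssh "$host" "lsuser -a unsuccessful_login_count $user")")
  verdict "$before" "$after"
}

# Constructed sample lines mirroring the before/after output in the report.
SAMPLE_BEFORE='jtm unsuccessful_login_count=0 roles='
SAMPLE_AFTER='jtm unsuccessful_login_count=1 roles='

# Offline demonstration on the constructed samples (prints BUG).
verdict "$(count_from_lsuser "$SAMPLE_BEFORE")" "$(count_from_lsuser "$SAMPLE_AFTER")"
```

On a patched server the counter stays at its previous value across `ssh user@host true`, so `live_check` prints OK; an unpatched server prints BUG, and repeating the check enough times would eventually trip the max failure policy the report mentions.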
Created attachment 1157: Always call loginsuccess immediately after authentication. This patch should fix your immediate problem. It's probably not ideal, as it will result in two audit records for an interactive login (not sure if that matters, as I don't use AIX auditing). I would be interested to hear from anyone who does use AIX's audit facility.
Created attachment 1158: Always call loginsuccess immediately after authentication + report previous login correctly. Same as patch #1157, except it reports the previous login correctly. Please try this one instead.
Patch #1158 has been applied and will be in the 4.4p1 release. Thanks for the report.
With the release of 4.4, we believe that this bug is now closed. For information about the release please see http://www.openssh.com/txt/release-4.4 .