Bug 1237 - Behaviour of openssh with pam_tally is very buggy
Status: CLOSED WORKSFORME
Alias: None
Product: Portable OpenSSH
Classification: Unclassified
Component: PAM support
Version: 4.3p2
Hardware: Other Linux
Importance: P2 normal
Assignee: Assigned to nobody
Reported: 2006-09-25 22:39 AEST by dave
Modified: 2008-04-04 09:56 AEDT
Description dave 2006-09-25 22:39:38 AEST
This flavour of openssh doesn't support pam_tally very well, leading to the risk that users may find themselves locked out of other applications, even with valid credentials, or may be able to access the system when the account should be locked out.

Base system: Fedora Core 5, added pam_tally lines to /etc/pam.d/system-auth as follows:

    auth required /lib/security/$ISA/pam_tally.so onerr=fail deny=5
    account required /lib/security/$ISA/pam_tally.so

This leads to the following buggy behaviour: (using password authentication)
1) The tally only increases once with each ssh session, not with each bad password (as the default is 3 tries before failure, this means I can get in 3 bad passwords for one tally).
2) The tally doesn't update properly (as reported by /sbin/pam_tally) unless I fail authentication using another mechanism (e.g. sudo). Try this order, deliberately using bad passwords:

    ssh 127.0.0.1
    /sbin/pam_tally        (no entries)
    sudo ls
    /sbin/pam_tally        (entry for sudo failure plus one for ssh)

3) SSH doesn't actually lock you out when you've gone over your tally limit - even though other services do.
Comment 1 dave 2006-09-26 00:23:16 AEST
Forgot to add the fourth bug:
4) Use of a correct password doesn't reset the tally.
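A defender-side check for the situation the report describes, added here as an example and not part of the bug report or of OpenSSH: a POSIX shell script that reads the deny= threshold from a pam_tally auth line and lists the accounts whose /sbin/pam_tally counter has reached it, so that a lockout sshd fails to enforce is at least visible to an administrator. Both the PAM line and the pam_tally report are constructed samples, and the report line format ("User <name> (<uid>) has <n>") is an assumption.

```sh
#!/bin/sh
# Added example (not part of the bug report or of OpenSSH): audit pam_tally
# failure counters against the deny= threshold configured in the PAM stack.
# Assumptions: the pam_tally report prints one line per user in the form
# "User <name> (<uid>) has <n>", and the auth line carries deny=<n>.

# Constructed sample of the auth line from /etc/pam.d/system-auth.
SAMPLE_PAM_AUTH='auth required /lib/security/$ISA/pam_tally.so onerr=fail deny=5'

# Constructed sample of /sbin/pam_tally output (not captured from a real host).
SAMPLE_TALLY='User alice            (1001)  has 2
User bob              (1002)  has 5
User carol            (1003)  has 9'

# Extract the deny threshold from a pam_tally auth line; prints nothing if absent.
deny_threshold() {
    printf '%s\n' "$1" | sed -n 's/.*pam_tally\.so.*[[:space:]]deny=\([0-9][0-9]*\).*/\1/p'
}

# Print the users whose tally has reached the threshold, one per line.
# $1 = threshold, $2 = pam_tally report text.
locked_users() {
    printf '%s\n' "$2" | awk -v deny="$1" '
        $1 == "User" && $(NF-1) == "has" && $NF + 0 >= deny + 0 { print $2 }'
}

# Run the audit over the constructed samples; fails if no threshold is set,
# because with no deny= every account would otherwise be reported as locked.
audit_sample() {
    deny=$(deny_threshold "$SAMPLE_PAM_AUTH")
    [ -n "$deny" ] || { echo "no deny= threshold found on the pam_tally auth line" >&2; return 1; }
    locked_users "$deny" "$SAMPLE_TALLY"
}

audit_sample
```

On a real host the two samples would be replaced by the relevant line of /etc/pam.d/system-auth and the output of /sbin/pam_tally; any account the script lists should be refused by every PAM-using service, so a successful ssh login for one of them reproduces bug 3) of the report.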
Comment 2 Darren Tucker 2006-09-29 20:28:32 AEST
When you say "password authentication" do you mean SSH protocol password authentication?

i.e. does "ssh -o preferredauthentications=password server" behave as you're describing?
Comment 3 Damien Miller 2007-06-13 10:22:03 AEST
8 months with no reply == no bug
Comment 4 dave 2007-06-14 16:14:40 AEST
Great way of fixing a bug - ask whether "password" means "password" then close after 8 months without performing the checks included in the bug.

The magic words here are "password" and "pam"; in essence meaning ssh password authentication that uses pam (so in theory anything else that ssh uses to authenticate against pam).

Though it's a pretty moot point now - I've just retried the steps and at some point in the past 9 months somebody has fixed the buggy code.
Comment 5 Damien Miller 2007-06-14 21:36:20 AEST
Nice of you to finally respond.

I asked because there are two protocol methods in SSH that allow password authentication: keyboard-interactive and password. Since you didn't see fit to attach a debug trace, I had to ask.
Comment 6 Damien Miller 2008-04-04 09:56:21 AEDT
Close resolved bugs after release.