Bug 145 - sshd fails to increment AIX login failed counter
Summary: sshd fails to increment AIX login failed counter
Status: CLOSED FIXED
Alias: None
Product: Portable OpenSSH
Classification: Unclassified
Component: sshd
Version: -current
Hardware: Other AIX
Importance: P1 security
Assignee: OpenSSH Bugzilla mailing list
URL:
Keywords:
Duplicates: 349
Depends on:
Blocks:

Reported: 2002-03-08 06:59 AEDT by Mandar Mirashi
Modified: 2004-04-14 12:24 AEST

Attachments
Merge all previous patches and diff against -cvs (1.76 KB, patch)
2002-06-21 23:43 AEST, Darren Tucker

Description Mandar Mirashi 2002-03-08 06:59:43 AEDT
Failed password attempts fail to increment the default AIX loginretries 
counter. This can be used as a password crack exploit on AIX boxes.

Fixes to auth1.c, auth2.c, auth.c -

# diff -rc auth.c.old auth.c    
*** auth.c.old  Mon Mar  4 20:42:43 2002
--- auth.c      Thu Mar  7 14:46:40 2002
***************
*** 231,236 ****
--- 231,242 ----
            get_remote_ipaddr(),
            get_remote_port(),
            info);
+ 
+ #ifdef WITH_AIXAUTHENTICATE
+       if (authenticated == 0 && strcmp(method, "password") == 0)
+             loginfailed(authctxt->user, get_canonical_hostname
(options.reverse_mapping_check), "ssh");
+ #endif /* WITH_AIXAUTHENTICATE */
+ 
  }
  
  /*
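Review bot: this hunk targets a different tree than the auth1.c and auth2.c hunks in the same submission: the new call passes `options.reverse_mapping_check`, while the code removed below passes `options.verify_reverse_mapping` (the member was renamed in 3.1p1, as Comment 1 notes), so the three files will not build together as posted. Use `options.verify_reverse_mapping` here. The `authenticated == 0 && strcmp(method, "password") == 0` guard is the right shape for the loginretries counter: every failed password attempt is recorded regardless of the child's own `failures` count, and failures of non-password methods are not charged to the account.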


# diff -rc auth1.c.old auth1.c
*** auth1.c.old Thu Feb 14 04:39:50 2002
--- auth1.c     Thu Mar  7 14:42:34 2002
***************
*** 337,347 ****
                        return;
  
                if (authctxt->failures++ > AUTH_FAIL_MAX) {
- #ifdef WITH_AIXAUTHENTICATE
-                       loginfailed(authctxt->user,
-                           get_canonical_hostname
(options.verify_reverse_mapping),
-                           "ssh");
- #endif /* WITH_AIXAUTHENTICATE */
                        packet_disconnect(AUTH_FAIL_MSG, authctxt->user);
                }
  
--- 337,342 ----
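Review bot: with this call removed, protocol 1 records nothing to AIX on its own; the counting now depends entirely on the auth.c hunk, so the hunks must land together or AIX lockout stops working for protocol 1 altogether. Note also that the retained test `authctxt->failures++ > AUTH_FAIL_MAX` compares the pre-increment value, so a child only disconnects on the failure after the AUTH_FAIL_MAX-th one; with the old placement that was the sole point at which loginfailed() ran, which a client that tries a few passwords and reconnects never reaches.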


# diff -rc auth2.c.old auth2.c
*** auth2.c.old Tue Feb 26 13:09:43 2002
--- auth2.c     Thu Mar  7 14:42:42 2002
***************
*** 262,272 ****
                authctxt->success = 1;
        } else {
                if (authctxt->failures++ > AUTH_FAIL_MAX) {
- #ifdef WITH_AIXAUTHENTICATE
-                       loginfailed(authctxt->user,
-                           get_canonical_hostname
(options.verify_reverse_mapping),
-                           "ssh");
- #endif /* WITH_AIXAUTHENTICATE */
                        packet_disconnect(AUTH_FAIL_MSG, authctxt->user);
                }
                methods = authmethods_get();
--- 262,267 ----
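Review bot: same removal as in auth1.c and correct for the same reason, with one behavioural difference worth a line in the commit message: here `authctxt->failures++` runs for every failed method, so the old call charged the AIX counter once the threshold was hit whatever methods had failed, whereas the new call site in auth_log() records only `"password"` failures. If other password-based methods should also count toward loginretries, widen the `strcmp(method, "password")` check in auth.c rather than reinstating this block.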
Comment 1 Mandar Mirashi 2002-03-08 09:30:59 AEDT
Realized the option structure member name has changed with 3.1p1...new diff for 
auth.c attached:

# diff -rc auth.c auth.c.old
*** auth.c      Thu Mar  7 16:55:14 2002
--- auth.c.old  Mon Mar  4 20:42:43 2002
***************
*** 231,242 ****
            get_remote_ipaddr(),
            get_remote_port(),
            info);
- 
- #ifdef WITH_AIXAUTHENTICATE
-       if (authenticated == 0 && strcmp(method, "password") == 0)
-             loginfailed(authctxt->user, get_canonical_hostname
(options.verify_reverse_mapping), "ssh");
- #endif /* WITH_AIXAUTHENTICATE */
- 
  }
  
  /*
--- 231,236 ----
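Review bot: the diff arguments are reversed (`diff -rc auth.c auth.c.old`), so the fix appears as `-` lines and a plain `patch` run would remove the loginfailed() call rather than add it; regenerate with the old file first or apply with `patch -R`. Content-wise this is the auth.c hunk from the description with `options.verify_reverse_mapping`, which now matches the member name used in the auth1.c and auth2.c hunks.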
Comment 2 Ben Lindstrom 2002-04-06 08:32:45 AEST
And what should be the right patch?  Please use attachments.

- Ben
Comment 3 Darren Tucker 2002-06-21 23:43:55 AEST
Created attachment 116 [details]
Merge all previous patches and diff against -cvs
Comment 4 Darren Tucker 2002-06-21 23:56:01 AEST
I think I get it now: loginfailed() isn't called until the number of failures 
for a given child process is greater than AUTH_FAIL_MAX (currently defined as 
6). Since ssh gives up after 3 password attempts (plus a couple of public-key?), 
loginfailed is never called and the counter is never incremented. Reconnecting 
to sshd gives a new child and the count starts again. Repeat.

I've tested the above patch and confirmed working lockout with it (and lack 
thereof without) on AIX 4.3.3 ML0.

The code deleted from auth[12].c was marked with /* XXX: privsep */ but I'm not 
sure what this indicates. Clues?
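The accounting Darren describes above, modelled as an added example; this is not OpenSSH code and not part of any patch on this bug. It compares the two call sites for loginfailed(): the old one inside the `failures++ > AUTH_FAIL_MAX` check in auth[12].c, and the patched one in auth_log() on every failed password attempt. `AIX_LOGINRETRIES`, `loginfailed_stub()`, `simulate()`, `connections_until_lock()` and the user name are assumptions made for the illustration; `AUTH_FAIL_MAX` is 6 and the client's three password tries per connection are as stated in the comment.

```c
/* Added illustration, not OpenSSH code: models the failure accounting
 * discussed in bug 145. Names other than AUTH_FAIL_MAX are hypothetical. */
#include <stdio.h>
#include <string.h>

#define AUTH_FAIL_MAX 6          /* sshd's per-child limit, as quoted in the bug */
#define CLIENT_PASSWORD_TRIES 3  /* the ssh client gives up after 3 password prompts */
#define AIX_LOGINRETRIES 5       /* assumed AIX loginretries value */

/* Where loginfailed() is called from: the old placement inside the
 * AUTH_FAIL_MAX check in auth1.c/auth2.c, or the patched placement in
 * auth_log() on every failed password attempt. */
enum placement { OLD_AT_FAIL_MAX, NEW_PER_FAILURE };

/* Stand-in for AIX's per-user failed-login counter (the loginretries counter). */
static int aix_failed_logins;

/* Stand-in for AIX loginfailed(): record one failed login for the user. */
static void loginfailed_stub(const char *user)
{
    (void)user;
    aix_failed_logins++;
}

/* Per-connection state: every sshd child starts with failures == 0. */
struct authctxt {
    const char *user;
    int failures;
};

/* One failed authentication attempt inside a single child.
 * Returns 1 if the child disconnects the client (AUTH_FAIL_MAX exceeded). */
static int failed_attempt(struct authctxt *ctx, const char *method, enum placement p)
{
    /* Patched auth_log(): count every failed password attempt. */
    if (p == NEW_PER_FAILURE && strcmp(method, "password") == 0)
        loginfailed_stub(ctx->user);

    /* Unchanged by the patch: post-increment, so the disconnect fires on
     * the (AUTH_FAIL_MAX + 2)th failure of this child. */
    if (ctx->failures++ > AUTH_FAIL_MAX) {
        if (p == OLD_AT_FAIL_MAX)
            loginfailed_stub(ctx->user);   /* old code: the only call site */
        return 1;                          /* packet_disconnect() */
    }
    return 0;
}

/* Open `connections` separate sessions against the same account, each
 * sending `tries` wrong passwords and then reconnecting. Returns the
 * system-wide failed-login count afterwards. */
static int simulate(enum placement p, int connections, int tries)
{
    aix_failed_logins = 0;
    for (int c = 0; c < connections; c++) {
        struct authctxt ctx = { "victim", 0 };     /* new child, counter reset */
        for (int i = 0; i < tries; i++)
            if (failed_attempt(&ctx, "password", p))
                break;                             /* client was disconnected */
    }
    return aix_failed_logins;
}

/* Number of connections (of at most `cap`) it takes before the AIX counter
 * reaches loginretries, or 0 if the account never locks within the cap. */
static int connections_until_lock(enum placement p, int cap, int tries)
{
    aix_failed_logins = 0;
    for (int c = 1; c <= cap; c++) {
        struct authctxt ctx = { "victim", 0 };
        for (int i = 0; i < tries; i++) {
            int disconnected = failed_attempt(&ctx, "password", p);
            if (aix_failed_logins >= AIX_LOGINRETRIES)
                return c;
            if (disconnected)
                break;
        }
    }
    return 0;
}

int main(void)
{
    printf("old placement, 10 reconnects x 3 tries: AIX counter = %d\n",
           simulate(OLD_AT_FAIL_MAX, 10, CLIENT_PASSWORD_TRIES));
    printf("new placement, 10 reconnects x 3 tries: AIX counter = %d\n",
           simulate(NEW_PER_FAILURE, 10, CLIENT_PASSWORD_TRIES));
    printf("old placement, 1 connection x 8 tries:  AIX counter = %d\n",
           simulate(OLD_AT_FAIL_MAX, 1, 8));
    printf("new placement locks the account after %d connection(s)\n",
           connections_until_lock(NEW_PER_FAILURE, 10, CLIENT_PASSWORD_TRIES));
    return 0;
}
```

With the old placement a client that sends three passwords and reconnects never reaches the eighth failure in any one child, so the AIX counter stays at zero however many connections are made; only a single connection that keeps trying past AUTH_FAIL_MAX+1 ever records anything, and then only once. With the patched placement each wrong password is recorded, so with loginretries at the assumed 5 the account locks during the second connection.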
Comment 5 Ben Lindstrom 2002-07-05 04:11:53 AEST
Applied.  Reopen w/ new patch if more problems are found.
Comment 6 Ben Lindstrom 2002-07-05 04:12:16 AEST
Applied.  Reopen w/ new patch if more problems are found.
Comment 7 Berry Perzon 2002-07-10 19:27:50 AEST
*** Bug 349 has been marked as a duplicate of this bug. ***
Comment 8 Damien Miller 2004-04-14 12:24:18 AEST
Mass change of RESOLVED bugs to CLOSED