Bug 2633 - Provide hook invoked for login failures
Summary: Provide hook invoked for login failures
Status: CLOSED WONTFIX
Alias: None
Product: Portable OpenSSH
Classification: Unclassified
Component: sshd
Version: 7.3p1
Hardware: Other Linux
Importance: P5 enhancement
Assignee: Assigned to nobody
Reported: 2016-10-27 05:03 AEDT by Josh Triplett
Modified: 2021-04-23 15:08 AEST

Description Josh Triplett 2016-10-27 05:03:41 AEDT
Many different scripts exist to parse the log output of sshd and attempt to block sources of excessive failed login attempts.  Most such scripts involve fragile, easily-misled text parsing.

Please consider adding a standard hook, configurable in sshd_config, invoked by sshd when a login fails.  That hook should receive the source IP address for the connection, and the login type(s) attempted and failed (not those not attempted), so that it can decide (for instance) to have different thresholds for password attempts/failures and key-based failures.
Comment 1 Damien Miller 2019-07-19 15:17:46 AEST
I suggest that you investigate the Linux audit API. OpenSSH has supported this for a while and it does notify failed authentication attempts via linux_audit_record_event().
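The audit route suggested in Comment 1, sketched as an added example that is not part of the original comments or of OpenSSH: it reads audit records as key=value fields rather than free-text syslog lines and flags source addresses with repeated failed logins. The record type (USER_LOGIN), the field names (acct, exe, addr, res) and the hex-encoded account name are assumptions about how libaudit writes these events; the sample lines are constructed, and `parse_record` and `sources_over_threshold` are hypothetical names.

```python
import re
from collections import defaultdict

# Constructed sample records (documentation-range addresses). Layout assumed to
# match libaudit USER_LOGIN events; line 3 carries a hex-encoded account name.
SAMPLE_LOG = """\
type=USER_LOGIN msg=audit(1477504983.101:501): pid=4101 uid=0 msg='op=login acct="root" exe="/usr/sbin/sshd" hostname=? addr=203.0.113.5 terminal=ssh res=failed'
type=USER_LOGIN msg=audit(1477504985.220:502): pid=4102 uid=0 msg='op=login acct="admin" exe="/usr/sbin/sshd" hostname=? addr=203.0.113.5 terminal=ssh res=failed'
type=USER_LOGIN msg=audit(1477504990.007:503): pid=4103 uid=0 msg='op=login acct=6120616464723D3139382E35312E3130302E39 exe="/usr/sbin/sshd" hostname=? addr=203.0.113.5 terminal=ssh res=failed'
type=USER_LOGIN msg=audit(1477504991.400:504): pid=4104 uid=0 msg='op=login acct="alice" exe="/usr/sbin/sshd" hostname=? addr=198.51.100.9 terminal=ssh res=success'
type=USER_LOGIN msg=audit(1477504995.310:505): pid=4105 uid=0 msg='op=login acct="bob" exe="/usr/sbin/sshd" hostname=? addr=192.0.2.77 terminal=ssh res=failed'
type=USER_LOGIN msg=audit(1477505200.120:506): pid=4106 uid=0 msg='op=login acct="bob" exe="/usr/sbin/sshd" hostname=? addr=192.0.2.77 terminal=ssh res=failed'
"""

RECORD = re.compile(r"^type=(\S+) msg=audit\((\d+)\.\d+:\d+\): (.*)$")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_record(line):
    """Return (type, epoch_seconds, fields) for one audit line, or None."""
    m = RECORD.match(line.strip())
    if not m:
        return None
    rtype, ts, body = m.groups()
    # The fields written by the logging program sit in the trailing msg='...'.
    payload = body.partition(" msg='")[2].rstrip("'")
    fields = {k: v.strip('"') for k, v in FIELD.findall(payload)}
    return rtype, int(ts), fields

def sources_over_threshold(log_text, threshold=3, window=60):
    """Addresses with >= threshold failed sshd logins inside `window` seconds."""
    times = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        rtype, ts, f = rec
        if (rtype == "USER_LOGIN" and f.get("exe", "").endswith("/sshd")
                and f.get("res") == "failed" and f.get("addr", "?") != "?"):
            times[f["addr"]].append(ts)
    flagged = set()
    for addr, stamps in times.items():
        stamps.sort()
        for i in range(len(stamps) - threshold + 1):
            if stamps[i + threshold - 1] - stamps[i] <= window:
                flagged.add(addr)
                break
    return sorted(flagged)

if __name__ == "__main__":
    print(sources_over_threshold(SAMPLE_LOG))
```

The third sample record has an account name that decodes to text containing `addr=198.51.100.9`; because the value arrives as a single encoded token, the parser still attributes the failure to the real `addr` field.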
Comment 2 Damien Miller 2021-04-23 15:08:42 AEST
closing resolved bugs as of 8.6p1 release