Bug 908 - AIX OpenSSH allows too many failing login attempts
Summary: AIX OpenSSH allows too many failing login attempts
Status: ASSIGNED
Alias: None
Product: Portable OpenSSH
Classification: Unclassified
Component: sshd
Version: -current
Hardware: All AIX
Importance: P2 normal
Assignee: OpenSSH Bugzilla mailing list
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2004-07-31 09:22 AEST by Matt Small
Modified: 2010-06-04 20:42 AEST (History)

See Also:


Attachments
proposed patch (961 bytes, patch)
2004-07-31 09:24 AEST, Matt Small

Description Matt Small 2004-07-31 09:22:22 AEST
AIX allows per-user definitions for the maximum number of allowed login attempts
(defaulting to 3).  After that limit has been exceeded, the user is locked out,
and must be unlocked by an administrator.

Through OpenSSH, it is possible to get around this restriction, and make
additional login attempts.

To reproduce (assuming the system locks an account after 3 total failed
attempts, and assuming you have 3 attempts per ssh connection):
- start an ssh connection, fail your login twice, and exit out
- start a new session, fail twice, then enter the correct password, and you will
be accepted into the system (note that there were 4 failed attempts before the
successful login)
I believe the problem lies in how OpenSSH determines login permissions.  There
is an initial check made to ensure that the user can log in, but after that no
additional checks are made.  And once a successful login is made, the counter is
reset, incorrectly allowing future logins.

To fix this, the loginrestrictions() function (AIX-specific) needs to be checked
before each login attempt (_before_ a login is accepted).
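The interaction the report describes, written out as an added example (this is not OpenSSH or AIX code). It models AIX's persistent per-user failure counter alongside sshd's per-connection attempt limit, using the values the report assumes (3 failures lock the account, 3 attempts per connection). `login_allowed()` and `try_password()` are stand-ins for `loginrestrictions()` and `authenticate()` with the semantics stated above: a failure increments the counter, a success resets it. `run_session()` can consult the restriction once at connection start (the behaviour reported) or before every attempt (the proposed fix), and `reproduce()` replays the two-connection sequence from the report.

```c
/*
 * Model of the AIX lockout bypass: a persistent per-user failure counter
 * versus sshd's per-connection attempt limit.
 * Added example; not OpenSSH or AIX code. The stand-in functions mirror
 * the semantics the report gives for loginrestrictions()/authenticate().
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define LOGINRETRIES       3   /* per-user failed-login limit assumed in the report */
#define MAX_PER_CONNECTION 3   /* attempts per ssh connection assumed in the report */

struct account {
    const char *password;
    int unsuccessful_login_count;  /* persistent across connections, like AIX's */
    int failures_seen;             /* running total, never reset; for observation only */
};

/* Stand-in for loginrestrictions(): may this user still attempt a login? */
static bool login_allowed(const struct account *a)
{
    return a->unsuccessful_login_count < LOGINRETRIES;
}

/* Stand-in for authenticate(): one password check that updates the counter. */
static bool try_password(struct account *a, const char *pw)
{
    if (strcmp(pw, a->password) == 0) {
        a->unsuccessful_login_count = 0;   /* success resets the counter */
        return true;
    }
    a->unsuccessful_login_count++;
    a->failures_seen++;
    return false;
}

/*
 * One ssh connection presenting up to MAX_PER_CONNECTION passwords.
 * check_each_attempt == false: the restriction is consulted once, at
 * connection start (the behaviour the report describes).
 * check_each_attempt == true: consulted before every attempt (the fix).
 * Returns true if the client is granted access.
 */
static bool run_session(struct account *a, const char *const *pws, size_t n,
                        bool check_each_attempt)
{
    if (!login_allowed(a))
        return false;               /* the initial check both variants make */
    if (n > MAX_PER_CONNECTION)
        n = MAX_PER_CONNECTION;
    for (size_t i = 0; i < n; i++) {
        if (check_each_attempt && !login_allowed(a))
            return false;           /* counter crossed the limit mid-connection */
        if (try_password(a, pws[i]))
            return true;
    }
    return false;                   /* client disconnected or ran out of attempts */
}

/*
 * The report's reproduction: fail twice and disconnect, then fail twice
 * and supply the correct password. Returns whether the second connection
 * was granted access; *out receives the account state afterwards.
 */
static bool reproduce(bool fixed, struct account *out)
{
    struct account acct = { "correct-horse", 0, 0 };   /* constructed sample account */
    const char *first[]  = { "wrong", "wrong" };
    const char *second[] = { "wrong", "wrong", "correct-horse" };

    run_session(&acct, first, 2, fixed);
    bool granted = run_session(&acct, second, 3, fixed);
    if (out)
        *out = acct;
    return granted;
}

int main(void)
{
    struct account a;
    bool granted = reproduce(false, &a);
    printf("initial check only:        granted=%d failures=%d counter=%d\n",
           granted, a.failures_seen, a.unsuccessful_login_count);
    granted = reproduce(true, &a);
    printf("check before each attempt: granted=%d failures=%d counter=%d\n",
           granted, a.failures_seen, a.unsuccessful_login_count);
    return 0;
}
```

With the single initial check, the second connection is granted after four failures in total and the counter is reset to zero, which is exactly the outcome the report describes. Checking before each attempt denies the third failure's successor, so the correct password is never tried and the counter stays at the limit until an administrator clears it.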
Comment 1 Matt Small 2004-07-31 09:24:58 AEST
Created attachment 696 [details]
proposed patch

With excellent comments and suggestions from Darren Tucker on my initial
version, this is a much improved patch (thankfully, the original need not see
the light of day).

It's against the 20040730 snapshot, and I've tested it on AIX 5.1.
Comment 2 Darren Tucker 2004-08-12 21:51:59 AEST
I just tried that on 5.2 but it still allows the login after locking out the
account via telnet.  I suspect there's some kind of caching going on, but
neither setpwent/endpwent nor setuserdb/enduserdb make a difference.
Comment 3 Matt Richards 2010-06-04 20:42:16 AEST
Many years ago, I had a patch which used loginrestrictions and the AIX authenticate function which was incorporated into the source. Since then it seems to be only available with compile flag -DCUSTOM_FAILED_LOGIN. It does honor login restrictions. Basically acts as telnet (i.e. resetting the failed login if under the limit of failed logins).