login about faq

So we want to have the following scenerio: User logs in using pam only. Use pam_tally2.so to count login attempts Lock account after 3 failed login attempts

Our current settings only do the following: You fail the login intentionally 3 times.
It prompts saying you've been locked out due to 3 failures. You put in the proper password and it says you've been denied using PAM authentication You put in the proper password again and it allows you in.


++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ debug: server offers auth methods 'gssapi-with-mic,password,publickey,keyboard-interactive'. debug: Ssh2AuthKbdInteractiveClient/authc-kbd-interactive.c:342/ssh_client_auth_kbd_interact: Starting kbd-int auth... Keyboard-interactive: Account locked due to 12 failed logins debug: Ssh2AuthKbdInteractiveClient/authc-kbd-interactive.c:244/ssh_kbd_send_response_packet: Sending response packet. Keyboard-interactive: PAM Authentication Password: debug: Ssh2AuthKbdInteractiveClient/authc-kbd-interactive.c:244/ssh_kbd_send_response_packet: Sending response packet. Keyboard-interactive: Password Authentication: testuser's password: debug: Ssh2AuthKbdInteractiveClient/authc-kbd-interactive.c:244/ssh_kbd_send_response_packet: Sending response packet. debug: Ssh2Common/sshcommon.c:300/ssh_common_special: Received SSH_CROSS_AUTHENTICATED packet from connection protocol. debug: SshReadLine/sshreadline.c:2485/ssh_readline_eloop_uninitialize: Uninitializing ReadLine... Authentication successful. debug: Ssh2Common/sshcommon.c:855/ssh_common_new_channel: num_channels now 1 debug: Ssh2ChannelSession/sshchsession.c:2726/ssh_channel_start_session_completion: Requesting pty debug: Ssh2ChannelSession/sshchsession.c:2898/ssh_channel_start_session_completion: Requesting shell ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Example of our file /etc/pam.d/ssh-server-g3 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

auth required pam_tally2.so deny=3 onerr=fail auth include common-auth account required pam_nologin.so account required pam_tally2.so account include common-account password include common-password session include common-session


/etc/ssh-server-config.xml peaces

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ <settings windows-logon-type="interactive" pam-account-checking-only="yes"/> <pluggable-authentication-modules service-name="ssh-server-g3" pam-calls-with-commands="no"/> +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

What are we doing wrong?

asked Jul 21 '11 at 00:23

Caleb's gravatar image


edited Sep 21 '11 at 16:50

SSH%20KB's gravatar image


What version of Tectia do you have?

In the syslog, before those messages, do you see other authentication methods failing for this user? For instance, the user could have a number of public keys that are tried before going to pam authentication. Also, the server is offering GSSAPI (Kerberos) authentication - if you are not using GSSAPI/Kerberos, you could disable this method in the server configuration to avoid failed authentication attempts.

The client user could try to log in using just keyboard-interactive method. Details depend on client version, but with Tectia 6.x you could try the command line option "sshg3 -oAllowedauthentications=keyboard-interactive user@server"


answered Jul 22 '11 at 17:54

Jan's gravatar image

Jan ♦

Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here



Answers and Comments

Markdown Basics

  • *italic* or __italic__
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported



Asked: Jul 21 '11 at 00:23

Seen: 7,072 times

Last updated: Sep 21 '11 at 16:50

All user contributed content licensed under the cc-by-sa license.
Powered by OSQA.