So we want to have the following scenario:
- User logs in using PAM only.
- Use pam_tally2.so to count login attempts.
- Lock account after 3 failed login attempts.
Our current settings only do the following:
You fail the login intentionally 3 times.
EXAMPLE CLI OUTPUT:
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
debug: server offers auth methods 'gssapi-with-mic,password,publickey,keyboard-interactive'.
debug: Ssh2AuthKbdInteractiveClient/authc-kbd-interactive.c:342/ssh_client_auth_kbd_interact: Starting kbd-int auth...
Keyboard-interactive: Account locked due to 12 failed logins
debug: Ssh2AuthKbdInteractiveClient/authc-kbd-interactive.c:244/ssh_kbd_send_response_packet: Sending response packet.
Keyboard-interactive: PAM Authentication Password:
debug: Ssh2AuthKbdInteractiveClient/authc-kbd-interactive.c:244/ssh_kbd_send_response_packet: Sending response packet.
Keyboard-interactive: Password Authentication: testuser's password:
debug: Ssh2AuthKbdInteractiveClient/authc-kbd-interactive.c:244/ssh_kbd_send_response_packet: Sending response packet.
debug: Ssh2Common/sshcommon.c:300/ssh_common_special: Received SSH_CROSS_AUTHENTICATED packet from connection protocol.
debug: SshReadLine/sshreadline.c:2485/ssh_readline_eloop_uninitialize: Uninitializing ReadLine...
Authentication successful.
debug: Ssh2Common/sshcommon.c:855/ssh_common_new_channel: num_channels now 1
debug: Ssh2ChannelSession/sshchsession.c:2726/ssh_channel_start_session_completion: Requesting pty
debug: Ssh2ChannelSession/sshchsession.c:2898/ssh_channel_start_session_completion: Requesting shell
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Example of our file /etc/pam.d/ssh-server-g3
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
auth     required  pam_tally2.so deny=3 onerr=fail
auth     include   common-auth
account  required  pam_nologin.so
account  required  pam_tally2.so
account  include   common-account
password include   common-password
session  include   common-session
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
<settings windows-logon-type="interactive" pam-account-checking-only="yes"/>
<pluggable-authentication-modules service-name="ssh-server-g3" pam-calls-with-commands="no"/>
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
What are we doing wrong?
What version of Tectia do you have?
In the syslog, before those messages, do you see other authentication methods failing for this user? For instance, the user could have a number of public keys that are tried before going to pam authentication. Also, the server is offering GSSAPI (Kerberos) authentication - if you are not using GSSAPI/Kerberos, you could disable this method in the server configuration to avoid failed authentication attempts.
The client user could try to log in using just the keyboard-interactive method. Details depend on the client version, but with Tectia 6.x you could try the command line option "sshg3 -oAllowedauthentications=keyboard-interactive user@server"
answered Jul 22 '11 at 17:54
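One way to do the syslog check the answer suggests, as an added example that is not part of the question or the answer above: a small Python script that walks syslog lines, picks out what pam_tally2 logged for each user, and reports the current tally against the deny threshold. It assumes the standard pam_tally2 syslog message format ("pam_tally2(<service>:auth): user <name> (<uid>) tally <n>, deny <d>") and the fact that pam_tally2 denies once the tally exceeds deny; the log lines embedded below are constructed, not captured from a real host, and the hostname, PIDs and UIDs in them are made up.

```python
"""Summarise pam_tally2 syslog entries per user (added example, not from the page).

Assumes the standard pam_tally2 syslog line
    pam_tally2(<service>:auth): user <name> (<uid>) tally <n>, deny <d>
which the module writes for every failed attempt it counts.
"""
import re

# Fields pam_tally2 puts in its syslog message (format assumed, see docstring).
TALLY_RE = re.compile(
    r"pam_tally2\((?P<service>[^:]+):(?P<type>\w+)\): "
    r"user (?P<user>\S+) \((?P<uid>\d+)\) tally (?P<tally>\d+), deny (?P<deny>\d+)"
)

# The text pam_tally2 sends back through the PAM conversation (seen in the
# question's client output as "Keyboard-interactive: Account locked due to ...").
LOCK_MSG_RE = re.compile(r"Account locked due to (\d+) failed logins")

# Constructed sample syslog excerpt; hostnames, PIDs and UIDs are invented.
SAMPLE_LOG = """\
Jul 22 17:40:01 host sshd-g3[2201]: pam_tally2(ssh-server-g3:auth): user testuser (1001) tally 1, deny 3
Jul 22 17:40:05 host sshd-g3[2201]: pam_tally2(ssh-server-g3:auth): user testuser (1001) tally 2, deny 3
Jul 22 17:40:09 host sshd-g3[2201]: pam_tally2(ssh-server-g3:auth): user testuser (1001) tally 3, deny 3
Jul 22 17:40:13 host sshd-g3[2201]: pam_tally2(ssh-server-g3:auth): user testuser (1001) tally 4, deny 3
Jul 22 17:41:00 host login[2300]: pam_tally2(login:auth): user alice (1002) tally 1, deny 3
"""


def tally_state(log_text):
    """Return {user: {"tally": n, "deny": d, "locked": bool, "services": [...]}}.

    Only "auth" entries are counted; the "account" call of pam_tally2 does
    not log a tally line.  A user is reported as locked when the highest
    tally seen exceeds deny, which is the condition pam_tally2 itself uses
    (tally == deny still leaves one more attempt).
    """
    state = {}
    for line in log_text.splitlines():
        m = TALLY_RE.search(line)
        if not m or m.group("type") != "auth":
            continue
        user = m.group("user")
        tally, deny = int(m.group("tally")), int(m.group("deny"))
        entry = state.setdefault(user, {"tally": 0, "deny": deny, "services": []})
        entry["tally"] = max(entry["tally"], tally)
        entry["deny"] = deny
        if m.group("service") not in entry["services"]:
            entry["services"].append(m.group("service"))
        entry["locked"] = entry["tally"] > entry["deny"]
    return state


def locked_count_from_client_output(text):
    """Pull the failed-login count out of a client transcript, or None."""
    m = LOCK_MSG_RE.search(text)
    return int(m.group(1)) if m else None


def report(log_text):
    """Human-readable one line per user."""
    lines = []
    for user, e in sorted(tally_state(log_text).items()):
        status = "LOCKED" if e["locked"] else "ok"
        lines.append(
            f"{user}: tally {e['tally']} (deny {e['deny']}) {status} "
            f"via {','.join(e['services'])}"
        )
    return lines


if __name__ == "__main__":
    # Run against the constructed sample; pipe real syslog in via stdin instead.
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    print("\n".join(report(text)))
```

Run it as `grep pam_tally2 /var/log/auth.log | python3 tally_report.py` on the server (the file name is whatever you save it as), then compare the tally it reports with `pam_tally2 --user testuser`; if the counter is already above deny before you start the intentional failures, earlier attempts by another method or service are being counted, which is the situation the answer asks about.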