
So we want to have the following scenario:
User logs in using PAM only.
Use pam_tally2.so to count login attempts.
Lock account after 3 failed login attempts.

Our current settings only do the following:
1. You fail the login intentionally 3 times.
2. It prompts saying you've been locked out due to 3 failures.
3. You put in the proper password and it says you've been denied using PAM authentication.
4. You put in the proper password again and it allows you in.

EXAMPLE CLI OUTPUT:

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
debug: server offers auth methods 'gssapi-with-mic,password,publickey,keyboard-interactive'.
debug: Ssh2AuthKbdInteractiveClient/authc-kbd-interactive.c:342/ssh_client_auth_kbd_interact: Starting kbd-int auth...
Keyboard-interactive: Account locked due to 12 failed logins
debug: Ssh2AuthKbdInteractiveClient/authc-kbd-interactive.c:244/ssh_kbd_send_response_packet: Sending response packet.
Keyboard-interactive: PAM Authentication
Password:
debug: Ssh2AuthKbdInteractiveClient/authc-kbd-interactive.c:244/ssh_kbd_send_response_packet: Sending response packet.
Keyboard-interactive: Password Authentication:
testuser's password:
debug: Ssh2AuthKbdInteractiveClient/authc-kbd-interactive.c:244/ssh_kbd_send_response_packet: Sending response packet.
debug: Ssh2Common/sshcommon.c:300/ssh_common_special: Received SSH_CROSS_AUTHENTICATED packet from connection protocol.
debug: SshReadLine/sshreadline.c:2485/ssh_readline_eloop_uninitialize: Uninitializing ReadLine...
Authentication successful.
debug: Ssh2Common/sshcommon.c:855/ssh_common_new_channel: num_channels now 1
debug: Ssh2ChannelSession/sshchsession.c:2726/ssh_channel_start_session_completion: Requesting pty
debug: Ssh2ChannelSession/sshchsession.c:2898/ssh_channel_start_session_completion: Requesting shell
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Example of our file /etc/pam.d/ssh-server-g3:

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
auth     required  pam_tally2.so deny=3 onerr=fail
auth     include   common-auth
account  required  pam_nologin.so
account  required  pam_tally2.so
account  include   common-account
password include   common-password
session  include   common-session
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

/etc/ssh-server-config.xml pieces:

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
<settings windows-logon-type="interactive" pam-account-checking-only="yes"/>
<pluggable-authentication-modules service-name="ssh-server-g3" pam-calls-with-commands="no"/>
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

What are we doing wrong?

asked Jul 21 '11 at 00:23 by Caleb

edited Sep 21 '11 at 16:50 by SSH KB ♦


What version of Tectia do you have?

In the syslog, before those messages, do you see other authentication methods failing for this user? For instance, the user could have a number of public keys that are tried before going to pam authentication. Also, the server is offering GSSAPI (Kerberos) authentication - if you are not using GSSAPI/Kerberos, you could disable this method in the server configuration to avoid failed authentication attempts.

The client user could try to log in using just the keyboard-interactive method. Details depend on the client version, but with Tectia 6.x you could try the command line option "sshg3 -oAllowedauthentications=keyboard-interactive user@server".

answered Jul 22 '11 at 17:54 by Jan ♦
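As an added example (not part of the question or of Jan's answer), here is a small POSIX shell helper that reads the pam_tally2 failure counter for a user and compares it with the deny= threshold from the question's /etc/pam.d/ssh-server-g3. It parses a constructed sample of `pam_tally2 --user` output so it runs without PAM installed; the user name testuser, the deny=3 setting and the count of 12 come from the question, while the timestamp and source address in the sample are made up. The failures-per-attempt ratio is the quick check behind Jan's syslog question: 3 intentional failures showing up as 12 counted failures means each login attempt is producing several PAM failures, so something other than the typed password is being counted.

```shell
#!/bin/sh
# Added example: inspect a pam_tally2 counter against the deny= threshold.
# Not code from the original question or answer.

DENY=3          # the "deny=3" value in the question's pam_tally2 auth line
ATTEMPTS=3      # the number of intentional failed logins from the question

# Constructed sample of `pam_tally2 --user testuser` output (the 12 is from
# the question's "Account locked due to 12 failed logins"; date/IP made up).
SAMPLE_TALLY='Login           Failures Latest failure     From
testuser            12    07/21/11 00:10:33  192.0.2.10'

# tally_failures USER OUTPUT: print the Failures column for USER, or nothing
# if USER has no row (the header line never matches a real user name).
tally_failures() {
    printf '%s\n' "$2" | awk -v u="$1" '$1 == u { print $2 }'
}

# tally_state FAILURES DENY: "locked" once the counter reaches deny=, else "ok".
tally_state() {
    if [ "$1" -ge "$2" ]; then echo locked; else echo ok; fi
}

# failures_per_attempt FAILURES ATTEMPTS: how many counted failures each
# interactive login produced; 1 is expected, more means other methods are
# being counted before the password prompt.
failures_per_attempt() {
    echo $(( $1 / $2 ))
}

# live_tally USER: use the real tool when it is installed (needs root to read
# /var/log/tallylog), otherwise fall back to the constructed sample.
live_tally() {
    if command -v pam_tally2 >/dev/null 2>&1; then
        pam_tally2 --user "$1"
    else
        printf '%s\n' "$SAMPLE_TALLY"
    fi
}

main() {
    out=$(live_tally testuser)
    f=$(tally_failures testuser "$out")
    echo "testuser: failures=$f state=$(tally_state "$f" "$DENY")"
    echo "counted failures per intentional attempt: $(failures_per_attempt "$f" "$ATTEMPTS")"
    # To clear the counter after the cause is found (real pam_tally2 option):
    #   pam_tally2 --user testuser --reset
}

[ "${0##*/}" = "tally_check.sh" ] && main
```

Because the account line `account required pam_tally2.so` only resets the counter after a successful authentication, the counter keeps growing while unrelated methods fail, which is why checking the ratio before resetting is worthwhile.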


All user contributed content licensed under the cc-by-sa license.
Powered by OSQA.