Re: sshd "none" method authentication


I tried "PermitEmptyPasswords no" and the failure count did not increase. Unfortunately, our server has to use "PermitEmptyPasswords yes" for some user access. Hence we need to find another solution to inform the OS of the success of the pubkey authentication so that the failure count will be reset for a successful pubkey authentication. It would be great if this solution can be implemented in OpenSSH.


--- On Thu, 6/26/08, Darren Tucker <dtucker@xxxxxxxxxx> wrote:

From: Darren Tucker <dtucker@xxxxxxxxxx>
Subject: Re: sshd "none" method authentication
To: "wc wong" <jwc_wong@xxxxxxxxx>
Cc: secureshell@xxxxxxxxxxxxxxxxx
Date: Thursday, June 26, 2008, 3:19 PM
On Thu, Jun 26, 2008 at 01:11:46PM -0700, wc wong wrote:
Thanks Darren.

Yes, we are using PAM.

I'll try "PermitEmptyPasswords no" to
see if it can resolve the
failure count issue.

One more problem, I found is that when I use
authentication by
password, though the failure count incremented by one
with the
none-method, the count is reset with the success of
the password
authentication. This is not the case when I use
publickey authentication,
the count is not reset with the success of the
publickey authentication.

The problem here is that pubkey authentication doesn't
occur through
PAM, and I don't know a good general solution to this.
no way for an application to say to PAM "this login is
good, even
though PAM didn't say so").

If the module in question also implements the session part
of the
stack, you could try that (add "session required")
and it may work, but it will depend on the PAM module.

Darren Tucker (dtucker at
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7
8FF4 FA69
Good judgement comes with experience. Unfortunately,
the experience
usually comes from bad judgement.