Re: sshd "none" method authentication


I tried "PermitEmptyPasswords no" and the failure count did not increase. Unfortunately, our server has to use "PermitEmptyPasswords yes" for some user access. Hence we need to find another solution to inform the OS of the success of the pubkey authentication so that the failure count will be reset for a successful pubkey authentication. It would be great if this solution can be implemented in OpenSSH.


--- On Thu, 6/26/08, Darren Tucker <dtucker@xxxxxxxxxx> wrote:

From: Darren Tucker <dtucker@xxxxxxxxxx>
Subject: Re: sshd "none" method authentication
To: "wc wong" <jwc_wong@xxxxxxxxx>
Cc: secureshell@xxxxxxxxxxxxxxxxx
Date: Thursday, June 26, 2008, 3:19 PM
On Thu, Jun 26, 2008 at 01:11:46PM -0700, wc wong wrote:
Thanks Darren.

Yes, we are using PAM.

I'll try "PermitEmptyPasswords no" to
see if it can resolve the
failure count issue.

One more problem, I found is that when I use
authentication by
password, though the failure count incremented by one
with the
none-method, the count is reset with the success of
the password
authentication. This is not the case when I use
publickey authentication,
the count is not reset with the success of the
publickey authentication.

The problem here is that pubkey authentication doesn't
occur through
PAM, and I don't know a good general solution to this.
no way for an application to say to PAM "this login is
good, even
though PAM didn't say so").

If the module in question also implements the session part
of the
stack, you could try that (add "session required")
and it may work, but it will depend on the PAM module.

Darren Tucker (dtucker at
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7
8FF4 FA69
Good judgement comes with experience. Unfortunately,
the experience
usually comes from bad judgement.

Relevant Pages

  • Re: OpenSSH and pam_krb5
    ... > with GSSAPI and PAM authentication. ... this data is present in a separate process (the "authentication ... application (ie sshd). ...
  • Re: PHKs MD5 might not be slow enough anymore
    ... It does not disable password authentication. ... It disables the SSH ... most people *do* need PAM. ... And, just to be safe, also turn off the challenge-response ...
  • Re: Solaris 9 authentication and access control into Active Directory
    ... implement a user within your Active Directory for the machine, ... As others have mentioned there's PAM samba SMB integration. ... Recently I've been using LDAP authentication. ...
  • Re: Understanding LDAP or MS Active Directory authenticationand Informix
    ... Hopefully we can upgrade to IDS 10 once Orrible certs PeopleSoft Tools ... Understanding LDAP or MS Active ... I know the LDAP support is through PAM. ... when you make the authentication call to the OS, ...
  • Re: alternatives to NIS and NFS
    ... >> I have been having some hassles with NIS and would like to upgrade to ... > For authentication, ... > OSX should be able to authenticate against LDAP. ... Authentication in Linux is done via the PAM library, ...