Openssh vs. unsuccessful_login_count on AIX

Gents,

I have an AIX 6.1 TL2 server using Quest/Vintela Authentication Services (QAS) for user authentication, and I'm also using an OpenSSH version provided by Quest (http://rc.quest.com/topics/openssh/).
When an AIX user's unsuccessful_login_count is greater than 5 the user is not able to log in via telnet, BUT if he tries to log in via SSH it works on the second try. The user's unsuccessful_login_count by the time that he tries to log in for the first time; at the time that he tries the second time, no trouble is found and he succeeds in logging in.

When running the SSH server in debug mode the following entries can be seen:

Accepted keyboard-interactive/lam for invalid user username from 127.0.0.1 port 39992 ssh2
debug3: AIX/setauthdb set registry 'VAS'
debug1: loginsuccess(): The file access permissions do not allow the specified action.
debug3: aix_restoreauthdb: restoring old registry ''
monitor_child_preauth: authenticated invalid user
debug1: do_cleanup
debug1: do_cleanup

In the syslog file the following can be seen:
Oct 2 13:05:05 servername auth|security:info sshd[409648]: Login restricted for username: There have been too many unsuccessful login attempts; please see \tthe system administrator.
Oct 2 13:05:05 servername auth|security:info sshd[409648]: Failed none for invalid user username from 127.0.0.1 port 40139 ssh2
Oct 2 13:05:11 servername auth|security:info sshd[409648]: vasaix: Authentication <succeeded> for <Active Directory> user: <username> account: <username@xxxxxxxxxxx> service: <AIX LAM> reason: <N/A>
Oct 2 13:05:11 servername auth|security:info sshd[409648]: Accepted keyboard-interactive/lam for invalid user username from 127.0.0.1 port 40139 ssh2
Oct 2 13:05:11 servername auth|security:crit sshd[409648]: fatal: monitor_child_preauth: authenticated invalid user

The logs show the user being validated by Vintela, but AIX doesn't let him in.
After this unsuccessful SSH operation the user's unsuccessful_login_count is set to 0 by SSH.

Now I ask the list: is the interaction between SSH and AIX supposed to be like that? I mean, was SSH supposed to ignore the unsuccessful_login_count on AIX and just reset it? If SSH is going to reset the user's unsuccessful_login_count, why is the user not able to log in on the first try?

Any reply will be greatly appreciated.

Best regards,

Jackson
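The syslog excerpt above has a pattern a defender would want to alert on: within one sshd process (same PID), "Login restricted ... too many unsuccessful login attempts" is followed by "Accepted keyboard-interactive/lam" for the same user, which is the point at which the count gets reset. The following detection script is an added example and is not code from the post, from OpenSSH or from Quest; the sample lines are constructed from the excerpt (the hostname, username and the masked account domain are placeholders), and the regular expressions assume the AIX syslog layout shown in the post (`Mon D HH:MM:SS host facility sshd[pid]: message`).

```python
import re

# Constructed sample log, modelled on the syslog excerpt in the post.
# Raw string so the literal "\t" in the restriction message is kept as-is.
SAMPLE_LOG = r"""Oct 2 13:05:05 servername auth|security:info sshd[409648]: Login restricted for username: There have been too many unsuccessful login attempts; please see \tthe system administrator.
Oct 2 13:05:05 servername auth|security:info sshd[409648]: Failed none for invalid user username from 127.0.0.1 port 40139 ssh2
Oct 2 13:05:11 servername auth|security:info sshd[409648]: vasaix: Authentication <succeeded> for <Active Directory> user: <username> account: <username@xxxxxxxxxxx> service: <AIX LAM> reason: <N/A>
Oct 2 13:05:11 servername auth|security:info sshd[409648]: Accepted keyboard-interactive/lam for invalid user username from 127.0.0.1 port 40139 ssh2
Oct 2 13:05:11 servername auth|security:crit sshd[409648]: fatal: monitor_child_preauth: authenticated invalid user
Oct 2 13:07:40 servername auth|security:info sshd[410221]: Accepted keyboard-interactive/lam for otheruser from 10.0.0.5 port 41000 ssh2
"""

# One sshd syslog line: timestamp, host, facility/priority, pid, message (assumed layout).
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<fac>\S+) "
    r"sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
# AIX loginrestrictions() refusal, as logged by sshd.
RESTRICT_RE = re.compile(r"^Login restricted for (?P<user>[^:]+): .*unsuccessful login attempts")
# Successful authentication; "invalid user" is optional because the post shows it present.
ACCEPT_RE = re.compile(
    r"^Accepted (?P<method>\S+) for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)"
)
# The privilege-separation monitor aborting the session after the reset has happened.
FATAL_RE = re.compile(r"^fatal: monitor_child_preauth: authenticated invalid user")


def parse_sshd_lines(log_text):
    """Yield (timestamp, pid, message) for every sshd line; other lines are skipped."""
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if m:
            yield m.group("ts"), m.group("pid"), m.group("msg")


def find_lockout_bypass(log_text):
    """Return one finding per sshd PID where a user refused by loginrestrictions()
    is later accepted by the same process (the sequence in which the counter is reset)."""
    restricted = {}  # pid -> (user, timestamp of the refusal)
    hits = {}        # pid -> finding
    for ts, pid, msg in parse_sshd_lines(log_text):
        r = RESTRICT_RE.match(msg)
        if r:
            restricted[pid] = (r.group("user"), ts)
            continue
        a = ACCEPT_RE.match(msg)
        if a and pid in restricted and restricted[pid][0] == a.group("user"):
            user, restricted_at = restricted[pid]
            hits[pid] = {
                "pid": pid,
                "user": user,
                "ip": a.group("ip"),
                "method": a.group("method"),
                "restricted_at": restricted_at,
                "accepted_at": ts,
                "session_dropped": False,  # flipped if the monitor kills the session
            }
            continue
        if pid in hits and FATAL_RE.match(msg):
            hits[pid]["session_dropped"] = True
    return list(hits.values())


if __name__ == "__main__":
    for hit in find_lockout_bypass(SAMPLE_LOG):
        print(
            f"pid {hit['pid']}: user {hit['user']} from {hit['ip']} was restricted at "
            f"{hit['restricted_at']} but accepted via {hit['method']} at {hit['accepted_at']} "
            f"(session dropped: {hit['session_dropped']})"
        )
```

A single finding here is the signal that the lockout counter was cleared even though the session itself was torn down; a second "Accepted" for the same user from a later PID without any "Login restricted" line is what the successful second attempt in the post would look like, so pairing the finding with the next login of that user is a natural follow-up query.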
