Openssh vs. unsuccessful_login_count on AIX
- From: Jackson <jakrainer@xxxxxxxxx>
- Date: Fri, 2 Oct 2009 06:28:52 -0700 (PDT)
I have an AIX 6.1 TL2 server using Quest/Vintela Authentication Services (QAS) for user authentication and I'm also using an openssh version provided by Quest (http://rc.quest.com/topics/openssh/).
When an AIX user's unsuccessful_login_count is greater than 5 the user is not able to login via telnet BUT if he tries to login via SSH it works on the second try. The user's unsuccessful_login_count by the time that he tries to login for the first time, at the time that he tries the second time, no troubles are found and he succeeds in logging in.
When running the SSH server on debug mode the following entries can be seen:
Accepted keyboard-interactive/lam for invalid user username from 127.0.0.1 port 39992 ssh2
debug3: AIX/setauthdb set registry 'VAS'
debug1: loginsuccess(): The file access permissions do not allow the specified action.
debug3: aix_restoreauthdb: restoring old registry ''
monitor_child_preauth: authenticated invalid user
On the syslog file the following can be seen:
Oct 2 13:05:05 servername auth|security:info sshd: Login restricted for username: There have been too many unsuccessful login attempts; please see \tthe system administrator.
Oct 2 13:05:05 servername auth|security:info sshd: Failed none for invalid user username from 127.0.0.1 port 40139 ssh2
Oct 2 13:05:11 servername auth|security:info sshd: vasaix: Authentication <succeeded> for <Active Directory> user: <username> account: <username@xxxxxxxxxxx> service: <AIX LAM> reason: <N/A>
Oct 2 13:05:11 servername auth|security:info sshd: Accepted keyboard-interactive/lam for invalid user username from 127.0.0.1 port 40139 ssh2
Oct 2 13:05:11 servername auth|security:crit sshd: fatal: monitor_child_preauth: authenticated invalid user
The logs show the user being validated by Vintela but AIX doesn't let him in.
After this SSH unsuccessful operation the user's unsuccessful_login_count is set to 0 by SSH.
Now I ask the list: Is the interaction between SSH and AIX supposed to be like that, I mean, was SSH supposed to ignore the unsuccessful_login_count on AIX and just reset it? If SSH is going to reset the user's unsuccessful_login_count, why is the user not able to login on the first try?
Any reply will be greatly appreciated.
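As an added example (not part of the original post), a small Python check that scans sshd syslog lines for the sequence described above: a "Login restricted ... too many unsuccessful login attempts" message for a user followed by an "Accepted" for that same user. The sample log is constructed from the excerpt in the post plus one extra, later line; hostnames and addresses are placeholders.

```python
import re

# Constructed sample, modelled on the syslog excerpt in the post above.
# The last line is an added, later acceptance without the "invalid user" marker.
SAMPLE_SYSLOG = r"""
Oct 2 13:05:05 servername auth|security:info sshd: Login restricted for username: There have been too many unsuccessful login attempts; please see \tthe system administrator.
Oct 2 13:05:05 servername auth|security:info sshd: Failed none for invalid user username from 127.0.0.1 port 40139 ssh2
Oct 2 13:05:11 servername auth|security:info sshd: vasaix: Authentication <succeeded> for <Active Directory> user: <username> account: <username@xxxxxxxxxxx> service: <AIX LAM> reason: <N/A>
Oct 2 13:05:11 servername auth|security:info sshd: Accepted keyboard-interactive/lam for invalid user username from 127.0.0.1 port 40139 ssh2
Oct 2 13:05:11 servername auth|security:crit sshd: fatal: monitor_child_preauth: authenticated invalid user
Oct 2 13:07:00 servername auth|security:info sshd: Accepted keyboard-interactive/lam for username from 127.0.0.1 port 40201 ssh2
"""

# "Login restricted for <user>:" as AIX sshd logs it
RESTRICTED_RE = re.compile(r"sshd: Login restricted for ([^:\s]+):")
# "Accepted <method> for [invalid user] <user> from <addr> port <port>"
ACCEPTED_RE = re.compile(
    r"sshd: Accepted \S+ for (?:invalid user )?(\S+) from (\S+) port (\d+)"
)


def find_lockout_bypasses(log_text):
    """Return (user, source_addr, port, line_no) for every sshd 'Accepted'
    that follows a 'Login restricted ... too many unsuccessful login attempts'
    message for the same user. That sequence means AIX reported the login
    restriction and the account was nevertheless authenticated afterwards."""
    restricted = set()
    findings = []
    for n, line in enumerate(log_text.strip().splitlines(), 1):
        m = RESTRICTED_RE.search(line)
        if m and "too many unsuccessful login attempts" in line:
            restricted.add(m.group(1))
            continue
        m = ACCEPTED_RE.search(line)
        if m and m.group(1) in restricted:
            findings.append((m.group(1), m.group(2), m.group(3), n))
    return findings


if __name__ == "__main__":
    for user, src, port, n in find_lockout_bypasses(SAMPLE_SYSLOG):
        print(f"line {n}: restricted user {user!r} accepted from {src}:{port}")
```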