Discussion:
Any plans to implement MaxAuthTriesLog?
Richard Dickens
2004-11-11 16:04:23 UTC
Hello there,

I've just upgraded to 3.9p1 and I notice that I'm not getting any "Too
many authorization failure" messages written to my syslog.

This seems to be controlled by MaxAuthTriesLog in Sun's implementation
of SSH. Are there any plans to do the same in OpenSSH?

Regards,
Richard Dickens


-----------------------------------------------------------------
Visit our Internet site at http://www.reuters.com

Get closer to the financial markets with Reuters Messaging - for more
information and to register, visit http://www.reuters.com/messaging

Any views expressed in this message are those of the individual
sender, except where the sender specifically states them to be
the views of Reuters Ltd.
Ben Lindstrom
2004-11-11 16:49:58 UTC
MaxAuthTries
Specifies the maximum number of authentication attempts permitted
per connection. Once the number of failures reaches half this
value, additional failures are logged. The default is 6.


- Ben
_______________________________________________
openssh-unix-dev mailing list
http://www.mindrot.org/mailman/listinfo/openssh-unix-dev
Richard Dickens
2004-11-15 17:25:08 UTC
I'll rephrase my question...

When a user gets their password wrong more than MaxAuthTries times why
isn't the message "Too many authentication failures for %.100s" written
to syslog? The user seems to get it (in a dialog in putty) but it
doesn't get logged. The usual "Failed password for..." messages are
logged.

Regards,
Richard Dickens

Darren Tucker
2004-11-16 02:59:58 UTC
Post by Richard Dickens
When a user gets their password wrong more than MaxAuthTries times why
isn't the message "Too many authentication failures for %.100s" written
to syslog? The user seems to get it (in a dialog in putty) but it
doesn't get logged. The usual "Failed password for..." messages are
logged.
AFAIK vanilla OpenSSH has never logged those (it only sends it to the
user via packet_disconnect). Maybe it should log too? And if so, maybe
it should log some more info? Anyway, try this patch.

OpenSSH does the equivalent of MaxAuthTriesLog at MaxAuthTries/2. I
suspect the behaviour you're describing is not directly related to
MaxAuthTriesLog.
--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
Darren Tucker
2004-11-16 10:54:43 UTC
Permalink
Richard pointed out that packet_disconnect already calls logit(). D'oh.

The reason it's not logged is privsep: the packet_disconnect and logit
call happen in the unprivileged child (which is chrooted and doesn't
have access to /dev/log). Trying it with UsePrivilegeSeparation=no has
the messages logged OK. Not sure how to fix it for privsep=yes, other
than adding a /dev/log to the chroot.
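An added example, not code from this thread or from OpenSSH, that ties together Ben's point (sshd logs extra failures only from MaxAuthTries/2 on) and Darren's finding (the "Too many authentication failures" disconnect message is issued by the chrooted privsep child and never reaches syslog): a small detector that reconstructs the "limit reached" event from the per-attempt "Failed <method> for ..." lines that sshd does still write. The syslog prefix, the host name, the sample log lines and the threshold of 6 are assumptions; the exact attempt count at which a given sshd version disconnects (strict vs. non-strict comparison, whether the initial "none" request counts) varies, so the threshold is a parameter rather than a claim about sshd internals.

```python
import re
from collections import defaultdict

# sshd_config default (MaxAuthTries 6). Assumed here; set it to the value
# configured on the host whose logs are being checked.
MAX_AUTH_TRIES = 6

# Per-attempt failure line as sshd writes it via syslog. The syslog prefix
# ("Mon DD HH:MM:SS host sshd[pid]:") is an assumption about the collector's
# format; the "Failed <method> for [invalid user ]<user> from <ip> port <port>"
# body is the sshd message the thread says is still logged under privsep.
FAILED_RE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: Failed (?P<method>\S+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[0-9a-fA-F.:]+) port (?P<port>\d+)"
)


def count_failures(lines):
    """Group failure lines by connection and count them.

    A connection is identified by the per-connection sshd pid plus the
    client's ip:port, which together stay constant for one TCP session.
    Returns {(pid, ip, port): {"user": last user tried, "count": n}}.
    """
    per_conn = defaultdict(lambda: {"user": None, "count": 0})
    for line in lines:
        m = FAILED_RE.search(line)
        if m is None:
            continue  # accepted logins, disconnects, other daemons
        key = (m.group("pid"), m.group("ip"), m.group("port"))
        per_conn[key]["count"] += 1
        per_conn[key]["user"] = m.group("user")
    return dict(per_conn)


def exhausted(lines, max_auth_tries=MAX_AUTH_TRIES):
    """Connections whose failure count reached the MaxAuthTries threshold.

    sshd disconnects such a client with "Too many authentication failures";
    because that message may never reach syslog (the privsep child is
    chrooted without /dev/log), the event is rebuilt from the per-attempt
    lines instead. Returns a sorted list of (ip, user, count).
    """
    return sorted(
        (ip, info["user"], info["count"])
        for (pid, ip, port), info in count_failures(lines).items()
        if info["count"] >= max_auth_tries
    )


# Constructed sample log (not real data): one client burns all six tries
# against root, a second stops after two guesses at a nonexistent account,
# a third logs in normally. "bastion" is a hypothetical host name.
SAMPLE_LOG = (
    [f"Nov 16 02:59:{i:02d} bastion sshd[4101]: Failed password for root "
     f"from 192.0.2.10 port 51234 ssh2" for i in range(1, 7)]
    + [
        "Nov 16 02:59:30 bastion sshd[4107]: Failed password for invalid user admin "
        "from 198.51.100.7 port 40000 ssh2",
        "Nov 16 02:59:31 bastion sshd[4107]: Failed password for invalid user admin "
        "from 198.51.100.7 port 40000 ssh2",
        "Nov 16 02:59:40 bastion sshd[4112]: Accepted password for alice "
        "from 192.0.2.20 port 51300 ssh2",
    ]
)

if __name__ == "__main__":
    for ip, user, n in exhausted(SAMPLE_LOG):
        print(f"{ip}: {n} failures against {user} (MaxAuthTries reached)")
```

Feed it real lines with `exhausted(open("/var/log/auth.log"))` and lower `max_auth_tries` to `MAX_AUTH_TRIES // 2` if you want to alert at the same point at which sshd itself starts logging additional failures. Keying on pid as well as ip:port matters: a client that reconnects from a new source port after a disconnect starts a fresh count, which is exactly how a brute-forcer avoids the limit, so longer-window aggregation per ip is a separate check on top of this one.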