This is a discussion on Re: openssh-unix-dev Digest, Vol 39, Issue 6 within the OpenSSH Development forums, part of the Networking and Network Related category; On Jul 11, 2006, at 8:21 PM, openssh-unix-dev-request@mindrot.org wrote: > Date: Tue, 11 Jul ...
On Jul 11, 2006, at 8:21 PM, openssh-unix-dev-request@mindrot.org wrote:

> Date: Tue, 11 Jul 2006 15:50:22 -0500
> From: "Hughes Andy" <Andy.Hughes@HCAHealthcare.com>
> Subject: How to use SSH with Failed Login attempts and locking accounts
> To: <openssh-unix-dev@mindrot.org>
> Message-ID: <273CACD967F9BC47B023F758ACBC3A8C075855F4@NASEV06.hca.corpad.net>
> Content-Type: text/plain; charset="us-ascii"
>
> I have searched the FAQs and have not seen an answer to this question.
> I have also read the manuals for SSH and have not found an answer to
> this issue.

I feel the rage of Theo stirring inside me... must ..... resist ...... the ...... impulse ..... aahh. Better now.

http://groups.google.com/group/maili...nssh-dev/about

> My question is this:
>
> I am using openssh (OpenSSH_4.2p1, OpenSSL 0.9.8 05 Jul 2005) on MP-RAS

MP-RAS? Y2K? Won't they support Solaris x86? I'll bet you can buffer overflow the crap out of MP-RAS! It makes me want to get back to work on my fuzzer!

> Version 3.3.1.8 and 3.2 and I desire to allow a user to fail login for
> any reason only 3 (three) times and then lock the account. I can use
> the option of FAILLIMIT=3 in the /etc/default/login file for telnet
> sessions, and this will lock the account after three failed login
> attempts by the user. But this does not work for SSH. I have also
> placed the same option in the file /etc/default/login.openssh with no
> such luck.

By default, ssh does not call login(3). Find that in the docs under UseLogin. Please Google that also.

FYI: Automatic lockout allows anyone to lock out any account by guessing or knowing the name. This actually makes another easier way for malicious gremlins to abuse your systems. My favorite prank is to scratch out a fake warning to someone that they've been fired and then lock out their account... no, I would NEVER do that...

> this. It is an audit requirement here, to start locking an account when
> the user fails the login process, for any reason, after three attempts.

I always thought an audit was a fact-finding pursuit. If I were you, I would pursue a CBA for automatic lockouts. If you don't really need them to conduct your business, then you should keep all accounts locked and only enable them during controlled change windows. If you do really need these accounts to support your business, then your security policy should not lock your accounts. The programmers on this list are famously paranoid and prudent about security. You might ask yourself why this feature hasn't already been implemented and widely used if it were a good idea.

> Any help is appreciated. Thanks in advance for the help.

Also, you probably don't want to use login(3). I strongly encourage you to seek an implementation of pam_tally if I cannot discourage this automatic lockout craziness.

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
http://lists.mindrot.org/mailman/lis...enssh-unix-dev
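The reply points at pam_tally rather than UseLogin as the way to get a failed-attempt counter in front of sshd. The fragment below is an added illustration of what that looks like; it is not configuration from the thread, and it assumes a Linux-PAM system that ships pam_tally (the original poster's MP-RAS would not have it) with the usual file names /etc/pam.d/sshd and /etc/ssh/sshd_config. The threshold of 3 mirrors the poster's FAILLIMIT=3 requirement; the unlock_time value is an assumed example.

```text
# /etc/ssh/sshd_config (assumed path)
# sshd must hand authentication to PAM for the tally to be consulted.
# UseLogin is not involved: sshd still does not call login(3).
UsePAM yes

# /etc/pam.d/sshd (assumed path) -- relevant lines only
# auth phase: count every failed attempt and refuse once the tally
# exceeds 3.  onerr=fail makes the module deny (not fail open) if the
# tally file itself cannot be read or written.
auth     required   pam_tally.so onerr=fail deny=3 unlock_time=900
auth     include    system-auth

# account phase: pam_tally resets the tally on a successful login
# (its default behaviour), so legitimate users do not accumulate
# stale failures.
account  required   pam_tally.so
account  include    system-auth
```

The unlock_time option is the part worth deciding on deliberately: with it, a locked account reopens on its own after the given number of seconds, which bounds the lockout-as-denial-of-service problem the reply describes (anyone who knows or guesses a user name can lock it out). Without it, the lock persists until an administrator clears the counter with `pam_tally --user <name> --reset`, which is the behaviour that matches the poster's audit requirement literally but also the one the reply is warning against.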