[Bug 464315] New: MaxAuthTries 0 (Zero) denies all logins - used to work on 11.0 and previous versions
https://bugzilla.novell.com/show_bug.cgi?id=464315

Summary: MaxAuthTries 0 (Zero) denies all logins - used to work on 11.0 and previous versions
Product: openSUSE 11.1
Version: Final
Platform: i386
OS/Version: openSUSE 11.1
Status: NEW
Severity: Major
Priority: P5 - None
Component: Network
AssignedTo: bnc-team-screening@forge.provo.novell.com
ReportedBy: abittner@stud.fh-heilbronn.de
QAContact: qa@suse.de
Found By: ---

hi there,

just figured that the parameter

MaxAuthTries 0

in /etc/ssh/sshd_config denies all ssh logins with username/password as credentials. this used to work just fine on my 11.0 system which i upgraded to this 11.1 x86 version. I set MaxAuthTries 0 many releases ago, when this feature was implemented in openssh, and i read in many articles and documentations to set it to zero so that only exactly one login should be allowed for ssh access. wondering why i need

MaxAuthTries 1

now to get the same effect.

bug? or is it me who is understanding this all wrong? thanks.

--
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=464315

Cyril Hrubis <chrubis@novell.com> changed:

What       |Removed                                    |Added
----------------------------------------------------------------------------
AssignedTo |bnc-team-screening@forge.provo.novell.com  |anicka@novell.com

https://bugzilla.novell.com/show_bug.cgi?id=464315

Anna Bernathova <anicka@novell.com> changed:

What       |Removed                                    |Added
----------------------------------------------------------------------------
Status     |NEW                                        |ASSIGNED

https://bugzilla.novell.com/show_bug.cgi?id=464315

Anna Bernathova <anicka@novell.com> changed:

What       |Removed                                    |Added
----------------------------------------------------------------------------
Priority   |P5 - None                                  |P3 - Medium

https://bugzilla.novell.com/show_bug.cgi?id=464315

User anicka@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=464315#c1

Anna Bernathova <anicka@novell.com> changed:

What       |Removed                                    |Added
----------------------------------------------------------------------------
Status     |ASSIGNED                                   |RESOLVED
Resolution |                                           |INVALID

--- Comment #1 from Anna Bernathova <anicka@novell.com> 2009-02-02 08:47:15 MST ---

It is a change made by upstream. Changelog:

    Make protocol 2 MaxAuthTries behaviour a little more sensible:

    Check whether client has exceeded MaxAuthTries before running an authentication method and skip it if they have, previously it would always allow one try (for "none" auth).

    Preincrement failure count before post-auth test - previously this checked and postincremented, also to allow one "none" try.

    Together, these two changes always count the "none" auth method which could be skipped by a malicious client (e.g. an SSH worm) to get an extra attempt at a real auth method. They also make MaxAuthTries=0 a useful way to block users entirely (esp. in a sshd_config Match block).

    Also, move sending of any preauth banner from "none" auth method to the first call to input_userauth_request(), so worms that skip the "none" method get to see it too.

Documentation (sshd_config(5)) seems to match this behaviour:

    MaxAuthTries
        Specifies the maximum number of authentication attempts permitted per connection. Once the number of failures reaches half this value, additional failures are logged. The default is 6.

So I think that there is nothing to fix here.

https://bugzilla.novell.com/show_bug.cgi?id=464315

User abittner@stud.fh-heilbronn.de added comment
https://bugzilla.novell.com/show_bug.cgi?id=464315#c2

--- Comment #2 from andreas bittner <abittner@stud.fh-heilbronn.de> 2009-02-02 09:40:59 MST ---

ok thanks for the hint and the references. regards.
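
An added example (not part of the bug thread, and not openSUSE or OpenSSH code): a pre-upgrade check that lists every scope of an sshd_config where MaxAuthTries is 0, the value that comment #1 says now blocks users entirely, including inside Match blocks. The sample config and the function names are constructed for illustration, and Include directives are not followed.

```python
import re

# Constructed sample sshd_config (not taken from the bug report).
SAMPLE = """\
# global section
Port 22
MaxAuthTries 0
maxauthtries 6

Match User backup
    MaxAuthTries=0
Match Group admins
    MaxAuthTries "3"
"""

# Keyword, then whitespace or a single '=' as separator, then the arguments.
LINE_RE = re.compile(r"([A-Za-z0-9]+)(?:\s*=\s*|\s+)(.+)$")

def max_auth_tries(config_text):
    """Map each scope ("global" or a Match line) to its MaxAuthTries value."""
    scope, found = "global", {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # blank lines and comments
        m = LINE_RE.match(line)
        if not m:
            continue
        keyword, args = m.group(1).lower(), m.group(2).strip()
        if keyword == "match":
            scope = "Match " + args       # a new conditional block starts
        elif keyword == "maxauthtries" and scope not in found:
            # sshd keeps the first value it obtains for a keyword
            found[scope] = int(args.split()[0].strip('"'))
    return found

def lockout_scopes(config_text):
    """Scopes where MaxAuthTries is 0: every login is refused after the change."""
    return [s for s, v in max_auth_tries(config_text).items() if v == 0]

if __name__ == "__main__":
    for scope in lockout_scopes(SAMPLE):
        print(f"{scope}: MaxAuthTries 0 refuses all authentication")
```

A global hit means password logins stop working after the upgrade, as in this report; a hit inside a Match block may be an intentional block and only needs confirming.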