I'm using openssh and I'd like to have a delay between attempts if an
invalid password is opened. In other words, maybe 3 seconds between
each password attempt. I can't find if there is an easy way to do
this. |
Request for Question Clarification by
denco-ga
on
18 Aug 2005 12:34 PDT
Howdy tedder-ga,
Could you please try the following and see if it works for you?
In auth-pam.c: sshpam_thread insert
pam_fail_delay(sshpam_handle, 3000000 /* micro-seconds */ );
before
sshpam_err = pam_authenticate(sshpam_handle, flags);
Please report back here how this works out for you, and if it works
for you, I can then post it as an answer to your question. Thanks!
Looking Forward, denco-ga - Google Answers Researcher
|
Request for Question Clarification by
denco-ga
on
18 Aug 2005 13:04 PDT
Also, are you familiar with the "PAM_FAIL_DELAY" function?
The public interface to Linux-PAM
http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/pam_appl-3.html
Test harness for Pluggable Authentication Modules (PAM)
http://www.zipworld.com.au/~dtucker/patches/
Looking Forward, denco-ga - Google Answers Researcher
|
Clarification of Question by
tedder-ga
on
18 Aug 2005 13:46 PDT
(clarifying for denco-ga)
So you are saying I should place the pam_fail_delay here:
buffer_init(&buffer);
sshpam_err = pam_set_item(sshpam_handle, PAM_CONV,
(const void *)&sshpam_conv);
if (sshpam_err != PAM_SUCCESS)
goto auth_fail;
pam_fail_delay(sshpam_handle, 3000000 /* micro-seconds */ );
sshpam_err = pam_authenticate(sshpam_handle, flags);
if (sshpam_err != PAM_SUCCESS)
goto auth_fail;
Looking that up helped me find the answer- and the compiled default is
3 seconds- go figure.
http://www.enterprisenetworkingplanet.com/netsecur/article.php/3514511
This seems to be enabled.. the issue now is being able to set the
delay. It seems like it should be possible without patching and
compiling openssh- i.e., just configuring it in PAM.
For instance, can it be done with pam_tally?
http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/pam-6.html#ss6.24
|
Request for Question Clarification by
denco-ga
on
18 Aug 2005 15:43 PDT
Howdy tedder-ga,
It doesn't appear that pam_tally will do what you need. Rather, it handles
the "three strikes you are out" of the failed logon process, and how much
time must pass before a logon attempt can be made after logon is disallowed.
Good find on the Enterprise Networking Planet article.
The second link that I gave you appears to have the most promise.
Test harness for Pluggable Authentication Modules (PAM)
http://www.zipworld.com.au/~dtucker/patches/
"pam-test-harness.c: a heavily-instrumented PAM test application, intended
to help debug PAM/sshd problems and study the behaviour of PAM on various
platforms. It also seems to be useful for testing and debugging while
developing PAM modules.
You can control most aspects of the authentication, including not setting
the various options (the PAM service name, PAM_TTY, PAM_RHOST, PAM_USER) and
skipping the pam_authenticate call (this is common in sshd for non- password
authentications, but can confuse some modules).
...
pam_faildelay module for LinuxPAM
pam_faildelay.c: Allow an admin to change the setting of LinuxPAM's
pam_fail_delay from the PAM configuration file, possibly on a per-application
basis."
But, if the article you found is accurate, I don't know if the "Test Harness"
approach, or for that matter, anything short of a patch/compile, is going to
do what you seek.
http://www.enterprisenetworkingplanet.com/netsecur/article.php/3514511
"Ignore the FAIL_DELAY directive in /etc/login.defs because it has no effect.
pam_unix.so is hard-coded to a 3-second delay."
From my reading, there are others that are either stymied or frustrated with
what appears to be the lack of either a properly implemented or a platform
wide implementation of pam_fail_delay.
You placed pam_fail_delay in the correct place. You might try increasing
the delay to 10000000 and see what that does, but I don't think it will make
a difference.
Looking Forward, denco-ga - Google Answers Researcher
|
Clarification of Question by
tedder-ga
on
22 Aug 2005 14:19 PDT
denco, your solution seems to be the most optimal. Thanks for your
assistance on this.
|
Request for Question Clarification by
denco-ga
on
22 Aug 2005 14:48 PDT
Howdy tedder-ga,
Did you want me to post my comments as an answer? Thanks!
Looking Forward, denco-ga - Google Answers Researcher
|
Clarification of Question by
tedder-ga
on
22 Aug 2005 15:46 PDT
yep, post as an answer.
Thanks.
|