Re: sshd authentication failure message
From: Sean Estabrooks (seanlkml_at_rogers.com)
Date: 09/05/03
- Previous message: Bret Hughes: "Re: Service command"
- In reply to: Bret Hughes: "Re: sshd authentication failure message"
- Next in thread: Bret Hughes: "Re: sshd authentication failure message"
- Reply: Bret Hughes: "Re: sshd authentication failure message"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
To: redhat-list@redhat.com
Date: Fri, 5 Sep 2003 17:51:34 -0400
On 05 Sep 2003 16:30:03 -0500
Bret Hughes <bhughes@elevating.com> wrote:
> On Fri, 2003-09-05 at 13:10, Peter Fleck wrote:
> > Hi,
> >
> > Following are two entries from our /var/log/messages file and I'm
> > wondering about the 'authentication failure' part. This seems to
> > happen with every login, at least remote, although the user logs in
> > normally with no problem. Can we change some setting to make this go
> > away?
> >
> > Thanks.
>
> As far as I know the only way is to either downgrade the sshd rpm from
> the latest released by redhat or install the one from openssh.org.
>
> There are a couple of bugs at bugzilla.redhat.com regarding this but the
> guy responsible does not seem to care about false failure messages. I
> found that unacceptable and installed the openssh rpms on some of my
> machines and left the old rpm in place on others. I forget the RH
> versions that made it hard to do the openssh stuff.
>
> Since I only pay for one copy of rh each release and then run it
> (significantly customized) on about 45 machines I did not feel like I
> had the right to try and escalate the issue past the guy that maintains
> the rpm. Sort of pissed a few folks off though.
>
> I think it is a function of how many people actually look at the logs
> and complain, not many I guess.
>
> If there is a fix as well as stopping the login delay on successful
> logins (where is the information leakage there?) I would like to know
> about it since I really like to keep the installation on my 4 servers as
> stock as possible.
>
Hey Bret,

You can add the "nodelay" option in /etc/pam.d/system-auth:

    auth sufficient /lib/security/$ISA/pam_unix.so likeauth nodelay

I do have a one line source change that removes the need for
the above, has zero information leak, and still presents a delay if
someone types a password incorrectly. The patch makes the
sshd_config option "PermitEmptyPasswords" more meaningful when
set to "no". (i.e. sshd no longer asks pam if the user can log in without
a password). Nobody seems interested in the patch upstream though.

If you'd like an updated RPM let me know.

Cheers,
Sean
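
A log-triage sketch for the situation discussed in this thread, added here as an example and not code from any poster or from OpenSSH: it separates `authentication failure` entries that the same sshd process followed with an accepted login from those that never led to one. The log line formats, the sample lines, and the pairing by sshd PID are assumptions.

```python
import re

# Line formats are assumed (Red Hat-era syslog style); adjust to your own logs.
FAIL = re.compile(r"sshd\(pam_unix\)\[(\d+)\]: authentication failure;.*\buser=(\S+)")
ACCEPT = re.compile(r"sshd\[(\d+)\]: Accepted \S+ for (\S+) from")

# Constructed sample input, not taken from the thread.
SAMPLE_LOG = """\
Sep  5 13:02:11 web1 sshd(pam_unix)[2101]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=10.0.0.5  user=peter
Sep  5 13:02:14 web1 sshd[2101]: Accepted password for peter from 10.0.0.5 port 40112 ssh2
Sep  5 13:07:40 web1 sshd(pam_unix)[2140]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=203.0.113.9  user=root
Sep  5 13:09:02 web1 sshd(pam_unix)[2177]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=10.0.0.8  user=bret
Sep  5 13:09:05 web1 sshd[2177]: Accepted password for bret from 10.0.0.8 port 51822 ssh2
"""


def classify_failures(lines):
    """Return (pid, user, verdict) for every PAM failure line, in log order.

    verdict is "login_followed" when the same sshd PID later logs an accepted
    login for the same user, otherwise "no_login". A mistyped password that is
    corrected on the same connection also lands in "login_followed".
    """
    results = []
    pending = {}  # (pid, user) -> indexes into results still awaiting a login
    for line in lines:
        m = FAIL.search(line)
        if m:
            key = (m.group(1), m.group(2))
            pending.setdefault(key, []).append(len(results))
            results.append([key[0], key[1], "no_login"])
            continue
        m = ACCEPT.search(line)
        if m:
            # Popping the key keeps a later reuse of the PID from matching.
            for idx in pending.pop((m.group(1), m.group(2)), []):
                results[idx][2] = "login_followed"
    return [tuple(r) for r in results]


def needs_review(lines):
    """Failures that never turned into a login: the ones worth reading."""
    return [r for r in classify_failures(lines) if r[2] == "no_login"]


if __name__ == "__main__":
    for pid, user, verdict in classify_failures(SAMPLE_LOG.splitlines()):
        print(pid, user, verdict)
```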