
Mailing List Archive: OpenSSH: Bugs

[Bug 1207] unsuccessful_login_count gets incremented by scp

 

 



bugzilla-daemon at mindrot

Jul 5, 2006, 7:52 AM

[Bug 1207] unsuccessful_login_count gets incremented by scp

http://bugzilla.mindrot.org/show_bug.cgi?id=1207

Summary: unsuccessful_login_count gets incremented by scp
Product: Portable OpenSSH
Version: 4.3p1
Platform: PPC
OS/Version: AIX
Status: NEW
Severity: major
Priority: P1
Component: scp
AssignedTo: bitbucket [at] mindrot
ReportedBy: johntmills [at] yahoo


On AIX 5.2 unsuccessful_login_count is incremented by scp because
loginsuccess is not run. ssh will run the loginsuccess but scp does
not. Since lastlog is not reset users can lock themselves out of
the system via our max failure checks.




------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
_______________________________________________
openssh-bugs mailing list
openssh-bugs [at] mindrot
http://lists.mindrot.org/mailman/listinfo/openssh-bugs


bugzilla-daemon at mindrot

Jul 5, 2006, 8:02 AM

[Bug 1207] unsuccessful_login_count gets incremented by scp [In reply to]

http://bugzilla.mindrot.org/show_bug.cgi?id=1207





------- Comment #1 from johntmills [at] yahoo 2006-07-06 01:02 -------
Created an attachment (id=1153)
--> (http://bugzilla.mindrot.org/attachment.cgi?id=1153&action=view)
Config.log from openssh 4.3p1, openssl 0.9.8






bugzilla-daemon at mindrot

Jul 5, 2006, 8:14 AM

[Bug 1207] unsuccessful_login_count gets incremented by scp [In reply to]

http://bugzilla.mindrot.org/show_bug.cgi?id=1207





------- Comment #2 from johntmills [at] yahoo 2006-07-06 01:14 -------
root> ssh posidon "lsuser -R LDAP jtm"
jtm ... unsuccessful_login_count=0 roles=
root> touch /tmp/jtm
root> chown jtm /tmp/jtm
root> scp /tmp/jtm jtm [at] posido:/home/jtm/
jtm [at] posido's password:
jtm
100% 16KB 0.0KB/s 00:00
root> ssh posidon "lsuser -R LDAP jtm"
jtm ... unsuccessful_login_count=1 roles=






bugzilla-daemon at mindrot

Jul 5, 2006, 5:38 PM

[Bug 1207] unsuccessful_login_count gets incremented by scp [In reply to]

http://bugzilla.mindrot.org/show_bug.cgi?id=1207


dtucker [at] zip changed:

What                    |Removed |Added
----------------------------------------------------------------------------
OtherBugsDependingOnThis|        |1155
Status                  |NEW     |ASSIGNED
Component               |scp     |sshd




------- Comment #3 from dtucker [at] zip 2006-07-06 10:38 -------
The problem is not with scp but with sshd (since scp invokes ssh which
in turn talks to sshd).

The difference is that loginsuccess is only called as part of the login
recording, which only happens for "interactive" logins (ie ones where
you get a pty). You should see the same thing if, instead of scp, you
ran something like "ssh yourserver true" and checked the failed login
count afterward.

Not sure what to do about it, though. We can call loginsuccess
immediately after successful authentication but that will mean calling
it a second time when the pty is allocated.






bugzilla-daemon at mindrot

Jul 7, 2006, 5:46 AM

[Bug 1207] unsuccessful_login_count gets incremented by scp [In reply to]

http://bugzilla.mindrot.org/show_bug.cgi?id=1207





------- Comment #4 from johntmills [at] yahoo 2006-07-07 22:46 -------
(In reply to comment #3)
> You should see the same thing if, instead of scp, you
> ran something like "ssh yourserver true" and checked the failed login
> count afterward.

This is confirmed.






bugzilla-daemon at mindrot

Jul 7, 2006, 4:28 PM

[Bug 1207] unsuccessful_login_count gets incremented by scp [In reply to]

http://bugzilla.mindrot.org/show_bug.cgi?id=1207





------- Comment #5 from dtucker [at] zip 2006-07-08 09:28 -------
Created an attachment (id=1157)
--> (http://bugzilla.mindrot.org/attachment.cgi?id=1157&action=view)
Always call loginsuccess immediately after authentication.

This patch should fix your immediate problem.

It's probably not ideal as it will result in two audit records for an
interactive login (not sure if that matters as I don't use AIX
auditing). I would be interested to hear from anyone who does use
AIX's audit facility.




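A toy model of the behaviour discussed in comments #3 and #5, added here as an illustration; it is not OpenSSH code and not the attached patch. The struct, the mock_* functions and max_failures are hypothetical, and the counter bump on authentication is an assumption taken from the transcript in comment #2.

```c
#include <stdbool.h>
#include <stdio.h>
/* Toy per-user record (hypothetical); not the real AIX user database. */
struct user {
    int unsuccessful_login_count; /* attribute shown by lsuser in comment #2 */
    int max_failures;             /* hypothetical site lockout threshold */
    int audit_records;            /* times mock_loginsuccess() ran */
};

/* Assumption from the transcript: authentication leaves the counter raised. */
static void mock_authenticate(struct user *u) { u->unsuccessful_login_count++; }
/* Stand-in for loginsuccess: reset the counter, write one audit record. */
static void mock_loginsuccess(struct user *u) {
    u->unsuccessful_login_count = 0;
    u->audit_records++;
}

/* One successful SSH session; false if the account is already locked. */
static bool session(struct user *u, bool pty, bool patched) {
    if (u->unsuccessful_login_count >= u->max_failures)
        return false;
    mock_authenticate(u);
    if (patched) mock_loginsuccess(u); /* proposed fix: right after authentication */
    if (pty) mock_loginsuccess(u);     /* login recording, interactive sessions only */
    return true;
}

/* Run `tries` non-pty sessions (scp, "ssh host true"); count those accepted. */
static int accepted_nonpty(bool patched, int max_failures, int tries) {
    struct user u = { 0, max_failures, 0 };
    int ok = 0;
    for (int i = 0; i < tries; i++)
        ok += session(&u, false, patched);
    return ok;
}

/* Audit records written by a single interactive (pty) login. */
static int pty_audit_records(bool patched) {
    struct user u = { 0, 3, 0 };
    session(&u, true, patched);
    return u.audit_records;
}

int main(void) {
    printf("non-pty accepted of 10: %d unpatched, %d patched; audit records per pty login: %d, %d\n",
           accepted_nonpty(false, 3, 10), accepted_nonpty(true, 3, 10),
           pty_audit_records(false), pty_audit_records(true));
    return 0;
}
```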
