
[Bug 1207] unsuccessful_login_count gets incremented by scp
http://bugzilla.mindrot.org/show_bug.cgi?id=1207

Summary: unsuccessful_login_count gets incremented by scp
Product: Portable OpenSSH
Version: 4.3p1
Platform: PPC
OS/Version: AIX
Status: NEW
Severity: major
Priority: P1
Component: scp
AssignedTo: bitbucket@mindrot.org
ReportedBy: johntmills@yahoo.com


On AIX 5.2 unsuccessful_login_count is incremented by scp because
loginsuccess is not run. ssh will run the loginsuccess but scp does
not. Since lastlog is not reset users can lock themselves out of
the system via our max failure checks.




------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
_______________________________________________
openssh-bugs mailing list
openssh-bugs@mindrot.org
http://lists.mindrot.org/mailman/listinfo/openssh-bugs

------- Comment #1 from johntmills@yahoo.com 2006-07-06 01:02 -------
Created an attachment (id=1153)
--> (http://bugzilla.mindrot.org/attachment.cgi?id=1153&action=view)
Config.log from openssh 4.3p1, openssl 0.9.8





------- Comment #2 from johntmills@yahoo.com 2006-07-06 01:14 -------
root> ssh posidon "lsuser -R LDAP jtm"
jtm ... unsuccessful_login_count=0 roles=
root> touch /tmp/jtm
root> chown jtm /tmp/jtm
root> scp /tmp/jtm jtm@posidon:/home/jtm/
jtm@posidon's password:
jtm                                           100%   16KB   0.0KB/s   00:00
root> ssh posidon "lsuser -R LDAP jtm"
jtm ... unsuccessful_login_count=1 roles=





dtucker@zip.com.au changed:

What                     |Removed |Added
----------------------------------------------------------------------------
OtherBugsDependingOnThis |        |1155
Status                   |NEW     |ASSIGNED
Component                |scp     |sshd




------- Comment #3 from dtucker@zip.com.au 2006-07-06 10:38 -------
The problem is not with scp but with sshd (since scp invokes ssh which
in turn talks to sshd).

The difference is that loginsuccess is only called as part of the login
recording, which only happens for "interactive" logins (ie ones where
you get a pty). You should see the same thing if, instead of scp, you
ran something like "ssh yourserver true" and checked the failed login
count afterward.

Not sure what to do about it, though. We can call loginsuccess
immediately after successful authentication but that will mean calling
it a second time when the pty is allocated.





------- Comment #4 from johntmills@yahoo.com 2006-07-07 22:46 -------
(In reply to comment #3)
> You should see the same thing if, instead of scp, you
> ran something like "ssh yourserver true" and checked the failed login
> count afterward.

This is confirmed.





------- Comment #5 from dtucker@zip.com.au 2006-07-08 09:28 -------
Created an attachment (id=1157)
--> (http://bugzilla.mindrot.org/attachment.cgi?id=1157&action=view)
Always call loginsuccess immediately after authentication.

This patch should fix your immediate problem.

It's probably not ideal as it will result in two audit records for an
interactive login (not sure if that matters as I don't use AIX
auditing). I would be interested to hear from anyone who does use
AIX's audit facility.
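
An added example, not part of the bug thread or of OpenSSH: a check an AIX administrator could run around a batch of non-interactive sessions (scp, or "ssh yourserver true" as in comment #3) to see which accounts' unsuccessful_login_count rose and which are close to lockout. It assumes snapshots saved from `lsuser -a unsuccessful_login_count loginretries ALL`; the function names, the margin parameter and the sample snapshots are constructed for illustration.

```shell
#!/bin/sh
# Added example: compare two snapshots of AIX lsuser output and report
# accounts whose unsuccessful_login_count rose between them.
# Snapshot lines look like: "jtm unsuccessful_login_count=1 loginretries=3"

# counter_drift BEFORE_FILE AFTER_FILE [MARGIN]
# Prints "user before after limit STATUS" for each account whose count rose.
# STATUS is AT_RISK when a limit is set (loginretries=0 means no limit)
# and after >= limit - MARGIN; otherwise it is ROSE.
counter_drift() {
    awk -v margin="${3:-1}" '
        # Return the numeric value of attribute "key" on an lsuser line.
        function attr(line, key,    i, n, f, kv) {
            n = split(line, f, " ")
            for (i = 2; i <= n; i++) {
                split(f[i], kv, "=")
                if (kv[1] == key) return kv[2] + 0
            }
            return 0
        }
        NR == FNR { before[$1] = attr($0, "unsuccessful_login_count"); next }
        {
            after = attr($0, "unsuccessful_login_count")
            limit = attr($0, "loginretries")
            if (after > before[$1]) {
                status = (limit > 0 && after >= limit - margin) ? "AT_RISK" : "ROSE"
                print $1, before[$1] + 0, after, limit, status
            }
        }
    ' "$1" "$2"
}

# Constructed sample snapshots (not real data), taken before and after a
# batch of non-interactive sessions that never reach loginsuccess.
demo() {
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/before" <<'EOF'
jtm unsuccessful_login_count=0 loginretries=3
backup unsuccessful_login_count=1 loginretries=3
svc unsuccessful_login_count=4 loginretries=0
EOF
    cat > "$tmp/after" <<'EOF'
jtm unsuccessful_login_count=1 loginretries=3
backup unsuccessful_login_count=2 loginretries=3
svc unsuccessful_login_count=4 loginretries=0
EOF
    counter_drift "$tmp/before" "$tmp/after" 1
    rm -rf "$tmp"
}
```

Run against a patched sshd, the same before/after comparison should report no rise for accounts that only made successful non-interactive logins.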



