Mailing List Archive

Disabling logging during pam_authenticate

Is there any way to disable logging of failures during
pam_authenticate?

I ask because OpenSSH is currently generating an extra "authentication
failure..." message at each login.

The problem is that OpenSSH likes to try a blank password before attempting
any other authentication. This is a shortcut for anonymous SSH servers
(e.g. OpenBSD's CVS repositories). I expect that this test will fail
in the vast majority of cases, but it speeds things up significantly
when it succeeds.

A way to disable authentication failure delays on a per-function call
basis would be great as well.

Regards,
Damien Miller

--
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm@mindrot.org (home) -or- djm@ibs.com.au (work)


Re: Disabling logging during pam_authenticate
On 1999-Dec-26 at 13:50:53 +1100, Damien Miller wrote:

: A way to disable authentication failure delays on a per-function call
: basis would be great as well.

Look at:

http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/pam_appl-3.html

and search for `pam_fail_delay' and see if that isn't what you need for
this.

--
jim knoble
jmknoble@pobox.com
Re: Disabling logging during pam_authenticate
On Sun, 26 Dec 1999, Damien Miller wrote:

> Is there any way to disable logging of failures during
> pam_authenticate?

PAM does not have control over the logging process during pam_authenticate,
that's left up to the individual modules. You may be able to turn logging off
for individual modules; however--

> The problem is that OpenSSH likes to try a blank password before attempting
> any other authentication. This is a shortcut for anonymous SSH servers
> (e.g. OpenBSD's CVS repositories). I expect that this test will fail
> in the vast majority of cases, but it speeds things up significantly
> when it succeeds.

wouldn't it be more reasonable to ask ssh to not try null passwords? There
could be any number of modules that would be used in the PAM auth section, and
all of them may have an opinion on what should be logged. Some of them may be
well-behaved and let you disable logging, but then you've also disabled
logging for any genuine attacks against you using that service.

Perhaps, as with Samba's client utils, a command-line option could be added to
openssh's client to specify the use of a null password? That way, you don't
have to worry about prompts when the connection is scripted, and you get
around the logging issue as well.

-Steve Langasek
postmodern programmer