Solaris 10
Unix account gets locked out when the auth failure field hits the specified maximum
auth failure field in /etc/shadow increments, regardless of securid authentication success or failure.
pamuser:*LK*$1$5w4mtZfr$HOdyBX4yo6OQr1texZNYr0:13503::::::5
Adding the following line to the pam.conf causes the sshd-none to be handled, which in turn stops the auth failure flag from incrementing.
sshd-none auth optional pam_deny.so.1
** This is a workaround only. The workaround appears to sole the problem but should be used with caution
Sun has published the following articles on their customer KB:
Bug ID: 5033461
Synopsis: default /etc/pam.conf should have entry for sshd-none with
pam_deny.so.1
Category: ssh
Subcategory: pam
State: 6-Fix Understood
Description:
The default system /etc/pam.conf should have an entry for sshd-none thus:
sshd-none auth required pam_deny.so.1
sshd-none account required pam_deny.so.1
sshd-none session requried pam_deny.so.1
sshd-none password required pam_deny.so.1
Bug ID: 6365483
Synopsis: Re-open of 4890177: sshd always increments /etc/shadow auth failure
field
Category: ssh
Subcategory: pam
State: 11-Closed
Description:
This is a reopen of bug 4890177: sshd always increments /etc/shadow auth
failure field
This problem (re-)appeared in Solaris 10 GA (s10_74L2a) using following
testcase:
1) on sshd server, /etc/security/policy.conf:
...
LOCK_AFTER_RETRIES=YES
CRYPT_DEFAULT=__unix__
CRYPT_ALGORITHMS_ALLOW=1,2a,md5
2) 2 users: user1 and user2
a)for each user:
# ssh-keygen -t dsa
b)copy ~/.ssh/id_dsa.pub of user1 to ~/.ssh/authorized_keys user2
(and vice versa)
# cat /etc/shadow
...
user2:DBBYb8C5v19YQ:13137::::::
3) as user1:
$ ssh user2@sshd_servername
$ uid=4002(user2) gid=1(other)
# cat /etc/shadow
...
user2:DBBYb8C5v19YQ:13137::::::1
Putting pam in debug more, we can see:
<omitted log file>
As one can see, the "none" auth method is always run with the empty string as
the password, and this is what is causing the counter to increment.
Date Modified: 2005-12-20 14:54:09 GMT+00:00
Work Around:
From the comments:> Add the following lines to /etc/pam.conf> sshd-none auth
required pam_deny.so.1> sshd-none account required pam_deny.so.1> sshd-none
session required pam_deny.so.1> *** (#1 of 2): 2005-12-20 08:55:03 CST
xxxx@sun.com
However, it should suffice to have:
sshd-none auth required pam_deny.so.1
Related Articles
RSA Authentication Manager 8.1 Hardware Appliance Getting Started (Dell) Number of Views RSA Authentication Manager 8.2 Hardware Appliance Getting Started Number of Views RSA Authentication Manager 8.1 Hardware Appliance Getting Started (Intel) Number of Views RSA Authentication Manager 8.6 Hardware Appliance Getting Started Number of Views RSA Authentication Manager 8.3 Dell Hardware Appliance Getting Started Number of Views
Trending Articles
How to Download OTP Token Seed Files from myRSA RSA Authentication Manager 8.7 SP2 Setup and Configuration Guide RSA MFA Agent 2.3.6 for Microsoft Windows Installation and Administration Guide Download RSA SecurID Access Cloud User Event audit logs using Cloud Administration REST API CLU RSA MFA Agent 2.5 for Microsoft Windows Installation and Administration Guide
