Ssh – pam_tally2 or pam_faillock account lockout with ssh

pamredhatssh

I'm running RHEL 6.2. Most users will be using SSH to login using passwords. Some might have keys. All accounts are local.

I need to lock users out after N failed password logins.

The examples in man pam_tally2 and pam_faillock do not lock a user using ssh out. The pam_tally2 example can lock a telnet (I enabled to test) login & subsequently will lock an ssh user out. ssh cannot trigger it.

/etc/ssh/sshd_config has:

PasswordAuthentication yes # setting to no doesn't allow login with a password!
UsePAM yes
UseLogin no # setting to yes doesn't allow putty logins

Man page examples should work on an unaltered system.

Best Answer

If you enable PasswordAuthentication then the SSH daemon handles passwords itself and not using PAM. You actually want to disable this in order to force it to use PAM:

PasswordAuthentication no
UsePAM yes
ChallengeResponseAuthentication yes

That won't catch users using keys however (although personally I think that's fine). If you do you'll probably have to use something like fail2ban which looks for authentication failures in the logs and adds iptables rules to block future attempts.

Related Solutions

SSH-Key Login – Requiring from Specific IP Ranges

Not sure how PAM would need to fit into this. With a recent version of SSH (like what is available on 8.04) it should be as easy as using a Match blocks for the address space you wish to allow.

So your sshd_config should contain something like this.

# global option no password auth (keys only)
PasswordAuthentication no

# permit password from rfc1918
Match Address 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16
  PasswordAuthentication yes

Ssh – How to automate SSH login with password

Don't use a password. Generate a passphrase-less SSH key and push it to your VM.

If you already have an SSH key, you can skip this step… Just hit Enter for the key and both passphrases:

$ ssh-keygen -t rsa -b 2048
Generating public/private rsa key pair.
Enter file in which to save the key (/home/username/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/username/.ssh/id_rsa.
Your public key has been saved in /home/username/.ssh/id_rsa.pub.

Copy your keys to the target server:

$ ssh-copy-id id@server
id@server's password:

Now try logging into the machine, with ssh 'id@server', and check-in:

.ssh/authorized_keys

Note: If you don't have .ssh dir and authorized_keys file, you need to create it first

to make sure we haven’t added extra keys that you weren’t expecting.

Finally, check to log in…

$ ssh id@server

id@server:~$

You may also want to look into using ssh-agent if you want to try keeping your keys protected with a passphrase.

Best Answer

Related Solutions

SSH-Key Login – Requiring from Specific IP Ranges

Ssh – How to automate SSH login with password

Related Topic