Ubuntu – pam service(sshd) ignoring max retries

pamsshUbuntu

I have vps that I use to run a webserver on, it currently runs ubuntu server 12.04. Since a few weeks I keep getting a lot of errors in my ssh console.

2014 Apr 11 08:41:18 vps847 PAM service(sshd) ignoring max retries; 6 > 3
2014 Apr 11 08:41:21 vps847 PAM service(sshd) ignoring max retries; 6 > 3
2014 Apr 11 08:41:24 vps847 PAM service(sshd) ignoring max retries; 6 > 3
2014 Apr 11 08:41:25 vps847 PAM service(sshd) ignoring max retries; 6 > 3
2014 Apr 11 08:41:26 vps847 PAM service(sshd) ignoring max retries; 6 > 3
2014 Apr 11 08:41:29 vps847 PAM service(sshd) ignoring max retries; 6 > 3
2014 Apr 11 08:41:29 vps847 PAM service(sshd) ignoring max retries; 6 > 3

Could someone please tell me what these errors mean. Or at least tell me how to disable these errors. It is realy anoying when I am working over ssh and these errors keep popping up all over my screen.

Best Answer

PAM is telling you that it is configured with "retry=3" and it will ignore any further auth requests from sshd within the same session. SSH however will continue trying until it exhausts MaxAuthTries setting (which defaults to 6).

You should probably set both of these (SSH and PAM) to same value for maximum auth retries.

Updated

To change this behaviour:

For sshd you edit /etc/ssh/sshd_config and set MaxAuthTries 3. Also restart SSH server for the setting to take effect.

For PAM, you have to look for configuration in /etc/pam.d directory (I think it's common-password file in Ubuntu), you have to change retry= value.

Note: I would strongy suggest to also check Peter Hommel's answer regarding the reason of these requests as it's possible your SSH is being brute-forced.

Related Solutions

Ssh – Multiple sshd instances using different PAM configurations

Unfortunately the service name chosen by the program is hard coded. You will most likely have to modify the sshd source and re-compile.

The reason they do this instead of just passing ARGV[0] as the service name is for security reasons. If the pam.d/file was chosen based off ARGV[0] (the program name) then at attacker could possibly symlink/hardlink/cp that program to a name of her choosing. One that had the least restrictions within it's associated pam.d/file.

Search the source for a string such as:

int pam_start(

===================

UPDATE:

auth-pam.h shows the servicename set to:

__progname

This means that you CAN just change the progname and it will look for a pam file of the new name. Not a good security practice and I am kinda surprised by this. Maybe someone knows something I don't..since the OpenBSD guys are a much smarter bunch than myself. :p

UPDATE 2:

Verified that PAM servicename is set to the basename by doing the following from the console:

cp sshd to sshd2:

[root@cent ~]# cp /usr/sbin/sshd /usr/sbin/sshd2

stop the current sshd and start the new one:

[root@cent ~]# /etc/init.d/sshd stop
[root@cent ~]# /usr/sbin/sshd2

Start strace on the new sshd and attempt an ssh login from another comp.

[root@cent ~]# strace -fp 5835 -e trace=open -o ssh_results&

Find which pam file:

[root@cent ~]# grep -i pam.d ssh_results 
6116  open("/etc/pam.d/sshd2", O_RDONLY|O_LARGEFILE) = -1 ENOENT (No such file or directory)

sshd2 (basename)

SSH – How to Check SSHD Log

If no one else is using the system at the moment you could do what i've done in such cases:

stop sshd service (at least i've been able to do this while logged in via ssh)
start sshd manually and add some -d options to get more verbose debug output. Unless you have something funky going on it should use the same keys and config it does when started properly

Best Answer

Related Solutions

Ssh – Multiple sshd instances using different PAM configurations

SSH – How to Check SSHD Log

Related Topic