On Sun, Mar 19, 2017 at 11:47 PM, Lars Noodén <[email protected]> wrote:
> Looking at a recent snapshot, see dmesg at the bottom, I have two
> questions about OpenSSH logging.
>
> 1) The entry in sshd_config(5) for MaxAuthTries states the following
> about log entries:
>
> ... Once the number of failures reaches half this
> value, additional failures are logged. The default is 6.
>
> Yet the logging of failures seems to occur these days from the very first
> try.
> Has this behavior changed?

No, but it's always logged password attempts regardless of whether or
not you've got to MaxAuthTries/2:

    $ cvs annotate auth.c | grep -C2 max_auth
    Annotations for auth.c
    ***************
    1.13 (markus 18-Jan-01): if (authenticated == 1 ||
    1.13 (markus 18-Jan-01): !authctxt->valid ||
    1.54 (dtucker 23-May-04): authctxt->failures >= options.max_authtries / 2 ||
    1.13 (markus 18-Jan-01): strcmp(method, "password") == 0)
    1.47 (itojun 08-Apr-03): authlog = logit;

> 2) The client gets disconnected before MaxAuthTries is reached. If I
> have it set to 6, I get only 5 tries:

Your log level isn't high enough to see it, but I suspect you have a
failed pubkey attempt before the password attempts. You should be
able to see it if you add "-vvv" to the command line.
[...]
> Is there any way to get the full number of MaxAuthTries log in attempts?
Assuming my guess above is correct, PreferredAuthentications=password
--
Darren Tucker (dtucker at zip.com.au)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA (new)
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
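
The two answers above, combined in an added example (not part of the original message and not OpenSSH source): a simplified model that replays failed attempts against the annotated auth.c condition to show how many password tries remain and which failures reach the default log level. The struct, the function names and the counting rule (each failed attempt adds one to failures after the logging decision, and the server disconnects once failures reaches MaxAuthTries) are assumptions of the model.

```c
#include <stdio.h>
#include <string.h>

/* Simplified stand-in (assumption) for sshd's per-connection auth state. */
struct authctxt { int valid; int failures; };

/* Same condition as the annotated auth.c lines: 1 means the attempt is
 * logged with logit (default level), 0 means verbose level only. */
static int logged_by_default(const struct authctxt *a, int authenticated,
                             const char *method, int max_authtries)
{
    return authenticated == 1 || !a->valid ||
           a->failures >= max_authtries / 2 ||
           strcmp(method, "password") == 0;
}

struct result { int password_tries; int visible; int hidden; };

/* Replay n_pubkey failing publickey attempts, then failing password
 * attempts until the model disconnects the client. */
struct result simulate(int max_authtries, int n_pubkey)
{
    struct authctxt a = { 1, 0 };          /* valid user, no failures yet */
    struct result r = { 0, 0, 0 };

    while (a.failures < max_authtries) {
        const char *method = n_pubkey > 0 ? "publickey" : "password";
        if (n_pubkey > 0)
            n_pubkey--;
        else
            r.password_tries++;
        if (logged_by_default(&a, 0, method, max_authtries))
            r.visible++;
        else
            r.hidden++;                    /* needs a higher LogLevel to see */
        a.failures++;                      /* counted after the log decision */
    }
    return r;
}

int main(void)
{
    struct result r = simulate(6, 1);      /* MaxAuthTries 6, one pubkey try */
    printf("password tries=%d visible=%d hidden=%d\n",
           r.password_tries, r.visible, r.hidden);
    return 0;
}
```

With PreferredAuthentications=password the client skips the publickey attempt, which corresponds to simulate(6, 0) in this model.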