Hi,
First let me thank you for all the excellent work with OpenSSH!
Bug-Description (for AIX only - current release 4.3.3):
During password-authentication if a user enters a wrong
password, the failed attempt is not at all recorded in
/etc/security/lastlog, although the loginfailed()
subroutine in auth1.c is supposed to do that.
Suggestion:
In AIX the loginfailed() subroutine should be called
if and only if
the user enters a wrong password:
From 'man loginfailed':
..."A login failure audit record is cut to indicate that
an unsuccessful login attempt occurred. A utmp entry
is appended to /etc/security/failedlogin file,
which tracks all failed login attempts." ...
So it seems that in auth1.c the loginfailed() subroutine
is in the wrong place. It should be immediately after
the password-authentication.
Bug-Fix:
The following fix works for us:
------------------------------------------------------------------------
diff auth-passwd.c.orig auth-passwd.c
151c151,160
< return (authenticate(pw->pw_name,password,&reenter,&authmsg) == 0);
---
> { int iau;
> iau = (authenticate(pw->pw_name,password,&reenter,&authmsg) == 0);
> debug("auth-passwd (FZJ-authenticate): rc: %d msg: %s", iau,
authmsg);
> if (iau)
> return 1;
> loginfailed(authctxt->user,
> get_canonical_hostname(options.reverse_mapping_check),
> "ssh");
> return 0;
> }
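Review bot: The added debug() call passes authmsg to a %s conversion without checking that authenticate() actually set it, and nothing in the new block releases it afterwards; guard the print (for example `authmsg ? authmsg : ""`) and, if authenticate() allocates the message, free it before both returns. The continuation line "authmsg);" has lost its ">" marker to mail wrapping, so the diff will not apply as posted; resend it unwrapped, preferably as a unified diff with context. The block also uses authctxt and options, which this hunk does not show to be in scope at line 151 of auth-passwd.c, and it leaves the existing loginfailed() call in auth1.c untouched, so a failed password could be counted twice if that call is ever reached; removing or guarding the auth1.c call belongs in the same patch. Finally, reenter is passed to authenticate() but never examined, so every non-zero result is recorded as a failed login.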
-------------------------------------------------------------------------
Many thanks for your attention and best regards from Germany
Klaus
--
Klaus Wolkersdorfer ([EMAIL PROTECTED])
Zentralinstitut fuer Angewandte Mathematik (ZAM) Tel: +49-2461-61-6579
John von Neumann - Institute for Computing (NIC) Fax: -6656
Forschungszentrum Juelich GmbH, D-52425 Juelich, Germany
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]