On 05 Sep 2003 16:30:03 -0500
Bret Hughes <[EMAIL PROTECTED]> wrote:

> On Fri, 2003-09-05 at 13:10, Peter Fleck wrote:
> > Hi,
> > 
> > Following are two entries from our /var/log/messages file and I'm 
> > wondering about the 'authentication failure' part. This seems to 
> > happen with every login, at least remote, although the user logs in 
> > normally with no problem. Can we change some setting to make this go 
> > away?
> > 
> > Thanks.
> 
> As far as I know the only way is to either downgrade the sshd rpm from
> the latest released by redhat or install the one from openssh.org.
> 
> There are a couple of bugs at bugzilla.redhat.com regarding this but the
> guy responsible does not seem to care about false failure messages.  I
> found that unacceptable and installed the openssh rpms on some of my
> machines and left the old rpm in place on others.  I forget the RH
> versions that made it hard to do the openssh stuff.
> 
> Since I only pay for one copy of rh each release and then run it
> (significantly customized) on about 45 machines I did not feel like I
> had the right to try and escalate the issue past the guy that maintains
> the rpm.  Sort of pissed a few folks off though. 
> 
> I think it is a function of how many people actually look at the logs
> and complain, not many I guess.
> 
> If there is a fix as well as stopping the login delay on successful
> logins (where is the information leakage there?) I would like to know
> about it since I really like to keep the installation on my 4 servers as
> stock as possible.
> 

Hey Bret,

You can add the "nodelay" option in /etc/pam.d/system-auth:

auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nodelay

I do have a one line source change that removes the need for 
the above, has zero information leak, and still presents a delay if 
someone types a password incorrectly.  The patch makes the
sshd_config option "PermitEmptyPasswords" more meaningful when
set to "no" (i.e. sshd no longer asks pam if the user can log in without
a password).  Nobody seems interested in the patch upstream though.
If you'd like an updated RPM let me know.

Cheers,
Sean


-- 
redhat-list mailing list
unsubscribe mailto:[EMAIL PROTECTED]
https://www.redhat.com/mailman/listinfo/redhat-list
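
A log-triage sketch for the behaviour discussed in this thread, added here as an example and not code from either poster or from OpenSSH: it pairs each pam_unix "authentication failure" entry with a following sshd "Accepted" entry for the same user, so the one failure that accompanies every successful login is set apart from failures worth reviewing. The log line format, the host and user names, the 30-second window and the name `classify` are assumptions, and the sample lines are constructed.

```python
import re
from datetime import datetime, timedelta

# Constructed sample; the line format is an assumption, not taken from the thread.
SAMPLE_LOG = """\
Sep  5 13:02:11 web1 sshd(pam_unix)[2101]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=client.example.org  user=alice
Sep  5 13:02:14 web1 sshd[2101]: Accepted password for alice from 192.0.2.10 port 40122 ssh2
Sep  5 13:40:52 web1 sshd(pam_unix)[2188]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=client.example.org  user=bob
Sep  5 13:40:58 web1 sshd(pam_unix)[2188]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=client.example.org  user=bob
Sep  5 13:41:03 web1 sshd[2188]: Accepted password for bob from 192.0.2.10 port 40377 ssh2
Sep  5 14:15:40 web1 sshd(pam_unix)[2240]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=client.example.org  user=carol
"""

STAMP = r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ "
FAIL = re.compile(STAMP + r"sshd\(pam_unix\)\[\d+\]: authentication failure;.*\buser=(\S+)")
ACCEPT = re.compile(STAMP + r"sshd\[\d+\]: Accepted \S+ for (\S+) from ")

def _ts(stamp, year):
    # syslog timestamps carry no year, so the caller supplies one
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")

def classify(log_text, window=timedelta(seconds=30), year=2003):
    """Return (spurious, review): lists of (timestamp, user) failure events."""
    pending = {}                      # user -> failures not yet matched to a login
    spurious, review = [], []
    for line in log_text.splitlines():
        m = FAIL.match(line)
        if m:
            pending.setdefault(m.group(2), []).append(_ts(m.group(1), year))
            continue
        m = ACCEPT.match(line)
        if not m:
            continue
        when, user = _ts(m.group(1), year), m.group(2)
        fails = pending.pop(user, [])
        recent = [t for t in fails if when - t <= window]
        if recent:
            # One failure per successful login is treated as the false entry;
            # any further failure before the login is a real failed attempt.
            fails.remove(recent[0])
            spurious.append((recent[0], user))
        review += [(t, user) for t in fails]
    for user, fails in pending.items():   # failures never followed by a login
        review += [(t, user) for t in fails]
    return spurious, review

if __name__ == "__main__":
    for label, events in zip(("spurious", "review"), classify(SAMPLE_LOG)):
        print(label, [(t.strftime("%H:%M:%S"), u) for t, u in events])
```
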
