忘记密码   免费注册 查看新帖 | 论坛精华区

ChinaUnix.net

  平台 论坛 博客 认证专区 大话IT HPC论坛 徽章 文库 沙龙 自测 下载 频道自动化运维 虚拟化 储存备份 C/C++ PHP MySQL 嵌入式 Linux系统
12345下一页
最近访问板块 发新帖
查看: 16730 | 回复: 42

SSH maxauthtries参数不生效!! [复制链接]

论坛徽章:
0
发表于 2010-01-28 12:27 |显示全部楼层
10可用积分
已试过N次了! 就是不生效(maxauthtries不论改成何值,每次都最多可尝试三次提示符连接)!! 系统也都重启过!

#
# pkginfo -l SUNWsshdr
   PKGINST:  SUNWsshdr
      NAME:  SSH Server, (Root)
  CATEGORY:  system
      ARCH:  sparc
   VERSION:  11.9.0,REV=2002.04.06.15.27
   BASEDIR:  /
    VENDOR:  Sun Microsystems, Inc.
      DESC:  Secure Shell protocol Server
    PSTAMP:  crash20020406153754
  INSTDATE:  Nov 10 2004 13:35
   HOTLINE:  Please contact your local service provider
    STATUS:  completely installed
     FILES:       15 installed pathnames
                   8 shared pathnames
                   5 linked files
                   8 directories
                   1 executables
                  13 blocks used (approx)
#
#
# pkginfo -l SUNWsshdu
   PKGINST:  SUNWsshdu
      NAME:  SSH Server, (Usr)
  CATEGORY:  system
      ARCH:  sparc
   VERSION:  11.9.0,REV=2002.04.06.15.27
   BASEDIR:  /
    VENDOR:  Sun Microsystems, Inc.
      DESC:  Secure Shell protocol Server
    PSTAMP:  leo20040714125614
  INSTDATE:  Nov 10 2004 14:10
   HOTLINE:  Please contact your local service provider
    STATUS:  completely installed
     FILES:        5 installed pathnames
                   3 shared pathnames
                   3 directories
                   2 executables
                1441 blocks used (approx)
#
#
# uname -a
SunOS itsvr1 5.9 Generic_117171-08 sun4u sparc SUNW,Sun-Fire-480R
#
#
# more /etc/ssh/sshd_config
# Copyright (c) 2001 by Sun Microsystems, Inc.
# All rights reserved.
#
# ident "@(#)sshd_config        1.3     01/10/08 SMI"
#
# Configuration file for sshd(1m)

# Protocol versions supported
#
# The sshd shipped in this release of Solaris has support for major versions
# 1 and 2.  It is recommended due to security weaknesses in the v1 protocol
# that sites run only v2 if possible. Support for v1 is provided to help sites
# with existing ssh v1 clients/servers to transition.
# Support for v1 may not be available in a future release of Solaris.
#
# To enable support for v1 an RSA1 key must be created with ssh-keygen(1).
# RSA and DSA keys for protocol v2 are created by /etc/init.d/sshd if they
# do not already exist, RSA1 keys for protocol v1 are not automatically created.

# Uncomment ONLY ONE of the following Protocol statements.

# Only v2 (recommended)
Protocol 2

# Both v1 and v2 (not recommended)
#Protocol 2,1

# Only v1 (not recommended)
#Protocol 1

# Listen port (the IANA registered port number for ssh is 22)
Port 22

# The default listen address is all interfaces, this may need to be changed
# if you wish to restrict the interfaces sshd listens on for a multi homed host.
# Multiple ListenAddress entries are allowed.

# IPv4 only
#ListenAddress 0.0.0.0
# IPv4 & IPv6
ListenAddress ::

# Port forwarding
AllowTcpForwarding no

# If port forwarding is enabled, specify if the server can bind to INADDR_ANY.
# This allows the local port forwarding to work when connections are received
# from any remote host.
GatewayPorts no

# X11 tunneling options
X11Forwarding no
X11DisplayOffset 10

# The maximum number of concurrent unauthenticated connections to sshd.
# start:rate:full see sshd(1) for more information.
# The default is 10 unauthenticated clients.
#MaxStartups 10:30:60

# Banner to be printed before authentication starts.
#Banner /etc/issue

# Should sshd print the /etc/motd file and check for mail.
# On Solaris it is assumed that the login shell will do these (eg /etc/profile).
PrintMotd no
CheckMail no

# KeepAlive specifies whether keep alive messages are sent to the client.
# See sshd(1) for detailed description of what this means.
# Note that the client may also be sending keep alive messages to the server.
KeepAlive yes

# Syslog facility and level
SyslogFacility auth
LogLevel info

#
# Authentication configuration
#

# Host private key files
# Must be on a local disk and readable only by the root user (root:sys 600).
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key

# Default Encryption algorithms and Message Authentication codes
Ciphers aes128-cbc,blowfish-cbc,3des-cbc
MACS    hmac-sha1,hmac-md5

# Length of the server key
# Default 768, Minimum 512
ServerKeyBits 768

# sshd regenerates the key every KeyRegenerationInterval seconds.
# The key is never stored anywhere except the memory of sshd.
# The default is 1 hour (3600 seconds).
KeyRegenerationInterval 3600

# Ensure secure permissions on users .ssh directory.
StrictModes yes

# Length of time in seconds before a client that hasn't completed
# authentication is disconnected.
# Default is 600 seconds. 0 means no time limit.
LoginGraceTime 600

# Maximum number of retries for authentication
# Default is 6. Default (if unset) for MaxAuthTriesLog is MaxAuthTries / 2
MaxAuthTries    12      
MaxAuthTriesLog 6

# Are logins to accounts with empty passwords allowed.
# If PermitEmptyPasswords is no, pass PAM_DISALLOW_NULL_AUTHTOK
# to pam_authenticate(3PAM).
PermitEmptyPasswords no

# To disable tunneled clear text passwords, change PasswordAuthentication to no.
PasswordAuthentication yes

# Use PAM via keyboard interactive method for authentication.
# Depending on the setup of pam.conf(4) this may allow tunneled clear text
# passwords even when PasswordAuthentication is set to no. This is dependent
# on what the individual modules request and is out of the control of sshd
# or the protocol.
PAMAuthenticationViaKBDInt yes

# Are root logins permitted using sshd.
# Note that sshd uses pam_authenticate(3PAM) so the root (or any other) user
# maybe denied access by a PAM module regardless of this setting.
# Valid options are yes, without-password, no.
# PermitRootLogin no
  PermitRootLogin yes

# sftp subsystem
Subsystem       sftp    /usr/lib/ssh/sftp-server


# SSH protocol v1 specific options
#
# The following options only apply to the v1 protocol and provide
# some form of backwards compatibility with the very weak security
# of /usr/bin/rsh.  Their use is not recommended and the functionality
# will be removed when support for v1 protocol is removed.

# Should sshd use .rhosts and .shosts for password less authentication.
IgnoreRhosts yes
RhostsAuthentication no

# Rhosts RSA Authentication
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts.
# If the user on the client side is not root then this won't work on
# Solaris since /usr/bin/ssh is not installed setuid.
RhostsRSAAuthentication no

# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication.
#IgnoreUserKnownHosts yes

# Is pure RSA authentication allowed.
# Default is yes
RSAAuthentication yes
#
#



#
#
# ssh ittest@itsvr1
ittest@itsvr1's password:
Permission denied, please try again.
ittest@itsvr1's password:
Permission denied, please try again.
ittest@itsvr1's password:
Unable to find an authentication method
#
#

[ 本帖最后由 lylklb 于 2010-1-28 12:28 编辑 ]

论坛徽章:
0
发表于 2010-01-28 12:47 |显示全部楼层

回复 #1 lylklb 的帖子

论坛徽章:
0
发表于 2010-01-29 09:00 |显示全部楼层
此问题困惑了我很久了! 但一直没有什么进展!!
我曾调试过系统基于telnet方式下的/etc/default/login文件中的RETRIES参数值是成功生效的!
显然,问题应该还是出在ssh上! 那个MaxAuthTries参数值就是不生效!

真的希望哪个高人能指点下啊!!

论坛徽章:
0
发表于 2010-02-01 23:23 |显示全部楼层
急切等待有高人相助啊 !!!    如果觉得悬赏积分不够的话,  也可以提供有偿现金回报!!

论坛徽章:
0
发表于 2010-02-02 00:06 |显示全部楼层
怪了哦

论坛徽章:
0
发表于 2010-02-02 00:12 |显示全部楼层
难道是系统级的在其他地方还有做限制/

论坛徽章:
0
发表于 2010-02-02 00:19 |显示全部楼层
本帖最后由 yuhuohu 于 2010-02-02 00:22 编辑

貌似ssh在提示输入密码时已经进行过数次密钥验证尝试了,lz可用ssh -v(具体是不是这个参数请看man)开启ssh连接的debug模式来查看详细的过程,注意数一数消息中的next auth method之类的信息出现的次数,再和你设置的maxauthtries的次数对一对

我觉得如果把maxauthtries设置大些,比如20应该会让你多输入几次密码吧

论坛徽章:
0
发表于 2010-02-03 15:53 |显示全部楼层
lz去哪了?

论坛徽章:
0
发表于 2010-02-03 19:47 |显示全部楼层
TO  7F  yuhuohu:

   其实,  我已不仅把ssh都调到 -vvv最高模式,  且同时仅开启保留了PasswordAuthentication模式(即已停用PubkeyAuthentication和ChallengeResponseAuthentication模式) ,  所以并不存在next auth method之类信息的计数问题! (这其中也包括将maxauthtries调到20, 与其他相对低值的-vvv输出也都同样无区别!!)

论坛徽章:
0
发表于 2010-02-03 20:49 |显示全部楼层
这么奇怪啊 lz能把ssh -v的输出帖来看看吗
您需要登录后才可以回帖 登录 | 注册

本版积分规则

  

北京盛拓优讯信息技术有限公司. 版权所有 京ICP备16024965号 北京市公安局海淀分局网监中心备案编号:11010802020122
广播电视节目制作经营许可证(京) 字第1234号 中国互联网协会会员  联系我们:
感谢所有关心和支持过ChinaUnix的朋友们 转载本站内容请注明原作者名及出处

清除 Cookies - ChinaUnix - Archiver - WAP - TOP