ChinaUnix forum
Thread starter: lylklb

SSH MaxAuthTries parameter not taking effect!!

#21, posted 2010-03-05 10:13
Setting only the sshd login attempt count is not enough; the ssh client also needs to be configured, otherwise the ssh client sends a disconnect after three failures.

See the following test:

more sshd_config
# Maximum number of retries for authentication
# Default is 6. Default (if unset) for MaxAuthTriesLog is MaxAuthTries / 2
MaxAuthTries    9
MaxAuthTriesLog 6


root@sun880-1 # ssh -l root 10.110.157.120
Password:
Password:
Password:
Permission denied (gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive).
root@sun880-1 #


root@sun880-1 # ssh -o NumberOfPasswordPrompts=8 -l root 10.110.157.120
Password:
Password:
Password:
Password:
Password:
Password:
Permission denied (gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive).




root@sun880-1 # vi ssh_config
"ssh_config" 31 lines, 861 characters
# Copyright (c) 2001 by Sun Microsystems, Inc.
# All rights reserved.
#
# ident "@(#)ssh_config 1.2     01/10/08 SMI"
#
# This file provides defaults for ssh(1).
# The values can be changed in per-user configuration files $HOME/.ssh/config
# or on the command line of ssh(1).

# Configuration data is parsed as follows:
#  1. command line options
#  2. user-specific file
#  3. system-wide file /etc/ssh/ssh_config
#
# Any configuration value is only changed the first time it is set.
# host-specific definitions should be at the beginning of the
# configuration file, and defaults at the end.

# Example (matches compiled in defaults):
#
# Host *
#   ForwardAgent no
#   ForwardX11 no
#   PubkeyAuthentication yes
#   PasswordAuthentication yes
#   FallBackToRsh no
#   UseRsh no
#   BatchMode no
#   CheckHostIP yes
#   StrictHostKeyChecking ask
#   EscapeChar ~
NumberOfPasswordPrompts 8

"ssh_config" 33 lines, 888 characters
root@sun880-1 # ssh -l root 10.110.157.120
Password:
Password:
Password:
Password:
Password:
Password:
Permission denied (gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive).

#22, posted 2010-03-07 13:17
Quoting doging (2010-03-05 10:13):
    Setting only the sshd login attempt count is not enough; the ssh client also needs to be configured, otherwise the ssh client sends a disconnect after three failures.
    See ...

I guess this is the root of the problem. Well done, doging.

#23, posted 2010-03-08 18:43
Last edited by lylklb on 2010-03-08 19:03

To doging:

   Thank you very much!
   I followed your method and ran the tests below. The difference from before is that it now gets past the client's original default of three attempts, but it still stops at the server side's default of six!! (Even though I have already restarted the sshd daemon with MaxAuthTries set to 20!!)

sunv480-1 #
sunv480-1 # vi ssh_config      
"ssh_config" 33 lines, 900 characters
# Copyright (c) 2001 by Sun Microsystems, Inc.
# All rights reserved.
#
# ident "@(#)ssh_config 1.2     01/10/08 SMI"
#
# This file provides defaults for ssh(1).
# The values can be changed in per-user configuration files $HOME/.ssh/config
# or on the command line of ssh(1).

# Configuration data is parsed as follows:
#  1. command line options
#  2. user-specific file
#  3. system-wide file /etc/ssh/ssh_config
#
# Any configuration value is only changed the first time it is set.
# host-specific definitions should be at the beginning of the
# configuration file, and defaults at the end.

# Example (matches compiled in defaults):
#
# Host *
#   ForwardAgent no
#   ForwardX11 no
PubkeyAuthentication no
#   PasswordAuthentication yes
#   FallBackToRsh no
#   UseRsh no
#   BatchMode no
#   CheckHostIP yes
#   StrictHostKeyChecking ask
#   EscapeChar ~
NumberOfPasswordPrompts 15
"ssh_config" 32 lines, 883 characters
sunv480-1 #
sunv480-1 #
sunv480-1 # ssh user2@sunv480-2
user2@sunv480-2's password:
Permission denied, please try again.
user2@sunv480-2's password:
Permission denied, please try again.
user2@sunv480-2's password:
Permission denied, please try again.
user2@sunv480-2's password:
Permission denied, please try again.
user2@sunv480-2's password:
Permission denied, please try again.
user2@sunv480-2's password:
Received disconnect: 2: too many failed userauth_requests
sunv480-1 #
sunv480-1 #
sunv480-1 #
sunv480-1 # ssh -o NumberOfPasswordPrompts=15 user2@sunv480-2
user2@sunv480-2's password:
Permission denied, please try again.
user2@sunv480-2's password:
Permission denied, please try again.
user2@sunv480-2's password:
Permission denied, please try again.
user2@sunv480-2's password:
Permission denied, please try again.
user2@sunv480-2's password:
Permission denied, please try again.
user2@sunv480-2's password:
Received disconnect: 2: too many failed userauth_requests
sunv480-1 #
sunv480-1 #

Note: In the final round of testing I found that the client's NumberOfPasswordPrompts takes effect only when MaxAuthTries in sshd_config is set to ≤6! When MaxAuthTries is set to >6, the value the client's NumberOfPasswordPrompts actually gets stays stuck at 6!! Why is that!?

#24, posted 2010-03-08 22:23
Quoting lylklb (2010-03-08 18:43):
    To doging:

    Thank you very much!
    I followed your method and ran the tests below. The difference from before is that it now gets past the client's original default of three ...

Oh no, what, what... yet another new problem. I admire the OP's diligence; waiting for the next expert to turn up.

#25, posted 2010-03-09 09:58
Edit /etc/default/login and restart the sshd process:
RETRIES=50

Hahahaha

# cd /etc/default
# vi login
"login" [Read only] 77 lines, 2262 characters
.............................
..........................
# RETRIES determines the number of failed logins that will be
# allowed before login exits. Default is 5 and maximum is 15.
# If account locking is configured (user_attr(4)/policy.conf(4))
# for a local user's account (passwd(4)/shadow(4)), that account
# will be locked if failed logins equals or exceeds RETRIES.
#
RETRIES=50
#
# The SYSLOG_FAILED_LOGINS variable is used to determine how many failed
# login attempts will be allowed by the system before a failed login
# message is logged, using the syslog(3) LOG_NOTICE facility.  For example,
# if the variable is set to 0, login will log -all- failed login attempts.
#
#SYSLOG_FAILED_LOGINS=5
"login" 77 lines, 2262 characters


root@sun880-2 # ssh -o NumberOfPasswordPrompts=15 -l root 10.110.157.120
Password:
Password:
Password:
Password:
Password:
Password:
Password:
Password:
Password:
Password:
Password:
Password:
Password:
Password:
Password:
Permission denied (gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive).
root@sun880-2 #
root@sun880-2 #

#26, posted 2010-03-09 16:13
I have done exactly what you described, but the result is still no effect! Actually, I have always believed that the RETRIES value in /etc/default/login applies only to telnet logins to the system, and when tested over telnet, every change to this parameter has taken effect every time! But in actual testing it has no effect on sshd!! So the crux of the problem is still this: why does NumberOfPasswordPrompts in ssh_config only take effect when MaxAuthTries in sshd_config is set to ≤6!?

root@sunv480-2 #
root@sunv480-2 # date
Tue Mar  9 15:47:56 CST 2010
root@sunv480-2 #
root@sunv480-2 #
root@sunv480-2 # ps -ef|grep sshd
    root 24682     1  0 15:47:17 ?        0:00 /usr/lib/ssh/sshd
    root 24992 24700  0 15:48:00 pts/3    0:00 grep sshd
    root 24698 24682  0 15:47:39 ?        0:00 /usr/lib/ssh/sshd
root@sunv480-2 #
root@sunv480-2 #
root@sunv480-2 #
root@sunv480-2 # ps -ef|grep sshd
    root 24682     1  0 15:47:17 ?        0:00 /usr/lib/ssh/sshd
    root 24698 24682  0 15:47:39 ?        0:00 /usr/lib/ssh/sshd
root@sunv480-2 #
root@sunv480-2 #
root@sunv480-2 # cd /etc/ssh               
root@sunv480-2 #
root@sunv480-2 # ls -l sshd_config
-rw-r--r--   1 root     sys         5128 Mar  9 14:22 sshd_config
root@sunv480-2 #
root@sunv480-2 # ls -l /etc/default/login
-rw-r--r--   1 root     other       2015 Mar  9 14:58 /etc/default/login
root@sunv480-2 #      
root@sunv480-2 # grep -i maxauth sshd_config
# Default is 6. Default (if unset) for MaxAuthTriesLog is MaxAuthTries / 2
MaxAuthTries   11      
root@sunv480-2 #  
root@sunv480-2 #
root@sunv480-2 # ls -l ssh_config  
-rw-r--r--   1 root     sys          883 Mar  8 17:15 ssh_config
root@sunv480-2 #
root@sunv480-2 #
root@sunv480-2 # tail -5 ssh_config
#   BatchMode no
#   CheckHostIP yes
#   StrictHostKeyChecking ask
#   EscapeChar ~
NumberOfPasswordPrompts 15
root@sunv480-2 #
root@sunv480-2 #
root@sunv480-2 # grep -i retrie /etc/default/login
# login will wait after RETRIES failed attempts or the PAM framework returns
# RETRIES determines the number of failed logins that will be
RETRIES=50
root@sunv480-2 #
root@sunv480-2 #
root@sunv480-2 # ps -ef|grep sshd                 
    root 24682     1  0 15:47:17 ?        0:00 /usr/lib/ssh/sshd
    root 25061 24700  0 15:49:29 pts/3    0:00 grep sshd
    root 24698 24682  0 15:47:39 ?        0:00 /usr/lib/ssh/sshd
root@sunv480-2 #
root@sunv480-2 #
root@sunv480-2 #  
root@sunv480-2 #
root@sunv480-2 # ssh user2@sunv480-2
user2@sunv480-2's password:
Permission denied, please try again.
user2@sunv480-2's password:
Permission denied, please try again.
user2@sunv480-2's password:
Permission denied, please try again.
user2@sunv480-2's password:
Permission denied, please try again.
user2@sunv480-2's password:
Permission denied, please try again.
user2@sunv480-2's password:
Received disconnect: 2: too many failed userauth_requests
root@sunv480-2 #
root@sunv480-2 #
root@sunv480-2 # ssh user2@sunv480-2
user2@sunv480-2's password:
Permission denied, please try again.
user2@sunv480-2's password:
Permission denied, please try again.
user2@sunv480-2's password:
Permission denied, please try again.
user2@sunv480-2's password:
Permission denied, please try again.
user2@sunv480-2's password:
Permission denied, please try again.
user2@sunv480-2's password:
Received disconnect: 2: too many failed userauth_requests
root@sunv480-2 #
root@sunv480-2 #

#27, posted 2010-03-09 16:56
Did you restart the sshd process after changing /etc/default/login?

svcadm restart ssh

#28, posted 2010-03-09 17:25
1. First method:
#/etc/rc2.d/K03sshd stop
#/etc/rc3.d/S89sshd start

2. Second method:
#/etc/rc3.d/S89sshd restart

3. Third method:
#kill -9 <All_sshd_processes>
#/etc/rc3.d/S89sshd start

The only thing left is rebooting the system!! It's a production system; it cannot be rebooted except in an emergency!!

#29, posted 2010-03-10 11:26
Take a look at my systems:

root@blade150-a # more sshd_config |grep Max
#MaxStartups 10:30:60
# Maximum number of retries for authentication
# Default is 6. Default (if unset) for MaxAuthTriesLog is MaxAuthTries / 2
MaxAuthTries    30
MaxAuthTriesLog 6
root@blade150-a # more /etc/default/login |grep RETRIES
# login will wait after RETRIES failed attempts or the PAM framework returns
# RETRIES determines the number of failed logins that will be
# will be locked if failed logins equals or exceeds RETRIES.
RETRIES=30
root@blade150-a #





root@sun880-1 # more ssh_config |grep Number
NumberOfPasswordPrompts 30


root@sun880-1 # more /etc/default/login|grep RETRIES
# login will wait after RETRIES failed attempts or the PAM framework returns
# RETRIES determines the number of failed logins that will be
# will be locked if failed logins equals or exceeds RETRIES.
#RETRIES=5
root@sun880-1 # ssh -l root 10.110.157.120
Password:
Password:
Password:
Password:
Password:
Password:
Password:
Password:
Password:
Password:
Password:
Password:
Password:
Password:
Password:
Password:
Password:
Password:
Password:
Password:
Password:
Password:
Password:
Password:
Password:
Password:
Password:
Password:
Password:
Password:
Permission denied (gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive).

#30, posted 2010-03-10 11:30
On the server side, change sshd_config and login.
On the client side, change ssh_config.

Don't edit the wrong one.
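As an added example (not code from any poster in this thread), the following POSIX shell audit script reads the three settings the thread ends up juggling: MaxAuthTries in sshd_config and NumberOfPasswordPrompts in ssh_config (post 21), and RETRIES in /etc/default/login (posts 25 and 29). It skips commented-out lines such as the `#RETRIES=5` shown above, reports the three values side by side with the ceiling min(NumberOfPasswordPrompts, MaxAuthTries), which every test in the thread respects, and flags the two mismatches the thread ran into. The sample files, the defaults it falls back to (6, 3 and 5, taken from the file comments quoted above and from post 21's "three failures"), the function names and the `AWK` variable are this example's own assumptions; the RETRIES warning encodes the thread's observation that the one configuration shown working (post 29) raised both MaxAuthTries and RETRIES to 30, not a documented rule. From a hardening standpoint the same audit is more often run the other way round, to confirm that nobody has quietly raised these limits on an exposed host.

```shell
#!/bin/sh
# Added audit helper, not code from the thread. It reads the three settings the
# thread shows interacting on a Solaris host and reports them together:
#   server  sshd_config         MaxAuthTries            (default 6, per the file comment)
#   client  ssh_config          NumberOfPasswordPrompts (default 3)
#   server  /etc/default/login  RETRIES                 (default 5, per the file comment)
# Solaris /usr/bin/awk has no tolower(); set AWK=nawk or AWK=/usr/xpg4/bin/awk there.
AWK=${AWK:-awk}

# config_value KEY FILE DEFAULT
# Prints the value from the first uncommented KEY line in FILE, or DEFAULT if
# there is none (or the file is missing). Handles both "Key value" (ssh files)
# and "KEY=value" (/etc/default/login). A line such as "#MaxAuthTries 6" is a
# comment and does not count; leaving the hash in place is the usual reason an
# edit "does not take effect".
config_value() {
    _key=$1; _file=$2; _default=$3
    _val=$($AWK -v k="$_key" '
        BEGIN { FS = "[ \t=]+" }
        { sub(/^[ \t]+/, "") }                        # strip indentation; $0 is re-split
        /^#/ || /^$/ { next }                         # comments and blank lines
        tolower($1) == tolower(k) { print $2; exit }  # first match wins, keys are case-insensitive
    ' "$_file" 2>/dev/null)
    if [ -n "$_val" ]; then echo "$_val"; else echo "$_default"; fi
}

# prompt_ceiling CLIENT_SSH_CONFIG SERVER_SSHD_CONFIG
# The most password prompts one connection can show: the client gives up after
# NumberOfPasswordPrompts and the server disconnects at MaxAuthTries, so the
# smaller of the two is a hard ceiling. The thread shows the real count can be
# lower still, so this is an upper bound, not a prediction.
prompt_ceiling() {
    _c=$(config_value NumberOfPasswordPrompts "$1" 3)
    _s=$(config_value MaxAuthTries "$2" 6)
    if [ "$_c" -lt "$_s" ]; then echo "$_c"; else echo "$_s"; fi
}

# audit_limits CLIENT_SSH_CONFIG SERVER_SSHD_CONFIG SERVER_LOGIN_DEFAULTS
# Prints the three values plus the ceiling. Exit status 1 flags the two
# mismatches seen in the thread: a client still at its default of 3, and a
# MaxAuthTries above 6 with RETRIES in /etc/default/login not raised to match
# (the one configuration shown working in the thread sets both to 30).
audit_limits() {
    _c=$(config_value NumberOfPasswordPrompts "$1" 3)
    _s=$(config_value MaxAuthTries "$2" 6)
    _r=$(config_value RETRIES "$3" 5)
    printf 'client NumberOfPasswordPrompts=%s  server MaxAuthTries=%s  login RETRIES=%s  ceiling=%s\n' \
        "$_c" "$_s" "$_r" "$(prompt_ceiling "$1" "$2")"
    _rc=0
    [ "$_c" -gt 3 ] || { echo "WARN: client stops after 3 prompts whatever the server allows"; _rc=1; }
    [ "$_s" -le 6 ] || [ "$_r" -ge "$_s" ] || { echo "WARN: MaxAuthTries=$_s but RETRIES=$_r; the thread raised both"; _rc=1; }
    return $_rc
}

# write_samples DIR: constructed sample files (not captures from real hosts)
# mirroring post 23, where MaxAuthTries was raised to 20 but RETRIES was left
# commented out.
write_samples() {
    cat > "$1/ssh_config" <<'EOF'
# Host *
#   NumberOfPasswordPrompts 3
NumberOfPasswordPrompts 15
EOF
    cat > "$1/sshd_config" <<'EOF'
# Default is 6. Default (if unset) for MaxAuthTriesLog is MaxAuthTries / 2
MaxAuthTries   20
MaxAuthTriesLog 6
EOF
    cat > "$1/login" <<'EOF'
# RETRIES determines the number of failed logins that will be
#RETRIES=5
EOF
}

# Stand-alone run: audit the constructed samples (ends with a WARN line).
_d=$(mktemp -d)
write_samples "$_d"
audit_limits "$_d/ssh_config" "$_d/sshd_config" "$_d/login" || :
rm -rf "$_d"
```

Point the three arguments of `audit_limits` at the real files on the client and server (the client and server files live on different hosts, so copy one side over first). A non-zero exit status means the values do not line up the way the thread's working configuration did, not that the limit is wrong for your environment.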