bin/141016: PAM checks in sshd too few?
O.Seibert at cs.ru.nl
Mon Nov 30 10:40:02 UTC 2009
>Synopsis: PAM checks in sshd too few?
>Arrival-Date: Mon Nov 30 10:40:00 UTC 2009
>Originator: Olaf Seibert
>Release: FreeBSD 8.0-RC2 amd64
System: FreeBSD fourquid.cs.ru.nl 8.0-RC2 FreeBSD 8.0-RC2 #3: Mon Nov 2 12:56:50 CET 2009 root at fourquid.cs.ru.nl:/usr/src/sys/amd64/compile/FOURQUID amd64
I use port security/pam_af to help me against brute force
login attacks. I use it both on FreeBSD and NetBSD.
It works by being first in the "auth" list of the PAM config
file. It hooks into pam_sm_authenticate(), where it registers a
(potentially failed) login attempt. If the counter is too high,
it blocks the login.
Then later, if pam_sm_setcred() is called, it registers the
login attempt as success by resetting the login attempt counter.
I have observed a significant difference in behaviour on both
OSes, and I think FreeBSD is significantly less secure than it
could (and should) be.
Sshd is logging large amounts of login attempts. However, hardly
any of the hosts involved end up blocked by pam_af.
This can only mean that pam_sm_authenticate() isn't always
called for all login attempts. It seems like it is only called
for login attempts with actually existing users.
NetBSD's sshd, on the other hand, nicely registers these
attempts and blocks the offending hosts.
In my opinion, it would be better if FreeBSD did the same. It
would make tools like pam_af much more effective.
I first noticed this on FreeBSD 6.1, but it is unchanged in 8.0.
I notice another port, security/pam-abl, which at a
glance appears to work similarly, so it would fail similarly.
Install security/pam_af and observe its statistics database.
See that almost none of the hosts that sshd logs are in it.
Sorry, I don't know what diversion has grown between both *BSD's
sshd. Diffs appear to be large though.
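The check described above (comparing the hosts sshd logs against the hosts pam_af has recorded), as an added example that is not part of the original report: it parses constructed OpenSSH "Failed password" lines, splits them by whether sshd tagged the account "invalid user", and reports hosts that never reached pam_af's counter. The pam_af database format is not described in the report, so the set of hosts already known to pam_af is an assumed, pre-extracted input.

```python
import re
from collections import defaultdict

# Constructed sshd log excerpt (not from the report). The first host only
# probes nonexistent accounts; the second also fails against a real one.
SSHD_LOG = """\
Nov 30 10:01:02 host sshd[1001]: Failed password for invalid user admin from 192.0.2.10 port 50000 ssh2
Nov 30 10:01:05 host sshd[1002]: Failed password for invalid user oracle from 192.0.2.10 port 50001 ssh2
Nov 30 10:01:09 host sshd[1003]: Failed password for invalid user test from 192.0.2.10 port 50002 ssh2
Nov 30 10:02:11 host sshd[1004]: Failed password for invalid user guest from 192.0.2.20 port 41000 ssh2
Nov 30 10:02:15 host sshd[1005]: Failed password for root from 192.0.2.20 port 41001 ssh2
Nov 30 10:03:01 host sshd[1006]: Accepted publickey for olaf from 198.51.100.5 port 22222 ssh2
"""

# Hosts present in the pam_af statistics database. Assumed input: the real
# database format is not described in the report, so this is a pre-extracted view.
PAM_AF_HOSTS = {"192.0.2.20"}

# OpenSSH logs "Failed password for invalid user X from H ..." when the account
# does not exist and "Failed password for X from H ..." when it does.
FAILED_RE = re.compile(
    r"Failed password for (?P<invalid>invalid user )?(?P<user>\S+) from (?P<host>\S+)"
)


def failed_attempts(log_text):
    """Return {host: {"invalid": n, "valid": m}} counted from 'Failed password' lines."""
    counts = defaultdict(lambda: {"invalid": 0, "valid": 0})
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if not m:
            continue
        kind = "invalid" if m.group("invalid") else "valid"
        counts[m.group("host")][kind] += 1
    return dict(counts)


def unrecorded_hosts(log_text, pam_af_hosts):
    """Hosts that sshd saw failing but that never appeared in pam_af's database."""
    return {h: c for h, c in failed_attempts(log_text).items() if h not in pam_af_hosts}


if __name__ == "__main__":
    for host, c in sorted(unrecorded_hosts(SSHD_LOG, PAM_AF_HOSTS).items()):
        print(f"{host}: {c['invalid']} invalid-user and {c['valid']} valid-user "
              f"failures, none counted by pam_af")
```

A host that shows up here with only invalid-user failures is exactly the case the report describes: sshd rejected the attempts before pam_sm_authenticate() ran, so the module never saw them.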