bin/141016: PAM checks in sshd too few?

Olaf Seibert O.Seibert at
Mon Nov 30 10:40:02 UTC 2009

>Number:         141016
>Category:       bin
>Synopsis:       PAM checks in sshd too few?
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Mon Nov 30 10:40:00 UTC 2009
>Originator:     Olaf Seibert
>Release:        FreeBSD 8.0-RC2 amd64
System: FreeBSD 8.0-RC2 FreeBSD 8.0-RC2 #3: Mon Nov 2 12:56:50 CET 2009 root at amd64

	I use port security/pam_af to help me against brute force
	login attacks. I use it both on FreeBSD and NetBSD.

	It works by being first in the "auth" list of the PAM config
	file. It hooks into pam_sm_authenticate(), where it registers a
	(potentially failed) login attempt. If the counter is too high,
	it blocks the login.
	Then later, if pam_am_setcred() is called, it registers the
	login attempt as success by resetting the login attempt counter.

	I have observed a significant difference in behaviour on both
	OSes, and I think FreeBSD is significantly less secure than it
	could (and should) be.

	Sshd is logging large amounts of login attempts. However, hardly
	any of the hosts involved end up blocked by pam_af.

	This can only mean that pam_sm_authenticate() isn't always
	called for all login attempts. It seems like it is only called
	for login attempts with actually existing users.

	NetBSD's sshd, on the other hand, nicely registers these
	attempts and blocks the offending hosts.

	In my opinion, it would be better if FreeBSD did the same. It
	would make tools like pam_af much more effective.

	I first noticed this on FreeBSD 6.1, but it is unchanged in 8.0.

	I notice another port, security/pam-abl, which at a
	glance appears to work similarly so it would fail similarly.

	Install security/pam_af and observe its statistics database.
	See that almost none of the hosts that sshd logs are in it.
	Sorry, I don't know what diversion has grown between both *BSD's
	sshd. Diffs appear to be large though.

-Olaf Seibert.


More information about the freebsd-bugs mailing list